The Chief Information Officer Is
Taking Steps to Timely Complete Corrective Actions to Treasury Inspector
General for Tax Administration Reports
April 2005
Reference Number:
2005-20-071
This report has cleared the Treasury Inspector
General for Tax Administration disclosure review process and information
determined to be restricted from public release has been redacted from this
document.
Redaction Legend:
7 = Predecisional staff recommendations or suggestions to agency decision makers
April
11, 2005
MEMORANDUM FOR
CHIEF INFORMATION OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Audit Report - The Chief Information Officer Is Taking Steps to
Timely Complete Corrective Actions to Treasury Inspector General for Tax
Administration Reports (Audit # 200520028)
This
report presents the results of our review of Modernization and Information
Technology Services (MITS) open corrective actions. Our overall objective was to determine
whether the Internal Revenue Service (IRS) is efficiently addressing open
corrective actions resulting from Treasury Inspector General for Tax Administration
(TIGTA) audit recommendations. In
October 2004, the Chief Information Officer (CIO) expressed concerns regarding
the number of open corrective actions and requested that we perform a review of
the MITS organization’s open corrective actions.
In
summary, since Fiscal Year 2000, we have issued to the MITS organization a consistent number of audit reports each year resulting in an
average of 143 recommendations per year.
Based on the distribution of the open corrective actions within the MITS
organization, we believe no division is overly burdened with a large number of
outstanding corrective actions.
While corrective actions are
being closed by the MITS organization, some of the open corrective actions are
not being resolved by the original due dates.
All
open corrective actions are significant because they address issues with
systems security, systems modernization, existing IRS material
weaknesses/internal control deficiencies, or the President’s Management Agenda
(PMA).
After
we briefed the CIO on our results, the CIO initiated additional actions to
improve the timeliness of completing corrective actions and reemphasized to the
staff the importance of providing quality, timely responses to TIGTA
reports. Therefore, we made no
additional recommendations in this report.
Management’s Response: Management’s
response was due on March 31, 2005. As
of April 5, 2005, management had not responded to the draft report.
Copies
of this report are also being sent to the IRS managers affected by the report
results. Please contact me at (202) 622-6510
if you have questions or Margaret E. Begg, Assistant Inspector General for
Audit (Information Systems Programs), at (202) 622-8510.
The Modernization and Information
Technology Services Organization Is Closing Corrective Actions
Some
Corrective Actions Are Not Being Timely Resolved
Open Corrective Actions Are Related to
Significant Areas
Appendix I – Detailed Objective, Scope, and
Methodology
Appendix II – Major Contributors to This
Report
Appendix III – Report Distribution List
Appendix V – Security Versus Non-Security Open
Corrective Actions
Appendix VI – Corrective Actions Related to
Material Weaknesses or Internal Control Deficiencies
Appendix VII – Corrective Actions Related to
the President’s Management Agenda
Appendix VIII – Categorization of Open Corrective
Actions
The
Internal Revenue Service (IRS) Modernization and Information Technology
Services (MITS) organization is challenged with addressing recommendations made
by the Treasury Inspector General for Tax Administration (TIGTA) and other
oversight groups. The MITS organization
initiates corrective actions and tracks the status of those actions in response
to oversight recommendations.
According
to the IRS, the Office of Stakeholder Management regularly issues aging reports
to responsible officials assigned the open corrective actions. These reports list corrective actions that
are due or will be due within 30, 60, and 90 days. The responsible officials are required to
respond to the reports by providing status updates on the open corrective
actions. In addition, as part of the
MITS organization’s Business Performance Reviews, open corrective actions are
reviewed and the status is discussed to provide oversight and tracking.
In
October 2004, the Chief Information Officer (CIO) expressed concerns regarding
the number of open corrective actions and requested that we perform a review of
the MITS organization’s open corrective action items. The CIO provided a listing of 129 corrective
actions open as of the beginning of October 2004. As of November 2004, 101 corrective actions
remained open and were analyzed during this audit.
This review was performed in the MITS organization offices
at the IRS National Headquarters in
The Modernization and Information Technology
Services Organization Is Closing Corrective Actions
Since Fiscal Year (FY) 2000, we have issued to the MITS organization an average of 32 audit reports per year containing an average of 143 recommendations per year. Figure 1 shows the number of audit reports we issued to the MITS organization and the corresponding number of recommendations.
Figure1: TIGTA Final Reports and Associated Recommendations
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
The MITS organization responded to these audit recommendations by initiating and taking measures to complete corrective actions. For example, all FY 2000 recommendations were closed through the completion of their assigned corrective actions. Only a small percentage of corrective actions remained open for FYs 2001, 2002, and 2003. As of November 2004, 101 corrective actions, resulting from 92 recommendations, remained open. The majority (67 of 101 or 66 percent) of the open corrective actions were from FY 2004 audits. Figure 2 shows a breakdown of open corrective actions by fiscal year.
Figure 2: Open Corrective Actions by Fiscal Year
Figure 2 was removed due to its size. To see Figure 2, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Based on the distribution of the open corrective actions within the MITS organization, we believe no division is overly burdened with a large number of outstanding corrective actions. No division has over 20 open corrective actions. See Appendix IV for a detailed breakdown of this analysis.
While corrective actions are being closed by the MITS organization, we determined some of the open corrective actions are not being resolved by their original due dates, and open corrective actions relate to critical areas.
Some Corrective Actions Are
Not Being Timely Resolved
The number of recommendations has been fairly consistent from year to year, and no division within the MITS organization appears to be overly burdened with corrective actions. However, some corrective actions are not being timely resolved. Of the 101 open corrective actions, 32 (32 percent) are considered late by an average of 15 months.
Figure 3 shows the majority of overdue items are from prior fiscal years and if timely closed would reduce the number of open corrective actions. Older corrective actions are being worked on by the MITS organization; however, it is taking longer than expected to complete the corrective actions due to the extensive nature of the work required. See Appendix V for a listing of open corrective actions and the current status of work performed to complete the corrective actions.
Figure
3: Overdue Open Corrective Actions
|
Fiscal Year |
Open Corrective Actions |
Corrective Actions Overdue |
Average Months Overdue |
|
2000 |
0 |
0 |
0 |
|
2001 |
5 |
5 |
35 |
|
2002 |
13 |
8 |
22 |
|
2003 |
16 |
8 |
12 |
|
2004 |
67 |
11 |
4 |
|
TOTAL |
101 |
32 |
15.26 |
Source: Data obtained from analyzing the JAMES.
Management Actions: After we communicated our preliminary audit results to the IRS in December 2004, the CIO required all extensions of corrective action due dates to be reviewed and approved by the CIO. Since the CIO has taken actions to improve the timeliness of completing corrective actions, we are making no additional recommendations at this time.
Open Corrective Actions Are
Related to Significant Areas
To determine whether all open corrective actions were related to significant issues, we reviewed each open corrective action and classified it into one of the categories shown in Figure 4. Based on this analysis, we determined all open corrective actions are significant because they address issues with systems security, systems modernization, existing IRS material weaknesses/internal control deficiencies, or the President’s Management Agenda (PMA). Some of the corrective actions also address multiple issues. Appendix VIII provides a detailed listing of all the prioritized open corrective actions.
Figure 4: Open Corrective Actions by Category
|
Category |
Title |
# Of Items |
|
I |
Systems Security Issues |
44 |
|
II |
Systems Modernization Issues |
23 |
|
III |
Material Weakness/Internal Control Deficiency Issues |
26 |
|
IV |
PMA Issues |
8 |
|
Total
Corrective Actions |
101 |
|
Source: TIGTA prioritization using information from the JAMES.
Category I – Systems Security Issues
The CIO identified systems security as a major focus area for FY 2005. We determined 44 open corrective actions related to systems security. These 44 actions are also considered IRS material weaknesses and relate to a PMA critical area. Examples of TIGTA recommendations generating the systems security open corrective actions are:
1. .****7****
2. .****7****
See Appendix V for a detailed breakdown of systems security
versus nonsystems security corrective actions.
Category
II – Systems Modernization Issues
Since its inception in FY 2000, the TIGTA has identified the IRS’ systems modernization effort as a major management weakness. In addition, the Government Accountability Office has designated the modernization program as high risk, in part because of its size, complexity, and immense importance to improving mission performance and accountability. We determined 23 open corrective actions related to systems modernization. These actions are also considered IRS material weaknesses and relate to PMA critical areas. Examples of TIGTA recommendations generating the systems modernization open corrective actions are:
1. To help provide clear direction in the development of the Business Systems Modernization (BSM) program, the CIO should determine whether and how the BSM Office will fulfill the BSM program integrator role and document the related responsibilities and processes.
2. To more clearly define the Computer Sciences Corporation’s (CSC) responsibility to fully document the business requirements prior to beginning system development, the CIO should require the BSM Office to conduct an analysis of future change requests to determine whether the change should have been part of the contractor’s normal requirements gathering. Task orders to define business requirements should be written to hold the CSC responsible for making such changes at no additional cost to the IRS.
Category
III – IRS Material Weakness and Internal Control Deficiency Issues
The IRS is required by the Federal Managers Financial Integrity Act of 1982 (FMFIA) to report and effectively correct outstanding material weaknesses and internal control deficiencies through implementing recommendations made by the TIGTA and other oversight agencies. We determined 26 corrective actions related to an IRS material weakness and were not included as Category I and II actions. Examples of TIGTA recommendations generating the material weakness and internal control deficiency open corrective actions are:
1. The CIO should ensure service is immediately discontinued for cellular telephones that have not been registered in the national database.
2.
The CIO should ensure a complete inventory of
phone cards is established, prior to migrating the inventory management and
billing function to the Telecommunications Asset Tool (TAT) system, and annual
phone card inventories are completed on a consistent basis.
See Appendix VI for the analysis of open corrective actions relating to the IRS material weaknesses and internal control deficiencies.
Category IV – PMA Issues
Since the inception of the PMA in July 2001, we have made recommendations to make improvements to meet the PMA goals. We determined eight corrective actions related to a PMA critical area but were not included in Categories I through III. Examples of TIGTA recommendations generating the PMA open corrective actions are:
1. To ensure the MITS organization has adequate staffing to meet its needs, the CIO should charge the Director, Management Services, to develop detailed hiring and retention plans.
2. The CIO should ensure a centralized, multifunctional investment review process is established and documented for the selection, funding, and monitoring of all IRS information technology investments.
See Appendix VII for the analysis of open corrective actions
relating to the PMA.
Management Actions: After we met with the CIO to communicate our
interim results, the CIO met with other high-level IRS executives to determine
how to prioritize the corrective actions.
The CIO also provided our results to approximately 20 leadership team
members during an all day senior leadership team meeting and reemphasized the
importance of delivering quality, timely responses to the TIGTA. Because the CIO has
taken actions to prioritize corrective actions, we are making no additional
recommendations at this time.
Management’s Response: Management’s response was due on March 31, 2005. As of April 5, 2005, management had not responded to the draft report.
Appendix I
Detailed
Objective, Scope, and Methodology
The overall objective of this review was to determine whether the Internal Revenue Service (IRS) is efficiently addressing open corrective actions resulting from Treasury Inspector General for Tax Administration audit recommendations. To achieve this objective, we determined whether the open corrective actions were categorized to provide for an efficient method of resolution. We:
1. Reviewed all open corrective actions to determine:
1. The number of months each corrective action had been overdue.
2. The percentage of corrective actions having missed the original due dates and the average amount of time these actions were overdue.
2.
Reviewed all of the open corrective actions and
determined whether they were aligned with a broader program.
1.
Determined whether any open corrective
actions related to any IRS material weaknesses or internal control
deficiencies.
2.
Determined whether any open corrective
actions were aligned with the President’s Management Agenda (PMA).
3.
Determined the distribution of open corrective
actions within the Modernization and Information Technology Services (MITS) organization.
1.
Identified the responsible official for each
corrective item.
2.
Analyzed the workload of assigned corrective
actions to the identified manager within the MITS organization.
Appendix II
Major
Contributors to This Report
Margaret E. Begg,
Assistant Inspector General for Audit (Information Systems Programs)
Gary V. Hinkle,
Director
Troy D. Paterson,
Audit Manager
Phung H. Nguyen, Lead
Auditor
Tina Wong, Senior
Auditor
Steven W. Gibson,
Auditor
Appendix III
Commissioner
C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for
Operations Support OS
Associate Chief Information
Officer, Business Systems Modernization
OS:CIO:B
Associate Chief Information
Officer,
Associate Chief Information
Officer, Information Technology Services
OS:CIO:I
Associate Chief Information
Officer, Management OS:CIO:M
Director, Stakeholder
Management OS:CIO:SM
Chief Counsel
CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk
Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
Associate
Chief Information Officer, Business Systems Modernization OS:CIO:B
Manager, Program
Oversight Office OS:CIO:SM:
Appendix IV
Division of
Open Corrective Actions Within the Modernization and Information Technology
Services Organization
The
101 open corrective actions we reviewed were divided among 11 different
divisions within the Modernization and Information Technology Services
organization.
Figure
1: Open Corrective Actions by
Responsible Official
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Appendix V
Security
Versus Non-Security Open Corrective Actions
The 101 open corrective actions we reviewed can be broken
down between systems security and nonsystems security-related actions. In addition, we performed a detailed review
of each open corrective action to determine and group similar items into
specific categories. These categories
show the status of work performed and other actions required of the
Modernization and Information Technology Services organization to close out the
corrective actions.
Figure
1: Security Versus Non-Security Open
Corrective Actions
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Appendix VI
Corrective
Actions Related to Material Weaknesses or Internal Control Deficiencies
We analyzed all 101 open corrective actions to
determine whether they related to specific Internal Revenue Service (IRS)
material weaknesses or internal control deficiencies. Of the 101 open corrective actions, 93 relate
to either a material weakness or an internal control deficiency. See Appendix VIII for details on the open
corrective actions that relate to an IRS material weakness or internal control
but are not related to systems security or systems modernization.
Figure
1: Open Corrective Actions Related to
Material Weaknesses or Internal Control Deficiencies
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Appendix VII
Corrective
Actions Related to the President’s Management Agenda
We analyzed all 101 open corrective actions and
determined they all relate to a specific President’s Management Agenda (PMA)
item. Of the 101 open corrective
actions, only 8 do not relate to systems security, systems modernization, or a
material weakness/internal control deficiency.
See Appendix VIII for details on the open corrective actions that relate
to a PMA item but are not related to systems security, systems modernization, or
a material weakness/internal control deficiency.
Figure
1: Open Corrective Actions Related to
the President’s Management Agenda
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Appendix VIII
Categorization
of Open Corrective Actions
We analyzed all 101 open corrective actions and
classified them into 4 specific categories based upon their relationship to
systems security, systems modernization, existing Internal Revenue Service
(IRS) material weaknesses/internal control deficiencies, and the President’s
Management Agenda (PMA). Table 1 lists
the open corrective action according to the format used by the IRS.
Table
1: Categorization of Open Corrective
Actions
|
Category I – 44
Corrective Actions Related to Systems Security |
||||
|
2004-20-142/1/1/1 |
2004-20-131/1/2/2 |
2004-20-073/3/1/1 |
2003-20-119/1/1/3 |
2002-20-075/1/1/2 |
|
2004-20-142/1/2/1 |
2004-20-131/2/4/1 |
2004-20-073/3/1/2 |
2003-20-119/1/4/3 |
2002-20-075/1/1/3 |
|
2004-20-142/2/1/3 |
2004-20-126/1/1/1 |
2004-20-063/3/1/1 |
2003-20-118/2/2/1 |
2002-20-075/1/1/4 |
|
2004-20-142/2/1/4 |
2004-20-126/1/2/1 |
2004-20-063/2/1/1 |
2003-20-118/1/5/1 |
2002-20-075/1/2/1 |
|
2004-20-142/2/2/1 |
2004-20-126/1/3/1 |
2004-20-053/1/1/1 |
2003-20-118/2/2/2 |
2002-20-075/5/2/1 |
|
2004-20-142/2/2/2 |
2004-20-079/1/3/1 |
2004-20-053/1/2/2 |
2003-20-082/5/1/1 |
2002-20-007/3/1/1 |
|
2004-20-142/2/3/2 |
2004-20-079/2/1/1 |
2004-20-053/1/3/1 |
2003-20-082/6/1/1 |
2001-20-043/1/1/1 |
|
2004-20-135/1/1/1 |
2004-20-079/3/1/1 |
2004-20-053/1/5/1 |
2003-20-056/2/1/1 |
2001-20-043/1/2/1 |
|
2004-20-131/1/2/1 |
2004-20-073/2/1/1 |
2004-20-053/2/1/1 |
2002-20-145/1/1/1 |
|
|
|
|
|
|
|
|
Category II - 23
Corrective Actions Related to Systems Modernization |
||||
|
2004-20-157/3/1/1 |
2004-20-061/3/1/1 |
2004-20-026/1/1/2 |
2004-40-110/1/2/1 |
2003-20-219/1/4/1 |
|
2004-20-157/2/1/1 |
2004-20-034/1/2/1 |
2004-20-026/1/1/1 |
2004-40-013/1/2/1 |
2001-20-152/1/1/1 |
|
2004-20-157/1/1/1 |
2004-20-034/2/1/1 |
2004-20-001/2/1/1 |
2004-40-013/1/3/1 |
2001-20-152/1/2/1 |
|
2004-20-147/2/4/1 |
2004-20-034/2/2/1 |
2004-40-110/1/1/1 |
2004-30-023/1/3/3 |
|
|
2004-20-147/2/3/1 |
2004-20-026/1/2/1 |
2004-40-110/1/1/2 |
2004-30-023/1/5/1 |
|
|
|
|
|
|
|
|
Category III - 26 Corrective Actions Related to an
IRS Material Weakness/Internal Control Deficiency |
||||
|
2002-20-043/2/1/1 |
2003-40-165/4/1/1 |
2004-20-041/3/2/1 |
2004-20-156/2/3/1 |
2004-20-156/4/1/1 |
|
2002-20-043/2/2/1 |
2004-20-041/1/1/1 |
2004-20-041/3/3/1 |
2004-20-156/2/4/1 |
2004-20-156/4/2/1 |
|
2002-20-100/1/1/1 |
2004-20-041/1/2/1 |
2004-20-156/1/1/1 |
2004-20-156/2/5/1 |
2004-20-156/4/3/1 |
|
2002-20-100/1/2/1 |
2004-20-041/1/3/1 |
2004-20-156/2/1/1 |
2004-20-156/3/1/1 |
2004-20-156/5/1/1 |
|
2003-40-092/1/1/1 |
2004-20-041/2/1/1 |
2004-20-156/2/2/1 |
2004-20-156/3/3/1 |
2004-20-156/5/2/1 |
|
|
|
|
|
2004-30-055/2/1/1 |
|
Category IV - 8
Corrective Actions Related to the President’s Management Agenda |
||||
|
2003-20-209/2/1/1 |
2003-20-035/1/1/1 |
2003-20-035/2/3/1 |
2002-20-138/1/2/1 |
|
|
2003-20-117/1/2/1 |
2003-20-035/1/2/1 |
2002-20-138/1/1/1 |
2001-20-004/1/1/1 |
|
Source:
Data obtained from analyzing the Joint Audit
Management