The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to Treasury Inspector General for Tax Administration Reports

 

April 2005

 

Reference Number:  2005-20-071

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Redaction Legend:

7 = Predecisional staff recommendations or suggestions to agency decision makers

 

April 11, 2005

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM:     Pamela J. Gardiner /s/ Pamela J. Gardiner

                 Deputy Inspector General for Audit

 

SUBJECT:     Final Audit Report - The Chief Information Officer Is Taking Steps to Timely Complete Corrective Actions to Treasury Inspector General for Tax Administration Reports (Audit # 200520028)

 

This report presents the results of our review of Modernization and Information Technology Services (MITS) open corrective actions.  Our overall objective was to determine whether the Internal Revenue Service (IRS) is efficiently addressing open corrective actions resulting from Treasury Inspector General for Tax Administration (TIGTA) audit recommendations.  In October 2004, the Chief Information Officer (CIO) expressed concerns regarding the number of open corrective actions and requested that we perform a review of the MITS organization’s open corrective actions.

In summary, since Fiscal Year 2000, we have issued to the MITS organization a consistent number of audit reports each year resulting in an average of 143 recommendations per year.  Based on the distribution of the open corrective actions within the MITS organization, we believe no division is overly burdened with a large number of outstanding corrective actions.

While corrective actions are being closed by the MITS organization, some of the open corrective actions are not being resolved by the original due dates.  All open corrective actions are significant because they address issues with systems security, systems modernization, existing IRS material weaknesses/internal control deficiencies, or the President’s Management Agenda (PMA).

After we briefed the CIO on our results, the CIO initiated additional actions to improve the timeliness of completing corrective actions and reemphasized to the staff the importance of providing quality, timely responses to TIGTA reports.  Therefore, we made no additional recommendations in this report.

Management’s Response:  Management’s response was due on March 31, 2005.  As of April 5, 2005, management had not responded to the draft report.

Copies of this report are also being sent to the IRS managers affected by the report results.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

Table of Contents

Background

The Modernization and Information Technology Services Organization Is Closing Corrective Actions

Some Corrective Actions Are Not Being Timely Resolved

Open Corrective Actions Are Related to Significant Areas

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Division of Open Corrective Actions Within the Modernization and Information Technology Services Organization

Appendix V – Security Versus Non-Security Open Corrective Actions

Appendix VI – Corrective Actions Related to Material Weaknesses or Internal Control Deficiencies

Appendix VII – Corrective Actions Related to the President’s Management Agenda

Appendix VIII – Categorization of Open Corrective Actions

 

Background

The Internal Revenue Service (IRS) Modernization and Information Technology Services (MITS) organization is challenged with addressing recommendations made by the Treasury Inspector General for Tax Administration (TIGTA) and other oversight groups.  The MITS organization initiates corrective actions and tracks the status of those actions in response to oversight recommendations.

According to the IRS, the Office of Stakeholder Management regularly issues aging reports to responsible officials assigned the open corrective actions.  These reports list corrective actions that are due or will be due within 30, 60, and 90 days.  The responsible officials are required to respond to the reports by providing status updates on the open corrective actions.  In addition, as part of the MITS organization’s Business Performance Reviews, open corrective actions are reviewed and the status is discussed to provide oversight and tracking.

In October 2004, the Chief Information Officer (CIO) expressed concerns regarding the number of open corrective actions and requested that we perform a review of the MITS organization’s open corrective action items.  The CIO provided a listing of 129 corrective actions open as of the beginning of October 2004.  As of November 2004, 101 corrective actions remained open and were analyzed during this audit.

This review was performed in the MITS organization offices at the IRS National Headquarters in Washington, D.C., during the period November 2004 through February 2005.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

The Modernization and Information Technology Services Organization Is Closing Corrective Actions

 

Since Fiscal Year (FY) 2000, we have issued to the MITS organization an average of 32 audit reports per year containing an average of 143 recommendations per year.  Figure 1 shows the number of audit reports we issued to the MITS organization and the corresponding number of recommendations. 

Figure1:  TIGTA Final Reports and Associated Recommendations

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

The MITS organization responded to these audit recommendations by initiating and taking measures to complete corrective actions.  For example, all FY 2000 recommendations were closed through the completion of their assigned corrective actions.  Only a small percentage of corrective actions remained open for FYs 2001, 2002, and 2003.  As of November 2004, 101 corrective actions, resulting from 92 recommendations, remained open.  The majority (67 of 101 or 66 percent) of the open corrective actions were from FY 2004 audits.  Figure 2 shows a breakdown of open corrective actions by fiscal year.

 Figure 2:  Open Corrective Actions by Fiscal Year

Figure 2 was removed due to its size.  To see Figure 2, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

Based on the distribution of the open corrective actions within the MITS organization, we believe no division is overly burdened with a large number of outstanding corrective actions.  No division has over 20 open corrective actions.  See Appendix IV for a detailed breakdown of this analysis.

While corrective actions are being closed by the MITS organization, we determined some of the open corrective actions are not being resolved by their original due dates, and open corrective actions relate to critical areas. 

Some Corrective Actions Are Not Being Timely Resolved

 

The number of recommendations has been fairly consistent from year to year, and no division within the MITS organization appears to be overly burdened with corrective actions.  However, some corrective actions are not being timely resolved.  Of the 101 open corrective actions, 32 (32 percent) are considered late by an average of 15 months. 

Figure 3 shows the majority of overdue items are from prior fiscal years and if timely closed would reduce the number of open corrective actions.  Older corrective actions are being worked on by the MITS organization; however, it is taking longer than expected to complete the corrective actions due to the extensive nature of the work required.  See Appendix V for a listing of open corrective actions and the current status of work performed to complete the corrective actions.

Figure 3:  Overdue Open Corrective Actions

Fiscal Year

Open Corrective Actions

Corrective Actions Overdue

Average Months Overdue

2000

0

0

0

2001

5

5

35

2002

13

8

22

2003

16

8

12

2004

67

11

4

TOTAL

101

32

15.26

Source:  Data obtained from analyzing the JAMES.

Management Actions:  After we communicated our preliminary audit results to the IRS in December 2004, the CIO required all extensions of corrective action due dates to be reviewed and approved by the CIO.  Since the CIO has taken actions to improve the timeliness of completing corrective actions, we are making no additional recommendations at this time.

Open Corrective Actions Are Related to Significant Areas

 

To determine whether all open corrective actions were related to significant issues, we reviewed each open corrective action and classified it into one of the categories shown in Figure 4.  Based on this analysis, we determined all open corrective actions are significant because they address issues with systems security, systems modernization, existing IRS material weaknesses/internal control deficiencies, or the President’s Management Agenda (PMA).  Some of the corrective actions also address multiple issues.  Appendix VIII provides a detailed listing of all the prioritized open corrective actions.

Figure 4:  Open Corrective Actions by Category

Category

Title

# Of Items

I

Systems Security Issues

44

II

Systems Modernization Issues

23

III

Material Weakness/Internal Control Deficiency Issues

26

IV

PMA Issues

8

Total Corrective Actions

101

Source:  TIGTA prioritization using information from the JAMES.

Category I – Systems Security Issues

The CIO identified systems security as a major focus area for FY 2005.  We determined 44 open corrective actions related to systems security.  These 44 actions are also considered IRS material weaknesses and relate to a PMA critical area.  Examples of TIGTA recommendations generating the systems security open corrective actions are:

1.      .****7****

2.      .****7****

See Appendix V for a detailed breakdown of systems security versus nonsystems security corrective actions.

Category II – Systems Modernization Issues

Since its inception in FY 2000, the TIGTA has identified the IRS’ systems modernization effort as a major management weakness.  In addition, the Government Accountability Office has designated the modernization program as high risk, in part because of its size, complexity, and immense importance to improving mission performance and accountability.  We determined 23 open corrective actions related to systems modernization.  These actions are also considered IRS material weaknesses and relate to PMA critical areas.  Examples of TIGTA recommendations generating the systems modernization open corrective actions are:

1.      To help provide clear direction in the development of the Business Systems Modernization (BSM) program, the CIO should determine whether and how the BSM Office will fulfill the BSM program integrator role and document the related responsibilities and processes.

2.      To more clearly define the Computer Sciences Corporation’s (CSC) responsibility to fully document the business requirements prior to beginning system development, the CIO should require the BSM Office to conduct an analysis of future change requests to determine whether the change should have been part of the contractor’s normal requirements gathering.  Task orders to define business requirements should be written to hold the CSC responsible for making such changes at no additional cost to the IRS.

Category III – IRS Material Weakness and Internal Control Deficiency Issues

The IRS is required by the Federal Managers Financial Integrity Act of 1982 (FMFIA) to report and effectively correct outstanding material weaknesses and internal control deficiencies through implementing recommendations made by the TIGTA and other oversight agencies.  We determined 26 corrective actions related to an IRS material weakness and were not included as Category I and II actions.  Examples of TIGTA recommendations generating the material weakness and internal control deficiency open corrective actions are:

1.      The CIO should ensure service is immediately discontinued for cellular telephones that have not been registered in the national database.

2.      The CIO should ensure a complete inventory of phone cards is established, prior to migrating the inventory management and billing function to the Telecommunications Asset Tool (TAT) system, and annual phone card inventories are completed on a consistent basis.

See Appendix VI for the analysis of open corrective actions relating to the IRS material weaknesses and internal control deficiencies.

Category IV – PMA Issues

Since the inception of the PMA in July 2001, we have made recommendations to make improvements to meet the PMA goals.  We determined eight corrective actions related to a PMA critical area but were not included in Categories I through III.  Examples of TIGTA recommendations generating the PMA open corrective actions are:

1.      To ensure the MITS organization has adequate staffing to meet its needs, the CIO should charge the Director, Management Services, to develop detailed hiring and retention plans.

2.      The CIO should ensure a centralized, multifunctional investment review process is established and documented for the selection, funding, and monitoring of all IRS information technology investments.

See Appendix VII for the analysis of open corrective actions relating to the PMA.

Management Actions:  After we met with the CIO to communicate our interim results, the CIO met with other high-level IRS executives to determine how to prioritize the corrective actions.  The CIO also provided our results to approximately 20 leadership team members during an all day senior leadership team meeting and reemphasized the importance of delivering quality, timely responses to the TIGTA.  Because the CIO has taken actions to prioritize corrective actions, we are making no additional recommendations at this time.

Management’s Response:  Management’s response was due on March 31, 2005.  As of April 5, 2005, management had not responded to the draft report.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) is efficiently addressing open corrective actions resulting from Treasury Inspector General for Tax Administration audit recommendations.  To achieve this objective, we determined whether the open corrective actions were categorized to provide for an efficient method of resolution.  We:

1.                  Reviewed all open corrective actions to determine:

1.      The number of months each corrective action had been overdue.

2.      The percentage of corrective actions having missed the original due dates and the average amount of time these actions were overdue.

2.                  Reviewed all of the open corrective actions and determined whether they were aligned with a broader program.

1.      Determined whether any open corrective actions related to any IRS material weaknesses or internal control deficiencies.

2.      Determined whether any open corrective actions were aligned with the President’s Management Agenda (PMA).

3.                  Determined the distribution of open corrective actions within the Modernization and Information Technology Services (MITS) organization.

1.      Identified the responsible official for each corrective item.

2.      Analyzed the workload of assigned corrective actions to the identified manager within the MITS organization.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Gary V. Hinkle, Director

Troy D. Paterson, Audit Manager

Phung H. Nguyen, Lead Auditor

Tina Wong, Senior Auditor

Steven W. Gibson, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Associate Chief Information Officer, Enterprise Services  OS:CIO:ES

Associate Chief Information Officer, Information Technology Services  OS:CIO:I

Associate Chief Information Officer, Management  OS:CIO:M

Director, Stakeholder Management  OS:CIO:SM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons: 

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Manager, Program Oversight Office  OS:CIO:SM:PO

 

Appendix IV

 

Division of Open Corrective Actions Within the Modernization and Information Technology Services Organization

 

The 101 open corrective actions we reviewed were divided among 11 different divisions within the Modernization and Information Technology Services organization.

 

Figure 1:  Open Corrective Actions by Responsible Official

 

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

Appendix V

 

Security Versus Non-Security Open Corrective Actions

 

The 101 open corrective actions we reviewed can be broken down between systems security and nonsystems security-related actions.  In addition, we performed a detailed review of each open corrective action to determine and group similar items into specific categories.  These categories show the status of work performed and other actions required of the Modernization and Information Technology Services organization to close out the corrective actions.

Figure 1:  Security Versus Non-Security Open Corrective Actions

 

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

Appendix VI

 

Corrective Actions Related to Material Weaknesses or Internal Control Deficiencies

 

We analyzed all 101 open corrective actions to determine whether they related to specific Internal Revenue Service (IRS) material weaknesses or internal control deficiencies.  Of the 101 open corrective actions, 93 relate to either a material weakness or an internal control deficiency.  See Appendix VIII for details on the open corrective actions that relate to an IRS material weakness or internal control but are not related to systems security or systems modernization.

Figure 1:  Open Corrective Actions Related to Material Weaknesses or Internal Control Deficiencies

 

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

Appendix VII

 

Corrective Actions Related to the President’s Management Agenda

 

We analyzed all 101 open corrective actions and determined they all relate to a specific President’s Management Agenda (PMA) item.  Of the 101 open corrective actions, only 8 do not relate to systems security, systems modernization, or a material weakness/internal control deficiency.  See Appendix VIII for details on the open corrective actions that relate to a PMA item but are not related to systems security, systems modernization, or a material weakness/internal control deficiency.

Figure 1:  Open Corrective Actions Related to the President’s Management Agenda

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

Appendix VIII

 

Categorization of Open Corrective Actions

 

We analyzed all 101 open corrective actions and classified them into 4 specific categories based upon their relationship to systems security, systems modernization, existing Internal Revenue Service (IRS) material weaknesses/internal control deficiencies, and the President’s Management Agenda (PMA).  Table 1 lists the open corrective action according to the format used by the IRS.

Table 1:  Categorization of Open Corrective Actions

Category I – 44 Corrective Actions Related to Systems Security

2004-20-142/1/1/1

2004-20-131/1/2/2

2004-20-073/3/1/1

2003-20-119/1/1/3

2002-20-075/1/1/2

2004-20-142/1/2/1

2004-20-131/2/4/1

2004-20-073/3/1/2

2003-20-119/1/4/3

2002-20-075/1/1/3

2004-20-142/2/1/3

2004-20-126/1/1/1

2004-20-063/3/1/1

2003-20-118/2/2/1

2002-20-075/1/1/4

2004-20-142/2/1/4

2004-20-126/1/2/1

2004-20-063/2/1/1

2003-20-118/1/5/1

2002-20-075/1/2/1

2004-20-142/2/2/1

2004-20-126/1/3/1

2004-20-053/1/1/1

2003-20-118/2/2/2

2002-20-075/5/2/1

2004-20-142/2/2/2

2004-20-079/1/3/1

2004-20-053/1/2/2

2003-20-082/5/1/1

2002-20-007/3/1/1

2004-20-142/2/3/2

2004-20-079/2/1/1

2004-20-053/1/3/1

2003-20-082/6/1/1

2001-20-043/1/1/1

2004-20-135/1/1/1

2004-20-079/3/1/1

2004-20-053/1/5/1

2003-20-056/2/1/1

2001-20-043/1/2/1

2004-20-131/1/2/1

2004-20-073/2/1/1

2004-20-053/2/1/1

2002-20-145/1/1/1

 

 

 

 

 

 

Category II - 23 Corrective Actions Related to Systems Modernization

2004-20-157/3/1/1

2004-20-061/3/1/1

2004-20-026/1/1/2

2004-40-110/1/2/1

2003-20-219/1/4/1

2004-20-157/2/1/1

2004-20-034/1/2/1

2004-20-026/1/1/1

2004-40-013/1/2/1

2001-20-152/1/1/1

2004-20-157/1/1/1

2004-20-034/2/1/1

2004-20-001/2/1/1

2004-40-013/1/3/1

2001-20-152/1/2/1

2004-20-147/2/4/1

2004-20-034/2/2/1

2004-40-110/1/1/1

2004-30-023/1/3/3

 

2004-20-147/2/3/1

2004-20-026/1/2/1

2004-40-110/1/1/2

2004-30-023/1/5/1

 

 

 

 

 

 

 

Category III - 26 Corrective Actions Related to an IRS Material Weakness/Internal Control Deficiency

2002-20-043/2/1/1

2003-40-165/4/1/1

2004-20-041/3/2/1

2004-20-156/2/3/1

2004-20-156/4/1/1

2002-20-043/2/2/1

2004-20-041/1/1/1

2004-20-041/3/3/1

2004-20-156/2/4/1

2004-20-156/4/2/1

2002-20-100/1/1/1

2004-20-041/1/2/1

2004-20-156/1/1/1

2004-20-156/2/5/1

2004-20-156/4/3/1

2002-20-100/1/2/1

2004-20-041/1/3/1

2004-20-156/2/1/1

2004-20-156/3/1/1

2004-20-156/5/1/1

2003-40-092/1/1/1

2004-20-041/2/1/1

2004-20-156/2/2/1

2004-20-156/3/3/1

2004-20-156/5/2/1

 

 

 

 

2004-30-055/2/1/1

 

Category IV - 8 Corrective Actions Related to the President’s Management Agenda

2003-20-209/2/1/1

2003-20-035/1/1/1

2003-20-035/2/3/1

2002-20-138/1/2/1

 

2003-20-117/1/2/1

2003-20-035/1/2/1

2002-20-138/1/1/1

2001-20-004/1/1/1

 

Source:  Data obtained from analyzing the Joint Audit Management Enterprise System.