TREASURY
INSPECTOR GENERAL FOR TAX ADMINISTRATION
Business Cases for
Information Technology Projects Remain Inaccurate
January 25, 2007
Reference Number: 2007-20-024
This
report has cleared the Treasury Inspector General for Tax Administration
disclosure review process and information determined to be restricted from
public release has been redacted from this document.
Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals
Phone Number |
202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site |
http://www.tigta.gov
January 25, 2007
MEMORANDUM FOR CHIEF INFORMATION OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Business Cases for Information Technology Projects Remain Inaccurate (Audit # 200620005)
This report presents the results of our follow-up review on the Internal Revenue Service’s (IRS) management of information technology investments. The overall objective of the review was to determine whether the IRS took effective corrective actions to address the recommendations in our previous audit report.[1] Also, we evaluated whether the IRS is managing its information technology investments in compliance with Office of Management and Budget (OMB) and Clinger-Cohen Act of 1996[2] requirements.
Impact on the Taxpayer
The IRS spends approximately $2 billion annually on information technology investments. In this follow-up review, we determined the IRS business cases used to manage and fund specific information technology investments remain inaccurate and unreliable. IRS business case inaccuracies distort the true life-cycle costs of information technology investments and present a false depiction of the IRS’ information technology portfolio, resulting in potential waste and mismanagement of taxpayer dollars.
Synopsis
The Federal Government invests over $60 billion in information technology investments annually. Motivated to improve information technology budget stewardship, Congress enacted legislation directing agencies to use better business practices to manage and report major information technology investments. In April 2005, we issued a report that addressed whether the IRS planned, managed, and controlled its information technology investments in compliance with OMB and Clinger-Cohen Act requirements. We reported project costs had not been reported accurately in the business cases, relevant cost and benefit information had been omitted, progress on development projects had been measured inaccurately, and business cases for operational projects did not demonstrate the results of an E-Government review.[3]
The IRS took several
actions to address the weaknesses cited in our previous report; however, most
of the weaknesses remain unresolved. Specifically:
·
Project costs are still being reported inaccurately. Costs cannot be substantiated, indirect costs
for management and overhead are not allocated to projects, and security costs
are not reported accurately.
·
Progress on development projects continues to be measured
inaccurately. Actual costs used in progress calculations
were understated and baselines for cost and schedule are continually
revised. In addition, the IRS did not review contractors’ procedures for tracking
their cost and schedule information, as required.
·
The Department of the Treasury’s programming of the software used
to prepare business cases continues to contribute to inaccuracies in the
business cases. Systemic problems with
the software programming contributed to the total costs being reported
inconsistently making it difficult to determine the projects’ true financial
status.
· Two major systems were not included in the IRS budget submission for Budget Year[4] 2007, and a business case should have been prepared for an additional system based on the expected costs of the system. Failure to provide business cases for all required systems detracts from the OMB’s ability to allocate information technology funding and from the IRS’ ability to adequately monitor and manage the costs and benefits of its major systems.
We believe senior IRS executives and Department of the Treasury and OMB officials still cannot rely on the data in these business cases to manage and fund the projects. Inaccurate information in business cases can distort viable alternative analysis and provide IRS executives with a false assessment of the actual progress and costs of their information technology projects.
Recommendations
To make the business cases more reliable and useful, we recommended the Chief Information Officer provide increased oversight to ensure Project Managers include complete and realistic cost estimates for their projects, coordinate with the Department of Treasury Capital Planning and Investment Control (CPIC) office to follow OMB guidance requiring allocation of all management and labor costs to specific projects, provide additional oversight of Project Managers to ensure sufficient care is taken in developing and reporting progress data, and ensure reviews are conducted to determine whether contractors’ cost and schedule procedures comply with industry standards. In addition, the Chief Information Officer should coordinate with the Department of the Treasury CPIC office to program the ProSight system so the total life-cycle costs are reported consistently and to implement access controls to ensure only authorized users have access to the system. The Chief Information Officer should ensure the Director, CPIC, reviews the IRS Federal Information Security Management Act Master Inventory of major systems annually to ensure business cases are prepared for required projects.
Response
IRS management agreed with all seven of our
recommendations. To increase oversight
and ensure that realistic costs are reported, the IRS CPIC office will prepare Exhibit 300
policies and provide guidance and training to project managers. The IRS CPIC office will collaborate with the
Department of the Treasury to develop policies for allocating management and
labor costs to specific projects so they reflect the true cost of the
investment, prepare Earned Value Management reporting policies, and provide
guidance and training to Project Managers and staff to ensure Earned Value
Management data are adequately prepared and disclosed. The IRS also created the Application
Development Program Management Office to provide increased oversight over project
cost and schedule information.
In addition, the IRS will work
with the Department of the Treasury to develop a plan requiring contractors to
perform self-assessments and furnish a certificate of compliance or a strategy to
achieve compliance so that Earned Value Management data meets industry standards. To ensure total life-cycle costs are reported
consistently in business cases, the IRS CPIC office will work with the
Department of the Treasury and request modifications to the ProSight system and
request that only users authorized by Project Managers have “write”
access to project data in the ProSight system. The IRS
CPIC office performed an ad hoc review of the IRS’ Federal Information Security
Management Act inventory to identify any major systems that are required to have business cases
prepared and will develop a process in its CPIC guide to address this
recommendation.
The Chief Information Officer did not concur with our
outcome measures reported in Appendix IV of the report and disagreed that the
IRS was putting millions of taxpayer
dollars at risk. The inconsistencies
reported were primarily due to the omission of historical data (sunk costs) in
the ProSight system and the IRS is meeting with the Department of the Treasury
to correct the programming issues.
Management’s complete response to the draft report is included as
Appendix VI.
Office of Audit
Comment
Our position is to
sustain the outcome measures. The outcome
measures claimed in the report are based on inaccurate, incomplete, and
inconsistent cost information found in the sampled business cases. Unreliable cost information reduces
the usefulness of the business cases and inhibits management’s ability to make
fully informed project finance decisions, potentially putting millions of
taxpayer dollars at risk. We agree that
correcting the ProSight system should improve the consistency of cost
information reported in the business cases.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Project Costs Remain
Inaccurate
Progress on
Development Projects Continues to Be Measured Inaccurately
Major Applications Were Omitted
From the Budget Submission
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
IV – Outcome Measures
Appendix
V – Glossary of Terms
Appendix
VI – Management’s Response to the Draft Report
Abbreviations
|
CADE |
Customer Account Data Engine |
|
CPIC |
Capital Planning and Investment Control |
|
|
Electronic Management System |
|
EVM |
Earned Value Management |
|
FISMA |
Federal Information Security Management
Act |
|
FMS |
Financial Management System |
|
ICCE |
Integrated Customer Communications Environment |
|
ICS |
Integrated Collection System |
|
IRS |
Internal Revenue Service |
|
MeF |
Modernized e-File |
|
OMB |
Office of Management and Budget |
|
SCRIPS |
|
The Federal Government invests over $60 billion in information technology annually. Motivated to improve information technology budget stewardship, Congress enacted legislation directing agencies to use better business practices to manage and report major information technology investments. The Clinger-Cohen Act of 1996[5] requires Federal Government agencies to improve the way they acquire and manage their information technology investments. Agencies are required to put their technology investment decisions in a true business context and analyze investments for their return on investment. The Office of Management and Budget (OMB) published Circular A-11, Preparation, Submission and Execution of the Budget, to assist Federal Government agencies in complying with the Clinger-Cohen Act. This guidance includes two key sections applicable to information technology capital planning. Section 300, Planning, Budgeting, Acquisition, and Management of Capital Assets, provides guidance on the preparation of business cases for information technology systems. Section 53, Information Technology and E-Government, provides guidance on the preparation of an agency’s entire Information Technology Investment Portfolio.
The
Internal Revenue Service (IRS) spends approximately $2 billion annually on
information technology investments. The
IRS uses business cases as the primary tool for capital planning and investment
control. These business cases provide a
standard format for reporting key details about the investment. The information contained in the business case
assists IRS management in evaluating an information technology investment’s
costs, benefits, and risks. The business
cases also provide support for the IRS’ strategic goals and objectives when
compared to other competing information technology requirements. The IRS Capital Planning and Investment
Control (CPIC) office[6] is
responsible for establishing the processes
that support business case preparation and review and maintaining information
technology investment process documentation.
In April 2005, we issued a report[7] that addressed whether the IRS planned, managed,
and controlled its information technology investments in compliance with OMB
and Clinger-Cohen Act requirements. We
reported the IRS procedures for preparing information technology business cases
had improved, but managers were not complying with these requirements. Specifically, project costs had not been
reported accurately in the business cases, relevant cost and benefit
information had been omitted, progress on development projects had been
measured inaccurately, sufficient information was not provided in the
alternatives analysis section, and business cases for operational projects did
not demonstrate the results of an E-Government review.[8] Due to
the number and significance of the conditions reported, we concluded that the
business cases could not be relied on to manage and fund the IRS’ information
technology projects.
We conducted this follow-up review to determine whether the IRS had taken corrective actions to address the weaknesses in the report and whether those actions were effective. For this review, we selected Budget Year[9] 2007 business cases for the following six major information technology investment projects. See Appendix V for detailed descriptions of these investment projects:
The CADE and MeF projects are
referred to as development projects, which are information technology systems
currently being designed and built. The
This review was performed at the
IRS CPIC office in New Carrollton, Maryland, during the period November 2005 through
September 2006. The audit was conducted
in accordance with Government Auditing
Standards. Detailed information on our audit objective,
scope and methodology is presented in Appendix I. Major contributors to the report are listed
in Appendix II.
The IRS took several corrective actions to address the weaknesses cited in our previous report; however, in this review, we identified many of the same significant weaknesses. Project costs remain inaccurate, progress on development projects continues to be measured inaccurately, the software used to prepare business cases contributes to the inaccuracies, and major applications were missing from the budget submission. As a result, we believe senior IRS executives and Department of the Treasury and OMB officials still cannot rely on the data in these business cases to manage and fund the information technology projects. Inaccurate information in business cases can distort viable analysis and provide IRS executives with a false assessment of the actual costs and progress of projects.
Project Costs Remain Inaccurate
Project costs remain inaccurate and could be improved with additional corrective actions and managerial oversight. Specifically, project cost forecasts were not substantiated, indirect management and labor overhead costs were not allocated to specific projects, and security costs were calculated inaccurately. Incomplete and inaccurate cost data inhibit management’s ability to make fully informed project finance decisions, potentially putting millions of taxpayer dollars at risk.
Project cost forecasts were unsubstantiated
Previously, we
identified multiple errors in forecasting project costs in IRS business cases. To correct this deficiency, the IRS
designated Project Managers as the individuals accountable for all data
contained in their business cases and provided training and guidance as
appropriate. While this was an important
step, we determined during our review that the business cases remained
inaccurate and project costs were not substantiated.
For the six projects we reviewed, the Project Managers relied on budget data from the IRS Financial Management System (FMS)[10] office as the source for forecasting project costs. The FMS office derived the costs from the previous year's budget, making adjustments for inflation and other budgetary changes. ****3(d)****
For example, ****3(d)**** relied on the budget figures received from the FMS office and reported $12.87 million for direct labor costs for Budget Year 2007. We determined the actual direct labor cost was approximately $26.59 million, an understatement of $13.72 million, because the costs of Product Assurance organization employees dedicated to testing the ****3(d)**** were not included.
****3(d)**** business case overstated project infrastructure costs by $755,000. The IRS was in the process of eliminating this infrastructure; however, the figure provided by the FMS office still included this cost for Budget Year 2007.
Project cost forecasts for steady state projects also were inaccurate. We estimated the data provided by the FMS office for Budget Year 2007 understated project costs an average of 25 percent for the 4 steady state projects we reviewed, assuming the same level of spending as in prior years. ****3(d)****
Management and labor
costs are still not being allocated to the information technology investments
In our
last review, we reported the IRS CPIC office did not allocate management and
overhead labor costs totaling $79.4 million to development projects. As a result, indirect management and overhead
labor costs for each information technology development project were
understated. To correct this
deficiency, the IRS designated Project Managers as the individuals accountable
for all data contained in their business cases and provided training and
guidance. However, the IRS did not
require the Project Managers to allocate management and overhead labor costs to
correct the Budget Year 2007 business cases.
OMB
Circular A-11 states Federal Government staffing costs shall include Government
indirect labor costs in support of an information technology investment. Indirect labor costs include the information
technology investment’s management staff and any other Federal Government
effort that contributes to the success of the information technology investment. Persons working on more than 1 information
technology investment, whose contributions exceed over 50 percent of their
time, should have their time allocated to each information technology
investment.
For
Budget Year 2007, the IRS reported $51 million for Business Systems
Modernization Management and $30 million for Information System Support from
business units. These costs are for oversight
of the Business
Systems Modernization program and staffing support from IRS business units. To comply with OMB guidance, the IRS should
have allocated these costs to the information technology investments in Budget
Year 2007. However, these labor costs were
not allocated to any of the information technology investments we reviewed.
This
is a repeat finding and we continue to disagree with this practice. The IRS justifies not allocating its Business Systems Modernization
Management and Information System Support labor costs because the OMB has
reviewed the IRS’ budget submission and has not raised this issue. Therefore, the IRS believes the OMB has tacitly
approved reporting these costs as separate line items and accepted the
reporting of them in this format. This
practice violates current OMB guidance and understates the IRS’ true cost for
each information technology investment.
Information technology project costs will continue to be understated
when all management and labor costs are not included in the business
cases. Over a period of several years,
the understatement for each project could be significant.
Security costs
continue to be reported inaccurately
We previously determined that three of the
four projects reviewed reported security costs inaccurately. The IRS designated Project Managers as the
individuals accountable for all data contained in their business cases. This corrective action was not effective as security
costs continue to be reported inaccurately in the business cases.
OMB Circular A-11 requires Project Managers
to report the cost of providing information technology security for their
projects. The calculation of security
costs includes two components:
1)
The amount representing corporate or
“network” security (e.g., a shared network-wide intrusion detection system).
2)
The projected security costs specific to the
project (e.g., the cost of certification and accreditation or security
training).
IRS network security costs were not allocated
to any of the six business cases. The
IRS claimed network security costs as a separate line item in the budget
submission to OMB instead of allocating them to the projects. Although total network security costs may have
been accurate, each project’s costs were understated. In addition, $104 million in security costs
attributed to the Mission Assurance and Security Services organization were not
allocated to any projects. The Mission
Assurance and Security Services organization provides many information
technology security services that support projects. For example, it assists IRS organizations in
certifying their systems, testing system security, and identifying and
correcting system security weaknesses.
Furthermore, four of the six projects (
Recommendations
To ensure project costs are reported
accurately, the Chief Information Officer should:
Recommendation 1: Provide increased oversight and training to ensure Project Managers include complete and realistic cost estimates for their projects and more closely review Project Managers’ business cases to ensure realistic cost estimates are provided and costs are substantiated. Particular attention should be paid to the allocation of management, labor, and security costs.
Management’s Response: The IRS agreed with our
recommendation. The IRS CPIC office will prepare Exhibit 300
policies and provide guidance and training to project managers and relevant
staff. In addition, the IRS created the
Application Development Program Management Office to provide additional
oversight and review of project information.
Recommendation 2: Coordinate with the Department of the Treasury CPIC office and follow OMB guidance requiring allocation of management and labor costs to specific projects.
Management’s Response: The IRS agreed with our
recommendation. The IRS CPIC office will collaborate with the
Department of the Treasury to develop policies for allocating management and
labor costs to specific projects so they reflect the true cost of the
investment. The IRS CPIC office will
provide guidance and training to reporting projects when the policy is
established.
Progress on
Development Projects Continues to Be Measured Inaccurately
In our last review, we identified multiple problems in measuring the progress of the two development project business cases reviewed. In addition, the IRS did not adequately review the business cases and data provided by the contractors. To correct these deficiencies, the Director, CPIC, created an additional table for progress calculations in the Budget Year 2007 business cases. However, the progress on development projects continues to be reported inaccurately. As a result, the usefulness and reliability of the business cases were diminished. ****3(d)****
Earned value continues to be reported
inaccurately in business cases
OMB Circular A-11 requires
Project Managers of development projects to report Earned Value Management
(EVM) data in their business cases. EVM can be defined as a
technique to estimate how a project is doing in terms of its budget and
schedule. It compares the actual work
that has been completed to the estimates made at the beginning of the project and should provide an early
warning system for determining whether an investment project is performing on
schedule and within budget. EVM data contain
information that management should use along with other project indicators to
manage a project.
The CADE and MeF projects
reported favorable EVM data in their business cases. For example, the CADE project reported that, as
of June 2005, the project had spent the precise amount estimated and had
completed almost the exact amount of work planned from the time the project was
initiated in January 1999. The MeF
project also reported near perfect performance in these areas. However, we believe the EVM data in the CADE
and MeF business cases did not provide an accurate assessment of the projects’
budget and schedule performance for two reasons.
First, actual costs used in EVM calculations
were understated. Actual costs incurred
prior to 2003 and selected other costs, such as hardware, software, and Federal
Government labor, were not included in EVM calculations. Examples of the understatements include:
·
The CADE project omitted $231 million (78 percent) of the total
costs of $296 million incurred as of June 2005.
·
The MeF
project, which began October 2000, omitted $83 million (54 percent) of the total costs of $154
million incurred as of June 2005.
Second, changes to the baselines
of estimated costs and completion dates undermine the usefulness of the EVM
data. The CADE and MeF projects have
frequently obtained approval from the OMB to change their estimated costs and
work completion dates. Actual costs are
then measured against the new estimates.
The originally approved OMB
baseline for the CADE project estimated it would be completed in June 2009 for
a cost of $327 million. Currently, the
OMB has approved a revised baseline estimate that the CADE project will be
completed by December 2012 for a cost of $1.802 billion. This is a nearly $1.5 billion increase and a
3-year overrun; however, the current EVM data show the project is on time and
within budget. The CADE project’s Budget
Year 2007 business case proposes an additional revised baseline to increase
total project cost to $1.829 billion, a $1.502 billion increase over the
original OMB baseline.
The originally approved OMB
baseline for the MeF project estimated it would be completed in September 2019
for a cost of $509 million. Currently,
the OMB has approved a revised baseline estimate that the MeF project will be
completed in September 2020 for a cost of $638 million, an increase of $129
million and a 1-year overrun. The MeF
project’s Budget Year 2007 business case proposes an additional revised
rebaseline to increase total project cost to $673 million, a $164 million
increase over the original OMB baseline.
In general, the IRS
will request a revised baseline every time the project budget changes. Consequently, very little variance is ever
reported between planned and actual costs.
Business cases do not disclose the percentage of costs for which
earned value is not calculated and the number of times a project has been
rebaselined. These disclosures would
help explain how the investment is able to achieve its high performance
standards. Without this disclosure, the
EVM data provided to IRS executives and the OMB will be of little value for
tracking progress and costs of information technology projects.
****3(d)****
We had previously found that Project Managers were not verifying whether contractors’ EVM systems were compliant with industry standards. For development projects, the OMB requires business cases to demonstrate the EVM system used by a contractor meets industry standards.[11] After our last review, the IRS designated Project Managers as the individuals accountable for all data contained in their business cases. This corrective action was not effective. ****3(d)****
For example, the IRS reported in the CADE business case that it had conducted reviews of the CADE project contractor’s project management system in 2003 and 2004 and determined the contractor had made progress toward institutionalizing EVM. However, we determined the IRS did not conduct a review in 2004, and there is no evidence to support that the contractor had made progress. The CADE project had planned to conduct a compliance review of the contractor’s project management system in 2004, but cancelled this work due to budget constraints. ****3(d)****
****3(d)**** We determined the IRS has not conducted annual reviews of the MeF project contractors’ project management systems and did not disclose this fact in its business case for the MeF project.
The
EVM data for the CADE and MeF projects provide IRS executives and OMB officials
little value for making management decisions to track the historical costs and
progress of these projects. Until all
costs are included and the project management systems used by contractors
comply with industry standards, the IRS and the OMB cannot rely on the business
case information.
Recommendations
To ensure EVM data are accurately computed and disclosed in IRS business cases, the Chief Information Officer should:
Recommendation
3: Provide
additional oversight of Project Managers to ensure sufficient care is taken in
developing and reporting EVM data. Each
Project Manager should disclose all significant facts related to the EVM data,
including the significant percentage of costs omitted from earned value
calculations and the number of times the project has been rebaselined. These disclosures would help explain how the
investment is able to achieve its high performance standards.
Management’s Response: The IRS agreed with our
recommendation. The IRS CPIC office will prepare EVM
reporting policies to encompass all aspects of this recommendation, and will
provide guidance and training to project managers and relevant staff. In addition, the Application Development Program
Management Office will provide increased oversight over EVM data.
Recommendation 4: Ensure reviews are conducted to determine whether contractors’ EVM systems comply with industry standards. Noncompliance and failure to conduct the reviews should be disclosed.
Management’s Response: The IRS agreed with our recommendation. The IRS will work with the Department of the Treasury to develop a plan requiring contractors to perform self-assessments and to furnish a Cognizant Federal Agency certificate of compliance or a strategy to achieve compliance. To ensure contractor compliance, the plan will include the approach for criteria, roles, and review cycle along with the approval, review, and certification process.
The Department of the Treasury’s Programming of the ProSight System
Continues to Contribute to Inaccuracies in Business Cases
We had previously identified a problem in the
Department of the Treasury’s ProSight system[12] that contributed to inaccuracies in the EVM
section of IRS business cases. While the
IRS had corrected the programming error in the ProSight system cited in our
previous report, additional systemic problems contributed to the IRS’
inconsistent reporting of the total investment costs for all six business cases
we reviewed. Total costs were reported
inconsistently throughout the business cases, which affected the reliability of
the business cases. In addition, a lack
of access control to the ProSight system allowed multiple users to make changes
to business cases. As a result, accountability
for the accuracy of data could not be established.
Total costs were reported inconsistently
throughout the business cases
IRS guidance for
preparing business cases states there should be no surprises or inconsistencies across the sections of the
business case. Inconsistencies create
confusion and hinder the readability throughout the business case.
The costs of all six
business cases we reviewed were reported inconsistently in different sections
of the same business case, which made it difficult to determine the accurate
cost of the investment. For example, the
Summary of Spending table[13] in the first part of the business case
reports the total cost of the CADE investment as $1.829 billion. The Alternatives Analysis table[14] reports the total cost as $1.569
billion. The difference of $260 million represents
the costs for Budget Year 2004 and prior years.
We found this inconsistency in each business case we reviewed, as
illustrated in Table 1.
Table 1: Total Cost of Investment As Reported in
Different Sections of the Business Case
|
|
Summary of Spending |
Alternatives Analysis |
Difference |
|
CADE |
$1.829 |
$1.569 |
$260 |
|
|
$175 |
$44 |
$131 |
|
ICCE |
$460 |
$198 |
$262 |
|
ICS |
$372 |
$51 |
$321 |
|
MeF |
$673 |
$555 |
$118 |
|
SCRIPS |
$142 |
$129 |
$13 |
Source: IRS Budget Year 2007 business cases.
The discrepancies
between the Summary of Spending and Alternatives Analysis cost tables are
directly attributable to how the Department of the Treasury CPIC office
programmed the ProSight system used to prepare the business cases. The ProSight system excluded the cost
data for Budget Year 2004 and prior years in the Alternatives Analysis tables. Therefore, the Summary of Spending tables
contained the projects’ full life-cycle costs, while the Alternatives Analysis
tables did not. A project’s full
life-cycle costs should be accounted for and consistent in both tables.
In addition, the Summary of Spending tables
and the Actual Performance tables[15]
inconsistently reported the actual
costs expended for the ICS and
A lack of control allowed multiple users to have
access to the ProSight system and make changes to business cases
All Department of the Treasury information systems are
required to implement system access controls that protect the information from
unauthorized modification, loss, or disclosure.
Access to information or
system resources must be limited to only authorized users, programs, processes,
or other systems.
For each of the 6 business cases in our sample, we found
that approximately 60 individuals were granted the ability to access and modify
the business case on the ProSight system without the approval or knowledge of
the Project Manager. Individuals with
access included officials in the IRS’ CPIC office, FMS office, IRS Contractors,
and the Department of the Treasury’s CPIC office. This
lack of control makes it difficult for the Project Manager to be responsible
for changes made to the business case.
It also increases risk of errors and decreases reliability of
information. The IRS’ CPIC office did
not effectively coordinate with the Department of the Treasury’s CPIC office to
ensure only those with a need to access the ProSight system were given the
permission to do so.
Recommendations
To correct the
ProSight system and improve business case controls, the Chief Information
Officer should:
Recommendation 5: Coordinate
with the Department of the Treasury CPIC office to program the ProSight system so
total life-cycle costs are reported consistently in the Summary of Spending and
Alternatives Analysis tables and actual project costs are reported consistently
in the Summary of Spending and Actual Performance tables. Project Managers should ensure the data are
reported consistently.
Management’s Response: The IRS agreed with our
recommendation. The IRS CPIC office will present this
recommendation to the Department of the Treasury CPIC office. It will request modifications to the ProSight
system so that total reported lifecycle and actual project costs are consistent
in the Summary of Spending and Alternative Analysis tables.
The Chief Information Officer did not concur with our
outcome measures reported in Appendix IV of the report and disagreed that the
IRS was putting millions of taxpayer
dollars at risk. The inconsistencies
reported were primarily due to the omission of historical data (sunk costs) in
the ProSight system and the IRS is meeting with the Department of the Treasury
to correct the programming issues.
Office
of Audit Comment: Our
position is to sustain the outcome measures.
The outcome measures claimed in the report are based on inaccurate,
incomplete, and inconsistent cost information found in the sampled business
cases. Unreliable cost information
reduces the usefulness of the business cases and inhibits management’s ability
to make fully informed project finance decisions, potentially putting millions
of taxpayer dollars at risk. We agree
that correcting the ProSight system should improve the consistency of cost
information reported in the business cases.
Recommendation 6: Coordinate with the Department of the Treasury CPIC office to implement system access controls to ensure only users authorized by Project Managers have access to project data in the ProSight system.
Management’s Response: The IRS agreed with our recommendation. The IRS CPIC office will present this recommendation to the Department of the Treasury CPIC office. It will request modifications to the ProSight system so only users authorized by Project Managers have “write” access to project data in the ProSight system.
Major
Applications Were Omitted From the Budget Submission
The OMB requires that all major applications
be included in an agency’s budget submissions.
The IRS CPIC office has issued guidance that requires business cases to be
prepared for any major information technology system with budgetary outlays of
over $5 million per year. We compared
the list of major systems the IRS uses for the Federal Information Security
Management Act (FISMA)[16] to the list of systems reported on the IRS
OMB budget submission for Budget Year 2007 to determine whether all systems
were reported and business cases had been prepared for the required
systems. We identified two major systems
(the Electronic Levy System and the Offshore Credit Card Project Application)
that were listed on the IRS FISMA Master Inventory list but not included on the
IRS OMB budget submission. In addition, a
business case had not been prepared for the Automated Collection System
although its projected annual costs exceeded $5 million. Failure to provide business cases for all
required systems detracts from the OMB’s ability to allocate information technology
funding and from the IRS’ ability to adequately monitor the costs and benefits
of its major systems. The IRS CPIC
office had not ensured business cases were prepared for all major systems.
The Department of the
Treasury recently issued guidance that requires bureaus to ensure all FISMA major systems are
covered by an investment that is reported in the CPIC inventory
submitted to the OMB for the Budget Year 2008 reporting cycle, starting in
September 2006. The IRS has started this process by completing
a comparison of FISMA and CPIC applications.
Recommendation
To ensure
information technology systems are reported consistently:
Recommendation 7: The Chief Information Officer should ensure the Director, CPIC, reviews the IRS FISMA Master Inventory of major systems annually to ensure business cases are prepared for required projects.
Management’s Response: The IRS agreed with our recommendation. The IRS CPIC office performed an ad hoc review of the IRS’ FISMA inventory for Fiscal Year 2007 to identify major systems. The office will develop a process for inclusion in the CPIC guide and will publish the process in the CPIC “Newsflash.”
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS took effective corrective actions to address the recommendations in our previous audit report.[17] Also, we evaluated whether the IRS is managing its information technology investments in compliance with OMB and Clinger-Cohen Act of 1996[18] requirements. To accomplish this objective, we:
I. Determined whether project costs were accurately reported in the business cases.
A. For the six projects selected for this audit,[19] reviewed the Project Managers’ performance plans to determine whether updates were made to the performance plans to hold Project Managers accountable for ensuring all sections of the business case are consistent, accurate, complete, and supported by documentation. From a total of 28 investments for which business cases were prepared in Budget Year 2007, we judgmentally selected 6 information technology investments with the highest costs according to the September 2005 IRS Budget Year 2007 Exhibit 53. These included two modernization and four operational investments. We used a judgmental sample because we did not plan to project our audit results.
B. Determined whether adequate training and guidance were provided to Project Managers to ensure the accuracy of business cases.
C. Reviewed the IRS Budget Year 2007 Exhibit 53 to determine whether management and overhead labor costs were separately reported.
D. Determined whether security costs were accurately reported in the six business cases reviewed.
E. Determined whether IRS direct labor costs were included in the total project costs in the Summary of Spending table, which is in the first part of the Exhibit 300.
F. Determined whether project-specific infrastructure (hardware and software) costs were included in each project’s business case.
G. Reviewed supporting documentation for key costs reported in the six business cases.
H. Determined whether work performed by contractors was reviewed by the IRS Project Managers before data and calculations were input to the business cases.
I. Determined whether the Enterprise Life Cycle directive signed on August 24, 2004, required a comprehensive evaluation and selection report, including costs, on all commercial off-the-shelf products that are considered for new IRS systems.
II. Determined whether progress on development projects was measured accurately.
A. Determined whether the IRS CPIC office provided training and guidance to Project Managers on how to complete the EVM section of business cases.
B. Reviewed supporting documentation for the key EVM calculations presented in each business case to determine whether the EVM calculations were accurate, up-to-date, and consistently reported throughout the business case. We also determined whether IRS Project Managers verified whether their contractors’ EVM systems were compliant with industry standards.
C. Determined whether the tables in the business cases were correct and consistent where appropriate.
D. Determined whether the IRS coordinated with the necessary parties to correct programming in the ProSight system that caused inaccuracies in the business cases. The ProSight system is used to report IRS and Treasury Department business cases.
III. Determined whether the four operational projects’ business cases demonstrated the results of an E-Government review.
IV. Determined whether the IRS made progress in preparing a business case for each major investment.
Appendix II
Major Contributors to This Report
Margaret
E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Kent Sagara, Acting Director
Thomas Polsfoot, Audit Manager
Jody
Kitazono, Lead Auditor
W.
Allen Gray, Senior Auditor
Bret
Hunter, Senior Auditor
Thomas
Nacinovich, Senior Auditor
Appendix III
Commissioner C
Office of the
Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer OS:CIO
Chief,
Associate Chief Information Officer, Applications Development OS:CIO:B
Director, Capital Planning and Investment Control OS:CIO:M:CP
Director, Financial Management Services OS:CIO:M:FM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative
Affairs CL:LA
Director,
Office of Program Evaluation and Risk Analysis
RAS:O
Office of
Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief Information Officer OS:CIO
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. These benefits will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
· Reliability of Information – Potential; $199.48 million (see page 3). Incomplete and inaccurate cost data inhibit management’s ability to make fully informed project finance decisions, potentially putting millions of taxpayer dollars at risk. Reliability of Information outcome measures are reported on an absolute basis; i.e., both overestimated and underestimated amounts are reported as positive amounts.
Methodology Used to Measure the Reported Benefit:
Understatement of ****3(d)**** labor $13.72 million
****3(d)**** overstated costs $755,000
Management and labor costs (not allocated to projects) $81.00 million
Security costs (not allocated to projects) $104.00 million
Total $199.48 million
Type and Value of Outcome Measure:
· Reliability of Information – Potential; $1.92 billion (see page 6). As a result, the usefulness and reliability of the business cases were diminished.
Methodology Used to Measure the Reported Benefit:
Inaccuracies:
CADE project (omitted from progress calculations) $231 million
MeF project (omitted from progress calculations) $83 million
Total $314 million
Baseline changes:
CADE project (increase from original estimate) $1.475 billion
MeF project (increase from original estimate) $129 million
Total $1.604 billion
Type and Value of Outcome Measure:
· Reliability of Information – Potential; $1.40 billion (see page 9). Total costs were reported inconsistently throughout the business cases, which affected the reliability of the business cases.
Methodology Used to Measure the Reported Benefit:
Spending and Alternatives Tables: Absolute of difference $1.105 billion
Spending and Actual Performance Tables:
a. ICS project difference $287 million
b.
Total $1.40 billion
Grand Total ($199.48 million plus $1.92 billion plus $1.40 billion) $3.52 billion
Appendix V
Automated Collection System
The Automated Collection System is a computerized inventory system which maintains balance due and nonfiler cases requiring telephone contact for resolution.
Budget Year
The Budget Year refers to a future fiscal year (October 1 – September 30) which is the subject of the budget planning process.
Customer Account Data Engine (CADE)
The CADE is the foundation for managing taxpayer accounts in the IRS’ Business Systems Modernization effort and will eventually replace the existing Master File databases, which are the IRS’ central and official repository of taxpayer information.
Electronic Levy System
The Electronic Levy System enables IRS tax examiners and clerks to review levies prior to printing and requires only levies with flagged errors to be reviewed. The system eliminates time and paper costs associated with a manual review and the retyping of erroneous levies
Electronic Management System (
The
The enterprise life cycle establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensure alignment with the overall business strategy.
Integrated Customer Communications Environment (ICCE)
The ICCE provides customer service applications through toll-free telephone
service and the Internet. The toll-free
telephone service provides automated self-service applications that allow
taxpayers to help themselves, as well as avenues to route taxpayers to live
customer service representatives. The
Internet component of the ICCE allows taxpayers to check refund status.
Integrated Collection System (ICS)
The ICS is an information
management system designed to improve revenue collections by providing revenue
officers access to the most current taxpayer information, while in the field,
using laptop computers for quicker case resolution and improved customer
service.
IRS Exhibit 300 Business Case Guide
The Capital Planning and Investment Control Office developed the
Exhibit 300 Business Case Guide to assist project team members in preparing
“budget quality” Exhibit 300s for submission to higher authority. The Guide addresses content requirements of
the business case and provides insight to program and project managers
regarding the quality of information required to obtain OMB budget approval.
Modernized e-File (MeF)
The MeF system
modernizes the IRS’ existing electronic filing system, providing an Internet-based
electronic filing application that taxpayers can use to file IRS forms.
Offshore Credit Card
Application
This application is
designed to analyze, display, and report information received from summons
issued to financial institutions, credit card companies, and third-party
processors of financial information which may identify individuals who are
illegally sheltering money offshore.
The SCRIPS is a data capture, management, and storage system that uses high-speed
scanning and digital imaging technology to process tax documents.
Appendix VI
Management’s Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] Business Cases for Information Technology Projects Need Improvement (Reference Number 2005-20-074, dated April 2005).
[2] Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).
[3] The E-Government Act of 2002 (Pub. L. No. 107-347) requires a comprehensive review and analysis to be performed on existing computer systems and information technology investments to identify strategies for smarter and more cost-effective methods of delivering performance.
[4] See Appendix V for a glossary of terms.
[5] Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).
[6] The CPIC office reports to the Associate Chief Information Officer, Management, Capital Planning and Investment Control.
[7] Business Cases for Information Technology Projects Need Improvement (Reference Number 2005-20-074, dated April 2005).
[8] The E-Government Act of 2002 (Pub. L. No. 107-347) requires a comprehensive review and analysis to be performed on existing computer systems and information technology investments to identify strategies for smarter and more cost-effective methods of delivering performance.
[9] See Appendix V for a glossary of terms.
[10] The FMS office is the budget office that reports to the Associate Chief Information Officer, Management, in the Chief Information Officer organization.
[11] The OMB
requires EVM systems to comply with the American National Standards
Institute/Electronic Industries
[12] The ProSight system is the Department of the Treasury software used by the IRS to prepare business cases.
[13] The Summary of Spending table provides an overview of the costs for planning, acquisition, maintenance, and labor for the previous, current, and budget fiscal years.
[14] The Alternatives Analysis table provides a summary of the comparison of viable alternative solutions that includes a general rationale and analysis of the monetary benefits for each alternative presented.
[15] The Actual Performance table compares OMB-approved cost and schedule goals with actual results.
[16] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[17] Business Cases for Information Technology Projects Need Improvement (Reference Number 2005-20-074, dated April 2005).
[18] Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).
[19] The
CADE,