TREASURY
INSPECTOR GENERAL FOR TAX ADMINISTRATION
November
6, 2007
Reference
Number: 2008-20-002
This
report has cleared the Treasury Inspector General for Tax Administration
disclosure review process and information determined to be restricted from public
release has been redacted from this document.
Phone Number |
202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site |
http://www.tigta.gov
November 6, 2007
MEMORANDUM FOR CHIEF INFORMATION OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Efforts to Update Aging Computer Hardware Are Underway, but Program Improvements Are Needed to Minimize Risks (Audit # 200620021)
This
report presents the results of our review to determine whether the Internal
Revenue Service (IRS) implemented effective controls to identify and replace
aging equipment components that could adversely affect its ability to meet its
mission if the equipment components were to fail. This review is part of the
Treasury Inspector General for Tax Administration’s Fiscal Year 2007 Annual
Audit Plan coverage under the major management challenge of Modernizing the
IRS.
Impact on the Taxpayer
The IRS estimates it should spend $180 million annually to adequately
maintain and replenish its computer hardware and has initiated several actions to address the risks
associated with the aging computer hardware. However, the
information used to estimate the size and effect of the aging computer hardware
could be improved. The IRS
established a goal to obtain increased resources to address the aging computer
hardware as one of its highest priorities, but permanent program funding
remains uncertain and a disciplined investment management governance process is
needed for all infrastructure initiatives/activities. As a result, the IRS may not fund the highest
priority projects to ensure investment decisions result in the most efficient
use of available resources on behalf of
taxpayers.
Synopsis
The IRS continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems. The IRS also reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life). At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.
Although
the IRS has initiated several actions to address the aging computer hardware
risks, the size and effect of the aging computer hardware issue is unknown and
the source(s) for a permanent increase in funding has not been identified.
The IRS
has initiated several actions to address the risks associated with the aging computer
hardware issue. On September 28,
2006, it hired a contractor to develop a Sustaining Infrastructure Program,
which is intended to provide a comprehensive approach to manage all
infrastructure requirements and establish a governance structure to prioritize
competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life
Equipment Replacement (Rust Replacement), and Security Infrastructure). The IRS is scheduled to complete implementation
of the Sustaining Infrastructure Program in Calendar Year 2008. As a result, the IRS identified as one of its
highest budget priorities the need to obtain
increased resources to reverse the erosion of its basic computer hardware. Also, the Financial Management
Services organization established a separate accounting code in
Fiscal Year 2007 to track
funds spent to replace aging computer hardware.
The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories. In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish its computer hardware. Our review of the information used to estimate the size and effect of the aging computer hardware issue determined the information could be improved. For example, the estimated cost to maintain and replenish the computer hardware needs to be updated, and reported information technology problems and reduced enforcement revenue could not be linked to aged computer hardware. Also, because the IRS considered the effect of the SASSER worm[1] to be related to aged hardware and software, unreliable information supporting the Fiscal Year 2007 budget request was reported to the Office of Management and Budget (see Appendix IV). While there is risk associated with the aging computer hardware, the data provided by the IRS should be improved to provide more complete and accurate management information related to the negative impact the aging infrastructure is having on tax administration. Therefore, management needs to improve its information systems and data collection methodology to help support the need for new equipment.
The IRS stated
it would augment the current
$45 million it was spending to address the aging computer hardware issue
by reallocating an
additional $45 million in each of Fiscal Years 2006 through 2008 from savings
achieved through program efficiencies. Our review of the
Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to
reallocate only $34 million instead of the reported $45 million. The
IRS did exceed its Fiscal Year 2006 target computer hardware budget, but this
was accomplished by identifying other one-time funding sources such as a labor
surplus. On June 18, 2007, IRS management advised us they
had permanently transferred $11 million from the Fiscal Year 2007 Modernization
and Information Technology Services (MITS) organization budget to the computer
hardware budget. In Fiscal Year
2007, the IRS used $45 million in user fees[2]
and enrolled agent fees[3]
to fund additional computer hardware needs.
Realigning user fees
to address computer hardware needs does not constitute a permanent increase in
computer hardware funding because user fee funds require annual reallocation.
The Infrastructure Executive
Steering Committee was established to ensure the successful
implementation and integration of modernization projects and related program
activities for the Infrastructure portfolio. Our review of the End of Life Equipment
Replacement activity determined the MITS organization has not included
expenditures from this activity as part of its investment governance process. MITS organization management advised us that
several actions have been taken to improve the discipline of the governance
process over infrastructure investments.
The Government Performance and Results Act of 1993[4] was enacted by Congress to hold agencies accountable for achieving business results by requiring agencies to adopt performance measures to assess performance. The MITS organization has measures for asset management, customer satisfaction, incident management, and the enterprise service desk. The contractor assisting the IRS in developing its Sustaining Infrastructure Program has been assigned the task of formalizing a performance measurement process for the overall Sustaining Infrastructure Program and the individual initiatives/activities. Management advised us that once the Sustaining Infrastructure Program is implemented the MITS organization will have a process in place to assess its efforts in addressing the aging computer hardware problem.
Recommendations
We recommended the Chief Information Officer (1) implement procedures to improve the accuracy and completeness of the inventory data and periodically prepare an updated aged computer hardware estimate, (2) improve the integration of asset/inventory management with incident and problem management so problems related to old computer hardware issues can be readily identified and the IRS can report a more accurate assessment of the negative impact of aging computer hardware, (3) permanently allocate the necessary funds within the MITS organization budget to maintain and replenish the aging computer hardware, (4) ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process, and (5) establish a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishment.
Response
IRS management agreed with four of the five recommendations
but did not agree with Recommendation 3. Management believes they cannot commit to
permanently allocating funds in future years without fully understanding tax
administration requirements and budget constraints. However, they agreed that sustaining the
information technology infrastructure is one of their highest priorities and
will realign the base budget whenever appropriate, subject to availability.
The IRS will identify and correct discrepancies in the
Information Technology Asset Management System data, implement processes to
improve and maintain the accuracy of the Information Technology Asset
Management System data and produce quarterly estimates of the aged computer
hardware and current estimates of the replacement costs, develop a
business case for using a software tool to improve integration of
asset/inventory management with incident and problem management, provide
oversight of the End of Life Equipment Replacement activity, and implement
outcome measures and a monitoring process to report on the IRS’ progress in
reducing its aged asset inventory. Management’s complete response to the draft
report is included as Appendix V.
Office of
Audit Comment
The Chief Information Officer disagreed
with our recommendation to permanently
allocate funds within the MITS organization’s budget to maintain and replenish
the aging computer hardware because the Chief Information Officer cannot commit
to permanently allocating funds in future years without fully understanding tax
administration requirements and budget constraints. We disagree and
believe the Chief Information Officer should honor the commitment made to the
IRS Oversight Board on May 23, 2006, that the IRS would augment the current $45
million being spent on infrastructure by reallocating an additional $45 million
from program efficiencies in Fiscal Years 2006 through 2008. In addition, the IRS reported in the Fiscal Year 2008 Congressional
Budget Submission it had
identified efficiencies in the Fiscal Year 2006 information technology budget
that permitted the permanent reallocation of $45 million to address the aging computer
hardware issue. However, our review of the Fiscal Year 2006
funds permanently reallocated to the computer hardware budget found the IRS was able to
permanently reallocate only $34 million instead of the reported $45
million.
In the IRS response to the draft report, management provided several comments that make incorrect inferences. The management comments and related Office of Audit Comments are provided in appropriate sections of the report.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Several Actions Have Been Taken to Address the Aging Computer Hardware
Issue
Information Used to Estimate the Size
and Effect of the Aging Computer Hardware Could Be Improved
Permanent Program Funding Remains
Uncertain
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix V
– Management’s Response to the Draft Report
Abbreviations
|
IRS |
Internal Revenue Service |
|
MITS |
Modernization
and Information Technology Services |
The Internal Revenue Service (IRS) continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems. At the same time, the IRS is faced with the challenge of keeping pace with the growing volume of electronic submissions, payments, and refund transactions, which will continue to place a greater demand on it to provide a modernized and secure information technology infrastructure (e.g., desktop computers, laptop computers, printers, servers, data storage, and communications equipment). The IRS reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life). With the amount of aged computer hardware increasing every year, the IRS Commissioner testified to Congress on March 29, 2007, that failing to replace the aged computer hardware will lead to increased maintenance costs and will increase the risk of disruption to business operations. The IRS estimates more than 50 percent of the laptop computers supporting Compliance organization employees are over-age and need replacement, which has resulted in increased downtime, reduced ability to communicate effectively, and delays in retrieving taxpayer data that are vital to daily compliance and enforcement activities.
The IRS estimates it needs to spend $180 million annually to adequately maintain and replenish its computer hardware.
The IRS identified as one of its highest budget priorities the need to obtain increased resources to reverse the erosion of its basic computer hardware. In December 2003, the IRS received a consultant’s analysis and findings from a comparison of the IRS information technology investments in hardware to private sector benchmark levels for equivalent financial services companies. The consultant’s report did not state a specific dollar amount the IRS should be investing in hardware, but IRS management advised us that the consultant stated the IRS’ investment in hardware was approximately $195 million below private sector benchmark levels. In 2005, the IRS validated the consultant’s estimate and calculated it should be spending $180 million annually to adequately maintain and replenish its computer hardware based on industry standards.
The IRS reported it was spending only about $45 million each year for this purpose and the gap in computer hardware replenishment spending had resulted in a significant amount of aged hardware that cannot adequately support its day-to-day business. To determine the amount of aged computer hardware and the cost to replace it, the IRS established a refresh cycle by equipment category (e.g., servers, routers, and desktop computers) based on industry standards and an estimated replacement cost. For example, it considers the useful life of a laptop computer to be 3 years with a replacement cost of $2,150. It estimated the amount of aged computer hardware at the beginning of Fiscal Year 2006 was $276 million based on the established equipment refresh cycles and associated replacement costs. Figure 1 provides a breakdown of the aged computer hardware by equipment category at the beginning of Fiscal Year 2006.
Figure 1: Backlog of Aged Computer Hardware at the Beginning of
Fiscal Year 2006
Figure 1 was removed due to its size.
To see Figure 1, please go to the Adobe PDF version of the report on the
TIGTA Public Web Page.
This review was performed in Modernization and Information Technology Services (MITS) organization offices at the IRS National Headquarters in New Carrollton, Maryland, during the period August 2006 through April 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Several Actions Have Been Taken to Address the Aging Computer Hardware Issue
The Internal Revenue Manual states the Chief Information Officer is responsible for managing information resources and technology and the IRS long-range objectives and strategies for improving tax administration through modernizing the tax administration system. The Chief Information Officer also has responsibility for strategic technology planning, data administration, technology standards, and the purchase of information technology products and services.
The IRS has initiated several actions to address the risks associated with the aging computer hardware issue. On September 28, 2006, it hired a contractor to develop a Sustaining Infrastructure Program, which is intended to provide a comprehensive approach to manage all infrastructure requirements and establish a governance structure to prioritize competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life Equipment Replacement (Rust Replacement), and Security Infrastructure). The IRS is scheduled to complete implementation of the Sustaining Infrastructure Program in Calendar Year 2008. Figure 2 contains a brief description of the different initiatives/activities.
Figure 2:
Infrastructure Initiatives/Activities
|
Initiative/Activity |
Description |
|
Infrastructure Roadmap |
This initiative is intended to identify infrastructure investment opportunities (including computer hardware) with potential for significant return on investment or savings, risk mitigation, service delivery improvements, security, and compliance and to better align information technology investments with business needs. |
|
End of Life Equipment Replacement (Rust Replacement) |
This activity is intended to fund the replacement of aging computer hardware components. |
|
Security Infrastructure |
This initiative is intended to fund projects to enhance the security of the information technology infrastructure. |
Source: The MITS organization.
To address the annual spending deficit for the aging computer hardware issue, the IRS planned to augment the current $45 million it was spending to sustain the hardware by reallocating an additional $45 million in each of Fiscal Years 2006 through 2008 from savings it achieved through program efficiencies. The additional funding would result in a total increase of $135 million by Fiscal Year 2008 to achieve the spending goal of $180 million each year to maintain and replenish the computer hardware. To address the backlog of aged hardware inventory, the IRS Fiscal Year 2008 Congressional Budget Submission requested an additional $60 million. The additional funds will also be requested in Fiscal Years 2009 through 2011, for a total of $240 million over a 4-year period.
The IRS’ commitment to improve the maintenance and replenishment of its computer hardware has been demonstrated by the reallocation and expenditure of $362.8 million from Fiscal Year 2005 through March 8, 2007. This expenditure amount represents an increase of 169 percent over the $135 million spent on aging computer hardware in the prior 3 fiscal years.
In addition, the Financial
Management Services organization established a separate accounting code in
Fiscal Year 2007 to track funds spent to replace aging computer hardware. While the
Financial Management Services organization had previously tracked the
expenditures by function (e.g., Enterprise Operations, Enterprise Networks),
the funds allocated to address the aging computer hardware issue were not
uniquely identified in the Integrated Financial System.[5]
Information Used to Estimate the Size and Effect of the
Aging Computer Hardware Could Be Improved
The Clinger-Cohen Act of 1996[6] requires each agency to ensure senior management is provided with timely, verifiable data as one of the elements in maximizing the value and assessing and managing the risk of information technology acquisitions. To have a successful information technology investment management process, the agency must ensure management decisions are based on complete and current information. In fact, informed management decisions can occur only if accurate, reliable, and up-to-date information is part of the decision-making process.
Figure 3 shows the IRS has reported it will need a total of
$850 million from Fiscal Year 2006 to Fiscal Year 2010 to replenish its aging
computer equipment and prevent a significant
risk to tax administration due to computer equipment
failure.
Figure 3:
Estimated Cumulative Replacement Cost
of the Aged Computer Equipment
Figure 3 was removed
due to its size. To see Figure 3, please
go to the Adobe PDF version of the report on the TIGTA Public Web Page.
The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories. In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish this hardware. At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.
The IRS hired a contractor
to review the inventory data
Due to continuing concerns about the aging computer equipment, the IRS hired a contractor to assist in developing a Sustaining Infrastructure Program to manage the prioritization of hardware and software upgrades and replacements. On November 29, 2006, the contractor delivered its initial inventory data assessment, including an assessment of the quality and validity of data contained in the Information Technology Asset Management System and other asset management tools and data sources. On December 15, 2006, the contractor delivered the results of its asset inventory review, including a comparison of the IRS asset inventory to industry best practices and the Government Accountability Office Information Technology Investment Management maturity model. The contractor also recommended process improvements. Specifically, the contractor reported:
· Workstation data in the Information Technology Asset Management System are largely accurate and complete; however, this System is not sufficiently accurate or complete for other information technology asset categories.
Therefore, the contractor concluded the MITS organization’s inventory tracking system does not provide the information required to support optimal inventory investment decisions. The contractor also reported that inefficiencies in the Information Technology Asset Management System affect the infrastructure investment process because estimates for infrastructure replacement cost may not be accurate and it will be difficult to determine funding requirements for implementation of infrastructure standards.
Our review of the Information Technology Asset Management System identified similar issues. For example, management provided us information showing that in Fiscal Year 2005 123 computer servers were purchased for $12.7 million (included $7.9 million for aged computer hardware), including 8 Sun Microsystems Inc. Sun Fire E25K servers. However, the December 2006 Information Technology Asset Management System reports listed only five of the servers.
Management recognizes the problems with the Information
Technology Asset Management System and advised that corrective actions have
been initiated. For example, the IRS is
implementing an automated device discovery tool to help identify information
technology assets that may not be in the Information Technology Asset
Management System and to facilitate the reconciliation of missing or inaccurate
data. This effort is also examining the
processes used to maintain the data in the System to identify and implement
improvements.
The IRS needs to improve
and update documentation supporting the aging computer hardware concerns
As part of our audit
work, we attempted to obtain documentation supporting various presentations to
the IRS Oversight Board[7] and the Office and Management and Budget that
showed the extent of infrastructure problems and their effects on
operations. We compared several sources
of information and found the following issues in the information reviewed.
Figure
4: Summary of Information Technology
Problems Reported to the IRS Help Desk
|
Category |
Number of Problem Tickets in Fiscal Year
2004 |
Number of Problem Tickets in Fiscal Year
2005 |
Percentage Increase (Decrease) |
Number of Problem Tickets in Fiscal Year
2006 |
Percentage Increase (Decrease) |
|
Get-It Problem Tickets – Used for requesting new information
technology products and services. |
|||||
|
Get-It – Subtotals |
105,039 |
99,494 |
(5.28%) |
82,813 |
(16.77%) |
|
Fix-It Tickets – Used for reporting problems with
existing hardware and software. |
|||||
|
Communications |
13,852 |
13,713 |
(1.00%) |
12,307 |
(10.25%) |
|
Customer
Request[8] |
525,457 |
618,448[9] |
17.70% |
612,790 |
(0.91%) |
|
Hardware |
115,652 |
124,347 |
7.52% |
141,709 |
13.96% |
|
Software |
203,669 |
219,839 |
7.94% |
241,315 |
9.77% |
|
Combined
Categories[10] |
148 |
315 |
112.84% |
595 |
88.89% |
|
Fix-It – Subtotals |
858,778 |
976,662 |
13.73% |
1,008,716 |
3.28% |
|
Totals |
963,817 (80,318
per month) |
1,076,156 (89,680
per month) |
11.66% |
1,091,529 (90,960
per month) |
1.43% |
Source:
The MITS organization.
Our review of a report summarizing the approximately 1
million information technology problems/requests reported in Fiscal Year 2005 confirmed the IRS has
experienced about a 12 percent increase in the number of problem tickets
submitted by employees. However, we also
determined 45 percent (438,274/976,662) of the Fix-It problem tickets were
categorized as Customer Requests (i.e., password or password management policy
subcategory requests) that do not appear to have been caused by the aged
infrastructure. Some of the other
problem ticket categories (including Communications – Data, Communications –
Voice, Hardware – Desktop, Hardware – Laptop, and Hardware – Printer) could be related
to the aging hardware, but the documentation on the problem tickets is not
sufficient to determine the cause of the problem. Although the number of reported information
technology problems is increasing, the MITS organization is unable to readily link
these problems to aging computer hardware.
>
In Fiscal Year 2004,
the IRS Collection program reported it lost more than 70 revenue officer full-time
equivalent[11] staff years due to computer downtime at a cost of roughly
$70 million in uncollected tax revenue.
Our review of the calculation of
the uncollected tax revenue determined the Collection function uses a specific
code in the employee timekeeping system to record computer downtime resulting
in an employee being unable to perform assigned duties. However, the time code does not indicate
whether the computer downtime was caused by aged computer equipment. Employees that do not use the specific time
code to report computer downtime are interviewed to determine the amount of
downtime. Therefore, the computer-related
downtime is an estimate, and no analysis was performed to determine whether it
was caused by aging computer equipment.
>
In
Calendar Year 2005, the Small Business/Self-Employed Division Examination
program reported it lost 37 revenue agent full-time equivalent staff years and
20 tax compliance officer full-time equivalent staff years due to computer
downtime, costing roughly $37 million in unassessed tax revenue.
Our review of the calculation
of the lost staff years determined the Examination program estimated the
computer downtime by talking to affected employees and using a general code in
the employee timekeeping system. However, the time
code is also used to record several other types of time (e.g., Combined Federal
Campaign, workload reviews). Therefore, the computer-related downtime in
this category is an estimate, and no analysis was performed to determine
whether it was caused by aging computer equipment.
>
In
Calendar Year 2004, the SASSER worm[12] attack on IRS computer systems cost more than $50 million
in uncollected or unassessed tax revenues because delayed upgrades from Windows NT software left
the IRS open to attacks by computer viruses. Management explained that, if the hardware had
been updated, the operating system software would have also been updated and
the IRS would not have been affected by the SASSER worm.
Our review of the May 2, 2004, SASSER worm attack determined the IRS had not applied a security patch that was available on April 14, 2004. The MITS organization was notified numerous times from April 14, 2004, through May 2, 2004, by both the Microsoft Corporation and the Mission Assurance and Security Services organization to apply the security patch; however, the security patch was not applied consistently to servers and was not applied to any workstations. Therefore, the problem was caused by a software security patch issue, not delayed upgrades of aging computer hardware or software, because the SASSER worm infected computers with various Windows operating systems including Windows 2000, Windows XP, and Windows 2003 server.
Because the IRS considered the effect of the SASSER worm
to be related to aged hardware and software, unreliable information supporting
the Fiscal Year 2007 budget request was reported to
the Office of Management and Budget (see Appendix IV).
As
a result, the IRS does not know the cost of replenishing the aged hardware
because the estimated cost is not timely updated. It also does not know the actual amount of uncollected or unassessed tax resulting from
the aging computer hardware because the information technology problem tickets
do not track the root cause of problems and uncollected and unassessed taxes
are based on estimates.
While there is risk associated with the aging computer hardware, the data provided by the IRS should be improved to provide more complete and accurate management information related to the negative impact the aging infrastructure is having on tax administration. Therefore, management needs to improve its information systems and data collection methodology to help support the need for new equipment.
Recommendations
Recommendation 1: The Chief Information Officer should implement procedures to improve the accuracy and completeness of the inventory data on the Information Technology Asset Management System and periodically prepare an updated aged computer hardware estimate, including current replacement cost, based upon reliable and current information.
Management’s Response: IRS management agreed with this recommendation. They will identify discrepancies in the Information Technology Asset Management System inventory data for correction by the appropriate asset owner and will develop processes to improve and maintain the accuracy of the data in the Information Technology Asset Management System. A process will be implemented to produce quarterly estimates based on Information Technology Asset Management System data along with current estimates of the replacement costs.
Recommendation 2: The Chief Information Officer should improve the integration of asset/inventory management with incident and problem management so problems related to old computer hardware issues can be readily identified and the IRS can report a more accurate assessment of the negative impact of aging computer hardware.
Management’s Response: IRS management agreed with this recommendation and will develop a business case for using a software tool to improve the integration of asset/inventory management with incident and problem management. The business case will be presented to the appropriate MITS Governance Board for investment consideration and prioritization.
Office of Audit Comment: In the IRS response to the draft report, management
provided several comments that make incorrect inferences. Our reasons for disagreeing with each of these comments are summarized below
and after other recommendations within the report.
·
The Chief Information
Officer commented that we did not accomplish the
Engagement Letter objective to assess the current aging infrastructure
environment because we did not independently validate the size or cost of the
aged computer hardware issue. The audit
report presents the results of our assessment of several areas of the aging
infrastructure environment, including the information used to estimate
the size and effect of the aging computer hardware, program funding, investment
management governance, and performance measures.
·
The Chief Information
Officer asserted that the IRS knows the size of the
aged information technology hardware problem and the audit team does not
provide a position on which part of the estimate is valid and/or invalid. The IRS provided us with a spreadsheet showing it needs to spend an estimated
$180 million annually to adequately maintain and replenish its computer
hardware. Our review of the spreadsheet determined
the information is not current. For example, we reported the IRS spent only 35
percent of its original estimate to eliminate the aged server hardware by the
beginning of Fiscal Year 2006 (see page 6).
The significance of the difference between the actual cost to replace
the servers and the estimate in the spreadsheet raises a question about the
accuracy of the estimates for the other asset categories. Therefore, the cost to maintain the
infrastructure may be significantly lower than the IRS estimate of $180 million
annually.
·
The Chief Information
Officer disagreed with any inference that the aged infrastructure is not
a significant cause of information technology-related problems. The report does not state the aged
infrastructure is not a problem; rather, it states the IRS could not quantify
the problem and inaccurate
information was reported externally.
·
Chief Information
Officer stated that the accuracy of the information related to the “root
cause” of the SASSER Worm is not an essential factor of the audit and is
therefore a peripheral issue. The IRS advised
the Office of Management and Budget that delayed software upgrades due to the
aged infrastructure issue cost more than $50 million in uncollected or
unassessed tax revenues. Our point was
that this information is not correct.
The problem was the IRS did not apply a security patch that has nothing
to do with the aged infrastructure issue.
Permanent Program Funding Remains Uncertain
Office of Management
and Budget Circular A-11, Preparation,
Submission, and Execution of the Budget, requires agencies to use long-range
planning and a disciplined, integrated budget process as the basis for managing
information technology investments to achieve performance goals with the lowest
costs and least risk. As part of its
long-range planning to address the aging computer hardware issue, on May
23, 2006, the IRS advised its Oversight Board that it would augment the current
$45 million it was spending by reallocating an additional $45 million achieved
through program efficiencies in each of Fiscal Years 2006 through 2008. The IRS reported in the Fiscal Year 2008 Congressional Budget
Submission it had
identified efficiencies in the Fiscal Year 2006 information technology budget
that permitted the permanent reallocation of $45 million to address the aging computer
hardware issue.
Our
review of the Fiscal Year 2006 funds permanently reallocated to the computer
hardware budget found the
IRS was able to permanently reallocate only $34 million instead of the reported
$45 million. The IRS did exceed its
Fiscal Year 2006 target computer hardware budget, but this was accomplished by
identifying other one-time funding sources such as a labor surplus. On June 18, 2007, IRS management advised us they
had permanently transferred $11 million of the Fiscal Year 2007 MITS organization
budget to the computer hardware budget.
Therefore, IRS management completed the first of its 3 permanent
reallocations of $45 million to the computer hardware budget.
In
Fiscal Year 2007 (the second of 3 planned permanent reallocations), the IRS is
using $45 million in user fees[13] and enrolled agent fees[14] to fund additional computer
hardware needs. Realigning user fees to
address computer hardware needs does not constitute a permanent increase in
base computer hardware funding because user fee funds require annual
reallocation. Therefore, the IRS will
not meet its goal of reinvesting an additional $45 million each year from
information technology efficiencies beginning in Fiscal Year 2006 to achieve
the annual spending amount of $180 million by Fiscal Year 2008 to maintain and
replenish the aging computer hardware.
Although the IRS considers
the need to obtain increased resources to reverse the erosion of its basic
computer hardware as one of its highest budget priorities and has requested an
additional $240 million from Congress over a 4-year period beginning in Fiscal
Year 2008, it has not permanently reallocated the
necessary funding into the MITS organization’s base budget for computer
hardware replacement to adequately maintain and replenish its hardware. The funds were not permanently reallocated to
increase computer hardware funding because they were used to absorb reductions
to the Fiscal Year 2007 budget. Until
funds are permanently reallocated to the computer hardware budget, the ability to adequately maintain and
replenish the old hardware will remain
uncertain, thereby increasing the risk of disruptions to operations and the
risk of potential uncollected or unassessed tax revenues.
Recommendation
Recommendation
3: The Chief
Information Officer should permanently allocate the necessary funds within the
MITS organization budget to maintain and replenish the aging computer hardware.
Management’s Response: IRS management disagreed with this recommendation because the Chief Information Officer cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints. However, the IRS agreed that sustaining the information technology infrastructure is one of its highest priorities; it will realign the base budget whenever appropriate, subject to availability.
Office of Audit Comment: We disagree and believe the Chief Information Officer should honor the commitment made to the IRS Oversight Board on May 23, 2006, that the IRS would augment the current $45 million being spent on infrastructure by reallocating an additional $45 million from program efficiencies achieved in each of Fiscal Years 2006 through 2008. In addition, the IRS reported in the Fiscal Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006 information technology budget that permitted the permanent reallocation of $45 million to address the aging computer hardware issue. However, our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to permanently reallocate only $34 million instead of the reported $45 million.
We also disagree with the Chief
Information Officer’s comment that we interpreted the IRS’ goal to realign the
MITS organization base budget as a requirement.
We consistently discuss the realignment of funds to the infrastructure
budget as a goal.
A Disciplined Investment Management Governance Process Is
Needed for All Infrastructure Initiatives/Activities
The Clinger-Cohen Act of 1996 requires
agencies to use a disciplined capital planning and investment control process
to maximize the value of information technology investments and manage the
acquisition risk. The capital planning and
investment control process is a decision-making process for ensuring
information technology investments integrate strategic planning, budgeting,
procurement, and management of information technology in support of the
agency’s mission and business needs. When evaluating information technology
investments, the agency should conduct the review from an enterprisewide
perspective to use information technology to drive strategic business change.
The IRS’ Capital Planning and Investment Control process for managing information technology projects includes an executive governance process for monitoring projects. The process includes the MITS Enterprise Governance Committee[15] and executive steering committees responsible for specific projects. Specifically, the Infrastructure Executive Steering Committee was established to ensure the successful implementation and integration of modernization projects and related program activities for the Infrastructure portfolio. Major projects with costs of more than $5 million each year or more than $50 million in total life cycle costs are to be governed by the executive governance process.
With all infrastructure initiatives/activities following the established executive governance process, the IRS can assure proper equipment expenditure prioritization and the most efficient use of available resources.
Our review of the End of Life Equipment Replacement activity
determined the MITS organization has not included expenditures from this
activity as part of its investment governance process. The Enterprise
Operations organization has 12 ongoing Rust Replacement projects; it received more
than $20 million in Fiscal Year 2005 and more than $39 million in Fiscal Year
2006 to replace aging computer hardware.
Therefore, the End of Life Equipment Replacement activity would qualify under the IRS information technology
investment control process as a major project warranting executive steering
committee governance.
Although the Infrastructure Executive Steering Committee is designated as the decision-making body responsible for successful implementation and integration of all infrastructure initiatives/activities, the End of Life Equipment Replacement activity does not report to the Infrastructure Executive Steering Committee for oversight and follows a formalized investment decision process when requesting funds for individual projects. For this activity, each MITS organization identifies its equipment needs and related projects and submits these funding needs to MITS organization executives for review, approval, prioritization, and funding. As a result, the ad hoc investment management process is particularly apparent at the end of a fiscal year when additional funds become available. The Enterprise Operations organization received its Fiscal Year 2006 funding for the End of Life Equipment Replacement activity at the end of Fiscal Year 2006. In addition, because the End of Life Equipment Replacement activity is not considered an information technology investment project, it is not reflected in the IRS Enterprise Transition Plan, which is a key IRS modernization document that facilitates a strategic investment decision-making process from an enterprisewide perspective.
Without a disciplined investment management decision-making and governance process that evaluates information technology investments from an enterprisewide perspective, the IRS may not assure the proper prioritization of projects to ensure investment decisions result in the most efficient use of available resources to address the aging computer hardware issue. The implementation of a disciplined investment management process will become even more critical by Fiscal Year 2008 when the IRS may have $240 million ($180 in the aged computer hardware budget and $60 million in additional budgeted funds) to spend on maintaining and replenishing the aged computer hardware.
MITS organization management advised us that several actions
have been taken to improve the discipline of the governance process over
infrastructure investments. For example,
an engineering review was conducted on the approved Fiscal Year 2007 funding
requests, which were then ranked and prioritized using a structured process and
scoring criteria and submitted to the MITS Enterprise Governance Committee for final review. In addition, the Infrastructure Executive Steering
Committee and the MITS
Enterprise Governance Committee will be responsible for future
governance of the Sustaining Infrastructure Program.
Recommendation
Recommendation 4: The Chief Information Officer should ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process.
Management’s Response: IRS management agreed with this recommendation and will implement a governance model that includes oversight from the Infrastructure Executive Steering Committee.
Office of Audit Comment: The Chief Information Officer disagreed that improvements in the 2007 investment process did not help the IRS successfully identify the highest priority infrastructure investments. The audit report did not suggest this. The report states the investment process could be further improved by ensuring the End of Life Equipment Replacement activity was reporting to an executive steering committee. Based on the amount of money being spent on the activity, the established MITS organization governance process for information technology investments should be followed to ensure all business units are involved in and aware of the prioritization. In addition, some of the improvements mentioned in the IRS response are discussed on page 15 of the report.
Performance Measures Are Needed to Assess the Success of Efforts to Address the Aging Computer Hardware Issue
The Government Performance and Results Act of 1993[16] was enacted by Congress to hold Federal Government agencies accountable for achieving business results by requiring agencies to adopt performance measures and set goals to assess performance. The Clinger-Cohen Act of 1996 specified that the agency Chief Information Officer is responsible for monitoring the performance of the agency’s information technology programs; evaluating the performance of those programs on the basis of applicable performance measures; and advising the agency head regarding whether to continue, modify, or terminate the program or project. To comply with the Clinger-Cohen Act of 1996 and Office of Management and Budget guidelines, each agency’s information technology investment planning process must include periodic evaluations of project performance as measured against predefined outcome goals to assess how well information technology investments improve the efficiency and effectiveness of the agency’s operations.
The MITS organization uses the
Business Process Management System for reporting measures on asset management,
customer satisfaction, incident management, and the enterprise service desk. The
contractor assisting the IRS in developing its Sustaining Infrastructure
Program has been assigned the task of formalizing a performance measurement
process for the overall Sustaining Infrastructure Program and the individual
initiatives/activities. The contractor has provided some preliminary
portfolio metrics, and the metrics will be refined and finalized at the time the
Implementation Plan is completed. The draft Implementation Plan was delivered to
the IRS in April 2007 and is currently under review.
Once these performance measures
are developed, the
IRS will be able to assess whether current efforts to address the aging computer hardware problem are meeting expectations and achieving anticipated business
results. Management advised us that
performance measures have not been established because the IRS is focusing its efforts on identifying
and addressing the highest priority aged computer hardware needs and has not
developed measures to assess its effectiveness.
Management also advised us that once the Sustaining Infrastructure
Program is implemented the MITS organization will have a process in place to
assess its efforts in addressing the aging computer hardware problem.
Recommendation
Recommendation 5: The Chief Information Officer should ensure a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishments is established for current and future efforts to address the aging computer hardware issue.
Management’s Response: IRS management agreed with this recommendation and will implement outcome measures and a monitoring process to report on the IRS’ progress in reducing its aged asset inventory.
Office of Audit Comment: The Chief Information Officer commented it is not accurate to infer that the IRS
has not developed such metrics; specifically, the IRS has developed measures
for asset management. We reported on page 16 of this report that the MITS organization
uses the Business Process Management System for reporting measures on asset
management, customer satisfaction, incident management, and the enterprise
service desk. The report clearly states the issue is that
performance measures are needed for the Sustaining Infrastructure Program and states
a contractor is in the process of developing the measures.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this audit was to determine whether the IRS implemented effective controls to identify and replace aging equipment components that could adversely affect its ability to meet its mission if the equipment components were to fail. To accomplish this objective, we:
I.
Assessed
the current aging infrastructure environment.
A. Reviewed the results of studies
establishing the current size
and expected growth of the aging infrastructure, actual and potential financial
effects from use of the outdated equipment (e.g., increased maintenance costs,
loss of revenue), and the estimated IRS funding necessary
to maintain and replace the aging infrastructure.
B.
Reviewed other presentations made
by the IRS to communicate the severity of the aging infrastructure problem and
its effect on expenditures and revenues.
C.
Identified the measures taken by
the IRS to validate the reported severity of the aging infrastructure problem and the estimated costs to replace outdated
equipment.
D. Reviewed documentation supporting key
elements of the aging infrastructure problem to justify funding the program (e.g.,
size of the aging inventory, loss of revenue, replacement costs).
E.
Obtained infrastructure aging reports from
the Information Technology Asset Management System to determine the information available to
assess the reported aging infrastructure inventory. We interviewed IRS management to determine
whether infrastructure aging information is entered into the Information
Technology Asset Management System. Also, we determined whether IRS management
uses the reports to monitor the aging infrastructure.
II.
Determined
the effectiveness of the infrastructure governance process.
A. Interviewed Enterprise Services organization and
Enterprise Operations organization personnel to determine the governance
structure and investment decision-making process for the sustaining
infrastructure program and individual initiatives.
B.
Reviewed documentation describing the
governance structure and investment decision-making process (e.g., project identification, prioritization, approval,
monitoring).
C.
Reviewed the meeting minutes of
the governance bodies (e.g., executive steering committees, investment review
boards) over the sustaining infrastructure program and individual initiatives.
III.
Determined the status of the sustaining infrastructure program and
individual initiatives.
A. Interviewed Enterprise Services organization and
Enterprise Operations organization personnel to discuss the aging
infrastructure problem and the status of the overall program and individual initiatives (e.g., Rust Replacement,
Infrastructure Roadmap) established to reduce the risks.
B.
Reviewed project documentation for the
sustaining infrastructure program, including the current project schedule, key
milestones, and planned completion dates.
C.
Reviewed status reports for the
sustaining infrastructure program and the individual initiatives.
D. Identified the performance
measures established to assess the effectiveness of the program and to support
program-level analysis and status reporting.
E.
Identified
the processes for gathering the data to accurately measure and report program
performance.
F.
Identified planned funding for the Sustaining
Infrastructure Program and individual initiatives for Fiscal Years 2005 through
2009, including actual expenditures through Fiscal Year 2006.
Data Validity and Reliability
We used computer-processed data to review the inventory and cost of the aged computer hardware, the information technology problem tickets, and the amount of funds spent on the aged computer hardware. The IRS hired a contractor to perform an asset inventory review, and the contractor concluded the MITS organization’s inventory tracking system does not provide the information required to support optimal inventory investment decisions. Based on interviews and our review of Information Technology Asset Management System data, we also concluded the information could be improved. Therefore, we used IRS-provided information during the audit and did not independently validate the size or cost of the aged computer hardware issue.
The IRS uses the reporting and tracking tool within the Information Technology Asset Management System to control its problem tickets and reported it had more than 1 million information technology problem ticket requests in Fiscal Year 2005. It provided us with a summary report of the problem tickets, by category, totaling more than 1 million tickets. An IRS employee advised us the problem ticket data are a unique and computer-generated assessment based upon specific and applied criteria and the data provided to us were validated for accuracy. We checked the reasonableness of the information in the summary report by comparing it to the number of tickets the IRS had previously reported. The data appeared to be reasonably accurate for the purposes of this audit, and we performed no additional data validity tests.
The IRS provided data from the Integrated Financial System[17] for Fiscal Years 2005 through 2007 regarding funding amounts for aged computer hardware. We relied on the Government Accountability Office’s assessment of the reliability of the computer-processed data from the Integrated Financial System. During a review of the IRS’ financial statements,[18] the Government Accountability Office concluded the expense and reimbursable revenue information processed through the Integrated Financial System for Fiscal Years 2005 and 2006 was reliable in all material respects.
Appendix II
Major Contributors to This Report
Margaret E. Begg,
Assistant Inspector General for Audit (Information Systems Programs)
Gary Hinkle, Director
Danny Verneuille,
Audit Manager
Van Warmke, Lead
Auditor
Glen Rhoades, Senior
Auditor
Beverly Tamanaha,
Senior Auditor
Tina Wong, Senior
Auditor
Charlene Elliston,
Auditor
Appendix III
Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer OS:CIO
Associate Chief Information Officer, End User Equipment and Services OS:CIO:EU
Associate Chief Information
Officer,
Associate Chief Information
Officer,
Associate Chief Information Officer, Management OS:CIO:M
Director, Stakeholder Management OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk
Analysis RAS:O
Office of Internal Control
OS:CFO:CPIC:IC
Audit Liaisons:
Deputy Commissioner for Operations Support OS
Director, Program Oversight Office OS:CIO:SM:
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
· Reliability of Information – Actual; $50 million incorrectly reported (see page 4).
Methodology Used to Measure the Reported Benefit:
In support of the Fiscal Year 2007 budget request, the IRS
reported in September 2005 to the Office of Management and Budget that (1) delayed upgrades from Windows NT software left it open to
attacks by computer viruses and (2) the 2004 SASSER worm[19] attack on its computer systems cost more than $50 million
in uncollected or unassessed tax revenues. Management
explained that, if the hardware had been updated, the operating system software
would have also been updated and the IRS would not have been affected by the
SASSER worm.
Our
review of the May 2, 2004, SASSER worm attack determined the IRS had not
applied a security patch that was available on April 14, 2004. The MITS organization was notified numerous
times from April 14, 2004, through May 2, 2004, by both the Microsoft
Corporation and the Mission Assurance and Security Services organization to
apply the patch; however, the patch was not applied consistently to servers and
was not applied to any workstations. Therefore,
the problem was caused by a software security patch issue, not delayed upgrades
of aging computer hardware or software, because the SASSER worm infected
computers with various Windows operating systems including Windows 2000,
Windows XP, and Windows 2003 server.
Appendix V
Management’s Response to the Draft Report
The
response was removed due to its size. To
see the response, please go to the Adobe PDF version of the report on the TIGTA
Public Web Page.
[1] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network. The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.
[2] User fees are charges individuals and businesses are required to pay for services such as installment agreements and photocopies.
[3] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS. Enrolled agents pay fees for a test (if applicable) and program enrollment.
[4] Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).
[5] The Integrated Financial System is intended to address administrative financial management weaknesses. The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities. A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.
[6] Federal Acquisition Reform Act of 1996 (Information Technology Management Reform Act of 1996), Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).
[7] The IRS Oversight Board is an independent body charged to provide the IRS with long-term guidance and direction.
[8] Subcategories include password, password policy, information, and other.
[9] The password and password policy subcategories totaled 438,274 problem tickets.
[10] The number of problem tickets includes several categories: Enterprise Service Desk Transfer, File Tracking, Inventory Discrepancy, and System Acceptability Testing Software Testing.
[11] A measure of labor hours in which 1 full-time equivalent is equal to 8 hours multiplied by the number of compensable days in a particular fiscal year. For Fiscal Year 2004, 1 full-time equivalent was equal to 2,096 staff hours.
[12] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network. The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.
[13] User fees are charges individuals and businesses are required to pay for services such as installment agreements and photocopies.
[14] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS. Enrolled agents pay fees for a test (if applicable) and program enrollment.
[15] The highest level recommending and decision-making body to oversee and enhance enterprise management of information systems and technology. It ensures strategic modernization and information technology program investments, goals, and activities are aligned with and support 1) the business needs across the enterprise and 2) the modernized vision of the IRS.
[16] Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).
[17] The Integrated Financial System is intended to address administrative financial management weaknesses. The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities. A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.
[18] Financial Audit: IRS’s Fiscal Years 2006 and 2005 Financial Statements (GAO-07-136, dated November 2006).
[19] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network. The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.