TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Efforts to Update Aging Computer Hardware Are Underway, but Program Improvements Are Needed to Minimize Risks

 

 

 

November 6, 2007

 

Reference Number:  2008-20-002

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

November 6, 2007

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Efforts to Update Aging Computer Hardware Are Underway, but Program Improvements Are Needed to Minimize Risks (Audit # 200620021)

 

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) implemented effective controls to identify and replace aging equipment components that could adversely affect its ability to meet its mission if the equipment components were to fail.  This review is part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2007 Annual Audit Plan coverage under the major management challenge of Modernizing the IRS.

Impact on the Taxpayer

The IRS estimates it should spend $180 million annually to adequately maintain and replenish its computer hardware and has initiated several actions to address the risks associated with the aging computer hardware.  However, the information used to estimate the size and effect of the aging computer hardware could be improved.  The IRS established a goal to obtain increased resources to address the aging computer hardware as one of its highest priorities, but permanent program funding remains uncertain and a disciplined investment management governance process is needed for all infrastructure initiatives/activities.  As a result, the IRS may not fund the highest priority projects to ensure investment decisions result in the most efficient use of available resources on behalf of taxpayers.

Synopsis

The IRS continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems.  The IRS also reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life).  At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.

Although the IRS has initiated several actions to address the aging computer hardware risks, the size and effect of the aging computer hardware issue is unknown and the source(s) for a permanent increase in funding has not been identified.

The IRS has initiated several actions to address the risks associated with the aging computer hardware issue.  On September 28, 2006, it hired a contractor to develop a Sustaining Infrastructure Program, which is intended to provide a comprehensive approach to manage all infrastructure requirements and establish a governance structure to prioritize competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life Equipment Replacement (Rust Replacement), and Security Infrastructure).  The IRS is scheduled to complete implementation of the Sustaining Infrastructure Program in Calendar Year 2008.  As a result, the IRS identified as one of its highest budget priorities the need to obtain increased resources to reverse the erosion of its basic computer hardware.  Also, the Financial Management Services organization established a separate accounting code in Fiscal Year 2007 to track funds spent to replace aging computer hardware.

The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories.  In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish its computer hardware.  Our review of the information used to estimate the size and effect of the aging computer hardware issue determined the information could be improved.  For example, the estimated cost to maintain and replenish the computer hardware needs to be updated, and reported information technology problems and reduced enforcement revenue could not be linked to aged computer hardware.  Also, because the IRS considered the effect of the SASSER worm[1] to be related to aged hardware and software, unreliable information supporting the Fiscal Year 2007 budget request was reported to the Office of Management and Budget (see Appendix IV).  While there is risk associated with the aging computer hardware, the data provided by the IRS should be improved to provide more complete and accurate management information related to the negative impact the aging infrastructure is having on tax administration.  Therefore, management needs to improve its information systems and data collection methodology to help support the need for new equipment.

The IRS stated it would augment the current $45 million it was spending to address the aging computer hardware issue by reallocating an additional $45 million in each of Fiscal Years 2006 through 2008 from savings achieved through program efficiencies.  Our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to reallocate only $34 million instead of the reported $45 million.  The IRS did exceed its Fiscal Year 2006 target computer hardware budget, but this was accomplished by identifying other one-time funding sources such as a labor surplus.  On June 18, 2007, IRS management advised us they had permanently transferred $11 million from the Fiscal Year 2007 Modernization and Information Technology Services (MITS) organization budget to the computer hardware budget.  In Fiscal Year 2007, the IRS used $45 million in user fees[2] and enrolled agent fees[3] to fund additional computer hardware needs.  Realigning user fees to address computer hardware needs does not constitute a permanent increase in computer hardware funding because user fee funds require annual reallocation.

The Infrastructure Executive Steering Committee was established to ensure the successful implementation and integration of modernization projects and related program activities for the Infrastructure portfolio.  Our review of the End of Life Equipment Replacement activity determined the MITS organization has not included expenditures from this activity as part of its investment governance process.  MITS organization management advised us that several actions have been taken to improve the discipline of the governance process over infrastructure investments.

The Government Performance and Results Act of 1993[4] was enacted by Congress to hold agencies accountable for achieving business results by requiring agencies to adopt performance measures to assess performance.  The MITS organization has measures for asset management, customer satisfaction, incident management, and the enterprise service desk.  The contractor assisting the IRS in developing its Sustaining Infrastructure Program has been assigned the task of formalizing a performance measurement process for the overall Sustaining Infrastructure Program and the individual initiatives/activities.  Management advised us that once the Sustaining Infrastructure Program is implemented the MITS organization will have a process in place to assess its efforts in addressing the aging computer hardware problem.

Recommendations

We recommended the Chief Information Officer (1) implement procedures to improve the accuracy and completeness of the inventory data and periodically prepare an updated aged computer hardware estimate, (2) improve the integration of asset/inventory management with incident and problem management so problems related to old computer hardware issues can be readily identified and the IRS can report a more accurate assessment of the negative impact of aging computer hardware, (3) permanently allocate the necessary funds within the MITS organization budget to maintain and replenish the aging computer hardware, (4) ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process, and (5) establish a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishment.

Response

IRS management agreed with four of the five recommendations but did not agree with Recommendation 3.  Management believes they cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints.  However, they agreed that sustaining the information technology infrastructure is one of their highest priorities and will realign the base budget whenever appropriate, subject to availability.

The IRS will identify and correct discrepancies in the Information Technology Asset Management System data, implement processes to improve and maintain the accuracy of the Information Technology Asset Management System data and produce quarterly estimates of the aged computer hardware and current estimates of the replacement costs, develop a business case for using a software tool to improve integration of asset/inventory management with incident and problem management, provide oversight of the End of Life Equipment Replacement activity, and implement outcome measures and a monitoring process to report on the IRS’ progress in reducing its aged asset inventory.  Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment 

The Chief Information Officer disagreed with our recommendation to permanently allocate funds within the MITS organization’s budget to maintain and replenish the aging computer hardware because the Chief Information Officer cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints.  We disagree and believe the Chief Information Officer should honor the commitment made to the IRS Oversight Board on May 23, 2006, that the IRS would augment the current $45 million being spent on infrastructure by reallocating an additional $45 million from program efficiencies in Fiscal Years 2006 through 2008.  In addition, the IRS reported in the Fiscal Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006 information technology budget that permitted the permanent reallocation of $45 million to address the aging computer hardware issue.  However, our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to permanently reallocate only $34 million instead of the reported $45 million. 

In the IRS response to the draft report, management provided several comments that make incorrect inferences.  The management comments and related Office of Audit Comments are provided in appropriate sections of the report.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 Table of Contents

 

Background

Results of Review

Several Actions Have Been Taken to Address the Aging Computer Hardware Issue

Information Used to Estimate the Size and Effect of the Aging Computer Hardware Could Be Improved

Recommendation 1:

Recommendation 2:

Permanent Program Funding Remains Uncertain

Recommendation 3:

A Disciplined Investment Management Governance Process Is Needed for All Infrastructure Initiatives/Activities

Recommendation 4:

Performance Measures Are Needed to Assess the Success of Efforts to Address the Aging Computer Hardware Issue

Recommendation 5:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Management’s Response to the Draft Report

 

 

Abbreviations

 

IRS

Internal Revenue Service

MITS

Modernization and Information Technology Services

 

 

Background

 

The Internal Revenue Service (IRS) continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems.  At the same time, the IRS is faced with the challenge of keeping pace with the growing volume of electronic submissions, payments, and refund transactions, which will continue to place a greater demand on it to provide a modernized and secure information technology infrastructure (e.g., desktop computers, laptop computers, printers, servers, data storage, and communications equipment).  The IRS reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life).  With the amount of aged computer hardware increasing every year, the IRS Commissioner testified to Congress on March 29, 2007, that failing to replace the aged computer hardware will lead to increased maintenance costs and will increase the risk of disruption to business operations.  The IRS estimates more than 50 percent of the laptop computers supporting Compliance organization employees are over-age and need replacement, which has resulted in increased downtime, reduced ability to communicate effectively, and delays in retrieving taxpayer data that are vital to daily compliance and enforcement activities.

The IRS estimates it needs to spend $180 million annually to adequately maintain and replenish its computer hardware.

The IRS identified as one of its highest budget priorities the need to obtain increased resources to reverse the erosion of its basic computer hardware.  In December 2003, the IRS received a consultant’s analysis and findings from a comparison of the IRS information technology investments in hardware to private sector benchmark levels for equivalent financial services companies.  The consultant’s report did not state a specific dollar amount the IRS should be investing in hardware, but IRS management advised us that the consultant stated the IRS’ investment in hardware was approximately $195 million below private sector benchmark levels.  In 2005, the IRS validated the consultant’s estimate and calculated it should be spending $180 million annually to adequately maintain and replenish its computer hardware based on industry standards.  

The IRS reported it was spending only about $45 million each year for this purpose and the gap in computer hardware replenishment spending had resulted in a significant amount of aged hardware that cannot adequately support its day-to-day business.  To determine the amount of aged computer hardware and the cost to replace it, the IRS established a refresh cycle by equipment category (e.g., servers, routers, and desktop computers) based on industry standards and an estimated replacement cost.  For example, it considers the useful life of a laptop computer to be 3 years with a replacement cost of $2,150.  It estimated the amount of aged computer hardware at the beginning of Fiscal Year 2006 was $276 million based on the established equipment refresh cycles and associated replacement costs.  Figure 1 provides a breakdown of the aged computer hardware by equipment category at the beginning of Fiscal Year 2006.

Figure 1:  Backlog of Aged Computer Hardware at the Beginning of Fiscal Year 2006

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

This review was performed in Modernization and Information Technology Services (MITS) organization offices at the IRS National Headquarters in New Carrollton, Maryland, during the period August 2006 through April 2007.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

Several Actions Have Been Taken to Address the Aging Computer Hardware Issue

The Internal Revenue Manual states the Chief Information Officer is responsible for managing information resources and technology and the IRS long-range objectives and strategies for improving tax administration through modernizing the tax administration system.  The Chief Information Officer also has responsibility for strategic technology planning, data administration, technology standards, and the purchase of information technology products and services.

The IRS has initiated several actions to address the risks associated with the aging computer hardware issue.  On September 28, 2006, it hired a contractor to develop a Sustaining Infrastructure Program, which is intended to provide a comprehensive approach to manage all infrastructure requirements and establish a governance structure to prioritize competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life Equipment Replacement (Rust Replacement), and Security Infrastructure).  The IRS is scheduled to complete implementation of the Sustaining Infrastructure Program in Calendar Year 2008.  Figure 2 contains a brief description of the different initiatives/activities.

Figure 2:  Infrastructure Initiatives/Activities

Initiative/Activity

Description

Infrastructure Roadmap

This initiative is intended to identify infrastructure investment opportunities (including computer hardware) with potential for significant return on investment or savings, risk mitigation, service delivery improvements, security, and compliance and to better align information technology investments with business needs.

End of Life Equipment Replacement (Rust Replacement)

This activity is intended to fund the replacement of aging computer hardware components.

Security Infrastructure

This initiative is intended to fund projects to enhance the security of the information technology infrastructure.

Source:  The MITS organization.

To address the annual spending deficit for the aging computer hardware issue, the IRS planned to augment the current $45 million it was spending to sustain the hardware by reallocating an additional $45 million in each of Fiscal Years 2006 through 2008 from savings it achieved through program efficiencies.  The additional funding would result in a total increase of $135 million by Fiscal Year 2008 to achieve the spending goal of $180 million each year to maintain and replenish the computer hardware.  To address the backlog of aged hardware inventory, the IRS Fiscal Year 2008 Congressional Budget Submission requested an additional $60 million.  The additional funds will also be requested in Fiscal Years 2009 through 2011, for a total of $240 million over a 4-year period.

The IRS’ commitment to improve the maintenance and replenishment of its computer hardware has been demonstrated by the reallocation and expenditure of $362.8 million from Fiscal Year 2005 through March 8, 2007.  This expenditure amount represents an increase of 169 percent over the $135 million spent on aging computer hardware in the prior 3 fiscal years.

In addition, the Financial Management Services organization established a separate accounting code in Fiscal Year 2007 to track funds spent to replace aging computer hardware.  While the Financial Management Services organization had previously tracked the expenditures by function (e.g., Enterprise Operations, Enterprise Networks), the funds allocated to address the aging computer hardware issue were not uniquely identified in the Integrated Financial System.[5]

Information Used to Estimate the Size and Effect of the Aging Computer Hardware Could Be Improved

The Clinger-Cohen Act of 1996[6] requires each agency to ensure senior management is provided with timely, verifiable data as one of the elements in maximizing the value and assessing and managing the risk of information technology acquisitions.  To have a successful information technology investment management process, the agency must ensure management decisions are based on complete and current information.  In fact, informed management decisions can occur only if accurate, reliable, and up-to-date information is part of the decision-making process.

Figure 3 shows the IRS has reported it will need a total of $850 million from Fiscal Year 2006 to Fiscal Year 2010 to replenish its aging computer equipment and prevent a significant risk to tax administration due to computer equipment failure.

Figure 3:  Estimated Cumulative Replacement Cost of the Aged Computer Equipment

Figure 3 was removed due to its size.  To see Figure 3, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories.  In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish this hardware.  At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.

The IRS hired a contractor to review the inventory data

Due to continuing concerns about the aging computer equipment, the IRS hired a contractor to assist in developing a Sustaining Infrastructure Program to manage the prioritization of hardware and software upgrades and replacements.  On November 29, 2006, the contractor delivered its initial inventory data assessment, including an assessment of the quality and validity of data contained in the Information Technology Asset Management System and other asset management tools and data sources.  On December 15, 2006, the contractor delivered the results of its asset inventory review, including a comparison of the IRS asset inventory to industry best practices and the Government Accountability Office Information Technology Investment Management maturity model.  The contractor also recommended process improvements.  Specifically, the contractor reported:

·         Workstation data in the Information Technology Asset Management System are largely accurate and complete; however, this System is not sufficiently accurate or complete for other information technology asset categories.

  • Make and model information appears to be accurate but is not sufficient to determine replacement cost.
  • The inventory tracking system does not contain the asset owner, location of the asset, and configuration management information needed to support investment decisions.

Therefore, the contractor concluded the MITS organization’s inventory tracking system does not provide the information required to support optimal inventory investment decisions.  The contractor also reported that inefficiencies in the Information Technology Asset Management System affect the infrastructure investment process because estimates for infrastructure replacement cost may not be accurate and it will be difficult to determine funding requirements for implementation of infrastructure standards.

Our review of the Information Technology Asset Management System identified similar issues.  For example, management provided us information showing that in Fiscal Year 2005 123 computer servers were purchased for $12.7 million (included $7.9 million for aged computer hardware), including 8 Sun Microsystems Inc. Sun Fire E25K servers.  However, the December 2006 Information Technology Asset Management System reports listed only five of the servers.

Management recognizes the problems with the Information Technology Asset Management System and advised that corrective actions have been initiated.  For example, the IRS is implementing an automated device discovery tool to help identify information technology assets that may not be in the Information Technology Asset Management System and to facilitate the reconciliation of missing or inaccurate data.  This effort is also examining the processes used to maintain the data in the System to identify and implement improvements.

The IRS needs to improve and update documentation supporting the aging computer hardware concerns

As part of our audit work, we attempted to obtain documentation supporting various presentations to the IRS Oversight Board[7] and the Office and Management and Budget that showed the extent of infrastructure problems and their effects on operations.  We compared several sources of information and found the following issues in the information reviewed.

  • Management provided us with a spreadsheet showing the IRS needs to spend an estimated $180 million annually to adequately maintain and replenish its computer hardware.  However, management was unable to provide documentation supporting the replacement costs.  Our review of the spreadsheet information indicates the estimated cost to maintain and replenish the computer hardware needs to be updated.  For example, the spreadsheet shows the Enterprise Operations organization had 64 servers over 5 years old with a replacement cost of $22.4 million.  However, another spreadsheet provided by management indicates that 123 servers were purchased in Fiscal Year 2005 for $12.7 million (included $7.9 million for aged computer hardware) resulting in no backlog of aged servers at the beginning of Fiscal Year 2006.  Therefore, the IRS spent only 35 percent ($7.9 million/$22.4 million) of the original estimate to eliminate the aged server hardware by the beginning of Fiscal Year 2006.  Reliance on the Fiscal Year 2005 information could result in erroneous conclusions about the aged computer hardware issue.
  • During a Fiscal Year 2007 budget briefing for its Oversight Board, the IRS stated the aging computer hardware issue is placing an increased burden on business operations.  It stated that overall information technology problems reported to the IRS help desk increased 12 percent between Fiscal Years 2004 and 2005 (from 80,000 per month to 90,000 per month).  Figure 4 provides a summary of the information technology problems reported to the IRS help desk.

Figure 4:  Summary of Information Technology Problems Reported to the IRS Help Desk

Category

Number of Problem Tickets in Fiscal Year 2004

Number of Problem Tickets in Fiscal Year 2005

Percentage Increase (Decrease)

Number of Problem Tickets in Fiscal Year 2006

Percentage Increase (Decrease)

Get-It Problem Tickets – Used for requesting new information technology products and services.

Get-It – Subtotals

105,039

99,494

(5.28%)

82,813

(16.77%)

Fix-It Tickets – Used for reporting problems with existing hardware and software.

Communications

13,852

13,713

(1.00%)

12,307

(10.25%)

Customer Request[8]

525,457

618,448[9]

17.70%

612,790

(0.91%)

Hardware

115,652

124,347

7.52%

141,709

13.96%

Software

203,669

219,839

7.94%

241,315

9.77%

Combined Categories[10]

148

315

112.84%

595

88.89%

Fix-It – Subtotals

858,778

976,662

13.73%

1,008,716

3.28%

Totals

963,817

(80,318 per month)

1,076,156

(89,680 per month)

11.66%

1,091,529

(90,960 per month)

1.43%

Source:  The MITS organization.

Our review of a report summarizing the approximately 1 million information technology problems/requests reported in Fiscal Year 2005 confirmed the IRS has experienced about a 12 percent increase in the number of problem tickets submitted by employees.  However, we also determined 45 percent (438,274/976,662) of the Fix-It problem tickets were categorized as Customer Requests (i.e., password or password management policy subcategory requests) that do not appear to have been caused by the aged infrastructure.  Some of the other problem ticket categories (including Communications – Data, Communications – Voice, Hardware – Desktop, Hardware – Laptop, and Hardware – Printer) could be related to the aging hardware, but the documentation on the problem tickets is not sufficient to determine the cause of the problem.  Although the number of reported information technology problems is increasing, the MITS organization is unable to readily link these problems to aging computer hardware.

  • Finally, in September 2005 in support of the Fiscal Year 2007 budget request, the IRS budget presentation included a page entitled Outdated and Vulnerable Information Technology Infrastructure Has a Negative Impact on Enforcement Revenue that reported the following items to the Office of Management and Budget:

>        In Fiscal Year 2004, the IRS Collection program reported it lost more than 70 revenue officer full-time equivalent[11] staff years due to computer downtime at a cost of roughly $70 million in uncollected tax revenue.

Our review of the calculation of the uncollected tax revenue determined the Collection function uses a specific code in the employee timekeeping system to record computer downtime resulting in an employee being unable to perform assigned duties.  However, the time code does not indicate whether the computer downtime was caused by aged computer equipment.  Employees that do not use the specific time code to report computer downtime are interviewed to determine the amount of downtime.  Therefore, the computer-related downtime is an estimate, and no analysis was performed to determine whether it was caused by aging computer equipment.

>        In Calendar Year 2005, the Small Business/Self-Employed Division Examination program reported it lost 37 revenue agent full-time equivalent staff years and 20 tax compliance officer full-time equivalent staff years due to computer downtime, costing roughly $37 million in unassessed tax revenue.

Our review of the calculation of the lost staff years determined the Examination program estimated the computer downtime by talking to affected employees and using a general code in the employee timekeeping system.  However, the time code is also used to record several other types of time (e.g., Combined Federal Campaign, workload reviews).  Therefore, the computer-related downtime in this category is an estimate, and no analysis was performed to determine whether it was caused by aging computer equipment.

>        In Calendar Year 2004, the SASSER worm[12] attack on IRS computer systems cost more than $50 million in uncollected or unassessed tax revenues because delayed upgrades from Windows NT software left the IRS open to attacks by computer viruses.  Management explained that, if the hardware had been updated, the operating system software would have also been updated and the IRS would not have been affected by the SASSER worm.

Our review of the May 2, 2004, SASSER worm attack determined the IRS had not applied a security patch that was available on April 14, 2004.  The MITS organization was notified numerous times from April 14, 2004, through May 2, 2004, by both the Microsoft Corporation and the Mission Assurance and Security Services organization to apply the security patch; however, the security patch was not applied consistently to servers and was not applied to any workstations.  Therefore, the problem was caused by a software security patch issue, not delayed upgrades of aging computer hardware or software, because the SASSER worm infected computers with various Windows operating systems including Windows 2000, Windows XP, and Windows 2003 server.

Because the IRS considered the effect of the SASSER worm to be related to aged hardware and software, unreliable information supporting the Fiscal Year 2007 budget request was reported to the Office of Management and Budget (see Appendix IV).

As a result, the IRS does not know the cost of replenishing the aged hardware because the estimated cost is not timely updated.  It also does not know the actual amount of uncollected or unassessed tax resulting from the aging computer hardware because the information technology problem tickets do not track the root cause of problems and uncollected and unassessed taxes are based on estimates.

While there is risk associated with the aging computer hardware, the data provided by the IRS should be improved to provide more complete and accurate management information related to the negative impact the aging infrastructure is having on tax administration.  Therefore, management needs to improve its information systems and data collection methodology to help support the need for new equipment.

Recommendations

Recommendation 1:  The Chief Information Officer should implement procedures to improve the accuracy and completeness of the inventory data on the Information Technology Asset Management System and periodically prepare an updated aged computer hardware estimate, including current replacement cost, based upon reliable and current information.

Management’s Response:  IRS management agreed with this recommendation.  They will identify discrepancies in the Information Technology Asset Management System inventory data for correction by the appropriate asset owner and will develop processes to improve and maintain the accuracy of the data in the Information Technology Asset Management System.  A process will be implemented to produce quarterly estimates based on Information Technology Asset Management System data along with current estimates of the replacement costs.

Recommendation 2:  The Chief Information Officer should improve the integration of asset/inventory management with incident and problem management so problems related to old computer hardware issues can be readily identified and the IRS can report a more accurate assessment of the negative impact of aging computer hardware.

Management’s Response:  IRS management agreed with this recommendation and will develop a business case for using a software tool to improve the integration of asset/inventory management with incident and problem management.  The business case will be presented to the appropriate MITS Governance Board for investment consideration and prioritization.

Office of Audit Comment:  In the IRS response to the draft report, management provided several comments that make incorrect inferences.  Our reasons for disagreeing with each of these comments are summarized below and after other recommendations within the report.

·         The Chief Information Officer commented that we did not accomplish the Engagement Letter objective to assess the current aging infrastructure environment because we did not independently validate the size or cost of the aged computer hardware issue.  The audit report presents the results of our assessment of several areas of the aging infrastructure environment, including the information used to estimate the size and effect of the aging computer hardware, program funding, investment management governance, and performance measures. 

·         The Chief Information Officer asserted that the IRS knows the size of the aged information technology hardware problem and the audit team does not provide a position on which part of the estimate is valid and/or invalid.  The IRS provided us with a spreadsheet showing it needs to spend an estimated $180 million annually to adequately maintain and replenish its computer hardware.  Our review of the spreadsheet determined the information is not current.  For example, we reported the IRS spent only 35 percent of its original estimate to eliminate the aged server hardware by the beginning of Fiscal Year 2006 (see page 6).  The significance of the difference between the actual cost to replace the servers and the estimate in the spreadsheet raises a question about the accuracy of the estimates for the other asset categories.  Therefore, the cost to maintain the infrastructure may be significantly lower than the IRS estimate of $180 million annually.

·         The Chief Information Officer disagreed with any inference that the aged infrastructure is not a significant cause of information technology-related problems.  The report does not state the aged infrastructure is not a problem; rather, it states the IRS could not quantify the problem and inaccurate information was reported externally.  

·         Chief Information Officer stated that the accuracy of the information related to the “root cause” of the SASSER Worm is not an essential factor of the audit and is therefore a peripheral issue.  The IRS advised the Office of Management and Budget that delayed software upgrades due to the aged infrastructure issue cost more than $50 million in uncollected or unassessed tax revenues.  Our point was that this information is not correct.  The problem was the IRS did not apply a security patch that has nothing to do with the aged infrastructure issue.

Permanent Program Funding Remains Uncertain

Office of Management and Budget Circular A-11, Preparation, Submission, and Execution of the Budget, requires agencies to use long-range planning and a disciplined, integrated budget process as the basis for managing information technology investments to achieve performance goals with the lowest costs and least risk.  As part of its long-range planning to address the aging computer hardware issue, on May 23, 2006, the IRS advised its Oversight Board that it would augment the current $45 million it was spending by reallocating an additional $45 million achieved through program efficiencies in each of Fiscal Years 2006 through 2008.  The IRS reported in the Fiscal Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006 information technology budget that permitted the permanent reallocation of $45 million to address the aging computer hardware issue.

Our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to permanently reallocate only $34 million instead of the reported $45 million.  The IRS did exceed its Fiscal Year 2006 target computer hardware budget, but this was accomplished by identifying other one-time funding sources such as a labor surplus.  On June 18, 2007, IRS management advised us they had permanently transferred $11 million of the Fiscal Year 2007 MITS organization budget to the computer hardware budget.  Therefore, IRS management completed the first of its 3 permanent reallocations of $45 million to the computer hardware budget.

In Fiscal Year 2007 (the second of 3 planned permanent reallocations), the IRS is using $45 million in user fees[13] and enrolled agent fees[14] to fund additional computer hardware needs.  Realigning user fees to address computer hardware needs does not constitute a permanent increase in base computer hardware funding because user fee funds require annual reallocation.  Therefore, the IRS will not meet its goal of reinvesting an additional $45 million each year from information technology efficiencies beginning in Fiscal Year 2006 to achieve the annual spending amount of $180 million by Fiscal Year 2008 to maintain and replenish the aging computer hardware.

Although the IRS considers the need to obtain increased resources to reverse the erosion of its basic computer hardware as one of its highest budget priorities and has requested an additional $240 million from Congress over a 4-year period beginning in Fiscal Year 2008, it has not permanently reallocated the necessary funding into the MITS organization’s base budget for computer hardware replacement to adequately maintain and replenish its hardware.  The funds were not permanently reallocated to increase computer hardware funding because they were used to absorb reductions to the Fiscal Year 2007 budget.  Until funds are permanently reallocated to the computer hardware budget, the ability to adequately maintain and replenish the old hardware will remain uncertain, thereby increasing the risk of disruptions to operations and the risk of potential uncollected or unassessed tax revenues.

Recommendation

Recommendation 3:  The Chief Information Officer should permanently allocate the necessary funds within the MITS organization budget to maintain and replenish the aging computer hardware.

Management’s Response:  IRS management disagreed with this recommendation because the Chief Information Officer cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints.  However, the IRS agreed that sustaining the information technology infrastructure is one of its highest priorities; it will realign the base budget whenever appropriate, subject to availability.

Office of Audit Comment:  We disagree and believe the Chief Information Officer should honor the commitment made to the IRS Oversight Board on May 23, 2006, that the IRS would augment the current $45 million being spent on infrastructure by reallocating an additional $45 million from program efficiencies achieved in each of Fiscal Years 2006 through 2008.  In addition, the IRS reported in the Fiscal Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006 information technology budget that permitted the permanent reallocation of $45 million to address the aging computer hardware issue.  However, our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to permanently reallocate only $34 million instead of the reported $45 million. 

We also disagree with the Chief Information Officer’s comment that we interpreted the IRS’ goal to realign the MITS organization base budget as a requirement.  We consistently discuss the realignment of funds to the infrastructure budget as a goal.

A Disciplined Investment Management Governance Process Is Needed for All Infrastructure Initiatives/Activities

The Clinger-Cohen Act of 1996 requires agencies to use a disciplined capital planning and investment control process to maximize the value of information technology investments and manage the acquisition risk.  The capital planning and investment control process is a decision-making process for ensuring information technology investments integrate strategic planning, budgeting, procurement, and management of information technology in support of the agency’s mission and business needs.  When evaluating information technology investments, the agency should conduct the review from an enterprisewide perspective to use information technology to drive strategic business change.

The IRS’ Capital Planning and Investment Control process for managing information technology projects includes an executive governance process for monitoring projects.  The process includes the MITS Enterprise Governance Committee[15] and executive steering committees responsible for specific projects.  Specifically, the Infrastructure Executive Steering Committee was established to ensure the successful implementation and integration of modernization projects and related program activities for the Infrastructure portfolio.  Major projects with costs of more than $5 million each year or more than $50 million in total life cycle costs are to be governed by the executive governance process.

With all infrastructure initiatives/activities following the established executive governance process, the IRS can assure proper equipment expenditure prioritization and the most efficient use of available resources.

Our review of the End of Life Equipment Replacement activity determined the MITS organization has not included expenditures from this activity as part of its investment governance process.  The Enterprise Operations organization has 12 ongoing Rust Replacement projects; it received more than $20 million in Fiscal Year 2005 and more than $39 million in Fiscal Year 2006 to replace aging computer hardware.  Therefore, the End of Life Equipment Replacement activity would qualify under the IRS information technology investment control process as a major project warranting executive steering committee governance.

Although the Infrastructure Executive Steering Committee is designated as the decision-making body responsible for successful implementation and integration of all infrastructure initiatives/activities, the End of Life Equipment Replacement activity does not report to the Infrastructure Executive Steering Committee for oversight and follows a formalized investment decision process when requesting funds for individual projects.  For this activity, each MITS organization identifies its equipment needs and related projects and submits these funding needs to MITS organization executives for review, approval, prioritization, and funding.  As a result, the ad hoc investment management process is particularly apparent at the end of a fiscal year when additional funds become available.  The Enterprise Operations organization received its Fiscal Year 2006 funding for the End of Life Equipment Replacement activity at the end of Fiscal Year 2006.  In addition, because the End of Life Equipment Replacement activity is not considered an information technology investment project, it is not reflected in the IRS Enterprise Transition Plan, which is a key IRS modernization document that facilitates a strategic investment decision-making process from an enterprisewide perspective.

Without a disciplined investment management decision-making and governance process that evaluates information technology investments from an enterprisewide perspective, the IRS may not assure the proper prioritization of projects to ensure investment decisions result in the most efficient use of available resources to address the aging computer hardware issue.  The implementation of a disciplined investment management process will become even more critical by Fiscal Year 2008 when the IRS may have $240 million ($180 in the aged computer hardware budget and $60 million in additional budgeted funds) to spend on maintaining and replenishing the aged computer hardware.

MITS organization management advised us that several actions have been taken to improve the discipline of the governance process over infrastructure investments.  For example, an engineering review was conducted on the approved Fiscal Year 2007 funding requests, which were then ranked and prioritized using a structured process and scoring criteria and submitted to the MITS Enterprise Governance Committee for final review.  In addition, the Infrastructure Executive Steering Committee and the MITS Enterprise Governance Committee will be responsible for future governance of the Sustaining Infrastructure Program.

Recommendation

Recommendation 4:  The Chief Information Officer should ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process.

Management’s Response:  IRS management agreed with this recommendation and will implement a governance model that includes oversight from the Infrastructure Executive Steering Committee.

Office of Audit Comment:  The Chief Information Officer disagreed that improvements in the 2007 investment process did not help the IRS successfully identify the highest priority infrastructure investments.  The audit report did not suggest this.  The report states the investment process could be further improved by ensuring the End of Life Equipment Replacement activity was reporting to an executive steering committee.  Based on the amount of money being spent on the activity, the established MITS organization governance process for information technology investments should be followed to ensure all business units are involved in and aware of the prioritization.  In addition, some of the improvements mentioned in the IRS response are discussed on page 15 of the report.

Performance Measures Are Needed to Assess the Success of Efforts to Address the Aging Computer Hardware Issue

The Government Performance and Results Act of 1993[16] was enacted by Congress to hold Federal Government agencies accountable for achieving business results by requiring agencies to adopt performance measures and set goals to assess performance.  The Clinger-Cohen Act of 1996 specified that the agency Chief Information Officer is responsible for monitoring the performance of the agency’s information technology programs; evaluating the performance of those programs on the basis of applicable performance measures; and advising the agency head regarding whether to continue, modify, or terminate the program or project.  To comply with the Clinger-Cohen Act of 1996 and Office of Management and Budget guidelines, each agency’s information technology investment planning process must include periodic evaluations of project performance as measured against predefined outcome goals to assess how well information technology investments improve the efficiency and effectiveness of the agency’s operations.

The MITS organization uses the Business Process Management System for reporting measures on asset management, customer satisfaction, incident management, and the enterprise service desk.  The contractor assisting the IRS in developing its Sustaining Infrastructure Program has been assigned the task of formalizing a performance measurement process for the overall Sustaining Infrastructure Program and the individual initiatives/activities.  The contractor has provided some preliminary portfolio metrics, and the metrics will be refined and finalized at the time the Implementation Plan is completed.  The draft Implementation Plan was delivered to the IRS in April 2007 and is currently under review.

Once these performance measures are developed, the IRS will be able to assess whether current efforts to address the aging computer hardware problem are meeting expectations and achieving anticipated business results.  Management advised us that performance measures have not been established because the IRS is focusing its efforts on identifying and addressing the highest priority aged computer hardware needs and has not developed measures to assess its effectiveness.  Management also advised us that once the Sustaining Infrastructure Program is implemented the MITS organization will have a process in place to assess its efforts in addressing the aging computer hardware problem.

Recommendation

Recommendation 5:  The Chief Information Officer should ensure a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishments is established for current and future efforts to address the aging computer hardware issue.

Management’s Response:  IRS management agreed with this recommendation and will implement outcome measures and a monitoring process to report on the IRS’ progress in reducing its aged asset inventory.

Office of Audit Comment:  The Chief Information Officer commented it is not accurate to infer that the IRS has not developed such metrics; specifically, the IRS has developed measures for asset management. We reported on page 16 of this report that the MITS organization uses the Business Process Management System for reporting measures on asset management, customer satisfaction, incident management, and the enterprise service desk.   The report clearly states the issue is that performance measures are needed for the Sustaining Infrastructure Program and states a contractor is in the process of developing the measures.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this audit was to determine whether the IRS implemented effective controls to identify and replace aging equipment components that could adversely affect its ability to meet its mission if the equipment components were to fail.  To accomplish this objective, we:

I.                   Assessed the current aging infrastructure environment.

A.    Reviewed the results of studies establishing the current size and expected growth of the aging infrastructure, actual and potential financial effects from use of the outdated equipment (e.g., increased maintenance costs, loss of revenue), and the estimated IRS funding necessary to maintain and replace the aging infrastructure.

B.     Reviewed other presentations made by the IRS to communicate the severity of the aging infrastructure problem and its effect on expenditures and revenues.

C.     Identified the measures taken by the IRS to validate the reported severity of the aging infrastructure problem and the estimated costs to replace outdated equipment.

D.    Reviewed documentation supporting key elements of the aging infrastructure problem to justify funding the program (e.g., size of the aging inventory, loss of revenue, replacement costs).

E.     Obtained infrastructure aging reports from the Information Technology Asset Management System to determine the information available to assess the reported aging infrastructure inventory.  We interviewed IRS management to determine whether infrastructure aging information is entered into the Information Technology Asset Management System.  Also, we determined whether IRS management uses the reports to monitor the aging infrastructure.

II.                Determined the effectiveness of the infrastructure governance process.

A.    Interviewed Enterprise Services organization and Enterprise Operations organization personnel to determine the governance structure and investment decision-making process for the sustaining infrastructure program and individual initiatives.

B.     Reviewed documentation describing the governance structure and investment decision-making process (e.g., project identification, prioritization, approval, monitoring).

C.     Reviewed the meeting minutes of the governance bodies (e.g., executive steering committees, investment review boards) over the sustaining infrastructure program and individual initiatives.

III.             Determined the status of the sustaining infrastructure program and individual initiatives.

A.    Interviewed Enterprise Services organization and Enterprise Operations organization personnel to discuss the aging infrastructure problem and the status of the overall program and individual initiatives (e.g., Rust Replacement, Infrastructure Roadmap) established to reduce the risks.

B.     Reviewed project documentation for the sustaining infrastructure program, including the current project schedule, key milestones, and planned completion dates.

C.     Reviewed status reports for the sustaining infrastructure program and the individual initiatives.

D.    Identified the performance measures established to assess the effectiveness of the program and to support program-level analysis and status reporting.

E.     Identified the processes for gathering the data to accurately measure and report program performance.

F.      Identified planned funding for the Sustaining Infrastructure Program and individual initiatives for Fiscal Years 2005 through 2009, including actual expenditures through Fiscal Year 2006.

Data Validity and Reliability

We used computer-processed data to review the inventory and cost of the aged computer hardware, the information technology problem tickets, and the amount of funds spent on the aged computer hardware.  The IRS hired a contractor to perform an asset inventory review, and the contractor concluded the MITS organization’s inventory tracking system does not provide the information required to support optimal inventory investment decisions.  Based on interviews and our review of Information Technology Asset Management System data, we also concluded the information could be improved.  Therefore, we used IRS-provided information during the audit and did not independently validate the size or cost of the aged computer hardware issue.

The IRS uses the reporting and tracking tool within the Information Technology Asset Management System to control its problem tickets and reported it had more than 1 million information technology problem ticket requests in Fiscal Year 2005.  It provided us with a summary report of the problem tickets, by category, totaling more than 1 million tickets.  An IRS employee advised us the problem ticket data are a unique and computer-generated assessment based upon specific and applied criteria and the data provided to us were validated for accuracy.  We checked the reasonableness of the information in the summary report by comparing it to the number of tickets the IRS had previously reported.  The data appeared to be reasonably accurate for the purposes of this audit, and we performed no additional data validity tests.

The IRS provided data from the Integrated Financial System[17] for Fiscal Years 2005 through 2007 regarding funding amounts for aged computer hardware.  We relied on the Government Accountability Office’s assessment of the reliability of the computer-processed data from the Integrated Financial System.  During a review of the IRS’ financial statements,[18] the Government Accountability Office concluded the expense and reimbursable revenue information processed through the Integrated Financial System for Fiscal Years 2005 and 2006 was reliable in all material respects.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Gary Hinkle, Director

Danny Verneuille, Audit Manager

Van Warmke, Lead Auditor

Glen Rhoades, Senior Auditor

Beverly Tamanaha, Senior Auditor

Tina Wong, Senior Auditor

Charlene Elliston, Auditor

 

Appendix III

 

Report Distribution List

 

Acting Commissioner  C

Office of the Commissioner – Attn:  Acting Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Information Officer  OS:CIO

Associate Chief Information Officer, End User Equipment and Services  OS:CIO:EU

Associate Chief Information Officer, Enterprise Operations  OS:CIO:EO

Associate Chief Information Officer, Enterprise Services  OS:CIO:ES

Associate Chief Information Officer, Management  OS:CIO:M

Director, Stakeholder Management  OS:CIO:SM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Deputy Commissioner for Operations Support  OS

Director, Program Oversight Office  OS:CIO:SM:PO

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

·         Reliability of Information – Actual; $50 million incorrectly reported (see page 4).

Methodology Used to Measure the Reported Benefit:

In support of the Fiscal Year 2007 budget request, the IRS reported in September 2005 to the Office of Management and Budget that (1) delayed upgrades from Windows NT software left it open to attacks by computer viruses and (2) the 2004 SASSER worm[19] attack on its computer systems cost more than $50 million in uncollected or unassessed tax revenues.  Management explained that, if the hardware had been updated, the operating system software would have also been updated and the IRS would not have been affected by the SASSER worm.

Our review of the May 2, 2004, SASSER worm attack determined the IRS had not applied a security patch that was available on April 14, 2004.  The MITS organization was notified numerous times from April 14, 2004, through May 2, 2004, by both the Microsoft Corporation and the Mission Assurance and Security Services organization to apply the patch; however, the patch was not applied consistently to servers and was not applied to any workstations.  Therefore, the problem was caused by a software security patch issue, not delayed upgrades of aging computer hardware or software, because the SASSER worm infected computers with various Windows operating systems including Windows 2000, Windows XP, and Windows 2003 server.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.


[1] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network.  The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.

[2] User fees are charges individuals and businesses are required to pay for services such as installment agreements and photocopies.

[3] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS.  Enrolled agents pay fees for a test (if applicable) and program enrollment.

[4] Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).

[5] The Integrated Financial System is intended to address administrative financial management weaknesses.  The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities.  A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.

[6] Federal Acquisition Reform Act of 1996 (Information Technology Management Reform Act of 1996), Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).

[7] The IRS Oversight Board is an independent body charged to provide the IRS with long-term guidance and direction.

[8] Subcategories include password, password policy, information, and other.

[9] The password and password policy subcategories totaled 438,274 problem tickets.

[10] The number of problem tickets includes several categories:  Enterprise Service Desk Transfer, File Tracking, Inventory Discrepancy, and System Acceptability Testing Software Testing.

[11] A measure of labor hours in which 1 full-time equivalent is equal to 8 hours multiplied by the number of compensable days in a particular fiscal year.  For Fiscal Year 2004, 1 full-time equivalent was equal to 2,096 staff hours.

[12] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network.  The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.

[13] User fees are charges individuals and businesses are required to pay for services such as installment agreements and photocopies.

[14] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS.  Enrolled agents pay fees for a test (if applicable) and program enrollment.

[15] The highest level recommending and decision-making body to oversee and enhance enterprise management of information systems and technology.  It ensures strategic modernization and information technology program investments, goals, and activities are aligned with and support 1) the business needs across the enterprise and 2) the modernized vision of the IRS.

[16] Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).

[17] The Integrated Financial System is intended to address administrative financial management weaknesses.  The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities.  A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.

[18] Financial Audit:  IRS’s Fiscal Years 2006 and 2005 Financial Statements (GAO-07-136, dated November 2006).

[19] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network.  The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.