TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources

 

 

 

December 14, 2007

 

Reference Number:  2008-20-030

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 Redaction Legend:

3(a) = Identifying Information - Name of an Individual or Individuals
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

December 14, 2007

 

 

MEMORANDUM FOR ACTING COMMISSIONER

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Audit # 200720034)

 

This report presents the results of our review to assess prior Homeland Security Presidential Directive-12 (HSPD-12)[1] program management activities and provide Internal Revenue Service (IRS) executives with an independent perspective to assist them in future implementation of the HSPD-12 program.[2]

This report presents the results of our second audit of HSPD-12.  The IRS has been designated as the lead bureau for ensuring the Department of the Treasury (the Treasury) complies with the Directive.  In our first review,[3] we reported that the IRS was at risk of wasting taxpayer funds because the Treasury was developing its own system for issuing the cards rather than joining other agencies that had already incurred much of the upfront costs associated with this effort.

Impact on the Taxpayer

The total estimated cost to build and maintain an HSPD-12 system for the Treasury is $421 million over 14 years.  As the lead bureau for the Treasury, the IRS is charged with ensuring the funds are spent prudently.  The IRS estimated it had obligated $30 million as of June 2007.  However, $3.5 million was spent on acquisitions that should have been avoided.  In addition, the IRS did not administer contracts effectively and could not provide documentation to support the actual costs charged to the HSPD-12 program.  Oversight of the program was hindered because the IRS, on advice from the Treasury, did not prepare a formal business case[4] for the program.  As a result, taxpayers could have little confidence their funds were being used effectively during the early stages of this initiative.

Synopsis

To implement HSPD-12, the IRS initially established an integrated project team to lead its efforts.  In September 2005, the IRS replaced the project team by formally establishing an HSPD-12 Program Management Office (PMO).  In January 2006, the IRS Commissioner volunteered the IRS to lead the Treasury HSPD-12 program efforts and to deliver a Departmentwide solution.  The Treasury agreed and, in March 2006, the IRS assumed leadership of the Treasury HSPD-12 PMO.

The integrated project team, and later the PMO, did not effectively manage the contracts for the HSPD-12 program.  Statements of work were too general to hold contractors accountable for work performed, and the IRS paid contractors without verifying work was performed.  The IRS could not provide supporting documentation for the actual costs spent on the program, and we found that at least $3.5 million was spent on unneeded hardware, software, and services.  The following specific costs could have been avoided:

·         $1,940,397 spent to purchase 350,000 Public Key Infrastructure[5] certificates in March and September 2005.

·         $837,616 spent to purchase 18 Public Key Infrastructure servers in September 2005 that were never used for the program.

·         $431,035 spent to establish an identification badge laboratory to create a test environment for issuing HSPD-12 identification badges.

·         $91,618 spent to reimburse the General Services Administration for preparing a Request for Procurement for acquiring another contractor’s services.

·         $188,160 paid to a contractor for 1 person to perform clerical duties over an 11-month period.

In addition, the IRS did not follow its established governance procedures for overseeing the HSPD-12 program because it did not prepare a formal business case for the program.  An internal business case was prepared by the PMO, but it did not comply with the IRS’ business case requirements and it was never provided to the Treasury HSPD-12 governance committees overseeing the program.  In addition, ****3(d)****

Many of the problems experienced by the HSPD-12 program are similar to those we have reported previously in the IRS Business Systems Modernization program.  In our Fiscal Year 2007 annual assessment of the Business Systems Modernization program,[6] we cited four specific challenges the IRS needs to overcome to deliver a successful modernization effort.  Three of these challenges (improving key management processes, managing the increasing complexity and risks of the Modernization program, and ensuring contractor performance and accountability are effectively managed) are related to the issues we identified in this review, indicating a need for the IRS to address these same challenges on information technology projects outside the Business Systems Modernization program.

Recommendations

We recommended the Chief, Agency-Wide Shared Services, require that future task orders prepared by the HSPD-12 PMO separate tasks by function to enable the IRS to better monitor contractor performance, ensure Contracting Officer’s Technical Representatives comply with procedures that require sufficient supporting documentation for hours worked and require the HSPD-12 Program Manager to provide written certification for labor hours worked on contracts before any payments are made to contractors, and ensure the Program Manager maintains documentation sufficient to support all HSPD-12 program costs and assigns costs to specific task orders.  We also recommended the Chief Information Officer coordinate with the Treasury to evaluate the possibility of combining its Public Key Infrastructure efforts with those of the General Services Administration and ensure executive steering committees responsible for providing oversight to information technology projects enforce use of IRS Enterprise Life Cycle requirements.[7]

Response

IRS management agreed with our recommendations.  The IRS has taken several steps to improve the management of the HSPD-12 PMO, including initiating a process to separate tasks by functional area to better monitor contractor performance; ensuring the Contracting Officer’s Technical Representatives are in compliance with existing IRS procedures for reviewing invoices before payments are made to contractors; and assigning planned costs, including labor hours, to project tasks to support all HSPD-12 program costs.  The IRS will coordinate with the Treasury to evaluate the possibility of combining Public Key Infrastructure efforts with those of the General Services Administration.  In addition, the IRS will strengthen the responsibilities of the executive steering committees and ensure project reporting templates, used by projects at the assigned governance board, are updated to reflect project status and compliance with the Enterprise Life Cycle.  Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 Table of Contents

 

Background

Results of Review

The Program Management Office Did Not Adequately Safeguard the Financial Interests of the Federal Government

Recommendations 1 through 4:

The Internal Revenue Service Governance Process Over the HSPD-12 Program Was Ineffective

Recommendation 5:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Enterprise Life Cycle Overview

Appendix VI – Participants Involved in Oversight of the Department of the Treasury HSPD-12 Initiative

Appendix VII – Management’s Response to the Draft Report

 

 Abbreviations

 

  

Background

 

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.  This Directive established a new standard for issuing and processing Federal Government identification badges for entering Federal Government facilities and accessing computer systems.  The Office of Management and Budget, which is responsible for overseeing implementation of the Directive, established the following deadlines for Federal Government agencies:

• October 27, 2005 – Agencies must develop procedures for registering employees, issuing cards, and maintaining a card system.
• October 27, 2006 – Agencies must demonstrate their ability to issue an identification card to a new employee.
• October 27, 2007 – Agencies must verify and/or complete background investigations and issue identification cards for all employees with fewer than 15 years of service.
• October 27, 2008 – Agencies must verify and/or complete background investigations and issue identification cards for employees with 15 or more years of service.

To implement HSPD-12, the Internal Revenue Service (IRS) initially established an integrated project team to lead its efforts.  However, the leadership and responsibilities of the program have changed significantly over the past 3 fiscal years.  Figure 1 provides a historical perspective on the designation of HSPD-12 program[8] management oversight responsibilities.

Figure 1:  Timeline of the HSPD-12 Program Management Office (PMO)

Source: Interviews with IRS officials.

The PMO must complete a significant amount of work to comply with the Directive and obtain identification cards for approximately 150,000 employees who work in the Treasury.  The PMO is led by a Program Manager and the scope of its work includes:

• Enrollment – Employees must be fingerprinted and photographed, and their identities must be verified.
• Card Printing and Finalization – The identification cards must be encoded and printed to comply with all HSPD-12 standards, including the encryption of personal data on the cards.  Each card is printed with an employee’s photograph and other identifiable information.
• Systems Infrastructure – The identification cards will provide controls over employees’ access to buildings and eventually be programmed to provide controls over employees’ access to computer systems.  The Treasury will have to develop and maintain a data store of employee information, such as where they work and what facilities and computer systems they are allowed to access.
• Card Maintenance – Identification cards must be updated when employees’ responsibilities and access needs change.

Our first audit of HSPD-12[9] determined the PMO was experiencing delays in meeting the Office of Management and Budget milestones.  The PMO was planning to produce its own identification cards instead of taking advantage of the General Service Administration’s (GSA) shared services provider, which was being offered to all Federal Government agencies at a low cost due to the economies of scale.  Despite assigning 68 employees to the Treasury HSPD-12 effort, the PMO had not yet purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, 2 years after the Office of Management and Budget’s mandated deadline.  We recommended the IRS consider the benefits of using the GSA shared services provider, coordinate with the GSA to resolve concerns, and customize the GSA solution to meet the Treasury’s needs.  The IRS agreed with our recommendation and now intends to use the GSA shared services provider to the fullest extent possible.

We conducted this followup review to assess prior HSPD-12 program management activities and provide IRS executives with an independent perspective to assist them in future implementation of the program.  This review was performed at the IRS National Headquarters in New Carrollton, Maryland, in the Agency-Wide Shared Services organization during the period June through September 2007; it focused on activities occurring from the beginning of the program through May 2007.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

The Program Management Office Did Not Adequately Safeguard the Financial Interests of the Federal Government

The total estimated cost to build and maintain an HSPD-12 system for the Treasury is $421 million over 14 years.  The IRS advised us that, as of June 2007, it had obligated approximately $30 million.  However, the IRS spent at least $3.5 million of these funds on acquisitions that should have been avoided.  In addition, it did not administer contracts effectively and could not provide documentation to support planned or actual costs attributable to the HSPD-12 program.

HSPD-12 program funds were used to purchase unneeded hardware, software, and services

The IRS HSPD-12 integrated project team made several unnecessary purchases in Fiscal Year 2005.  The following costs could have been avoided.

• $1,940,397 spent to purchase 350,000 Public Key Infrastructure (PKI)[10] certificates in March and September 2005.  PKI certificates will be needed in the future so employees can use their identification cards to access computer systems; however, the IRS does not expect to use the cards at this time.  The Treasury informed us that the certificates the IRS purchased had a 3-year lifespan; however, the IRS was unable to provide us with the exact dates on which these certificates would expire.

Both the GSA and the Treasury have been developing separate PKI strategies.  During our last review, the Program Manager stated that the need for the HSPD-12 program to comply with the Treasury PKI strategy was one of the reasons the IRS did not consider earlier use of the GSA shared services provider for the purchase of identification cards.  To ensure consistency throughout the Federal Government and reduce the duplication of effort in providing an effective PKI solution, we believe the Treasury should coordinate with the GSA and possibly other agencies to determine the feasibility of developing one PKI solution Governmentwide.  The GSA has recently endorsed the vendor used by the Treasury, which could make the transition easier than in prior years.

• $837,616 spent in September 2005 to purchase 18 PKI servers that were never used for the HSPD-12 program.  We were advised that some of the servers have been used on a very limited, intermittent basis for other IRS projects.  It is clear, however, that the servers were purchased prematurely and the funds could have been used more effectively.  The IRS Enterprise Life Cycle[11] is divided into five milestones and requires the purchase of hardware and software in the fourth milestone of a project.  However, the program had not yet exited the first milestone of the Enterprise Life Cycle at the time the servers were purchased.

The Treasury HSPD-12 PMO also spent $710,813 that could have been avoided.  These expenditures included:

• $431,035 spent from September 2006 through June 2007 to establish and maintain an identification badge laboratory to create a test environment for issuing HSPD-12 identification badges.  The laboratory included a computer for the initial processing of employees, a credential verification system, and an identification card printer; however, most of the costs were for contractor labor.  The laboratory has been closed and deemed unnecessary now that the Treasury is planning to use the GSA shared services provider for card issuance.  The PMO did not follow the Enterprise Life Cycle when purchasing the lab equipment.  Testing and piloting of new systems should occur during development and integration, which take place in the fourth phase of the Enterprise Life Cycle.  The program had not exited the first milestone when the items were purchased.
• $91,618 spent in Fiscal Year 2007 to reimburse the GSA for preparing a Request for Procurement for acquiring another contractor’s services.  The purpose of the contract was to assist the PMO in meeting the needs of the Treasury’s own HSPD-12 identification card system.  The contract to provide these services was cancelled after the Treasury decided to use the GSA shared services provider for all identification card services, and a contractor was never selected.  The PMO was aware that other options were available at the time; the Request for Procurement was never used to solicit bids.
• $188,160 paid to a contractor for 1 person to provide clerical support over an 11-month period.  The clerk was responsible for processing documents, maintaining and updating the PMO contact list, assigning and tracking equipment, maintaining calendars and meetings, and processing trip reports and was billed at $128 per hour.  Similar duties could have been provided to the PMO using resources already available at the IRS.

We attribute these unnecessary purchases to ineffective program management.  The PMO did not follow the IRS Enterprise Life Cycle and did not carry out its fiduciary responsibilities when making decisions to purchase hardware and software.  A key official from the Modernization and Information Technology Services organization informed us the IRS had worked hard to obtain funding ($15 million) for Fiscal Year 2005 and believed the IRS needed to spend the funds by the end of the fiscal year.  We reviewed procurement documentation and found approximately 90 percent of the program’s Fiscal Year 2005 budget was obligated to contractors during the last 2 months of Fiscal Year 2005.  We consider these purchases to be an inefficient use of resources.

Statements of work were incomplete, and the IRS paid contractors without verifying work was performed

According to the Federal Acquisition Regulation,[12] the Contracting Officer is responsible for ensuring performance of all necessary actions for effective contracting and ensuring compliance with the contract.  In addition, the Contracting Officer is to ensure the contractor(s) receives impartial, fair, and equitable treatment and request and consider the advice of specialists when appropriate.  The Contracting Officer’s Technical Representative is charged with (1) developing the specifications on each statement of work in such a manner as to promote competitive procurement actions and (2) monitoring the contractor’s technical performance to ensure the performance is strictly within the scope of the contract.  Statements of work should clearly define the scope of the work requested and list specific deliverables describing what is due and when it is due.  Additional duties include coordinating with the project’s program manager on issues related to funding and to changes in the scope of the work.

The PMO hired three contractors to assist in planning, developing, and implementing the requirements of the HSPD-12 program.  Each contractor was assigned responsibilities to meet program goals.  Specifically:

·         Booz Allen Hamilton was hired to address stakeholder management, communications, and program support.

·         MITRE was hired to coordinate the program management and business process engineering.

·         Presidio was hired to conduct the technical support work for implementation.

A separate Contracting Officer’s Technical Representative was assigned to each contract.  Statements of work for the MITRE contract were adequate; however, those for the other two contracts were not well defined.

To set aside or obligate funds for the three contracts, the IRS issued task orders to the contractors.  Task orders were issued to both Presidio and MITRE specifically for work on the HSPD-12 program.  However, the PMO used existing IRS contracts with Booz Allen Hamilton to perform work related to the program.  Instead of issuing a separate task order along with a statement of work to Booz Allen Hamilton, the PMO charged the HSPD-12 work to existing task orders that included many other assignments.  The HSPD-12 tasks included in the statements of work were not specific enough to identify the deliverables and were too general to track the program’s work requirements effectively.  For example, in one of the statements of work issued with a Booz Allen Hamilton task order, the subtask read, “. . . the Contractor shall support and assist the Treasury/IRS Program Management Office (PMO) in the implementation and maintenance of the IRS HSPD-12 program and related identity management project . . .”  The PMO paid Booz Allen Hamilton about $2.9 million dollars on these task orders.  An obligation of this magnitude should have its own task order and related statement of work with clearly defined deliverables.

We also identified weaknesses with the process used to pay contractors.  When a contractor provides an invoice to the IRS, prior to approving payment, the Contracting Officer’s Technical Representative is required to obtain sufficient supporting documentation from the contractor and a certification from the Program Manager that the work was performed.  ****3(d)****

****3(d)****  No written statements were obtained from the PMO stating the hours charged were appropriate for the tasks performed before payments were made.

At the time the statements of work were prepared, the HSPD-12 initiative was new and the IRS did not have knowledge of the specific technological requirements.  We believe this lack of technical knowledge contributed to the lack of specificity in the statements of work prepared by the Contracting Officer’s Technical Representatives.  ****3(d)****  Thus, the Federal Government has no assurance it received what it paid for, and additional funds could have been wasted.  The lack of specificity in the statements of work could have also contributed to delays in developing the program.

The PMO did not maintain documentation to support program costs and did not assign costs to planned tasks

The PMO should maintain adequate documentation to support program costs.  Through June 2007, the PMO had obligated $30 million.  Documentation was maintained to support approximately $15 million spent in Fiscal Year 2005.  Since then, adequate documentation has not been kept to support the remainder of the obligations.  Due to poor accounting controls, the PMO could not readily provide the amount spent on the MITRE and Presidio contracts without totaling the invoices.  Invoices from Booz Allen Hamilton were not available.

In an attempt to support the costs, we analyzed the invoices from MITRE and Presidio and requested that Booz Allen Hamilton provide copies of its invoices.  Booz Allen Hamilton supplied invoice numbers and amounts charged without providing the entire invoices.  Through that effort and with the documentation provided for the Fiscal Year 2005 costs, we have been able to locate support for approximately $21.6 million in expenditures.  We are continuing our efforts to determine the validity of the remainder of the program costs and obligations.  Without effective documentation to support costs, the PMO and oversight committees cannot ensure funds have been spent appropriately.

In addition, the program’s work breakdown structure did not include planned costs and resources needed to complete the program’s milestones and deliverables.  Preparing a work breakdown structure is a basic management technique for defining and organizing the total scope of a program and reporting progress.  It should identify what should be done, who will do it, how long it will take, and how much the program will cost.  The work breakdown structure should facilitate tracking of the program’s deliverables, milestones, and costs.

The Program Manager stated that costs were not assigned to specific tasks in the work breakdown structure due to poor contractor performance.  However, the work breakdown structure is ultimately the responsibility of the Program Manager.  Considering 68 employees and contractors were assigned to the PMO, we believe the PMO had sufficient staff with which to prepare and maintain a work breakdown structure that aligned planned costs and resources with the program’s milestones and deliverables.  By not assigning planned costs and resources to specific tasks, the Program Manager could not identify costly tasks that may be avoided and could not plan for staffing needs as the program progressed.

****3(d)****  Employees and contractors were not given sufficient direction and emphasis to carry out these responsibilities.

Recommendations

The Chief, Agency Wide-Shared Services, should:

Recommendation 1:  Require that future task orders prepared by the HSPD-12 PMO clearly separate tasks by function.  Doing so will help each contractor understand the tasks and propose its solution and will enable the IRS to monitor the contractor’s performance.

Management’s Response:  IRS management agreed with this recommendation.  The HSPD-12 PMO has initiated a process to establish clear delineation of tasks by functional area.

Recommendation 2:  Ensure Contracting Officer’s Technical Representatives comply with procedures that require sufficient supporting documentation for hours worked.  The HSPD-12 Program Manager should also be required to provide written certification for labor hours worked on contracts before any payments are made to contractors.

Management’s Response:  IRS management agreed with this recommendation.  The HSPD-12 project manager has implemented a process that will ensure the PMO and the Contracting Officer’s Technical Representatives are in compliance with existing IRS procedures for reviewing invoices prior to making payments to contractors.

Recommendation 3:  Ensure the HSPD-12 Program Manager maintains documentation sufficient to support all program costs and assigns costs to specific tasks in the work breakdown structure.

Management’s Response:  IRS management agreed with this recommendation.  The HSPD-12 PMO is now assigning planned costs, including labor hours, to project tasks.  The IRS will use software to track hours for Federal Government and contractor employees for projected earned value and schedule analysis.

The Chief Information Officer should:

Recommendation 4:  Coordinate with the Treasury to evaluate the possibility of combining its PKI efforts with those of the GSA.  Progress may be made for ensuring a consistent PKI approach throughout the Federal Government, and the duplication of effort could be reduced by taking advantage of the lessons learned from both efforts.

Management’s Response:  IRS management agreed with this recommendation.  The IRS will coordinate with the Treasury to evaluate the possibility of combining PKI efforts with those of the GSA.  The IRS is using the GSA-provided certificates for the HSPD-12 compliant Personal Identification Verification cards to be used by new and existing employees and contractors.

The Internal Revenue Service Governance Process Over the HSPD-12 Program Was Ineffective

The IRS requires executive steering committees to oversee major information technology projects.  The committees are comprised of key executives from organizations involved in the projects.  In March 2006, the Treasury HSPD-12 Executive Steering Committee was established to provide oversight and to support the Directive’s implementation across the Department and all its bureaus.  Because the HSPD-12 program involved all Treasury bureaus, a Bureau Advisory Board also was formed to serve as the primary coordination body for the Treasury and its bureaus on matters related to planning and implementation.  A list of participants for the Committee and Board is included in Appendix VI.

An information technology investment portfolio and a business case are required by the IRS Enterprise Life Cycle to assist governance committees in their monitoring of a program’s activities and progress.  However, these techniques were not effective in administering the HSPD-12 program.  ****3(d)****

Management over the HSPD-12 investment portfolio and business case was inadequate

The Clinger-Cohen Act of 1996[13] requires Federal Government agencies to improve the way they acquire and manage their information technology investments.  Agencies are required to put their technology investment decisions in a true business context and analyze investments for their return on investment.  The Office of Management and Budget published Circular A-11, Preparation, Submission and Execution of the Budget, to assist Federal Government agencies in complying with the Clinger-Cohen Act.  Specifically, Circular A-11, Section 300, Planning, Budgeting, Acquisition, and Management of Capital Assets, requires agencies to prepare and submit a business case for all major information technology investments.  The business case illuminates and clarifies details such as viable alternatives, budget and schedule performance variances, investment costs, and the reliability of the information, all of which are critical for accurate decision making.  Analysis of business cases helps instill discipline and rigor into an agency’s investment decision-making process.  In a prior report,[14] we noted the IRS used the business cases only to support funding requests.  We reported little effort had been given to using the business cases for decision making and for monitoring progress of information technology investments.

IRS procedures require preparation of a separate business case for any major information technology investment that:

• Requires special management attention because of its importance to the mission or function of the agency.
• Presents significant program or policy implications.
• Requires a total life cycle cost of more than $50 million.
• Obligates annual expenditures of more than $5 million.

The HSPD-12 program meets all of the above criteria; however, the PMO did not submit a separate business case for the program to the Bureau Advisory Board and the HSPD-12 Executive Steering Committee.  Information pertaining to the program was consolidated into another business case for Treasurywide infrastructure costs; therefore, the information could not be used by the HSPD-12 governance committees in making business decisions for the program.  The decision to consolidate the HSPD-12 business case into a Treasurywide security infrastructure business case was based on guidance received from the Treasury Capital Planning and Investment Control Office.  This decision is clearly in conflict with the stated requirement for preparation of a business case.

An internal business case for the program was prepared and submitted in October 2006 by the PMO but was never shared with the governance committees overseeing the program.  In addition, the internal business case did not include the information normally required by the Office of Management and Budget and the IRS.  Specifically:

• Three viable alternatives were not provided.  The Office of Management and Budget requires agencies to identify and consider at least three viable alternatives, in addition to the chosen investment strategy.  The analysis should include estimated costs for each alternative.  One alternative, which should have been provided, is the GSA shared services provider.  The cost savings that could have been achieved by choosing the shared services provider would have been apparent if this alternative had been provided to IRS and Treasury executives.  The PMO informed us the costs for the shared services provider were unknown at the time the business case was prepared.  However, cost data for the GSA provider were available.  Specifically, the GSA notified agencies in September 2006 that it would charge $110 for initial card issuance, plus $52 per card for annual maintenance.
• Actual costs were not provided, and the PMO did not compare actual costs and deliverables with budgeted estimates.  Analysis of variances between actual and budgeted estimates should provide an early warning for determining whether an investment project is performing on schedule and within budget.  The Office of Management and Budget requires agencies to report the cost and schedule performance of investments.
• The E-Government Strategy section was not adequately completed.  The E-Government Act of 2002[15] requires agencies to support Governmentwide initiatives and leverage cross-agency opportunities to further the advantages of electronic Federal Government.  This section must justify why the project is being developed when other alternatives are available in the Federal Government.  The internal business case stated the HSPD-12 program supported the Presidential Management Agenda E-Government initiative.  However, as we previously reported, the program did not intend to use the GSA shared services provider to issue identification cards.  The Treasury PMO was planning to develop its own HSPD-12 system and follow a “go-it-alone” implementation strategy.

The lack of information and analysis in the business case contributed to the Treasury continuing its costly implementation strategy.  An accurate, fully developed business case and regular analysis of variances between actual and budgeted costs and schedule would have provided IRS and Treasury executives with substantive information that could have prompted them to scale back the program at an earlier date and to minimize the costs incurred by the PMO.

****3(d)****  We also noted the HSPD-12 Executive Steering Committee did not request to see the internal business case.  Consequently, the business case was not subjected to the discipline and scrutiny normally required for an expensive information technology investment.  We were advised that the IRS is in the process of updating and improving the internal business case.  Thus, we have no recommendations at this time.

****3(d)****

On November 20, 2006, the Program Manager informed the HSPD-12 Executive Steering Committee that the Office of Management and Budget had approved the Treasury’s strategy for implementing the Directive.  T****3(d)****  On March 19, 2007, the Executive Steering Committee chairperson correctly apprised the Committee that the Office of Management and Budget had not approved the Treasury’s strategy.

****3(d)**** we had briefed the Program Manager on February 15, 2007, with the following recommendation:

To reduce costs and to improve the likelihood of meeting [the] OMB’s [Office of Management and Budget] milestones for developing identification cards compliant with HSPD-12 requirements, we recommend the Chief, Mission Assurance and Security Services, consider discontinuing the IRS pilot and contract with the GSA for developing identification cards.

If the PMO had provided accurate information to the governance committees, it is more likely that costs would have been minimized and funds could have been put to better use.  The Program Manager attributed the error to a misunderstanding.

Some of the unnecessary purchases and inappropriate decisions made by the HSPD-12 PMO could have been avoided if the PMO had followed the IRS Enterprise Life Cycle.  We believe stronger oversight by the HSPD-12 Executive Steering Committee was needed to ensure compliance with the Enterprise Life Cycle.

We also noted that many of the problems experienced by the HSPD-12 program are similar to those we have reported previously in the IRS Business Systems Modernization program.  In our Fiscal Year 2007 annual assessment of the Business Systems Modernization program,[16] we cited four specific challenges the IRS needs to overcome to deliver a successful modernization effort.  Three of these challenges are related to the issues presented above, indicating a need for the IRS to address these same challenges on information technology projects outside the Business Systems Modernization program.  These challenges include the need for the IRS to:

·         Implement planned improvements in key management processes and commit necessary resources to succeed.

·         Manage the increasing complexity and risks of the modernization program.

·         Ensure contractor performance and accountability are effectively managed.

Recommendation

Recommendation 5:  The Chief Information Officer should ensure executive steering committees responsible for providing oversight to information technology projects take an active role to address these challenges and, specifically, to enforce use of the IRS Enterprise Life Cycle requirements.

Management’s Response:  IRS management agreed with this recommendation.  The IRS will continue to implement planned improvements in key management processes through the continued rollout of program management initiatives.  To enforce the use of the Enterprise Life Cycle, the IRS will ensure project reporting templates, used by projects at the assigned governance board, are updated to reflect project status and compliance with the Enterprise Life Cycle.  In addition, the IRS Program Governance office will update executive steering committee charters to strengthen the committees’ responsibilities.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to assess prior HSPD-12 program management activities and provide IRS executives with an independent perspective to assist them in future implementation of the program.  To accomplish this objective, we:

I.                   Identified and reviewed the requirements of HSPD-12 from the detailed guidance established by Office of Management and Budget Memorandum 05-24, Implementation of Homeland Security Presidential Directive–12 (HSPD-12) Policy for a Common Identification Standard for Federal Employees and Contractors (August 2005), and Federal Information Processing Standard 201, Personal Identity Verification (PIV) of Federal Employees and Contractors (February 2005).

II.                Evaluated the governance process over the HSPD-12 program to determine whether the funding decision was warranted and whether the executive steering committees provided adequate oversight.

A.    Reviewed the meeting minutes from the governance committees (the HSPD-12 Executive Steering Committee, Treasury Bureau Advisory Board, and Security and Privacy Executive Steering Committee) that were overseeing the program.

B.     Reviewed key program documents provided to the governance committees and verified the accuracy and completeness of the documentation.

C.     Determined whether procedures were followed in the approval of the program.

D.    Evaluated the decision to move responsibility for the program from the Modernization and Information Technology Services organization to the Mission Assurance and Security Services organization in September 2005.

E.     Reviewed the most current business case for the program.

III.             Determined whether the HSPD-12 PMO planned and carried out program tasks effectively.

A.    Reviewed the requirements matrix to determine whether key requirements in Federal Information Processing Standard 201 were identified.

B.     Reviewed the work breakdown structure[17] for the program.

C.     Determined whether staffing levels were appropriate for the work scheduled and performed and whether the program followed the IRS Enterprise Life Cycle[18] methodology.

D.    Determined whether the program met scheduled and budgeted goals and the experience and qualifications of employees in the PMO.

IV.             Determined whether the contracts used to deliver the HSPD-12 business solution were appropriate.

A.    Determined whether the appropriate types of contracts were used for the program.

B.     Evaluated the terms of the contracts, including the statements of work, task orders, and program deliverables such as status reports, and determined how much has been and is obligated to be paid to the contractors.

V.                Evaluated the process used by the HSPD-12 PMO to review and accept contract deliverables.

A.    Determined whether the PMO released funds based on accepted deliverables or based on hours worked.

B.     Interviewed the Contracting Officer’s Technical Representatives and identified their process for monitoring the contractors to ensure the contractors’ work meets the contracts’ terms and requirements.

VI.             Determined the total amount of funds possibly misspent on the HSPD-12 program.  The total funds should include all IRS and contractor labor costs and all hardware and software costs.

A.    Determined the total amount expended, committed, and obligated.

B.     Evaluated the timing of the PMO’s decision to scale back the program by adopting the GSA shared services provider.

C.     Compared the deliverables and work completed to the amounts spent and determined the amounts misspent.  We considered the possibility that the decision to forgo use of the GSA shared services provider may not have been the only area of mismanagement.[19]

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Stephen R. Mullins, Director

Thomas Polsfoot, Audit Manager

William A. Gray, Senior Auditor

Louis Lee, Senior Auditor

Thomas Nacinovich, Senior Auditor

Glenn Rhoades, Senior Auditor

Stasha Smith, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Office of the Commissioner – Attn:  Acting Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief, Agency-Wide Shared Services  OS:A

Chief Information Officer  OS:CIO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief, Agency-Wide Shared Services  OS:A

Chief Information Officer  OS:CIO

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

·         Inefficient Use of Resources – Actual; $3.5 million (see page 4).

Methodology Used to Measure the Reported Benefit:

The outcome measure is reported using actual contract amounts and support for arriving at the amounts listed.  The PMO made unnecessary purchases totaling approximately $3.5 million.  The following costs could have been avoided.

• $1,940,397 spent to purchase 350,000 PKI[20] certificates in March and September 2005.  PKI certificates will be needed in the future so employees can use their identification cards to access computer systems; however, the IRS does not expect to use the cards at this time.  The certificates procured in 2005 will expire in 2008; as of August 2007, only 12 had been issued.  Current renewal fees for 50,000 2-year certificates will cost the IRS an additional $1.7 million.
• $837,616 spent to purchase 18 PKI servers in September 2005 that were never used for the HSPD-12 program.  We were advised that some of the servers have been used on a very limited, intermittent basis for other IRS projects.  The servers are located at four different locations and are inventoried and categorized as being used for “development.”  The IRS Enterprise Life Cycle[21] is divided into five milestones and requires the purchase of hardware and software in the fourth milestone of a project.  However, the program had not yet exited the first milestone of the Enterprise Life Cycle at the time the servers were purchased.
• $431,035 spent to establish an identification badge laboratory to create a test environment for issuing HSPD-12 identification badges.  The laboratory included a computer for the initial processing of employees, a credential verification system, and an identification card printer.  The laboratory has been closed and deemed unnecessary now that the Department of the Treasury (the Treasury) is planning to use the GSA shared services provider for card issuance.  The PMO did not follow the Enterprise Life Cycle when purchasing the lab equipment.  Pilot programs are normally released during the fourth milestone; the HSPD-12 program had not exited the first milestone when the items were purchased.
• $91,618 spent in Fiscal Year 2007 to reimburse the GSA for preparing a Request for Procurement for acquiring another contractor’s services.  The purpose of the contract was to assist the PMO in meeting the needs of the Treasury’s own HSPD-12 identification card system.  The contract to provide these services was cancelled after the Treasury decided to use the GSA shared services provider for all identification card services, and a contractor was never selected.  The PMO was aware that other options were available at the time; the Request for Procurement was never used to solicit bids.
• $188,160 paid to a contractor for 1 person to provide clerical support over an 11-month period.  The clerk was responsible for processing documents, maintaining and updating the PMO contact list, assigning and tracking equipment, maintaining calendars and meetings, and processing trip reports and was billed at $128 per hour.  Similar duties could have been provided to the PMO using resources already available at the IRS.

 

Appendix V

 

Enterprise Life Cycle Overview

 

The Enterprise Life Cycle defines the processes, products, techniques, roles, responsibilities, policies, procedures, and standards associated with planning, executing, and managing business change.  It includes redesign of business processes; transformation of the organization; and development, integration, deployment, and maintenance of the related information technology applications and infrastructure.  Its immediate focus is the IRS Business Systems Modernization program.  Both the IRS and its contractors must follow the Enterprise Life Cycle in developing/acquiring business solutions for modernization projects.

Life-Cycle Processes

The life-cycle processes of the Enterprise Life Cycle are divided into the following six phases:

• Vision and Strategy - This phase establishes the overall direction and priorities for business change for the enterprise.  It also identifies and prioritizes the business or system areas for further analysis.
• Architecture - This phase establishes the concept/vision, requirements, and design for a particular business area or target system.  It also defines the releases for the business area or system.
• Development - This phase includes the analysis, design, acquisition, modification, construction, and testing of the components of a business solution.  It also includes routine, planned maintenance of applications.
• Integration - This phase includes the integration, testing, piloting, and acceptance of a release.  In this phase, the integration team brings together individual work packages of solution components developed or acquired separately during the Development phase. Application and technical infrastructure components are tested to determine if they interact properly.  If appropriate, the team conducts a pilot to ensure all elements of the business solution work together.
• Deployment - This phase includes preparation and release of a system to actual sites.  During this phase, the deployment team puts the solution release into operation at target sites.
• Operations and Support - This phase addresses the ongoing operations and support of the system.  It begins after the business processes and system(s) have been installed and have begun performing business functions.  It encompasses all of the operations and support processes necessary to deliver the services associated with managing all or part of a computing environment.

The Operations and Support phase includes the scheduled activities (e.g., planned maintenance, systems backup, and production output) as well as the nonscheduled activities (e.g., problem resolution and service request delivery, including emergency unplanned maintenance of applications).  It also includes the support processes required to keep the system up and running at the contractually specified level.

Management Processes

In addition to the life-cycle processes, the Enterprise Life Cycle addresses the various management areas at the process level.  The management areas include:

• IRS Governance and Investment Decision Management - This area is responsible for managing the overall direction of the IRS, determining where to invest, and managing the investments over time.
• Program Management and Project Management - This area is responsible for organizing, planning, directing, and controlling the activities within the program and its subordinate projects to achieve the objectives of the program and deliver the expected business results.
• Architectural Engineering/Development Coordination - This area is responsible for managing the technical aspects of coordination across projects and disciplines, such as managing interfaces, controlling architectural changes, ensuring architectural compliance, maintaining standards, and resolving issues.
• Management Support Processes - This area includes common management processes, such as quality management and configuration management that operate across multiple levels of management.

Milestones

The Enterprise Life Cycle establishes a set of repeatable processes and a system of milestones, checkpoints, and reviews that reduce the risks of system development, accelerate the delivery of business solutions, and ensure alignment with the overall business strategy.  The Enterprise Life Cycle defines a series of milestones in the life-cycle processes.  Milestones provide for “go/no-go” decision points in the project and are sometimes associated with funding approval to proceed.  They occur at natural breaks in the process where there is new information regarding costs, benefits, and risks and where executive authority is necessary for next-phase expenditures.

There are five milestones during the project life cycle:

• Milestone 1 - Business Vision and Case for Action.  In the activities leading up to Milestone 1, executive leadership identifies the direction and priorities for IRS business change.  These guide which business areas and system development projects are funded for further analysis.  The primary decision at Milestone 1 is to select Business Systems Modernization projects based on both the enterprise-level Vision and Strategy and the enterprise architecture.
• Milestone 2 - Business Systems Concept and Preliminary Business Case.  The activities leading up to Milestone 2 establish the project concept, including requirements and design elements, as a solution for a specific business area or business system.  A preliminary business case is also produced.  The primary decision at Milestone 2 is to approve the solution/system concept and associated plans for a modernization initiative and to authorize funding for that solution.
• Milestone 3 - Business Systems Design and Baseline Business Case.  In the activities leading up to Milestone 3, the major components of the business solution are analyzed and designed.  A baseline business case is also produced.  The primary decision at Milestone 3 is to accept the logical system design and associated plans and to authorize funding for development, test, and (if chosen) pilot of that solution.
• Milestone 4 - Business Systems Development and Enterprise Deployment Decision.  In the activities leading up to Milestone 4, the business solution is built.  The Milestone 4 activities are separated by two checkpoints.  Activities leading up to Milestone 4A involve further requirements definition, production of the system’s physical design, and determination of the applicability of fixed-price contracting to complete system development and deployment.  To achieve Milestone 4B, the system is integrated with other business systems and tested, piloted (usually), and prepared for deployment.  The primary decision at Milestone 4B is to authorize the release for enterprisewide deployment and commit the necessary resources.
• Milestone 5 - Business Systems Deployment and Postdeployment Evaluation.  In the activities leading up to Milestone 5, the business solution is fully deployed, including delivery of training on use and maintenance.  The primary decision at Milestone 5 is to authorize the release of performance-based compensation based on actual, measured performance of the business system.

 

Appendix VI

 

Participants Involved in Oversight of the Department of the Treasury HSPD-12 Initiative

 

Department of the Treasury HSPD-12 Executive Steering Committee

John Dalrymple, IRS, Chairman ****3(d)****

Linda Stiff, Chairman, IRS (Replaced Mr. Dalrymple)

Bill Baity, Financial Crimes Enforcement Network

Larry Felix, Bureau of Engraving and Printing

Ira Hobbs, Department of the Treasury ****3(d)****

John Manfreda, Alcohol and Tobacco Tax and Trade Bureau

Ken Papaj, Financial Management Service

Mike Parker, Department of the Treasury

Van Zeck, Bureau of the Public Debt

Department of the Treasury HSPD-12 Bureau Advisory Board

Voting Members

Jim Dumais, IRS, Co-Chairman

John Kopec, Financial Management Service, Co-Chairman

Roger Adams, Bureau of the Public Debt

Ron Bell, Department of the Treasury, Departmental Offices

Pat Berbakos, Office of Thrift Supervision

Emile Beshai, Financial Crimes Enforcement Network

Bruce Crouch, Bureau of Engraving and Printing

Theresa Glasscock, Alcohol and Tobacco Tax and Trade Bureau

Tony Hunter, Financial Crimes Enforcement Network

Phil Perry, Department of the Treasury, Departmental Offices

Damon Plummer, Treasury Inspector General for Tax Administration

Fred Pyatt, Bureau of the Public Debt

Ron Sheiden, Office of the Comptroller of the Currency

Adam Silverman, Treasury Office of Inspector General

Rene Smeraglia, United States Mint

Nonvoting Members/Stakeholders

****3(a)**** IBM Corporation

****3(a)**** MITRE

****3(a)**** IRS

****3(a)**** IRS

****3(a)**** IRS

****3(a)**** Booz Allen Hamilton

****3(a)**** IRS

****3(a)**** Booz Allen Hamilton

****3(a)**** (Federally Funded Research and Development Center)

****3(a)**** Booz Allen Hamilton

****3(a)**** IRS

****3(a)**** IRS

****3(a)**** IRS

 

Appendix VII

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.