TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Information Technology Enterprise Governance Structure Needs Further Process Improvements to Ensure Adequate Oversight

 

 

 

July 31, 2008

 

Reference Number:  2008-20-134

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

July 31, 2008

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Information Technology Enterprise Governance Structure Needs Further Process Improvements to Ensure Adequate Oversight (Audit # 200720033)

 

This report presents the results of our review of the tiered-program management structure implemented by the Internal Revenue Service (IRS) for reporting and reviewing status and results on its information technology (IT) projects.  The overall objective of this review was to determine whether the IRS has established and is following adequate internal controls to manage all IT investment projects within the new enterprise governance model in support of the IRS mission and goals.  Due to the critical nature of this area, the Chief Information Officer asked the Treasury Inspector General for Tax Administration to perform this audit, which was included as part of the Fiscal Year 2007 Information Systems Programs business unit’s Annual Audit Plan coverage of IRS modernization efforts.

Impact on the Taxpayer

The IRS estimated that it would spend $1.4 billion on IT products and services in Fiscal Year 2007.  While the IRS has made progress in implementing its IT enterprise governance structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects.  This will help to ensure that the IRS uses funds efficiently and effectively to provide oversight and control of all IT projects.

Synopsis

To better manage IT investments, the Chief Information Officer outlined a business commitment of implementing an IRS enterprise-wide IT tiered-program management structure.[1]  This commitment requires that all IT investment projects follow a tiered-program management structure for reporting and reviewing project status and results.  To implement the new tiered-program management structure, the IRS designed an enterprise governance model that assigns all IT projects to an appropriate executive oversight body.  This program management concept makes a significant change to IRS procedures by empowering executive oversight bodies with the authority to make project cost, schedule, and scope decisions.

In Fiscal Year 2006, the IRS expanded the roles and responsibilities of the Program Control and Process Management Division[2] to incorporate and establish direction for the new enterprise governance model.  Since then, the Division has made significant progress in directing, developing, and implementing tiered-program management activities.  For example, it has developed and distributed standardized reporting templates with documented processes and procedures for the executive steering committees.  In addition, the IRS has created a master list of IT projects to track and assign oversight.  Each IRS organization has formed or is planning to form its own individual Program Management Office to execute the new tiered-program management processes and procedures while providing oversight and management to assigned IT projects.

The IRS has been successful at improving program management and oversight activity awareness and communication throughout the organization.  This is evident with the participation from IRS organizations in the newly formed Governance Working Group that provides a forum to share and network in the design, development, and formation of the tiered-program management structure, processes, and procedures.  The Group meets biweekly and performs an important function by reviewing new tiered-program management concepts before they are submitted to senior IRS executives for approval and implementation.

While the IRS has made progress in implementing its tiered-program management structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects.  The IRS has not fully:

·         Documented policies and procedures for developing a complete portfolio of IT projects.

·         Completed the setup of Program Management Offices for all IRS organizations.

·         Implemented the health assessment process.

·         Provided consistent and continual monitoring and oversight of major IT projects through the executive steering committees.

Completing actions to address the above conditions will help ensure that the enterprise tiered-program management structure provides effective oversight and control of all IT projects.

Recommendations

We recommended that the Chief Information Officer 1) work with other IRS executives to develop a complete and accurate master IT project list with a standard set of IT terms that have been approved and communicated to all IRS organizations, 2) ensure that the proposed governance directive is approved and communicated through all levels of the IRS, 3) establish formal policies and procedures to ensure that the health assessment process is consistently applied and followed across all IRS organizations, and 4) ensure that policies and procedures are developed or revised to require control organizations to review all assigned major IT projects monthly and present projects to the appropriate governance board’s attention when established thresholds are exceeded.

Response

IRS officials agreed with all of our recommendations.  The IRS plans to 1) build on work already completed, incorporate projects and operational applications into the IRS portfolio, and develop, approve, and communicate formal policies and procedures to continually update the portfolio and a standard set of IT terms 2) obtain approval of the governance directive and communicate guidance to foster enterprise-wide adherence to the governance process, 3) conduct an enterprise-wide campaign of education and sustained support for the control organizations to ensure consistency of the health assessment process, and 4) ensure that all assigned major IT projects are reviewed monthly and are presented to the appropriate governance board’s attention when established thresholds are exceeded.  Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

Progress Has Been Made to Implement Tiered-Program Management Activities

A Complete Tiered-Program Management Structure Has Not Been Fully Implemented to Ensure Effective Oversight and Control of All Information Technology Projects

Recommendations 1 through 3:

Recommendation 4:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Glossary of Terms

Appendix V – Enterprise Governance Model

Appendix VI – Progress in Governance and Control Processes

Appendix VII – Management’s Response to the Draft Report

 

 Abbreviations

 

IRS

Internal Revenue Service

IT

Information Technology

  

Background

 

All IT investment projects must follow a tiered-program management structure for reporting and reviewing project status and results.

The Internal Revenue Service (IRS) estimated that it would spend $1.4 billion on information technology (IT) products and services in Fiscal Year 2007.  To better manage the IT investments, the Chief Information Officer outlined a business commitment to implement an IRS enterprise-wide IT tiered-program management structure.[3]  This commitment requires that all IT investment projects follow a tiered-program management structure for reporting and reviewing project status and results.  This structure assigns projects to executive-level committees for oversight based on the cost of the project and other factors as determined by the IRS and to Program Management Offices for more direct control and performance assessments.

To implement the new tiered-program management structure, the IRS designed an enterprise governance model that assigns all IT projects to an appropriate executive oversight body.  The enterprise governance model is presented in Appendix V.  This program management concept makes a significant change to IRS procedures by empowering executive oversight bodies with the authority to make project cost, schedule, and scope decisions.  Another major change includes expanding the number of oversight committees and redefining the reporting structure to include executive steering committees and organization-level and management-level boards throughout the IRS.

As part of the tiered-program management structure, the IRS is implementing a control process requiring monthly assessments of all IT projects.  These assessments (referred to as “health assessments”) are the primary tools used by the IRS to monitor key performance information on IT projects such as cost, schedule, and scope.  The IRS plans to implement the health assessment process throughout all of its organizations.

This review was performed at the Modernization and Information Technology Services organization facilities in New Carrollton, Maryland, during the period June through December 2007.  During the audit, the IRS was executing new processes and making progress in implementing the tiered-program management structure.  We communicated the interim results of our review and suggestions for improvement to Modernization and Information Technology Services organization officials on December 10, 2007.  Additional changes and progress might have occurred since the conclusion of our analyses.

We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

  

Results of Review

 

Progress Has Been Made to Implement Tiered-Program Management Activities

The Program Control and Process Management Division has made significant progress directing, developing, and implementing tiered-program management activities.

In Fiscal Year 2006, the IRS expanded the roles and responsibilities of the Program Control and Process Management Division[4] to incorporate and establish direction for the new enterprise governance model.  Since then, the Division has made significant progress in directing, developing, and implementing tiered-program management activities.  For example, it has developed and distributed standardized reporting templates with documented processes and procedures for the executive steering committees.  In addition, the IRS has created a master list of IT projects to track and assign oversight.  Each IRS organization has formed or is planning to form its own individual Program Management Office to execute the new tiered-program management processes and procedures while providing oversight and management to assigned IT projects.

The IRS has been successful at improving program management and oversight activity awareness and communication throughout the organization.  This is evident with the participation from IRS organizations in the newly formed Governance Working Group that provides a forum to share and network in the design, development, and formation of the tiered-program management structure, processes, and procedures.  The Group meets biweekly and performs an important function by reviewing new tiered-program management concepts before they are submitted to senior IRS executives for approval and implementation.

A Complete Tiered-Program Management Structure Has Not Been Fully Implemented to Ensure Effective Oversight and Control of All Information Technology Projects

While the IRS has made progress in implementing its tiered-program management structure, additional actions are needed to address current weaknesses in providing effective oversight and management of all IT projects.  The IRS has not fully:

·         Documented policies and procedures for developing a complete portfolio of IT projects.

·         Completed the setup of Program Management Offices for all IRS organizations.

·         Implemented the health assessment process.

·         Provided consistent and continual monitoring and oversight of major IT projects through the executive steering committees.

Completing actions to address the above conditions will help ensure that the enterprise tiered-program management structure provides effective oversight and control of all IT projects.

The IRS has not documented policies and procedures for developing a complete portfolio of IT projects

According to the Government Accountability Office Information Technology Investment Management:  A Framework for Assessing and Improving Process Maturity,[5] an organization should have documented policies and procedures for identifying and collecting information about its IT projects and systems.  Specifically, the responsibility for submitting, updating, and maintaining relevant inventory information about each project should be explicitly assigned.  In addition, the policies and procedures should provide common definitions for IT investment portfolio categories that are generally understandable by all stakeholders.

The IRS created a master list of IT projects based on seven available sources[6] that identify project activity.  Our reconciliation of the IT projects from these sources to the master IT list was not conclusive because naming conventions were not consistent for all projects, and source names did not always match the names included on the master IT list.  For example, the New  Portal Environment Project is the project name on the master IT list, while the Federal Information Security Management Act list identifies the project as “ISS (Infrastructure Shared Services), Web Hosting, -- Employee User portal (EUP), -- Registered User Portal (RUP), -- Citrix, Core Services, -- Application Messaging and Data Access Services (AMDAS), -- Enterprise Directory and Authentication Service (EDAS).”  The difference in the project names and lists might be due to having several IRS functions maintain separate IT project lists for consolidation to the master list.

The IRS has been working to resolve these issues.  However, the current methodology to identify the population of IT projects is extremely complex and is constantly changing.  Policies and procedures to ensure that all IT projects are captured in the portfolio have not been documented.  The IRS is further challenged with different interpretations of key IT terms used throughout the organization.  These conditions make it difficult to identify the type, size, and importance of projects for tracking and reporting.  Without a complete and accurate master list, the IRS does not have adequate assurance that all required IT projects have been identified and placed under proper governance authority for appropriate oversight and review.

Management Action:  Subsequent to our audit fieldwork, the IRS provided information about its efforts to assign unique identification codes to enable it to clearly identify, distinguish, and control IT projects.  The IRS is currently completing this assignment process.  In addition, the IRS provided us with information about its ability to identify specific IT project releases in the master IT list.

The IRS has not completed the setup of Program Management Offices

The new enterprise governance model relies heavily on the formation of individual Program Management Offices in each IRS organization.  These Program Management Offices work with the Program Control and Process Management Division to ensure that the new procedures and control processes are appropriately executed.

As of December 2007, the formation of all required Program Management Offices was not completed.  For example, Program Management Offices were not established for 3 of 6 Associate Chief Information Officer organizations and 4 of 10 IRS functions.  Appendix VI provides additional details on the IRS’ progress in implementing the Program Management Offices.

According to IRS officials, all of the required Program Management Offices will be implemented in the future.  However, formal authority has not been established to require, review, or ensure that the IRS organizations comply with this requirement or any of the policies and procedures developed by the Program Control and Process Management Division.  Without a consistent approach and required compliance with policies and procedures from the Program Control and Process Management Division, the enterprise governance processes might not be executed effectively to ensure that all required IT projects are provided with the appropriate governance, oversight, and review.

The IRS has not fully implemented the health assessment process

Health assessments provide critical information for the entire governance and control process.

Each individual IT project team is required to perform a self-assessment (termed a health assessment) of its IT project and report the status of seven key performance areas:  cost, schedule, scope, risk, staffing, organizational change, and technical features.  To communicate the purpose, process, and procedures for performing health assessments, the Program Control and Process Management Division issued the Project Status Survey Assessor Guide on May 14, 2007, and the Project Status Survey User Guide on May 24, 2007.  Although these Guides were issued in May 2007, the Modernization and Information Technology Services organization Enterprise Governance board did not formally approve the guidance until November 19, 2007.

If a health assessment identifies significant issues in two or more of the seven key performance areas, IRS program management must conduct in-depth interviews with the IT project team to identify causes and develop corrective actions.  Health assessment results and any corrective actions should be documented and reported to appropriate IRS officials, including assigned executive oversight committees.  The executive oversight committees use these results to make informed decisions regarding the IT projects.

The IRS has not established formal policies and procedures to require compliance with the health assessment process.  Our interviews with IRS officials determined that some IRS organizations were not fully aware of the monthly health assessment processes and procedures.  In addition, the Applications Development organization has accepted responsibility for performing IT project health assessments for four other IRS organizations.[7]

Based on interviews with IRS officials and reviews of a judgmental sample of health assessments, we determined that the health assessment process was not adequately implemented across all IRS organizations.  We identified the following concerns with the health assessment process:

  • Monthly health assessments were not conducted on all IT projects.  During our review of monthly health assessment summaries from May through August 2007, we found that the Applications Development organization did not conduct health assessments on 22 IT projects from 4 other IRS organizations.  Further, control processes were not established to conduct health assessments by two of the Associate Chief Information Officer organizations.  As a result, these 2 organizations did not conduct health assessments on 39 assigned IT projects.  Major projects without health assessments included the Enterprise Disk Encryption Phase II, the Appeals Automated Environment, and the Counsel Automated System Environment.
  • Corrective actions were not always developed for significant problems identified by health assessments.  Our sample review of health assessments included two projects (the New Portal Implementation - major project, and the Tier 2 Encryption - non-major project) in which the IRS identified significant problems in several key areas such as cost, schedule, scope, and staffing.  The responsible IRS program management did not conduct the required in-depth reviews with the IT project teams to discuss the problems and develop appropriate corrective actions.
  • Health assessments did not always measure and report the status of all key performance indicators for IT projects.  Several IRS organizations were using different methods to conduct the health assessment processes.  These organizations did not measure and report on all seven IT project key performance indicators (see Appendix VI for more information).  Instead, the organizations reported on a subset of the key performance indicators based on processes they used prior to the tiered-program management initiative.  Until the organizations begin reporting on all key performance indicators, the IRS will have inconsistent oversight and reporting of IT project development efforts.

Without consistent application of established health assessment procedures, continual and effective reporting and monitoring of IT project performance might not occur.  Also, significant issues and proposed corrective actions might not be identified in a timely manner and brought to the attention of appropriate IRS officials for oversight and decision-making purposes.

The executive steering committees do not provide consistent and continual monitoring and oversight of all major IT projects

The executive steering committees are responsible for overseeing assigned major and non-major IT projects.  During monthly meetings, the executive steering committees approve project proposals and milestone exits.  They also review and make decisions based on risks and on cost and schedule variances.  The 11 executive steering committees did not provide consistent and continual oversight of all assigned major IT projects.  For example:

·         The Security Services and Privacy Executive Steering Committee did not discuss the Homeland Security Presidential Directive-12 Project for 5 months.

·         The Infrastructure and the Criminal Investigation Executive Steering Committees were not tracking the status of IT project corrective action items on a monthly basis.

According to IRS officials, the executive steering committees do not review all assigned IT projects monthly because they provide governance only on an “as needed” or “exception” basis.  In addition, executive steering committee charters do not detail specific duties and responsibilities with documented processes and procedures for reviewing assigned major IT projects.

Without providing adequate and consistent oversight for IT projects, the executive steering committees might not be aware of IT project health problems affecting major IRS initiatives.  For example, the Security Services and Privacy Executive Steering Committee is assigned to oversee the Homeland Security Presidential Directive-12 Project.  However, we found that the Committee did not discuss or oversee the results of this Project for a 5-month period.  As reported in a prior audit report,[8] the Project experienced significant issues and problems resulting in the inefficient use of potentially $3.5 million.  Another example is the Electronic Fraud Detection System Project,[9] which did not have continual oversight and resulted in the inefficient use of potentially $22.7 million.

Management Action:  During our review, the IRS updated the proposed governance directive to include higher level approval authority by the Deputy Commissioners.  This ensures that the enterprise-proposed governance directive will cover the entire IRS organization.  In addition, the IRS revised the directive to require that executive steering committees track project action items to completion.

Recommendations

The Chief Information Officer should:

Recommendation 1:  Work with other IRS executives to develop a complete and accurate master IT project list with formally approved and documented policies and procedures to continually update the portfolio.  These procedures should include a standard set of IT terms that have been approved and communicated to all IRS organizations.

Management’s Response:  The IRS agreed with this recommendation.  Building on work already completed, the IRS master IT project list will incorporate projects and operational applications into the IRS portfolio.  The IRS will use the governance process to develop, approve, and communicate formal policies and procedures to continually update the portfolio as well as a standard set of IT terms.

Recommendation 2:  Ensure that the proposed governance directive is approved and communicated through all levels of the IRS and work with IRS executives to require all IRS organizations to adhere to the Program Control and Process Management Division governance processes.

Management’s Response:  The IRS agreed with this recommendation and will work with executives from both the business and technology organizations to obtain approval of the governance directive and to communicate guidance to foster enterprise-wide adherence to the governance processes.

Recommendation 3:  Establish formal policies and procedures to ensure that the health assessment process is consistently applied and followed across all IRS organizations.

Management’s Response:  The IRS agreed with this recommendation.  It will issue a directive and guidance and will conduct an enterprise-wide campaign of education and sustained support for the control organizations to ensure consistency of the health assessment process.

Recommendation 4:  Ensure that policies and procedures are developed or revised to require control organizations to review all assigned major IT projects monthly and present projects to the appropriate governance board’s attention when established thresholds are exceeded.

Management’s Response:  The IRS agreed with this recommendation and will develop a directive and guidance to ensure that all assigned major IT projects are reviewed monthly by the appropriate control organizations and are presented to the appropriate governance board’s attention when established thresholds are exceeded.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS has established and is following adequate internal controls to manage all IT investment projects within the new enterprise governance model in support of the IRS mission and goals.  Due to the critical nature of this area, the Chief Information Officer asked the Treasury Inspector General for Tax Administration to perform this audit.  To accomplish the objective, we:

I.                   Determined whether the IRS developed a master list of all IT investment projects and a reliable process to update the list on a regular basis.

A.    Interviewed the Acting Director, Portfolio Estimation Delivery Services, to determine the process for developing the master list.

B.     Reviewed the completed master IT list.

II.                Determined whether the Program Control and Process Management Division has applied adequate oversight and authority to ensure that established program governance processes are followed by all IRS organizations.

A.    Interviewed the Director, Program Control and Process Management Division, to determine the current status of the governance program.

B.     Determined the areas, functions, and organizations within the IRS that have or have not implemented the proposed governance processes.

III.             Determined whether adequate oversight and reporting was developed at each level of the IRS organization to ensure compliance with the new enterprise governance structure.

A.    Reviewed areas that have not developed a formal Program Management Office or applied the new program governance process and procedures.

B.     Reviewed areas that have developed a formal Program Management Office and instituted mature program governance processes, controls, and procedures.

C.     Tested the level of compliance with the health assessments.

IV.             Determined whether the governing bodies (e.g., executive steering committees, organization-level governance boards, and management-level governance boards) followed approved policies, procedures, and templates outlined by the Program Control and Process Management Division.

A.    Determined whether established documents were being developed and delivered with appropriate guidelines followed.

B.     Determined whether the use of contractors for governance responsibilities is an efficient use of resources for the IRS.

Health Assessment Sample Selection Methodology

We judgmentally selected a sample of 21 project health assessments from a population of approximately 598 projects involving 7 IRS organizations.  According to the health assessment procedures, each IT project team might not have to perform a monthly health assessment if the Program Management Office does not require an assessment that month.  Therefore, there is no one-to-one relationship between the number of health assessments and the number of projects.  We judgmentally selected the sample because we were not going to project the results over the entire population.  Figure 1 identifies the 7 organizations and the 21 projects we sampled.

Figure 1:  Health Assessment Project Sample

Organization

Health Assessment Project Name

Associate Chief Information Officer, Applications Development

Correspondence Examination Automated System-Major-WINTEL

Notice Print Processing

Correspondence Imaging System Release 1 Operations and Maintenance

Correspondence Imaging System Release 2 Milestone 4

Business Master File Document Specific

Interim Revenue Accounting Control System Project

Associate Chief Information Officer, Enterprise Services

Document and Imaging Management

Enterprise Application Integration Broker

New Portal Implementation Project Release 1.1

Infrastructure Roadmap Initiative Phase III

Associate Chief Information Officer, Enterprise Operations

Server Consolidation and Virtualization

Tier 1 Encryption for Offsite Storage

Tier 2 Encryption

Small Business/Self-Employed Division

Expanded Compliance Data Warehouse

Bankruptcy Law Advisory Rules Engine

Wage and Investment Division

Form 94x to Service Center Recognition/Image Processing System

Centralized Contact Center Forecasting and Scheduling Release 1a

Centralized Contact Center Forecasting and Scheduling Release 1b

Tax Exempt and Government Entities Division

Tax Exempt and Government Entities Reporting and Electronic Examination System

Large and Mid-Size Business Division

Issue Management System Integration

Decision Support and Data Capture

Source:  Individual IRS organization project lists.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Preston B. Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)

Scott A. Macfarlane, Director

Edward A. Neuwirth, Audit Manager

Phung-Son Nguyen, Audit Manager

Wallace Sims, Senior Auditor

Charlene Elliston, Auditor

Suzanne Noland, Auditor

Linda Screws, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Commissioner, Large and Mid-Size Business Division  SE:LM

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Tax Exempt and Government Entities Division  SE:T

Commissioner, Wage and Investment Division  SE:W

Deputy Chief Information Officer  OS:CIO

Associate Chief Information Officer, Applications Development  OS:CIO:AD

Associate Chief Information Officer, Enterprise Services  OS:CIO:ES

Director, Stakeholder Management  OS:CIO:SM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Commissioner, Large and Mid-Size Business Division  SE:LM

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Tax Exempt and Government Entities Division  SE:T

Commissioner, Wage and Investment Division  SE:W

Associate Chief Information Officer, Applications Development  OS:CIO:AD

Associate Chief Information Officer, Enterprise Services  OS:CIO:ES

Director, Program Oversight  OS:CIO:SM:PO

 

Appendix IV

 

Glossary of Terms

 

Appeals Automated Environment Project

A major project that provides a fully integrated office automation environment and IT support to the IRS Appeals function.

Bankruptcy Law Advisory Rules Engine Project

A non-major project for web-based decision support answering incoming calls from taxpayers by the Centralized Insolvency site at the Philadelphia Campus.

Business Master File

The IRS database that consists of Federal tax-related transactions and accounts for businesses.  These include employment taxes, income taxes on businesses, and excise taxes.

Business Master File Document Specific Project

A major project that accounts for annual changes to Business Master File forms processing.

Campus

The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Centralized Contact Center Forecasting and Scheduling Project

A non-major project for identifying and deploying end-to-end workforce management solutions with workforce planning functionality.

Correspondence Examination Automated System Project

A major project that will incrementally replace the Report Generation System Batch application with a web-based environment.  It will allow inventories to be managed at a corporate level.

Correspondence Imaging System Project

A major project that captures images of correspondence from taxpayers that are intended to be worked by Accounts Management organization employees.

Counsel Automated System Environment Project

A major project that provides the automated tools that Office of Chief Counsel employees require to accomplish their official duties in the most cost-effective and efficient manner.  This project consists of a number of core functions that have been implemented on a standard hardware platform nationwide, integrating new and existing systems.

Decision Support and Data Capture Project

A non-major project that will develop a comprehensive set of tools and applications to extract and manage data from paper documents for use in decision support, including ranking, issue scoring, issue selection, workload selection capabilities, and support case building, and provide increased ability to share information.

Document and Imaging Management Project

A non-major project that will develop enterprise capabilities to guide Document Management projects.

Enterprise Application Integration Broker Project

A major project that is a main component of the IRS Service Oriented Architecture that allows modernized systems to use common infrastructure security and application services to access and leverage systems and data repositories across heterogeneous platforms.

Enterprise Disk Encryption Project

A major project that provides encryption for IRS IT, including desktop and laptop computers.

Executive Steering Committee

A committee that oversees investments, including validating major investment business requirements and ensuring that enabling technologies are defined, developed, and implemented.

Expanded Compliance Data Warehouse Project

A non-major project that will improve existing workload identification and prioritization, allowing the IRS to better evaluate alternative treatments and ensure that cases receive the most efficient and effective process.

Filing Season

The period from January through mid-April when most individual income tax returns are filed.

Form 94x to Service Center Recognition/Image Processing System Project

A non-major project that will serve to improve the method of processing paper form returns by migrating from a labor-intensive, manual, transcription-based system to an automated image-based system.

Infrastructure Roadmap Initiative Phase III Project

A non-major project that was initiated to acquire contractor expertise to support the continued effort of evaluating the IRS IT infrastructure and investment candidates while providing detailed descriptions of the investment path and making regular recommendations of investments for selection.

Interim Revenue Accounting Control System Project

A major project that records tax revenue due the Federal Government and maintains records of assessments, collections, accounts receivable, refunds, overassessments, and other elements of revenue accounting.

Issue Management System Integration Project

A non-major project with the goal of replacing the Exam Return Control System, which is an outdated inventory control system, for the Large and Mid-Size Business Division.

Major/Non-Major Projects

Department of the Treasury specific criteria state that major IT investments (or projects) have an annual cost equal to or greater than $5 million, or total lifecycle costs exceeding $50 million.  Projects not meeting these criteria are considered non-major.

Milestone

Milestones provide for “go/no-go” decision points in a project and are sometimes associated with funding approval to proceed.

New Portal Implementation Project

A major project that delivers, in phased releases, an infrastructure build-out to support existing and planned applications available to internal and external users, such as taxpayers, tax practitioners, and IRS employees.

Notice Print Processing Project

A non-major project that supports all IRS notices and letters that reside on the Print System.

Server Consolidation and Virtualization Project

A non-major project that consolidates the existing server environment, maximizing the use of all server sources across the enterprise.

Tax Exempt and Government Entities Reporting and Electronic Examination System Project

A non-major project that will provide an automated examination case management system, consolidate multiple legacy systems, leverage existing income tax solutions, and provide computation tools and statutory compliance testing required by end users.

Tier 1 Encryption for Offsite Storage and Tier 2 Encryption Project

A non-major project that is designed to provide the ability to encrypt information generated by IRS Tier 1 and Tier 2 systems.

Tiered-Program Management Structure

The structure includes 1) governance that refers to assignment of IT projects to an executive oversight level and establishment of Program Management Offices to oversee projects and 2) control that refers to reviewing project performance through monthly assessments.

 

Appendix V

 

Enterprise Governance Model

 

The enterprise governance model will account for all IT investment projects regardless of dollar value, including projects considered to support existing operations and maintenance activities.  Figure 1 provides a schema of the new governance structure.

The following are the descriptions of the acronyms used in Figure 1 to describe the governing bodies:

AWSS – Agency-Wide Shared Services

C&L – Communications and Liaison

CC – Office of Chief Counsel

CFO – Chief Financial Officer

CI – Criminal Investigation

EEO – Equal Employment Opportunity and Diversity

HCO Human Capital Office

LC – Life Cycle

LMSB – Large and Mid-Size Business

MA&SS – Mission Assurance and Security Services

MEG – Modernization and Information Technology Services Enterprise Governance

Mgmt – Management

MIM – MEG Investment Management

MITS – Modernization and Information Technology Services

MVS – Modernization, Vision, and Strategy

OPR – Office of Professional Responsibility

SBSE – Small Business/Self-Employed

SOI/RAS – Statistics of Income/Research, Analysis, and Statistics

SSMC – Service, Support, and Modernization

TAS – Taxpayer Advocate Service

TEGE – Tax Exempt and Government Entities

W&I – Wage and Investment

Figure 1:  Enterprise Governance Model

 

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

Appendix VI

 

Progress in Governance and Control Processes

 

Figure 1 shows the progress the IRS has made in establishing Program Management Offices and performing health assessments by the Associate Chief Information Officers and business operating divisions as of December 31, 2007.

Figure 1:  Establishment of Governance and Control Processes

Governance and Control Process

Associate Chief Information Officers

Program Management Offices

Health Assessments

Applications Development

Yes

Yes

End User Equipment and Services

No

No

Enterprise Networks

No

No

Enterprise Operations

Yes

Yes

Enterprise Services

Yes

Yes

Management

No

No

Business Operating Divisions

Program Management Offices

Health Assessments

Large and Mid-Size Business

Yes

Partial*

Small Business/Self-Employed

Yes

Partial*

Tax Exempt and Government Entities

Yes

Partial*

Wage and Investment

Yes

Partial*

* An assessment was conducted, but the scope did not include all seven key process indicators.

 

Governance and Control Process

Offices

Program Management Offices

Health Assessments

Agency-Wide Shared Services

Yes

No

Appeals

Yes

No

Chief Counsel

Yes

No

Commissioner’s Complex, Equal Employment Opportunity and Diversity, and Office of Professional Responsibility

No

No

Communications and Liaison

No

No

Criminal Investigation

Yes

No

Human Capital

Yes

No

Chief Financial Officer

No

No

Research, Analysis, and Statistics/Statistics of Income

No

No

Taxpayer Advocate Service

Yes

No

Source:  Interviews of IRS staff and analysis of IT governance and control documentation.

 

Appendix VII

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.



[1] See Appendix IV for a glossary of terms.

[2] The Program Control and Process Management Division in the Modernization and Information Technology Services organization includes the Program Governance Office and the Program Control Office.  Separately, these two offices guide IT tiered-program management governance and control activities.

[3] See Appendix IV for a glossary of terms.

[4] The Program Control and Process Management Division in the Modernization and Information Technology Services organization includes the Program Governance Office and the Program Control Office.  Separately, these two offices guide IT tiered-program management governance and control activities.

[5] GAO-04-394G, dated March 2004.

[6] The seven sources we reviewed were the Federal Information Security Management Act [part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002)]; the Applications Development organization; the Capital Planning and Investment Control; the Enterprise Transition Strategy; the As-Built Architecture; and the ProSight system for the Department of Treasury and the IRS.

[7] The Applications Development organization performs IT project health assessments for the Criminal Investigation and Agency-Wide Shared Services Divisions; the Human Capital Office; and the Research, Analysis, and Statistics function.

[8] Lack of Proper IRS Oversight of the Department of the Treasury HSPD–12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).

[9] The Electronic Fraud Detection System Redesign Failure Resulted in Fraudulent Returns and Refunds Not Being Identified (Reference Number 2006-20-108, dated August 9, 2006) and Oversight of the Electronic Fraud Detection System Restoration Activities Has Improved, but Risks Remain (Reference Number 2007-20-052, dated March 29, 2007).