TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Annual Assessment of the Business Systems Modernization Program

 

 

 

September 23, 2010

 

Reference Number:  2010-20-094

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

 

HIGHLIGHTS

 

ANNUAL ASSESSMENT OF THE BUSINESS SYSTEMS MODERNIZATION PROGRAM

Highlights

Final Report issued on September 23, 2010  

Highlights of Reference Number:  2010-20-094 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Business Systems Modernization (BSM) Program, which began in 1999, is a complex effort to modernize the Internal Revenue Service’s (IRS) technology and related business processes.  The objective of the BSM Program is to address and manage the inherent risks of modernization, while still delivering the level of service American taxpayers expect.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of TIGTA’s Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS.  TIGTA is required to assess and report annually on the progress of the IRS’ modernization activities.

WHAT TIGTA FOUND

The BSM Program is now in its 12th year and has received approximately $3.24 billion for contractor services, plus an additional $474 million for internal IRS costs.  The IRS originally estimated the BSM Program effort would last up to 15 years and incur contractor costs of approximately $8 billion.  The three core projects of the BSM Program, referred to as the “Pillars of Modernization,” are the:

·         Customer Account Data Engine (CADE) – the databases and related applications for daily posting, settlement, maintenance, refund processing, and issue detection for taxpayer tax account and return data.

·         Modernized e-File – an electronic filing platform used for electronic tax return filing for both business and individual taxpayers.

·         Account Management Services/Integrated Data Retrieval System – systems that provide IRS employees with the ability to view, access, update, and manage taxpayer accounts.

Since July 2009, the IRS has implemented new releases of the CADE, Account Management Services, and Modernized e-File systems.  Most significantly, the Modernized e-File for the first time included individual tax returns in addition to business tax returns.

The IRS has refocused the BSM Program to deliver the modernized systems sooner.  TIGTA is encouraged by the actions planned and taken to refocus the BSM Program, especially related to the retooling of the CADE program, known as the CADE 2.  When successful, the CADE 2 program will provide a significant boost to the IRS’ ability to move away from its antiquated tax return processing systems and provide improved service to taxpayers.  However, there are significant risks involved in retooling the entire BSM Program and with the use of techniques and processes new to the IRS.

WHAT TIGTA RECOMMENDED

Because this was an assessment of the BSM Program status and accomplishments through Fiscal Year 2010, TIGTA did not offer any recommendations.  However, because of the significant risks involved with the refocusing of the BSM Program, TIGTA believes the IRS should continue to consider the BSM Program as a material weakness until it can successfully demonstrate that the CADE 2 can operate securely and effectively.

In its response, the Chief Technology Officer responded that the IRS was pleased to read TIGTA’s comments and observations that the BSM Program has continued to provide new information technology capabilities and related benefits to the IRS and taxpayers.  The Chief Technology Officer also acknowledged the IRS is at a key point in the BSM effort and believes it is on its way to successfully demonstrate that the CADE 2 can operate effectively.

 

September 23, 2010

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

 

FROM:            (for)         Michael R. Phillips /s/ Margaret E. Begg

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Annual Assessment of the Business Systems Modernization Program (Audit # 201020002)

 

This report presents our annual assessment of the Business Systems Modernization Program.  The overall objective of this review was to assess the progress of the Internal Revenue Service’s Business Systems Modernization Program since June 2009 as required by the Internal Revenue Service Restructuring and Reform Act of 1998.[1]  This review is part of our Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the Internal Revenue Service.

Management’s complete response to the draft report is included as Appendix XII.

Copies of this report are also being sent to the IRS managers affected by the report findings.  Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

 

 

Table of Contents

 

Background

Results of Review

The Business Systems Modernization Program Has Delivered Business Value and Benefits to Taxpayers

The Business Systems Modernization Program Is Being Revised to Deliver Improved Capabilities Sooner

Delivering Planned Capabilities Is a Continuing Challenge for Modernization Efforts

Effective Management of Persistent Project Development Activity Problems Is Necessary for Success of the Modernization Program

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Enterprise Life Cycle Overview

Appendix V – Business Systems Modernization Program Funding

Appendix VI – Project Cost and Schedule Variance Analysis

Appendix VII – Business Systems Modernization Program Project Accomplishments

Appendix VIII – Open Recommendations From Prior Year Reports Related to the Business Systems Modernization Program Material Weakness

Appendix IX – Recent Treasury Inspector General for Tax Administration Reports on the Internal Revenue Service’s Modernization Program

Appendix X – Treasury Inspector General for Tax Administration Assessments of the Business Systems Modernization Program

Appendix XI – Glossary of Terms

Appendix XII – Management’s Response to the Draft Report

 

Abbreviations

 

BSM

Business Systems Modernization

CADE

Customer Account Data Engine

CMMI

Capability Maturity Model Integration

IRS

Internal Revenue Service

MeF

Modernized e-File

TIGTA

Treasury Inspector General for Tax Administration

 

 

Background

 

The Internal Revenue Service (IRS) Restructuring and Reform Act of 1998[2] requires the Treasury Inspector General for Tax Administration (TIGTA) to annually evaluate the adequacy and security of IRS information technology.  This report provides our assessment of the IRS Business Systems Modernization (BSM) Program from June 2009 through June 2010.

Recognizing the long-term information technology commitment required to support the IRS’ mission, Congress created a special Modernization Program account in Fiscal Year 1998.  The BSM Program, which began in 1999, is a complex effort to modernize the IRS’ technology and related business processes.  This effort involves integrating thousands of hardware and software components.  All of this is being done while replacing outdated technology and maintaining the current tax system. 

Factors that characterize the IRS’ complex information technology environment include widely varying inputs from taxpayers (from simple concise records to complex voluminous documents), seasonal processing with extreme variations in processing loads, transaction rates on the order of billions per year, and data storage measured in trillions of bytes.[3]  The BSM Program is working toward addressing Congress’ intent of improved benefits to taxpayers that include:

  • Issuing refunds, on average, 5 days faster than existing legacy systems.
  • Offering electronic filing capability for large corporations, small businesses, tax-exempt organizations, and partnerships, with dramatically reduced processing error rates.
  • Delivering web-based services for tax practitioners, taxpayers, and IRS employees.
  • Providing IRS customer service representatives with faster and improved access to taxpayer account data with real-time data entry, validation, and updates of taxpayer addresses.

While the BSM Program encompasses dozens of projects and systems, the core projects that the IRS refers to as the “Pillars of Modernization” are the:

  • Customer Account Data Engine (CADE) – the databases and related applications that include applications for daily posting, settlement, maintenance, refund processing, and issue detection for taxpayer tax account and return data.
  • Modernized e-File (MeF)/e-Services – an electronic filing platform used for electronic filing of tax returns for both business and individual taxpayers.
  • Account Management Services/Integrated Data Retrieval System – systems that provide IRS employees with the ability to view, access, update, and manage taxpayer accounts.

The IRS planned to complete the Modernization Program in 15 years at a cost of approximately $8 billion.

The IRS originally estimated the BSM Program effort would last up to 15 years and incur contractor costs of approximately
$8 billion.  The BSM Program is now in its 12th year and has received approximately $3.24 billion for contractor services, plus an additional $474 million for internal IRS costs.  Appendix V presents an analysis of BSM Program funding since its inception.

The compilation of information for this report was conducted at the TIGTA office in Laguna Niguel, California, during the period May through July 2010.  The information presented in this report is derived from TIGTA audit reports issued since June 2009[4] and the Government Accountability Office report on the BSM Program’s Fiscal Year 2010 Expenditure Plan.[5]  These previous audits and our analyses were conducted in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our conclusions based on our audit objective.  We believe the evidence obtained provides a reasonable basis for our conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The Business Systems Modernization Program Has Delivered Business Value and Benefits to Taxpayers

The BSM Program has continued to provide new information technology capabilities and the related benefits to both the IRS and taxpayers.  Since July 2009, the IRS has implemented new releases of the CADE, Account Management Services, and MeF systems—the “Pillars of Modernization.”

Customer Account Data Engine

The CADE is a major component of the BSM Program.  It consists of modernized databases and related applications that work in conjunction with the IRS Master File system.

Our post-implementation review[6] of CADE Release 4 showed that it accurately processes and records tax return and tax account information.  The CADE project team successfully implemented Release 4 requirements that enable the system to more successfully accept, record, and process tax return information.  With the additional capabilities provided by Release 4, the CADE system processed more than 40.2 million tax returns (approximately 30 percent of all individual tax returns filed) and generated approximately $58.9 billion in refunds in Calendar Year 2009.  This is a significant increase over the 30 million tax returns processed in Calendar Year 2008.

CADE Release 5.2 was deployed in January 2010 to incorporate Tax Year 2009 tax law changes affecting individual taxpayers and to provide technical improvements to the infrastructure and availability of the CADE system.  From January through May 2010, the current CADE system processed approximately 40.5 million tax returns (approximately 31 percent of all individual tax returns filed) and issued 35.4 million refunds totaling about $65.6 billion. 

Account Management Services

The Account Management Services system provides IRS employees with the tools to access information quickly and accurately in response to complex customer inquiries.  The Account Management Services Release 2.1 final milestone was completed in February 2010 and provided all users the ability to view correspondence images online and on demand.  From its February deployment through April 2010, Release 2.1 processed 141,659 correspondence image view requests. 

Modernized e-File

The MeF system streamlines tax return filing processes and reduces the costs associated with paper tax returns.  Returns submitted through the MeF system have an average 7 percent processing error rate, compared to 19 percent for transcription-based paper processing.  The MeF system offers 100 percent data capture that is available to IRS customer service representatives online and in real time.

The IRS first introduced the MeF system in February 2004 for business taxpayers.  The IRS has expanded the MeF system to include excise and partnership tax returns, and MeF Release 6.1 included the first U.S. Individual Income Tax Returns (Forms 1040).  On February 17, 2010, the MeF system began accepting transmissions of the Forms 1040 and 22 related individual forms and schedules filed during the 2010 Filing Season.  As of May 29, 2010, the IRS successfully accepted approximately 697,000 individual tax returns transmitted through the MeF system for processing, in addition to the 4.7 million corporate, partnership, and exempt organization returns and forms accepted. 

Future releases of the MeF will include tax law changes, hardware installation for full Form 1040 implementation, full disaster recovery capability, and the remaining Form 1040 related forms (approximately 120). 

Appendix VII presents the BSM Program project accomplishments during the past year.

Additional modernized systems and applications

Additional modernization accomplishments not specifically related to the BSM Program include:

·         Enhancements to the Excise Files Information Retrieval System.

·         Implementation of the American Recovery and Reinvestment Act of 2009 (Recovery Act)[7] provisions for the Health Coverage Tax Credit.

·         Consideration to continue development of the My IRS Account online application.

·         Development of the Federal Student Aid – Data Share project.

Modernization and Information Technology Services organization realignment

The Modernization and Information Technology Services organization realigned some program management responsibilities affecting the modernization efforts.  The realignment included placing the Modernization Vision and Strategy office under the Strategy and Capital Planning office.  The mission of the Strategy and Capital Planning office is to provide investment management services to help ensure value-added information technology products and services, ensure fidelity to investment principles, and fulfill legislative and oversight requirements.  The Strategy and Capital Planning office focuses on IRS-wide information technology strategy and capital planning and investment controls. 

A Pre-Select phase has been developed to establish alignment between strategic priorities of the IRS and the information technology investments approach.

In addition, to improve investment decisions and achieve efficiencies in the investment selection process, the Strategy and Capital Planning office developed the Pre-Select phase.  The Case for Action document initiates the business investment proposal through the Pre-Select phase.  Previously, executive consideration and approval of information technology investments was based on very detailed solution concept descriptions and cost estimations.  To alleviate some of the effort relating to information technology investment planning and decision making and to ensure strategic alignment of the investments, the Strategy and Capital Planning office added the Pre-Select phase, which was based upon the use of a business case.

Relative to responding to program needs, the IRS Oversight Board noted that the need for the IRS to modernize its information technology systems becomes even greater if it is to effectively manage additional administrative responsibilities being added.  The tax code is being used to deliver economic benefits to taxpayers, including efforts for economic relief, to stimulate the automotive and housing market, to deliver unemployment and health insurance assistance to unemployed taxpayers, and to broadly stimulate the economy.  Further, with the recent passage of health care legislation, more responsibilities are being placed on the IRS to become more of a program administrator.

Process improvement activities

The Modernization and Information Technology Services organization is currently taking steps to implement the Software Engineering Institute’s Capability Maturity Model® Integration (CMMI).  CMMI is a process improvement maturity model for the development of products and services.  CMMI can be used to guide process improvement across a project, a division, or an entire organization.  The Modernization and Information Technology Services organization goal is to achieve CMMI Level 3, which shows the organization tailors its work products, measures, and other process improvement information to the organizational process assets.  The objective of the IRS’ CMMI focus is to:

·         Produce quality products or services.

·         Create value for the business stakeholders.

·         Enhance customer satisfaction.

·         Gain an industry-wide recognition for excellence.

The Business Systems Modernization Program Is Being Revised to Deliver Improved Capabilities Sooner

TIGTA’s September 2009 Annual Assessment of the BSM Program reported that the immediate challenge recognized by the IRS is the future of the CADE system, the acknowledged centerpiece throughout the life of the BSM Program.  Currently, the CADE system operates concurrently with Individual Master File processing.  This requires that work must be done across the two environments, increasing the complexity of the filing season and resulting in a greater risk for errors in processing taxpayer account information.  In addition, concerns about the increasing complexities and questions of scalability with the existing system led to the development of the new strategy.

In August 2008, the IRS Commissioner established the Modernized Taxpayer Account Program Integration Office to manage the transition of taxpayer account processing to the newly refocused plan for a new modernized environment (now referred to as the CADE 2).  The CADE 2 Strategy for improving individual taxpayer account processing involves three phases:

  • Transition State 1 will modify the Individual Master File to run daily (currently individual taxpayer accounts are processed on a weekly basis) and establish a new relational database to store all individual taxpayer account information.  The IRS plans to implement Transition State 1 in January 2012.
  • Transition State 2 will use a single set of applications and address previously identified financial material weaknesses.  The IRS plans to implement Transition State 2 in January 2014.
  • Target State will consist of a single system using elements of the Individual Master File and the current CADE system and will eliminate all transitional applications such as those used to link the current CADE system, the Individual Master File, and the Integrated Data Retrieval System.  The IRS is performing additional analysis to establish an estimated date for the Target State to be implemented.

Upon completion of the CADE 2 program, individual tax account processing applications will access and update taxpayer data using the new relational database.  The relational database will be the single system of record for all individual taxpayer accounts.  Accounts will be updated and settled within 24 hours to 48 hours, and subsequently synchronized with other systems.  The system will provide financial management services for all individual taxpayer accounts and mechanisms will be in place to ensure data privacy and integrity.  Achievement of the proposed CADE 2 program capabilities will also reduce or eliminate the financial material weakness and will enhance security over taxpayer data.

To enable the successful implementation of the new CADE 2 Strategy, the Program Integration Office must effectively manage the risks it has identified.  The Program Integration Office, working in conjunction with the IRS business owners, has identified risks that must be managed to allow the success of the new CADE 2 Strategy.  The Program Integration Office has prepared management strategies for each high-level risk.  Following are some challenges that we believe the Program Integration Office must address to effectively manage these risks.

  • Ensuring support for the modernization efforts from other critical IRS organizations.
  • Implementing a governance structure for the Program Integration Office to provide oversight and direction for the implementation of the new CADE 2 Strategy.
  • Employing enough competent technical resources to modify the Individual Master File and current CADE programs, while continuing to keep the current system operating.
  • Developing a strategy for addressing potential questions and concerns by Congress, the IRS Oversight Board, and other stakeholder groups about the refocused BSM Program plans and transitional activities.
  • Developing contingency plans in the event that the new CADE 2 Strategy cannot be fully implemented.

Successful completion of the new CADE 2 Strategy will require a long-term commitment from both current and future IRS executives to maintain the modernization direction and goals.  Past attempts by the IRS to modernize its computer systems have been affected by changes introduced by new senior level executives.  While some changes are inevitable due to evolving technologies and changing environments, consistency in BSM Program direction and goals is critical for successful completion. 

Delivering Planned Capabilities Is a Continuing Challenge for Modernization Efforts

The BSM Program has continued to help improve IRS operations and is refocusing its efforts to improve business practices with new information technology solutions.  However, project development activities have not always effectively implemented planned processes or delivered all planned system capabilities to achieve the BSM Program expectations.  Management of the project costs and schedule has improved since the previous year, but requirements development and management continues to need attention.  Further, resolution has not yet been completely achieved for security vulnerabilities affecting the CADE and MeF systems.

BSM Program cost and schedule management

In our 2009 assessment of the BSM Program,[8] we reported that 5 (29 percent) of the 17 project milestones scheduled for completion were significantly over cost estimates.  These projects were between 30 percent and 375 percent over budget.  In addition, 3 (18 percent) of 17 milestones were significantly behind schedule.  These projects were between 15 percent and 54 percent behind schedule.  IRS management subsequently informed us that the variances were revised in July 2009 to reflect changes in the baseline figures used to compute the variances.

In the past year, progress has been made as project releases delivered after May 2009 and currently in progress were delivered on or within the accepted 10 percent variance in schedule.  However, 3 projects experienced cost variances in excess of the accepted plus or minus 10 percent variance.

  • Account Management Services Release 2.1 (Milestone 5) – The IRS reported it spent $699,000 less than planned (negative 64 percent variance) because deployment activities were significantly less than originally planned.
  • CADE Release 5.2 (Milestone 4b) – The IRS reported it spent $2,635,000 less than planned (negative 12 percent variance) because the costs for development, test, and integration activities were less than originally planned.
  • MeF Release 6.1 (Milestones 4a through 5) – The project experienced a 73 percent cost variance.  The IRS reported that the MeF Project required a net realignment of $29.1 million from Release 7 to 6.1 to support unplanned and required needs, including disaster recovery preparation and testing, the integration of processing and access with other applications and external users, and expanded hardware needs.  This realignment was properly documented, controlled, and approved through the Submission Processing Executive Steering Committee.

Appendix VI presents the cost and schedule variance for BSM Program project releases delivered from June 2009 through May 2010 and currently in progress.

Requirements development and management continues to need attention

During the past year, the TIGTA reported on the adequacy of the development and management of BSM Program and other modernization project requirements.  These issues included the adequacy of controls for managing the development of requirements and the documentation and control over requirements testing and traceability.  These issues were present in two BSM Program reports on the MeF Program and four reports on non-BSM Program modernization projects.

  • MeF In our report on the development of MeF Release 6.1,[9] the TIGTA reported that the System Integration and Test End of Test Completion Report showed that the test results were not traced to the requirements and that the MeF system did not execute all of the requirements as expected.  In a prior TIGTA audit report entitled The Modernized e-File Project Can Improve Its Management of Requirements,[10] we recommended Project Teams follow the Enterprise Life Cycle[11] provisions for managing requirements by ensuring planned capabilities were developed by tracing release requirements in the System Requirements Report to the requirements traceability verification matrices.  In addition, we recommended the Project Team document implementation of all requirements throughout the project life cycle in the System Requirements Report.  The lack of consistent information regarding the effective execution of application requirements could affect the ability of the MeF system to perform the expected capabilities.

A second MeF report (this one on the post-implementation results of MeF Release 6.1)[12] identified that individual tax returns were erroneously rejected from the MeF system.  The report stated that the IRS anticipated processing 9.3 million tax returns through its MeF system as of April 15, 2010.  However, delays in deploying the MeF system for individual tax returns and subsequent problems with the application reduced the number of tax returns processed to only 752,320 (8.1 percent of expected volume).

  • Excise Files Information Retrieval System The IRS developed the Excise Files Information Retrieval System to improve motor fuel excise tax compliance and identify potential noncompliant taxpayers to reduce fraud.  The TIGTA reported that changing system requirements resulted in increased costs and schedule delays.  The Excise Files Information Retrieval System Project Team began a modernization upgrade of two of its six subsystems based on a recommendation from a study conducted by the Unisys Corporation.  Subsequently, Small Business/Self-Employed Division Excise Tax Program personnel recommended that consideration be given to moving the two subsystems to a new platform.  The Unisys Corporation stated in its report that insufficient information and time were available to complete a detailed study of the new platform.

The IRS hired the MITRE Corporation to conduct a study to determine whether the new platform was better.  The MITRE Corporation study concluded that both platforms technically met the user requirements, but stated that Small Business/Self-Employed Division Excise Tax Program personnel were skeptical that the platform recommended by the Unisys Corporation could support their processes.  Finally, IRS executives approved the migration of the two subsystems to the new platform.  The indecision in assessing the user requirements to upgrade the subsystems resulted in increased costs of almost $2.8 million and delayed implementation of the first phase of the Excise Files Information Retrieval System Project modernization by 1 year.

  • My IRS Account The first release of the My IRS Account project, which would allow taxpayers to view their tax account information online, was developed and near deployment when the IRS decided to terminate the project.  The IRS Strategic Plan for 2009-2013 was presented at the same time the My IRS Account project was being readied for deployment, and IRS executives decided to reexamine the project for its ability to meet both taxpayer and IRS strategic needs and requirements.  As a result of not fully managing the project’s requirements and development of a long-term strategy for the My IRS Account project or other online projects, the IRS approved the termination of the My IRS Account project near the project’s scheduled deployment date.  This decision occurred after 32 months of development and the expenditure of approximately $10 million to build My IRS Account Release 1.
  • Health Coverage Tax Credit The IRS implemented mandated provisions to the Health Coverage Tax Credit Program and upgraded the capacity of the Health Coverage Tax Credit system used to manage the health care claims and payments.  However, the requirements traceability matrix for Health Coverage Tax Credit Release 9 was not all inclusive and needed further development.  Without complete traceability, the IRS could not ensure adequate development of requirements and tracing, potentially resulting in requirements not being satisfied.  Missing or invalid requirements could jeopardize the IRS’ ability to deliver health insurance benefits to taxpayers and its ability to identify noncompliance with mandated Health Coverage Tax Credit legislation.
  • Federal Student Aid Datashare Application The Federal Student Aid Datashare application provides a web-based method for taxpayers to complete the Department of Education’s Free Application for Federal Student Aid.  Instead of manually entering their tax return information on the application form, taxpayers can now automatically transfer their tax return data to the application form.  While the IRS successfully developed and deployed the Federal Student Aid Datashare application on January 28, 2010, some system development processes needed improvement.  Specifically, controls over requirements management needed strengthening to ensure test cases and requirement documents were fully developed, test results should be documented timely and consistently and in a manner that minimizes the potential for manipulation, and project team meetings should be documented to ensure significant decisions and followup action items are tracked and timely completed.

Resolution of security vulnerabilities with BSM systems has not been achieved

In the past year, the TIGTA performed followup work relating to known CADE and MeF system security vulnerabilities.  We identified that the IRS Cybersecurity organization does not monitor system owners’ compliance with IRS policy to track all system vulnerabilities in the Plan of Action and Milestones lists.  Further, it does not monitor system owners’ compliance with IRS policy to verify that weaknesses are corrected before reporting them as resolved on the Plan of Action and Milestones list.  We reported about the management of security weaknesses affecting the CADE and MeF systems:

  • CADE The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities[13] and has fully resolved 10 of them.  The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy.  Further, we found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones list before effective corrective actions were taken.  Three of these six vulnerabilities were not fully resolved as of the date of our review.

We observed that inadequate monitoring of vulnerabilities in the Plan of Action and Milestones list and premature reporting of vulnerabilities as resolved may decrease managerial attention to unresolved problems, prevent allocation of resources required to fix problems, and lead to delays in correcting vulnerabilities.  Inaccurate Plan of Action and Milestones list information prevents the Office of Management and Budget from obtaining an accurate status of the IRS’ security weaknesses.

  • MeF There were 13 MeF system security vulnerabilities identified as part of the IRS Cybersecurity MeF Release 4 Security Risk Assessment, dated April 23, 2007.  These security vulnerabilities were also reported in a prior TIGTA report entitled The Internal Revenue Service Deployed the Modernized e-File System With Known Security Vulnerabilities.[14]  In our report on the development of MeF Release 6.1,[15] we related our analysis of the vulnerabilities and found the resolution activity was not always adequately controlled or monitored.  The January 2010 Security Test and Evaluation reports show that only 2 of the 13 security MeF system vulnerabilities were actually resolved.  The Security Test and Evaluation also identified two failed security controls that were not previously reported as system security weaknesses.  The failed controls involved user access limitations and configuration of audit trail record storage capacity.

We observed that without proper controls to monitor and resolve the MeF system security vulnerabilities and findings, unauthorized access to taxpayer information would continue to be available and possibly go undetected.  Consequently, the confidentiality, integrity, and availability of the taxpayer records maintained by the MeF system could be affected.  Also, weak supervision and review of user activities increases the opportunity for a user to perform undesirable actions that could go undetected by organization officials.

We recommended that the Chief Technology Officer ensure that the Cybersecurity organization complete implementation of the process to ensure that system owners comply with IRS policy to enter and track all system security weaknesses in IRS control systems (this should include all MeF system security issues).  The security weaknesses should be monitored and tracked to resolution in either the Plan of Action and Milestones or the Item Tracking Reporting and Control System.  The IRS agreed with our recommendation.  The Cybersecurity office responded that it has made continuous improvements to the Plan of Action and Milestones process and considers the process complete and implemented as of March 2010.

In addition to the above issues, we have reported that the IRS continues to face difficulties in capturing, storing, and reviewing audit trail information on many systems, including both the CADE and MeF.  Similarly, the Government Accountability Office reported that information security weaknesses continue to affect the IRS’ modernization environment.  They reported that the IRS continues to have weaknesses in information security controls.  While the IRS reported that it had corrected about 40 percent of previously reported weaknesses, the Government Accountability Office found that the IRS had not fully implemented the remedial actions it had reported for at least a third of those that it considered corrected.

Appendix IX presents a synopsis of the findings, recommendations, and IRS corrective actions for TIGTA reports issued from June 2009 through July 2010.

Effective Management of Persistent Project Development Activity Problems Is Necessary for Success of the Modernization Program

Since November 2001, the TIGTA has reported nine assessments on annual accomplishments and activities of the BSM Program.  Although the BSM Program has made improvements in business practices with information technology solutions, the development activities experienced difficulties in the process (Appendix X presents a synopsis of the issues reported in each of the nine TIGTA annual assessments of the BSM Program).  In developing the annual assessments, the TIGTA formulated four primary challenges the IRS must overcome to be successful:

1.      Implement planned improvements in key management processes and commit necessary resources to enable success.

2.      Manage the increasing complexity and risks of the BSM Program.

3.      Maintain the continuity of strategic direction with experienced leadership.

4.      Ensure contractor performance and accountability is effectively managed.

The BSM Program made progress in overcoming aspects of these challenges since their formulation in September 2002 and September 2003.  However, some elements of the challenges and project development activities persistently present barriers to success.

With respect to the first challenge, improvements to key processes, a major issue reported repeatedly in these annual assessment reports is the ability to manage project requirements.  This is a major issue again in this year’s assessment.

Managing the increasing complexity and risks of the BSM Program is a current challenge in the form of the new strategy to Manage Taxpayer Accounts through the CADE 2 system.  Along with the management of this new strategy and the ability to achieve a successful solution through the CADE 2 system is the future planning and strategy for integrating downstream systems.  This integration will provide the ability to enhance business practices to meet goals for better customer service and improved tax compliance.

The BSM Program has previously experienced significant and frequent turnover of high-level IRS and Modernization Program executives.  Although this year’s executive cadre has been stable, executive changes make program continuity a challenge to achieving long-term program success.

Lastly, managing contractor performance has been less of an issue since the IRS assumed the BSM Program integrator role in January 2005.  However, identifying and timely employing contractors continues to present a challenge to the IRS.  This challenge includes the ability to ensure appropriate security controls are timely and completely implemented in employing contracted personnel.

The IRS is at a key point in its BSM Program with the demands for achieving success for the “Pillars of Modernization.”  The TIGTA continues to take the position that these four challenges still need to be met to achieve program success.  We are encouraged by the actions planned and taken to refocus the BSM Program, especially related to the CADE 2 program activities.  When successful, the CADE 2 program will provide a significant boost to the IRS’ ability to move away from its antiquated tax return processing systems and provide improved service to taxpayers.  However, there are significant risks involved in retooling the entire BSM Program and the use of techniques and processes new to the IRS.  Consequently, we believe the IRS should continue to consider the overall BSM Program as a material weakness until it can successfully demonstrate that the CADE 2 system can operate securely and effectively.

Management’s Response:  The Chief Technology Officer responded that the IRS was pleased to read the TIGTA’s comments and observations that the BSM Program has continued to provide new information technology capabilities and related benefits to the IRS and taxpayers.  The Chief Technology Officer acknowledged the IRS was at a key point in the BSM effort and believes it is on its way to successfully demonstrate that the CADE 2 can operate effectively.  The Chief Technology Officer also related that the IRS is committed to continuously improving its technology systems and process.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to assess the progress of the IRS BSM Program since June 2009 as required by the IRS Restructuring and Reform Act of 1998.[16]  To accomplish this objective, we:

I.                   Determined the current condition of the BSM Program.

A.    Reviewed various TIGTA audit reports issued from June 2009 through July 2010,[17] and the TIGTA’s eight previous BSM Program annual assessment reports (issued in Fiscal Years 2002 2009).[18]

B.     Reviewed IRS Oversight Board[19] reports on the BSM Program for Fiscal Year 2010.

C.     Reviewed Government Accountability Office reports relevant to BSM Program activities for Fiscal Year 2010.

D.    Identified the TIGTA audit recommendations with incomplete IRS corrective actions related to the BSM Program material weakness.

II.                Determined the status and condition of the BSM Program reported by the IRS by reviewing documentation related to:

A.    The Chief Technology Officer’s material weaknesses, corrective actions, and status.

B.     The IRS Information Technology Modernization Vision and Strategy.

C.     The November 2009 Business Systems Modernization Fiscal Year 2009 and 2010 Expenditure Plan and BSM Monthly Performance Measures Reports to analyze cost, schedule, and capability status and accomplishments.  We did not validate the information provided by the IRS on the cost, scope, and business value of the BSM Program.  We analyzed these documents to:

1.      Determine overall variances between planned and actual costs and schedules and obtain reasons for significant variances.

2.      Determine the extent planned capabilities were delivered as proposed in the November 2009 Business Systems Modernization Fiscal Year 2009 and 2010 Expenditure Plan.

D.    The April 2010 IRS Modernization Has Delivered Real Business Value status report to provide perspective on Business System Modernization Program developments used in IRS operations.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We did not evaluate internal controls as part of this review because doing so was not necessary to satisfy our review objective.

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Scott A. Macfarlane, Director

Edward A. Neuwirth, Audit Manager

Stasha S. Smith, Senior Auditor

Beverly K. Tamanaha, Senior Auditor

Louis V. Zullo, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief, Agency-Wide Shared Services  OS:A

Chief Information Officer  OS:CTO:CIO

Associate Chief Information Officer, Applications Development  OS:CTO:AD

Associate Chief Information Officer, Enterprise Services  OS:CTO:ES

Associate Chief Information Officer, Strategy and Planning  OS:CTO:SP

Deputy Associate Chief Information Officer, Applications Development  OS:CTO:AD

Deputy Associate Chief Information Officer, Business Integration  OS:CTO:ES:BI

Deputy Associate Chief Information Officer, Systems Integration  OS:CTO:ES:SI

Director, Procurement  OS:A:P

Director, Risk Management  OS:CTO:SP:RM

Director, Strategy and Capital Planning  OS:CTO:SP:CP

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Associate Chief Information Officer, Applications Development  OS:CTO:AD

Associate Chief Information Officer, Enterprise Services  OS:CTO:ES

Director, Procurement  OS:A:P

Director, Program Oversight  OS:CTO:SM:PO

 

Appendix IV

 

Enterprise Life Cycle Overview

 

The Enterprise Life Cycle[20] is the IRS’ standard approach to business change and information systems initiatives.  It is a collection of program and project management best practices designed to manage business change in a successful and repeatable manner.  The Enterprise Life Cycle addresses large and small projects developed internally and by contractors.

The Enterprise Life Cycle includes such requirements as:

·         Development of and conformance to an enterprise architecture.

·         Improving business processes prior to automation.

·         Use of prototyping and commercial software, where possible.

·         Obtaining early benefit by implementing solutions in multiple releases.

·         Financial justification, budgeting, and reporting of project status.

In addition, the Enterprise Life Cycle improves the IRS’ ability to manage changes to the enterprise; estimate the cost of changes; and engineer, develop, and maintain systems effectively. 

Figure 1 provides an overview of the phases and milestones within the Enterprise Life Cycle.  A phase is a broad segment of work encompassing activities of similar scope, nature, and detail and providing a natural breakpoint in the life cycle.  Each phase begins with a kickoff meeting and ends with an executive management decision point (milestone), at which IRS executives make “go/no-go” decisions for continuation of a project.  Project funding decisions are often associated with milestones.

Figure 1:  Enterprise Life Cycle Phases and Milestones

Phase

General Nature of Work

Milestone

Vision and Strategy/
Enterprise Architecture Phase

High-level direction setting.  This is the only phase for enterprise planning projects.

0

Project Initiation Phase

Startup of development projects.

1

Domain Architecture Phase

Specification of the operating concept, requirements, and structure of the solution. 

2

Preliminary Design Phase

Preliminary design of all solution components.

3

Detailed Design Phase

Detailed design of solution components.

4A

System Development Phase

Coding, integration, testing, and certification of solutions.

4B

System Deployment Phase

Expanding availability of the solution to all target users.  This is usually the last phase for development projects.

5

Operations and Maintenance Phase

Ongoing management of operational systems.

System Retirement

Source:  The Enterprise Life Cycle Guide.

 

Appendix V

 

Business Systems Modernization Program Funding

 

Figure 1 presents the cumulative funding received by the BSM Program for contractor costs.

Figure 1:  BSM Program Funding Timeline
(dollars are cumulative)

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

 

* The Fiscal Year 2011 amount has not yet been appropriated.  The amount is from the President’s Fiscal Year 2011 Budget Request and includes an estimated $70 million to fund associated IRS labor costs.

 

Figure 2 presents the funding received annually by the BSM Program for program management and development of business and infrastructure projects.

Figure 2:  BSM Program Funding by Fiscal Year

Figure 2 was removed due to its size.  To see Figure 2, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

 

* The Fiscal Year 2011 amount has not yet been appropriated.  The amount is from the President’s Fiscal Year 2011 Budget Request to fund associated IRS labor costs.

Figure 3 presents the cumulative funding received by the BSM Program for non-contractor costs of managing BSM Program activities. 

Figure 3:  Non-contractor BSM Program Funding Timeline
by Fiscal Year (dollars are cumulative)

Figure 3 was removed due to its size.  To see Figure 3, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

 

* The Fiscal Year 2011 amount has not yet been appropriated.  The amount is from the President’s Fiscal Year 2011 Budget Request.

Figure 4 presents the funding received annually by the BSM Program for non-contractor costs of managing Program activities.

Figure 4:  Non-contractor BSM Program Costs by Fiscal Year

Figure 4 was removed due to its size.  To see Figure 4, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

 

* The Fiscal Year 2011 amount has not yet been appropriated.  The amount is from the President’s Fiscal Year 2011 Budget Request.

 

Figure 5 depicts the cumulative $3.7 billion in BSM Program funding for non-contractor and external (contractor) costs to manage BSM Program activities through Fiscal Year 2011.

Figure 5:  Cumulative Internal and External BSM Program Costs (in millions)

Figure 5 was removed due to its size.  To see Figure 5, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

.

Figure 6 depicts the total $264 million in Fiscal Year 2010 BSM Program funding for
non-contractor and external (contractor) costs to manage BSM Program activities.

Figure 6:  Fiscal Year 2010 Internal and External BSM Program Costs (in millions)

Figure 6 was removed due to its size.  To see Figure 6, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

 

Figure 7 depicts the planned $387 million Fiscal Year 2011 BSM Program budget estimate for external (contractor) and internal (non-contractor) costs to manage BSM Program activities.

Figure 7:  Fiscal Year 2011 Internal and External BSM Program
Cost Estimates (in millions)

Figure 7 was removed due to its size.  To see Figure 7, please go to the Adobe PDF version of the report on the TIGTA Public Web Page. 

* These Fiscal Year 2011 amounts have not yet been appropriated.

 

Appendix VI

 

Project Cost and Schedule Variance Analysis

 

This table presents the cost and schedule variance for BSM Program project releases[21] delivered after May 2009 and currently in progress.  The statistics presented reflect the cost and schedule estimates of these projects at the time of their initial design.

Release

Current
Finish Date
(Planned)

Milestone[22]

Cost Variance (Dollars)

Cost Variance (Percentage)

Schedule Variance (Days)

Schedule Variance (Percentage)

CADE

5.2

January 15, 2010

4b

-$2,635,000

-12%

-9

-5%

6.2

(Jan 31, 2011)

4b

$0

0%

0

0%

CADE 2

Trans State 1

(April 30, 2011)

3-4a

$0

0%

0

0%

Account Management Services

2.1

August 5, 2009

4b

-$456,000

-10%

0

0%

2.1

February 8, 2010

5

-$699,000

-64%

0

0%

MeF

6.1

May 25, 2010

4a-5

$29,100,000

73%

7

2%

6.2

(Sept 21, 2010)

3-4a

$0

0%

0

0%

7

(May 2, 2011)

3-4a

$0

0%

0

0%

Source:  IRS Strategy & Planning organization - Financial Management Services office, Business Systems Modernization Monthly
Performance Measures report, issued June 15, 2010.

 

Appendix VII

 

Business Systems Modernization Program
Project Accomplishments

 

Table 1 presents the BSM Program project accomplishments since our September 2009 annual assessment of the BSM Program.[23]

Table 1:  BSM Program Project Accomplishments

PROJECT

DESCRIPTION

RECENT STATISTICS

Account Management Services[24]

Account Management Services provides customer service representatives and tax examiners with the tools to access information quickly and accurately in response to complex customer inquiries in a modernized environment.  Technical advancements have provided users with the ability to view correspondence images online and on demand.

The Account Management Services Release 2.1 final milestone was completed on February 8, 2010, and provided all Account Management Services users the ability to view correspondence images online and on demand, eliminating users’ reliance on the manual processes to obtain copies of images.  Direct access to images via Account Management Services reduced the case cycle time from 10 to 14 days to zero.

As of April 2010, more than 141,659 correspondence image view requests have been processed since Release 2.1 was deployed. 

Current Customer Account Data Engine (CADE)

The current CADE system has provided a foundation for modernized systems.  It offers the IRS the capability to issue taxpayer refunds faster and the flexibility to respond more quickly to complex tax law and policy initiatives, which the existing Master File system cannot currently do easily or cost-effectively.

Current CADE Release 5.2 delivered Tax Year 2009 tax law changes affecting individual taxpayers and provided technical improvements to the infrastructure and availability of the current CADE system.

Release 5.2 was successfully deployed on
January 18, 2010.  As of May 31, 2010, the current CADE system posted 40.5 million returns and issued
35.4 million refunds totaling in excess of
$65.6 billion.

The CADE system processes refunds on an average of 5 days faster than Individual Master File processing.

Modernized e-File (MeF)

The MeF system provides the electronic filing capability of more than 23 individual tax forms and schedules (Form 1040 family) and more than 600 forms and schedules for large corporations and small businesses (Form 1120 family), tax-exempt organizations (Form 990 family), partnerships (Form 1065 family), and associated extension forms
(e.g., Form 7004).

The Business Master File component, including the entire infrastructure for MeF Release 6.1, deployed on January 7, 2010, and the Individual Master File component deployed on February 17, 2010.  As of May 8, 2010, more than 7 million returns (for both Business and Individual Master File) had been submitted and more than 5.4 million had been accepted.  Also as of that date, more than 20,800 mandated corporate and exempt organization returns had been received and more than 20,300 had been accepted.

Seventeen States now participate in the
MeF Fed-State program.  In 2009, these States received more than 599,000 returns through the MeF system.  As of May 8, 2010, more than 995,000 State returns have been received through the MeF system.

Returns submitted through the MeF system have an average 7 percent processing error rate, compared to
19 percent for transcription-based paper processing.  The MeF system offers 100 percent data capture that is available to IRS customer service representatives online and in real time.

Source:  IRS Applications Development organization – “Business Value Chart.”

 

Appendix VIII

 

Open Recommendations From Prior Year Reports Related to the Business Systems Modernization Program Material Weakness

 

Table 1 lists prior TIGTA audit recommendations related to the BSM Program material weakness[25] that still have open IRS corrective actions.

Table 1:  TIGTA Recommendations Related to the
BSM Program Material Weakness

The Modernization, Information Technology and Security Services Organization Needs to Take Further Action to Complete Its Human Capital Strategy (Reference Number 2003-20-209, dated September 22, 2003)

2003-20-209

Finding 1, Recommendation 1

To ensure the Modernization and Information Technology Services organization has sufficient data to determine human capital demands, the Chief Information Officer needs to support the Director, Management Services, to work with offices throughout the Modernization and Information Technology Services organization to identify the human capital demand.  The demand includes information to adequately plan the number, location, and assignment schedule of human capital assets for existing information systems and future Modernization and Information Technology Services organization operations.

Due Date:  December 31, 2010.

The BSM Program Has Achieved Mixed Success in Addressing Weaknesses Identified in Internal and External Studies (Reference Number 2006-20-003, dated November 21, 2005)

2006-20-003

Finding 1, Recommendation 2

To ensure study weaknesses and previous recommendations concerning change/configuration management are addressed, the Associate Chief Information Officer, Enterprise Services, should create an overall plan that includes defined tasks, responsible individuals, and estimated completion dates for implementing the standardized configuration management toolset.

Due Date:  December 31, 2010.

Source:  TIGTA audit reports issued from September 2003 through June 2009 and the Joint Audit Management Enterprise System.

 

Appendix IX

 

Recent Treasury Inspector General for
Tax Administration Reports on the Internal Revenue Service’s
Modernization Program

 

Table 1 lists TIGTA reports related to the IRS Modernization Program issued from June 2009 through July 2010 and the associated findings, recommendations, and IRS corrective actions.

Table 1:  Recent TIGTA Reports, Findings, and Corrective Actions

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Changing Excise Files Information Retrieval System Development Requirements Resulted in Increased Costs and Schedule Delays

2009-20-093

June 30, 2009

Finding 1:  Changing system requirements resulted in increased costs and schedule delays.

Recommendation:  The Chief Technology Officer should ensure that all future system redesign alternatives are adequately considered before final alternative selection.

IRS management agreed to reemphasize the importance and requirement of completing an alternatives analysis when making an alternative selection for new investments, with the involvement of the architecture and engineering organization.

Status:  Closed August 31, 2009.

Finding 2:  Processes for collecting and reporting system development costs need improvement.

Recommendation:  The Chief Technology Officer should ensure that the processes for collecting, computing, verifying, and reporting financial data are clearly understood and followed by Project Office personnel so that the information reported is accurate and can be relied upon when making project decisions.

IRS management agreed to review procedures and processes in place for collecting, computing, verifying, and reporting financial data and develop mechanisms to ensure accuracy when reporting the data.

Status:  Closed November 24, 2009.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Changing Strategies Led to the Termination of the My IRS Account[26] Project

2009-20-102

August 12, 2009

Finding 1:  The My IRS Account project was terminated prior to deployment.

Recommendation:  To facilitate a possible future deployment of the My IRS Account project, the Chief Technology Officer should work with the Commissioner, Wage and Investment Division, to complete a long-term strategy for the My IRS Account project.  If the project is restarted, the project should be quickly deployed in order for the IRS to realize the maximum benefit from its $10 million investment by reusing the hardware and functionality developed for the My IRS Account Release 1.

IRS management agreed with our recommendation.  The IRS is currently developing a comprehensive electronic strategy that will identify a set of electronic services for taxpayers, tax professionals, and other partners.  The My IRS Account project is among the electronic services being considered and, if it is determined the
My IRS Account project should be deployed, the IRS will address the components outlined in the recommendation to maximize potential taxpayer benefits.

Status:  Open.  Due Date is
October 15, 2010.

Finding 2:  An electronic authentication strategy and solution needs to be developed.

Recommendation:  The Chief Technology Officer should ensure that a strategy to develop and deploy an enterprise-wide
E-authentication solution is developed as quickly as possible to allow online projects that require secure access, such as the
My IRS Account project, to be deployed without experiencing similar costly delays. 

IRS management agreed with our recommendation.  The Office of Privacy, Information Protection and Data Strategy, will partner with both the Modernization and Information Technology Services and the Electronic Tax Administration organizations to develop a strategy for delivery and deployment of an enterprise-wide
E-authentication solution for all customer channels.

Status:  Closed February 12, 2010.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Changing Strategies Led to the Termination of the My IRS Account Project

2009-20-102

August 12, 2009

 

(continued)

Finding 3:  Formal project termination procedures need to be developed.

Recommendation:  The Chief Technology Officer should ensure formal project termination procedures are developed for information technology projects that are shut down prior to deployment.  At a minimum, these procedures should include a disposition plan addressing all facets of archiving, transferring, and disposing of the system and its data.

IRS management agreed with our recommendation.  The IRS has created a project shutdown guide for projects that are shut down prior to deployment.  The new guide was approved on May 14, 2009, and provides instructions for archiving, transferring, and disposing of a system and its data.

Status:  Closed August 25, 2009.

CADE
Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information

2009-20-100

August 28, 2009

Finding:  Further work is necessary to alleviate known CADE system security vulnerabilities.

Recommendation:  The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners a) appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones list and the Item Tracking Reporting and Control System, and
b) verify corrective actions are fully implemented before they are considered and reported as resolved.

The IRS agreed with our recommendation.  The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.

Status:  Closed July 1, 2010.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Reengineering Individual Tax Return Processing Requires Effective Risk Management

2010-20-001

December 7, 2009

Finding:  The Program Integration Office and the IRS business owners made significant progress, including the decision to integrate elements from both the existing Individual Master File and the current CADE system processes into a new CADE Strategy.  This report also noted that to foster success of the new CADE Strategy and the BSM Program, identified risks and challenges must be effectively addressed and managed, and a long-term commitment is needed by current and future executives.

Recommendation:  No recommendations were made.

No corrective actions were required because the report did not make any recommendations.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

MeF Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement

2010-20-041

May 26, 2010

Finding 1:  The MeF project team has not completely addressed previously reported requirements management and processing issues.

Recommendation:  The Chief Technology Officer should ensure that project releases are deployed only after all system requirements are tested and met and that test results are verified to ensure their completeness and accuracy.  If requirements are not met, defect reports should be prepared to allow for appropriate resolution by retesting or waiving the requirement prior to deployment.

The IRS did not agree with this recommendation.  One of the components in the Governance Layer of the Enterprise Life Cycle Framework is a Milestone Readiness Review.  This is an ongoing monitoring of a project’s progress toward satisfying exit conditions for the next Milestone Exit Review and results in a formal go/no-go recommendation to the Executive Steering Committee.  The Executive Steering Committee process provides the forum to discuss risk-based decisions prior to deployment of systems built and products delivered.

Status:  Rejected. 

Office of Audit Comment:  We acknowledge the controls the Milestone Readiness Review and the Executive Steering Committee provide and understand the role testing plays to ensure systems perform their intended functions accurately and reliably.  However, with the significant number of failed tests reported and the subsequent problems with rejected individual income tax returns filed, we question whether the Executive Steering Committee had sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1. 
As such, we continue to believe our recommendation to ensure that all system requirements are tested and met and results verified prior to deployment is valid and should be considered by the IRS.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

MeF Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement

2010-20-041

May 26, 2010

(continued)

Finding 2:  The MeF project team generally followed established systems development processes, but can improve its management of requirements and risks.

Recommendation:  The Chief Technology Officer should modify the Enterprise Life Cycle guidance to require consideration of prior Lessons Learned Reports as part of the Project Initiation and Phase Kickoff Meeting Procedure in the early milestone planning stages.

The IRS concurred with this recommendation.  The IRS will incorporate updates to the Project Initiation and Phase Kickoff Meeting Process Description and Procedure.

Status:  Open.  Due Date is
October 1, 2010.

(Finding 2 continued)

Recommendation:  The Chief Technology Officer should use the Risk Identification Procedure as an input to the Enterprise Life Cycle’s Project Initiation and Phase Kickoff Meeting Procedure.

The IRS concurred with this recommendation.  The IRS will incorporate updates to the Project Initiation and Phase Kickoff Meeting Process Description and Procedure.

Status:  Open.  Due Date is
October 1, 2010.

Finding 3:  MeF system security issues were not adequately controlled or resolved.

Recommendation:  The Chief Technology Officer should ensure that the Cybersecurity organization will complete implementation of the process to ensure that system owners comply with IRS policy to enter and track all system security weaknesses in IRS control systems.  This should include all MeF system security issues and it should be ensured they are monitored and tracked to resolution in either the Plan of Action and Milestones or the Item Tracking Reporting and Control System.

The IRS agreed with this recommendation.  The Cybersecurity office responded that it has made continuous improvements to the Plan of Action and Milestones process in recent years and now considers the process complete and implemented as of
March 25, 2010.

Status:  Closed March 25, 2010.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Recovery Act Provisions for the Health Coverage Tax Credit Were Implemented, but Development Processes Could Be Improved

2010-21-057

May 25, 2010

Finding 1:  Requirements Management processes need improvement.

Recommendation:  The Commissioner, Wage and Investment Division, should ensure that, for ongoing and future system upgrades, the Health Coverage Tax Credit Program Office completes full traceability on the requirements traceability matrix, including mapping of all requirements to high-level requirements and tracing to the final product requirements.  These include changes, source codes, and any manual referencing accomplished.

IRS management agreed with this recommendation, but noted since it outlines existing standard processes they have already addressed it.  They stated they completed the Release 9.0 requirements traceability matrix on August 19, 2009, following system implementation per the standard process.  The requirements traceability report contains some requirements that do not call for mapping to test cases or build requirements.

Status:  Closed May 25, 2010.

Office of Audit Comment:  The IRS noted that corrective action was accomplished during the review.  However, documentation supporting the corrective action was not provided to the TIGTA during the review, so the TIGTA was unable to validate the actions taken.  As a result, corrective action will be validated during the subsequent review of the Health Coverage Tax Credit Program Office (Audit Number 201020101).

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Recovery Act Provisions for the Health Coverage Tax Credit Were Implemented, but Development Processes Could Be Improved

2010-21-057

May 25, 2010

(continued)

Finding 2:  The Configuration Management process needs strengthening.

Recommendation:  The Commissioner, Wage and Investment Division, should ensure that, for ongoing and future releases, the Health Coverage Tax Credit Program Office updates the Configuration Management Plan to include procedures to verify all configuration changes are properly documented and tracked.

IRS management agreed with this recommendation, but noted they have already addressed it.  They stated many standard configuration management processes were in place at the time of this review, and they document all change requests in a change control log during the development phase as part of their standard process.  Other comments included that the Configuration Management Plan was updated January 29, 2010, to include a clear differentiation of how change requests are managed during development, maintenance, and operations.

Status:  Closed May 25, 2010.

Office of Audit Comment:  The IRS noted that corrective action was accomplished during the review.  However, documentation supporting the corrective action was not provided to the TIGTA during the review, so the TIGTA was unable to validate the actions taken.  As a result, corrective action will be validated during the subsequent review of the Health Coverage Tax Credit Program Office (Audit Number 201020101).

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Recovery Act Provisions for the Health Coverage Tax Credit Were Implemented, but Development Processes Could Be Improved

2010-21-057

May 25, 2010

(continued)

Finding 3:  Testing Practices Need Improvement.

Recommendation:  The Commissioner, Wage and Investment Division, should ensure the Health Coverage Tax Credit Program Office performs an in-depth analysis of test plans prior to beginning each program release for elimination of previously tested requirements and, in the event a test case is erroneously included, completes the Test Case Waiver and Deferral form for approving its removal.

IRS management agreed with this recommendation, but noted they have already addressed it.  They stated they implemented the corrective actions with Release 10.0.  The management response also noted that the IRS had vigorous testing processes at the time of this review and completed the implementation of the waiver and deferral process, peer review of test cases, and removal of test cases from test plans that were no longer applicable.  As these processes existed, or were created for Release 10.0, they are part of the IRS’ standard procedures.

Status:  Closed May 25, 2010.

Office of Audit Comment:  The IRS noted that corrective action was accomplished during the review.  However, documentation supporting the corrective action was not provided to the TIGTA during the review, so the TIGTA was unable to validate the actions taken.  As a result, corrective action will be validated during the subsequent review of the Health Coverage Tax Credit Program Office (Audit Number 201020101).

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Recovery Act Provisions for the Health Coverage Tax Credit Were Implemented, but Development Processes Could Be Improved

2010-21-057

May 25, 2010

(continued)

Finding 4:  Performance Measures Targets Should Be Updated Using Current Estimates.

Recommendation:  The Commissioner, Wage and Investment Division, should ensure the Health Coverage Tax Credit Program Office uses current Fiscal
Year 2010 data to develop performance measures targets for Fiscal Year 2011.  In addition, applicable current fiscal year data should be used when developing performance measures targets for future years to ensure
accurate representation of the Health Coverage Tax Credit Program’s effectiveness.

Although the IRS acknowledges that new performance measures targets should be established for Fiscal Year 2011, it does not agree that the inability to estimate targets diminishes its ability to measure outcomes or demonstrate Health Coverage Tax Credit Program effectiveness.  The IRS intends to baseline several of the performance measures targets using Fiscal Year 2010 data in order to develop new targets in
Fiscal Year 2011.

In Fiscal Year 2009, the IRS obtained agreement from the Wage and Investment Division and the Department of the Treasury that Fiscal Year 2010 would be a baseline year for many of the performance measures targets.  Many of the Health Coverage Tax Credit measures are based on workload and enrollee volumes, which fluctuated widely due to the uncertain nature of the expanded Health Coverage Tax Credit population.  The Health Coverage Tax Credit Program Office collects up-to-date information monthly and shares the results with Program leadership, Wage and Investment Division Senior Leadership, and the Department of the Treasury.

Status:  Open.  Due Date is
November 15, 2010.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Recovery Act Provisions for the Health Coverage Tax Credit Were Implemented, but Development Processes Could Be Improved

2010-21-057

May 25, 2010

(continued)

Finding 4 continued.

Office of Audit Comment:  The audit recommendation is intended to ensure the Health Coverage Tax Credit Program Office uses current Fiscal Year 2010 data to develop performance measures targets for Fiscal Year 2011, which would provide better performance measures.  Since the final Fiscal Year 2009 results included one performance measure (Customer Service Representative Level of Service) that did not meet the Fiscal Year 2009 performance measures targets for the Health Coverage Tax Credit Program, the TIGTA questions whether the IRS had sufficient and timely information to develop accurate performance measures targets with which to make risk-based decisions in the Health Coverage Tax Credit Program.  Updating performance measures targets provides complete historical information needed for accurate rebaselining.

The IRS Is Improving Management Controls for Information Technology Strategic Planning and Capital Investments

2010-20-064

July 9, 2010

Finding:  To comply with all aspects of the Clinger-Cohen Act, the Strategy and Capital Planning office should implement additional processes.

Recommendation:  To ensure compliance with the Clinger-Cohen Act, the Chief Technology Officer should require the Modernization and Information Technology Services organization to identify applications in the information technology inventory that share benefits and costs with other Federal agencies or State or local governments.

The IRS agreed with our recommendation.  The Strategy and Capital Planning office will work with other appropriate offices to develop an information technology inventory of Modernization and Information Technology Services applications that share benefits and costs with other Federal agencies or State or local governments.

Status:  Open.  Due Date is
December 1, 2010.

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

The IRS Is Improving Management Controls for Information Technology Strategic Planning and Capital Investments

2010-20-064

July 9. 2010

(continued)

Recommendation:  To ensure compliance with the Clinger-Cohen Act, the Chief Technology Officer should require the Modernization and Information Technology Services organization to establish a Capital Planning and Investment Control process that identifies information technology investments that share a benefit or cost with other Federal agencies or State or local governments.  This process should include the costs to provide the benefit, the costs to be reimbursed by other agencies or State or local governments, the role and responsibilities these agencies have in making decisions regarding the investment, how these agencies will be notified and impacted by changes to the investment, and whether the agencies have a point of contact to notify the IRS when the benefit being provided is no longer required.

The IRS agreed with our recommendation.  The Strategy and Capital Planning office will amend the Capital Planning and Investment Control process and guide documents to include the collection of all appropriate information relative to investments providing shared benefits.

Status:  Open.  Due Date is
April 1, 2011.

System Errors and Lower than Expected Tax Return Volumes Hinder the Internal Revenue Service’s Ability to Evaluate the Success of the Modernized e-File Individual Tax Return Processing

TIGTA Audit # 200940047

Draft Report Dated
July 13, 2010

Finding:  System errors and lower than expected tax return volumes affected the implementation of the MeF system and the ability to evaluate system performance.

Recommendation:  The Commissioner, Wage and Investment Division, should establish processes to timely monitor the transmission and processing of individual tax returns as tax returns are processed through the MeF system.  These processes should include an analysis of available tax return processing data to identify trends that may indicate errors in the rejection or acceptance of tax returns.  These processes should also include an analysis of the responses generated when a tax return is rejected to ensure the explanation provided is correct. 

 

System Errors and Lower than Expected Tax Return Volumes Hinder the Internal Revenue Service’s Ability to Evaluate the Success of the Modernized e-File Individual Tax Return Processing

TIGTA Audit # 200940047

Draft Report Dated
July 13, 2010

(continued)

Recommendation:  The Commissioner, Wage and Investment Division, should work with Tax Return Transmitters and States to identify and address concerns and/or conditions that prevented them from participating in the MeF system and encourage them to participate in the MeF system during the 2011 Filing Season.

 

The Federal Student Aid Datashare Application Was Successfully Deployed, but Improvements in Systems Development Disciplines Are Needed

TIGTA Audit # 200920031

Draft Report Dated
July 6, 2010

Finding:  Improvements Are Needed in Several Systems Development
Disciplines

Recommendation:  The Chief Technology Officer should ensure that the Test, Assurance, and Documentation System Acceptability Test team use consistent, documented processes to generate a traceability matrix linking each requirement to a test case.

 

Finding continued.

Recommendation:  The Chief Technology Officer should update Internal Revenue Manual 2.6.1, Test, Assurance, & Documentation Standards and Procedures, to state that System Acceptability Test results will be consistently recorded, documented, and verified during test execution.    

 

Report Title, Reference Number, and Date


Finding and Recommendation


Corrective Action

Additional Actions and Resources Are Needed to Resolve the Audit Trail Portion of the Computer Security Material Weakness

2010-20-082

Draft Report Dated
June 22, 2010

Report Redacted

 

 

Appendix X

 

Treasury Inspector General for
Tax Administration Assessments of the
Business Systems Modernization Program

 

Table 1 lists prior TIGTA assessments of the BSM Program issued since November 2001, along with the associated concerns within the reports presented.

Table 1:  Prior TIGTA Assessments and Issues Reported
About the BSM Program

BSM Project Teams Need to Follow Key Systems Development Processes (Reference Number 2002-20-025, dated November 16, 2001)

2002-20-025

 

November 16, 2001

 

Project teams did not follow all critical systems development processes to help projects meet objectives.  Specifically, strengthening and/or implementing aspects of the following key processes will increase the likelihood of BSM Program success:

          Requirements development (including Security requirements).

          Configuration management.

          Risk management.

          Accounting for IRS costs associated with BSM Program.

 


Annual Assessment of the Internal Revenue Service’s Business Systems Modernization Program
(Reference Number 2002-20-189, dated September 27, 2002)

2002-20-189

 

September 27, 2002

 

Although there will be many challenges ahead, we are guardedly optimistic about the future of the BSM Program, assuming the Modernization Office and PRIME contractor[27] effectively:

  1. Implement planned improvements in key management processes and commit necessary resources to enable success.  Resources need to be committed to ensure that process changes are implemented.  Without effective process change and defined accountability, the BSM Program could continue to experience cost increases and schedule delays, while delivering less than expected.  Because the needed process maturity has not yet been achieved, the Modernization Office and PRIME contractor have had to rely on the dedication and heroics of their employees to deliver the successes that have been achieved to date.
  2. Manage the increasing complexity and risks of the BSM Program.  Significant future risks include committing resources, implementing process changes, managing program complexity, and maintaining a consistent strategic direction.
  3. Maintain the continuity of strategic direction with experienced leadership.  Changes in the executive leadership of the BSM Program could affect the success of the modernization efforts.  It will be critical for the IRS to “stay the course” even in light of changes in the leadership of the organization.

 

Annual Assessment of the Business Systems Modernization Program (Reference Number 2003-20-208,
dated September 29, 2003)

2003-20-208

 

September 29, 2003

 

The following concerns were expressed in this report:

          Although the IRS refocused the Modernization Office on a smaller portfolio of existing key projects the past year, noncompliance with existing management processes (Testing and Cost and Schedule Estimation in particular) contributed to deferred capabilities, schedule delays, and cost increases.  The Modernization Office and the PRIME contractor have particularly struggled to develop adequate cost and schedule estimation techniques and have not fully implemented disciplined project testing processes and procedures.  Another contributing factor for the unachieved program goals is that the BSM Program has experienced significant leadership changes due to executive turnover.

          Not only do the three Program challenges we reported last year in 2002 continue to confront BSM Program efforts (and contributed to the problems encountered in Fiscal Year 2003), but we also believe the Modernization Office now is facing a 4th significant challenge, Contract Management.  Because of the continued problems confronting the BSM Program, oversight groups are starting to lose confidence in the PRIME contractor’s ability to meet its commitments in modernizing the IRS’ business systems and have raised concerns about future funding.  In light of this concern, effective contract management is becoming an increasingly important challenge that needs to be overcome.  Specifically, the Modernization Office must ensure PRIME contractor performance and accountability are effectively managed.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2004-20-107,
dated June 3, 2004)

2004-20-107

 

June 3, 2004

 

As we reported in previous annual assessments, BSM projects are still taking longer and costing more to deliver less than originally anticipated.

Independent assessments of the BSM Program from other outside experts resulted in
21 recommendations for improvement, 15 of which are similar to those made in TIGTA reports issued the past 3 years.  Since many of the prior TIGTA recommendations have resurfaced as part of the recent studies, we conclude that BSM weaknesses continue to exist and that the IRS and its contractors need to complete planned corrective actions to address the root causes identified.

Recent TIGTA reports continue to find significant areas for improvement, including Business Case Development, Requirements Management, Software Testing, Transition Planning, Business Continuity, Enterprise Architecture Compliance, and Contractor Qualifications.

Over the past 2 fiscal years, we cited 4 primary challenges the IRS and its contractors must overcome to be successful:

  1. Implement planned improvements in key management processes and commit necessary resources to enable success.
  2. Manage the increasing complexity and risks of the BSM Program.
  3. Maintain the continuity of strategic direction with experienced leadership.
  4. Ensure PRIME contractor performance and accountability are effectively managed. 

Based on the results of recent TIGTA audits, as well as the study findings, we believe these four challenges still need to be met to achieve program success.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2005-20-102,
dated August 10, 2005)

2005-20-102

 

August 10, 2005

 

Weaknesses continue to exist in critical program management and system development processes of Requirements Management, Contract Management, Software Testing, and Security Controls.

Analysis of cost estimates, schedules, and planned capabilities for ongoing project releases showed a 48 percent increase in costs, schedule delays up to 14 months, and deferred systems capabilities.

In January 2005, the IRS began taking over the role of systems integrator from the PRIME contractor due to BSM Program funding reductions and concerns about the PRIME contractor’s performance.  In the IRS’ new operating model, the IRS will now be responsible for program-level activities such as:

  • Systems integration.
  • Requirements Management/Validation.
  • Procurement administration.
  • Integrated Cost, Schedule, and Dependency Management.
  • Risk, Release, and Transition Management.
  • Configuration and Change Management.
  • Enterprise Life Cycle Management and Enhancement.
  • Engineering.
  • Architecture.

The assumption of the integrator role by the IRS is recognized as a high-priority issue by the BSM Program.  Many of the high-priority issues revolve around program management transition from the PRIME contractor to the IRS.

Although the Modernization Office recognized the need to improve program management activities, the activities did not include actions to ensure they were adequately planned and implemented.  For example, the Modernization Challenges Plan identified program actions needed to improve Modernization management; however, recommendations were not fully addressed, a measurement plan was not created, and many actions were closed before all significant activities were completed.

We recognize the IRS has taken a number of actions in response to our recommendations, but recent audit findings show the four challenges we cited in the past three annual assessments still exist.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2006-20-102, dated June 30, 2006)

2006-20-102

 

June 30, 2006

 

The BSM Program still struggles to develop mature management capabilities and implement defined and repeatable processes in the areas of Requirements Management, Cost and Schedule Estimation, and Project Justification.

As a result, cost increases for projects grew to more than $86 million and schedule variances slipped to as much as 30 months.  Since breaking down releases into smaller subreleases, the IRS and its contractors are doing better at meeting cost and schedule estimates.  However, some projects still encounter cost and schedule variances of greater than 10 percent.  In 2005, IRS executives—concerned the existing variance methodology did not accurately depict variances—held meetings with the Government Accountability Office and the TIGTA to discuss better ways of presenting cost and schedule estimates.  Based on these meetings, the IRS plans to use a different methodology to calculate and present cost and schedule estimates in future Expenditure Plans.

The IRS is changing its approach from completely replacing current business systems to using current business systems to accomplish modernization.  Instead of scrapping and replacing the capabilities of hundreds of current IRS systems, existing systems will evolve into reusable services.  While this approach differs from the BSM Program of the past, we are unclear how the IRS will identify and leverage the strengths of existing systems to achieve modernization goals.  The new Modernization Vision and Strategy being developed by the IRS may provide additional clarification in this area.  The next challenge for the IRS and its contractors will be to control significant cost and schedule variances and build upon its initial successes with smaller pieces of work to deliver the BSM Program within expectations.

Although the IRS creates Highest Priority Initiatives every 6 months to address needed improvements, the material weakness plan has not been updated to include open corrective actions and improvement initiatives.

The IRS’ recent and planned future changes have not eliminated the four challenges we have reported in prior annual assessments, and one of the challenges—ensure PRIME contractor performance and accountability are effectively managed—has evolved and expanded.  This fourth challenge previously focused on the IRS’ ability to manage the PRIME contractor’s performance.  Since the IRS is taking over the primary role of systems integrator, this challenge has expanded to include not only managing and ensuring the performance and accountability of the PRIME contractor, but also managing and ensuring the performance and accountability of all modernization contractors.  Therefore, we eliminated the reference to the “PRIME” contractor for this challenge, now simply referred to as “Ensure contractor performance and accountability are effectively managed.” 

The IRS is at a juncture where it can build upon the successes and lessons learned from the first 8 years of the BSM Program; however, we continue to believe the eventual success of the modernization effort will depend on how well the IRS deals with the four specific challenges.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2007-20-121,
dated August 24, 2007)

2007-20-121

 

August 24, 2007

 

Although the IRS has made advances in its modernization effort, it has not maintained anticipated progress.  Because of decreased funding and difficulties in managing contractor work, the four prior challenges we have reported continue to exist.  For instance, during Calendar Year 2006, the management process improvements we reported were in areas of:  Requirements Management, Transition Management, Contract Management, Contract and Project Performance monitoring, and Post Implementation Reviews.

Moreover, this annual assessment noted the high turnover rate of executive leadership.  The Chief Information Officer hired in September 2006 became the IRS’ fifth such Officer in 8 years; and the current Associate Chief Information Officer, Applications Development, was appointed a month later and became the sixth executive responsible for the BSM Program in its 9 years of existence.  In addition, the Modernization and Information Technology Services organization changed the governance roles of the Enterprise Governance Investment Management committee and established an Executive Advisory Board.  The continual changes in management add to the time and cost of delivering the BSM Program.

Although the Modernization and Information Technology Services organization has taken actions to improve its effectiveness and efficiency, the Modernization material weakness should not be downgraded until the four challenges have been adequately resolved.

Recommendation:  The Chief Information Officer should continue to address the
BSM Program corrective actions from TIGTA and Government Accountability Office reports through the Highest Priority Initiatives process.  By focusing corrective action efforts through this process, the IRS can begin to achieve resolution of the challenges identified in this report and subsequently address downgrading the Modernization material weakness.

Management Response:  The Chief Information Officer agreed with this recommendation.  Corrective actions are evaluated and submitted as Highest Priority Initiatives candidates, when appropriate, and are selected based upon executive leadership discretion.  In this manner, the IRS will continue to execute the Highest Priority Initiatives process and include BSM Program corrective actions from TIGTA and Government Accountability Office reports.  The IRS will continue to deliver monthly Highest Priority Initiatives reports until it is able to downgrade the Modernization material weakness.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2008-20-129,
dated June 24, 2008)

2008-20-129

 

June 24, 2008

 

Since July 2007, the IRS has implemented further capabilities and provided improvements.  These successes include deploying new releases for the CADE, MeF, and Account Management Services projects.  The BSM Program has also improved contract negotiations and management practices, assumed more responsibility for Program integration, expanded the Information Technology Modernization Vision and Strategy, and continued addressing organizational and Program concerns through the
Highest Priority Initiatives process.

While steady progress and improvements have been made, the IRS and its contractors must still overcome significant barriers in successfully implementing Program goals.  These barriers include:

  • Continued reductions in funding that have forced the IRS to adjust the scope of the BSM Program portfolio and project release schedules.  In some instances, management has had to defer or even forgo project capabilities because sufficient funding was not available.
  • Inconsistent adherence to established project development guidelines that has limited the effectiveness and growth of the BSM Program.  Our audits during this time period found that the BSM Program did not consistently implement Enterprise Life Cycle guidelines, including Project Management and Requirements Management activities.  Also, ineffective Contract Management contributed to delays, inadequacies, and increased costs of deliverables.

In contrast, the IRS achieved success when the BSM Program followed its systems development and management guidance.  The success we reported with one project was attributed to the project team following Enterprise Life Cycle guidelines, developing required work products, completing detailed release designs on time, and formulating a manageable scope.

However, the IRS and its contractors must overcome significant barriers in successfully implementing the goals of the BSM Program.  The Program and processes have not progressed enough to eliminate its material weakness designation, and further reductions in funding could jeopardize the Program’s ability to deliver planned improvements.

Annual Assessment of the Business Systems Modernization Program (Reference Number 2009-20-136,
dated September 14, 2009)

2009-20-136

 

September 14, 2009

 

The BSM Program is being refocused.  At the time of this annual assessment, the immediate challenge was the future of the CADE system.  The IRS Program Integration Office was considering using elements from the Individual Master File and the current CADE system to significantly reengineer the IRS tax account management process.  In addition, the challenge in modernizing the management of business taxpayer accounts had yet to be considered.  Further, we reported that the ability to obtain qualified technical resources and sufficient funding will challenge the successful delivery of future CADE releases.

Further improvements can be made to management of the BSM Program:

  • The past year’s BSM Program performance did not continue the trend of improvement it demonstrated in the prior 3 years.  Our reports the past year identified continued problems in Requirements Development and Management, Program Management, Contract Management, and Security Controls.
  • The IRS has also experienced a turnover of executives that challenges the Program’s continued long-term success.
  • Since our 2008 annual assessment (from May 2008 to May 2009),
    5 (29 percent) of the 17 project milestones scheduled for completion were significantly over cost estimates.  These projects were between 30 percent and 37.5 percent over budget.

A control process to manage the Modernization and Information Technology Services (MITS) organization’s Highest Priority Initiatives process was discontinued.  At the conclusion of this annual assessment, the Customer Relationship and Service Delivery organization was developing processes to be used to replace the Highest Priority Initiatives process.  The MITS organization was focusing on process improvements throughout the organization using industry best practices.  The MITS Leadership team determined that would provide a more comprehensive, integrated, disciplined, and effective management approach for process improvements than the previous Highest Priority Initiatives process.

Since 1995, the IRS has identified and reported the BSM Program as a material weakness.  The IRS recognizes the need to incorporate necessary program management disciplines and has plans to implement a process improvement strategy.  This strategy will allow the BSM Program to continue to improve its management practices by incorporating industry best practices.  However, we believe the BSM Program should continue as a material weakness until the modernization material weakness action plan is updated and the improvement strategy is accomplished.

 

Appendix XI

 

Glossary of Terms

 

Term

Definition

Account Management Services

A project that will modernize the capability to collect, view, retrieve, and manage taxpayer information.

Best Practice

A technique or methodology that, through experience and research, has proven to reliably lead to a desired result.

Byte

A byte is commonly used as a unit of storage measurement in computers, regardless of the type of data being stored.  It is also one of the basic integral data types in many programming languages.  Generally, a byte is a contiguous sequence of eight binary digits.

Popular Use and
Standard Meaning

Name

Symbol

Quantity

kilobyte

KB

210 (103)

megabyte

MB

220 (106)

gigabyte

GB

230 (109)

terabyte

TB

240 (1012)

Capital Asset Plan and Business Case (Exhibit 300)

Required by Office of Management and Budget Circular A-11 (Preparation, Execution, and Submission of the Budget; dated June 2005) and commonly called Exhibit 300, Capital Asset Plan and Business Case.  Each agency must submit a
Business Case twice a year for each major information technology investment.

Customer Account Data Engine (CADE)

The foundation for managing taxpayer accounts in the IRS modernization plan.  It will consist of databases and related applications that will replace the existing IRS Master File processing systems and will include applications for daily posting, settlement, maintenance, refund processing, and issue detection for taxpayer tax account and return data.

Customer Account Data Engine 2 (CADE 2)

Creates a modernized processing and data–centric infrastructure that will enable the IRS to improve the accuracy and speed of individual taxpayer account processing, enhance the customer experience through improved access to account information, and increase the effectiveness and efficiency of agency operations.

Data Strategy Implementation Program

An initiative for implementing the data strategies that define the Enterprise Data Architecture, define the current and future data requirements, reduce or eliminate data duplication within the enterprise, provide solutions for information access and sharing, support interoperability among information systems, and support IRS business goals.

Enterprise Computing Center

Supports tax processing and information management through a data processing and telecommunications infrastructure.

Enterprise Data Access Program

An Extensible Markup Language Relational Database and Integrated Production Model.  The Extensible Markup Language Relational Database became operational in Fiscal Year 2006 and provides the IRS Tax Exempt and Government Entities Division with electronically filed business returns in a relational database that captures and associates data using common attributes.  The Integrated Production Model will provide a consolidated database of tax return and account data in a single repository for compliance data used in the case selection processes. 

Enterprise Life Cycle

A structured business systems development method that requires the preparation of specific work products during different phases of the development process.

Executive Steering Committee

Oversees investments, including validating major investment business requirements and ensuring that enabling technologies are defined, developed, and implemented.

Filing Season

The period from January through mid-April when most individual income tax returns are filed.

Highest Priority Initiatives Process

A process IRS executives and managers used to identify and seek resolution for the most significant issues facing the Modernization Program.  IRS executives and senior managers were appointed to oversee the plans to resolve each of the Highest Priority Initiatives, and progress was reported monthly.  New initiatives were identified every 6 months.

Information Technology Modernization Vision and Strategy

A 5-year plan that drives investment decisions, addresses the priorities around modernizing frontline tax administration and supporting technical capabilities, and leverages existing systems (where possible) and new development (where necessary) to optimize capacity, manage program costs, and deliver business value on a more incremental and frequent basis.

Infrastructure

The fundamental structure of a system or organization.  The basic architecture of any system (electronic, mechanical, social, political, etc.) determines how it functions and how flexible it is to meet future requirements.

Integrated Data Retrieval System

The IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.

Integrated Production Model

A consolidated source of core taxpayer data (e.g., tax account, tax return, and third-party data) and business application data to be used by a wide range of business applications to support case identification, selection, prioritization, and delivery.

IRS Oversight Board

The nine-member board was created by Congress under the IRS Restructuring and Reform Act of 1998.[28]  The Board’s responsibility is to oversee the IRS in its administration, management, conduct, direction, and supervision of the execution and application of the internal revenue laws.

Item Tracking Reporting and Control System

An information system used to track and report on issues, risks, and action items in the modernization effort.

Master File

The IRS database that stores various types of taxpayer account information.  This database includes individual, business, and employee plans and exempt organizations data.

Material Weakness

Office of Management and Budget Circular A-123, Management’s Responsibility for Internal Control, dated December 2004, defines a material weakness as any condition an agency head determines to be significant enough to be reported outside the agency.

Milestone

The “go/no-go” decision point in a project and is sometimes associated with funding approval to proceed.

MITRE Corporation

The IRS hired the MITRE Corporation as a Federally Funded Research and Development Center to assist with the IRS’ systems modernization effort.

Modernized e-File (MeF)

The modernized, web-based platform for filing approximately 330 IRS forms electronically.

My IRS Account

This project was intended to provide taxpayers with an online application to view, access, update, and manage their tax accounts.

Plan of Action and Milestones

A requirement for managing the security weaknesses pertaining to a specific application or system.  In addition to noting weaknesses, each Plan of Action and Milestones item details steps that need to be taken to correct or reduce any weaknesses, as well as resources required to accomplish task milestones and a correction timeline.

PRIME Contractor

The Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.

Relational Database

A database that captures data using common attributes found in the data set.

Release

A specific edition of software.

Software Engineering Institute

A Federally funded research and development center operated by Carnegie Mellon University and sponsored by the Department of Defense.  Its objective is to provide leadership in software engineering and in the transition of new software engineering technology into practice.

Task Order

An order for services planned against an established contract.

Work Breakdown Structure

A deliverable-oriented grouping of project elements that organizes and defines the total scope of the project.

 

Appendix XII

 

Management’s Response to the Draft Report

 

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, DC  20224

 

CHIEF TECHNOLOGY OFFICER

 

 

September 3, 2010

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                            Terence V. Milholland /s/ Terence V. Milholland

    Chief· Technology Officer

 

SUBJECT:                       Draft Audit Report – Annual Assessment of the business Systems Modernization program (Audit #201020002)

 

Thanks you for the opportunity to review your draft audit report and to discuss earlier draft report observations with the audit team.

 

I was pleased to read your comments and observations that the BSM Program has continued to provide new information technology capabilities and related benefits to both the IRS and taxpayers.  Specifically your report emphasizes that since Jolly 2009, the IRS has implemented new releases of the Customer Account Data Engine, Account Management Services, and Modernized e-File systems – the “Pillars of Modernization.”  I acknowledge that we are at a key point in our BSM effort and believe we are well on our way to successfully demonstrating that CADE 2 can operate securely and effectively.

 

I appreciate your acknowledging the additional modernization accomplishments not specifically related to the BSM Program.  These include enhancements to the Excise Files Information Retrieval System, implementation of the American Recovery and reinvestment Act of 2009 provisions for the Health Coverage Tax Credit, consideration of continued development of the My IRS Account online application and development of the Federal Student Aid – Data Share project, as well as our on going efforts to implement the Software Institutes Capability Maturity Model Integration Level 3, which will gain industry wide recognition for excellence.

 

We are committed to continuously improving our information technology systems and processes.  We value your continued support and the assistance and guidance your team provides.  If you have any questions, please contact me at (202) 622-6800 or Frank DeMarino at (202) 283-5761.

 



[1] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

[2] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

[3] See Appendix XI for a glossary of terms.

[4] Appendix IX presents the TIGTA reports used in formulating this Modernization Program assessment.

[5] Internal Revenue Service’s Fiscal Year 2010 Expenditure Plan (GAO-10-539, dated May 2010).

[6] Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for

Processing Individual Tax Account Information (Reference Number 2009-20-100, dated August 28, 2009).

[7] Pub. L. No. 111-5, 123 Stat. 115 (2009).

[8] Annual Assessment of the Business Systems Modernization Program (Reference Number 2009-20-136, dated September 14, 2009).

[9] Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).

[10] Reference Number 2007-20-099, dated July 9, 2007.

[11] See Appendix IV for an overview of the Enterprise Life Cycle.

[12] System Errors and Lower Than Expected Tax Return Volumes Hinder the Internal Revenue Service’s Ability to Evaluate the Success of the Modernized e-File Individual Tax Return Processing (TIGTA Audit Number 200940047, draft report dated July 13, 2010).

[13] Reference Number 2008-20-163, dated September 24, 2008.

[14] Reference Number 2009-20-026, dated December 30, 2008.

[15] Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).

[16] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

[17] See Appendix IX for a detailed list of recent TIGTA reports and associated findings.

[18] Annual Assessment of the Internal Revenue Service’s Business Systems Modernization Program (Reference Number 2002-20-189, dated September 27, 2002) and seven annual reports entitled Annual Assessment of the Business Systems Modernization Program (Reference Number 2003-20-208, dated September 29, 2003; Reference Number 2004-20-107, dated June 3, 2004; Reference Number 2005-20-102, dated August 10, 2005; Reference Number 2006-20-102, dated June 30, 2006; Reference Number 2007-20-121, dated August 24, 2007; Reference Number 2008-20-129, dated June 24, 2008; and Reference Number 2009-20-136, dated September 14, 2009).

[19] See Appendix XI for a glossary of terms.

[20] See Appendix XI for a glossary of terms.

[21] See Appendix XI for a glossary of terms.

[22] See Appendix IV for description of the various Enterprise Life Cycle milestones.

[23] Annual Assessment of the Business Systems Modernization Program (Reference Number 2009-20-136, dated September 14, 2009).

[24] See Appendix XI for a glossary of terms.

[25] See Appendix XI for a glossary of terms.

[26] See Appendix XI for a glossary of terms.

[27] See Appendix XI for a glossary of terms.

[28] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).