The Modernized e-File Release 6.2 Included Enhancements, but Improvements Are Needed for Tracking Performance Issues and Security Weaknesses
September 8, 2011
Reference Number: 2011-20-088
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number: 202-622-6500
Email Address: TIGTACommunications@tigta.treas.gov
Web Site: http://www.tigta.gov
HIGHLIGHTS
THE MODERNIZED E-FILE RELEASE 6.2 INCLUDED ENHANCEMENTS, BUT IMPROVEMENTS ARE NEEDED FOR TRACKING PERFORMANCE ISSUES AND SECURITY WEAKNESSES
Final Report issued on September 8, 2011
Highlights of Reference Number: 2011-20-088 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
The Modernized e-File (MeF) Project goal is to replace the Internal Revenue Service’s (IRS) current tax return filing technology with a modernized, Internet-based electronic filing platform.
The IRS’s processes for enhancing the MeF System can be improved to better validate correction of prior release performance and stability issues. This will allow more individual taxpayers to take advantage of the benefits of electronic filing.
WHY TIGTA DID THE AUDIT
This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS. The overall objective of this review was to determine whether the IRS properly identified and corrected MeF performance and stability problems identified during the 2010 Filing Season.
WHAT TIGTA FOUND
The MeF Project Office followed Change Management processes, included key performance enhancements in Release 6.2, and effectively accomplished testing prior to implementation. However, improvements are needed for tracking performance issues and security weaknesses.
Specifically, internal matrices captured performance enhancements; however, documentation did not support that enhancements were tracked to recommended solutions, and internal controls or guidance were not established for using the matrices.
Therefore, TIGTA was unable to validate whether issues during the 2010 Filing Season were resolved. Additionally, seven of 24 General Support System security weaknesses affecting the MeF System were unresolved and not being tracked. Further, although issues were identified, they were not tracked as required by the MeF Risk Management Plan.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer ensure: 1) all identified performance issues are effectively mapped through to their resolution for all future filing seasons; 2) guidance is established for consistent use of the internal matrix to accurately depict the status of performance enhancements and solutions; 3) all confirmed MeF security weaknesses not immediately mitigated are included in the Plan of Action and Milestones to ensure adequate documentation, reporting, and resolution tracking; and 4) all issues and risks are included in the Item Tracking Reporting and Control System or that procedures outside the scope of the MeF Risk Management Plan are properly documented and approved.
The IRS agreed with three of TIGTA’s recommendations and stated corrective actions have been taken or started. However, the IRS disagreed with TIGTA’s recommendation that all confirmed MeF security weaknesses not immediately mitigated be included in the Plan of Action and Milestones. The IRS stated it has currently accounted for all security controls confirmed as not in place within the Plan of Action and Milestones by confirming these through a Security Assessment and Authorization currently in progress. However, TIGTA maintains that the Plan of Action and Milestones should be continuously monitored and updated as weaknesses are identified or changes occur and milestones are achieved. This will ensure the accuracy of the information that is reported quarterly to the Department of the Treasury.
September 8, 2011
MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Modernized e-File Release 6.2 Included Enhancements, but Improvements Are Needed for Tracking Performance Issues and Security Weaknesses (Audit # 201020028)
This report presents the results of our review of the Modernized e-File Release 6.2. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) properly identified and corrected Modernized e-File performance and stability problems identified during the 2010 Filing Season.[1] This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization.
Management’s complete response to the draft report is included in Appendix VII.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit, Security and Information Technology Services, at (202) 622-5894.
Improvements Are Needed to Ensure Performance Enhancements Resolve Filing Season Problems
Modernized e-File Security Weaknesses Are Still Not Adequately Controlled
Issue Management Processes Need Improvement
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Enterprise Life Cycle Overview
Appendix VI – Glossary of Terms
Appendix VII – Management’s Response to the Draft Report
Abbreviations
e-file – Electronic Filing
IRS – Internal Revenue Service
ITRAC – Item Tracking Reporting and Control
MeF – Modernized e-File
MITS – Modernization and Information Technology Services
PET – Performance Enhancement Team
POA&M – Plan of Action and Milestones
TIGTA – Treasury Inspector General for Tax Administration
The MeF Release 6.2 will provide code optimization to support the anticipated volume of returns in the 2010 through 2012 Filing Seasons. The MeF System must be capable of processing more than 100 million electronically filed tax returns.
In December 1998, the Internal Revenue Service (IRS) announced its mission to revolutionize the way taxpayers transact and communicate with the IRS. In order to achieve this goal, the plan was to replace the current outdated technology with a modernized, Internet-based electronic filing (e-file) platform. The system’s purpose was to streamline the tax return filing process and reduce costs associated with paper tax returns. In February 2004, the IRS deployed the initial release of the Modernized e-File (MeF) System, which provided electronic filing of the U.S. Corporation Income Tax Return (Form 1120) and other associated corporate forms. The overall scope of the MeF System includes filing of electronic tax returns for corporations, partnerships, nonprofit/tax exempt businesses, and individuals. According to the MeF Information Technology Dashboard, dated March 31, 2011, the MeF Program’s overall budgeted amount until Fiscal Year 2020 is $575.8 million.
The IRS deployed MeF Release[2] 6.1 on February 17, 2010, to begin electronically processing the U.S. Individual Income Tax Return (Form 1040), along with 22 other forms and schedules. Subsequently, MeF Release 6.2 went live on January 8, 2011, and focused on performance and ensuring all capabilities within the MeF System could process the anticipated volume of tax returns during the upcoming 2010 through 2012 Filing Seasons. MeF Release 6.2 enhancements were developed to allow an increase in the number of users needing system access, enlarge the volume and types of forms being processed, continue operation and maintenance, and launch logical design activities for the disaster recovery solution.
The MeF System is expected to replace the IRS’s current tax return filing technology by the 2013 Filing Season. To reach this goal, the MeF System must be capable of processing more than 100 million electronically filed individual income tax returns, allowing more individual taxpayers to use electronic filing. Performance and stability will be paramount to successful implementation as the IRS moves forward. Specific challenges faced by the MeF System include:
· Improving service to taxpayers and practitioners.
· Reducing processing congestion and errors.
· Managing and processing a high volume of returns.
· Improving processing-related issue management.
In February 2010, the MeF Project Office began work to address performance and stability requirements for Release 6.2. As a result, the MeF Project Office established a MeF Performance Enhancement Team (PET) and held a kickoff meeting for the team on April 20, 2010.
This review was performed at the Modernization and Information Technology Services (MITS) organization facilities in New Carrollton, Maryland, during the period August 2010 through March 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The MeF Project Office used Change Management processes and ensured key performance enhancements were included in MeF Release 6.2, thus meeting its established performance goals. However, improvements are needed to strengthen management controls over resolving prior 2010 Filing Season performance issues. Additionally, controls over the MITS organization General Support System’s[3] security weaknesses and issue management tracking need improvement.
Modernized e-File Planning Included Key Performance Enhancements and Followed Prescribed Change Management Processes
The MeF Project Office successfully projected and planned for system performance enhancements and Change Management processes.
MeF System performance enhancements included key activities
The MeF Project Office established a MeF PET that consisted of three independent subteams—Portals, Frontend, and Backend—to ensure the MeF System adequately processed and managed the high volume of tax returns for the 2010 through 2012 Filing Seasons. The main objectives were to reduce return processing congestion and errors, manage a high volume of returns, and identify cost-efficient changes for service delivery.
Overall, the MeF PET incorporated key planning activities; for example, according to the Project Management Plan, the PET identified Enterprise Key Performance Indicators, established baselines and targets, and planned for resources, roles, and responsibilities. The three independent subteams established a repository as a tool for managing and sharing information and developed a matrix used for guiding performance changes.
The IRS Quick Alerts online service provides tax professionals with up-to-date tax information. It was enhanced to quickly disseminate real-time tax information during and after the filing season by sending e-file messages to its subscribers (e-file Transmitters, Authorized Providers, and Software Developers). Our review of IRS Quick Alerts sent to e-file Providers during the time period May through July 2010 disclosed that the Alerts system worked as intended. Specifically, during this time period, there were four Alerts citing portal login and acknowledgement issues, along with documented scheduled downtime for MeF System maintenance.
Change Management processes were adequate
Change Management processes used by MeF Project Office management to document and release updates to production were adequate and process improvement activities are ongoing. Enterprise-wide Change Management processes are being designed for consistent use MITS-wide.
Effective Change Management is the transition of a changed or new product from development into production, with minimum disruption to users. It is initiated when a change to the current production environment is approved. A Change Management Board (for the MeF Program, this is the Submission Processing Executive Steering Committee) should authorize the installation of new or modified products into the current production environment. For each proposed change, the chairpersons of the Change Management Board formally assign a disposition (i.e., approve or defer), and the impacted business owners formally respond.
Our review of MeF Release 6.2 Change Management activities and processes supported that the MITS organization was proactive in improving or institutionalizing its processes. For instance, the MeF Configuration Management Plan was timely and adequately updated by MITS Configuration Management. Additionally, project documents revealed MeF Release 6.2 was properly authorized to update and change the MeF System production environment. The MeF Release 6.2 exit from development, with transition to the production environment, was properly approved by the Chairperson, Submission Processing Executive Steering Committee, with concurrence by impacted business units and stakeholders.
Industry best practices (such as the Capability Maturity Model Integration®) describe an evolutionary process improvement path leading from ad hoc or immature to more disciplined or mature processes with improved quality and effectiveness. For any given process area, such as Change Management, a critical distinction between attaining capability level 2 and a more mature capability level 3 is found in process descriptions, procedures, and scope of standards. Specifically, at capability level 2, these areas can be diverse for each particular project; however, at a more mature level 3, the areas are tailored from the organization’s own set of standard processes and become more institutionalized. Therefore, it is commendable that the MITS organization, currently with Change Management processes for each domain (or set of projects), is designing enterprise-wide Change Management processes to improve consistency and to further institutionalize guidance for use MITS-wide. As such, the effort can lead to a more disciplined organization with improved quality and effectiveness.
Testing was effectively accomplished prior to implementation
In our prior Treasury Inspector General for Tax Administration (TIGTA) audit report, Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement,[4] we reported that test results were not always being traced to requirements and not all unexpected results were thoroughly resolved. However, the current audit disclosed that all system requirements were tested or conditional approval was granted. Also, as required by the Enterprise Life Cycle, our review of test plans, execution schedules, and report and defect logs determined that they were adequately supported and maintained. Additionally, the MeF Project Office appropriately documented and presented test results to the Submission Processing Executive Steering Committee, and meeting minutes provided evidence that testing reports were appropriately discussed prior to deployment.
Improvements Are Needed to Ensure Performance Enhancements Resolve Filing Season Problems
According to the Capability Maturity Model Integration, there are five common features that indicate whether the implementation and institutionalization of a key process area is effective, repeatable, and lasting. One of those features states that activities should typically involve establishing plans and procedures, performing and tracking work, and taking necessary corrective actions. The MeF Project Office developed PET Matrices to capture performance enhancements for MeF Release 6.2; however, there was either inadequate or no support documentation for performing and tracking work or for showing that necessary corrective action was taken. As a result, the TIGTA was unable to validate whether captured performance elements identified during the 2010 Filing Season were ever resolved. Specifically:
· During the 2010 Filing Season, MeF Project Office personnel did not initially map potential performance enhancements to performance and stability issues encountered by tax practitioners. The PET indicated that performance issues were identified by reviewing resolved/closed Information Technology Asset Management System tickets and by polling customers during the filing season, and that performance enhancements were developed based on these issues. However, MeF Project Office personnel were unable to provide any documentation to support that potential performance enhancements were implemented based on issues developed from the review of resolved tickets; therefore, the TIGTA was unable to validate that this had occurred.
· During the 2010 Filing Season, the PET identified 47 potential performance enhancements. Although they subsequently developed 56 recommended solutions for the performance enhancements, the PET Matrix Summary disclosed that the majority were not appropriately achieved. Specifically, of the 56 recommended solutions, only 15 (27 percent) indicated they were being actively worked (approved, implemented, or in progress); 32 (57 percent) were still listed as being under evaluation; and 9 (16 percent) did not stipulate a status at all (see Figure 1). Further, of the 47 identified potential performance elements, there were 11 (23 percent) for which recommended solutions were never developed.
Figure 1: Performance Enhancement Team Matrix Summary

Teams      Number of Recommended Solutions   Actively Worked (approved, implemented, or in progress)   Under Evaluation   No Status Provided
Frontend   14                                0                                                         14                 0
Portal     9                                 1                                                         0                  8
Backend    33                                14                                                        18                 1
Totals     56                                15                                                        32                 9

Source: Frontend/Portal Matrix dated January 11, 2011, and Backend Matrix dated November 29, 2010.
· Internal controls or guidance were not established for using the matrices. For example, MeF Project Office personnel stated that due to the Oracle 11g upgrade, many of the 47 performance enhancements were no longer necessary; however, the matrices were never updated to reflect that current information. Also, personnel did not always use the matrices consistently. Specifically, of the Number of Recommended Solutions for the Portal, 8 (89 percent) of 9 did not have status provided, and none of them provided a target release date (not shown in Figure 1). Furthermore, the PET Matrices included a column titled “Status” for recording details/status on recommended solutions; however, the answers lacked consistent terminology. For example, rows within this column used terms, such as Under Evaluation, Under Analysis, Needs Evaluation, and Evaluating, which were sometimes used interchangeably.
Mapping performance enhancements to performance and stability issues identified in the 2010 Filing Season will help ensure performance issues are actively resolved for future filing seasons, duplication of effort is not occurring, and the entire resolution process is being accomplished. Further, guidance is necessary for establishing internal controls to ensure the PET Matrices are complete, accurate, updated in a timely manner, and use consistent terminology.
Recommendations
Recommendation 1: The Chief Technology Officer should direct the PET to effectively map all identified performance issues through to their resolution for all future filing seasons.
Management’s Response: The IRS agreed with the recommendation. The MeF Project Office has developed a PET Matrix which documents all MeF performance-related issues. The matrix will be used by the PET to identify possible resolutions and to track the work associated with each of the resolutions. Performance-related activities that were deferred from MeF Release 6.2 will be included in this matrix. As part of the regularly scheduled PET status meetings, the matrix will be updated and reviewed.
Recommendation 2: The Chief Technology Officer should direct the PET to establish guidance requiring, at a minimum, timely updates and consistent terminology be used in the PET Matrices to accurately depict the status of performance enhancements and solutions.
Management’s Response: The IRS agreed with the recommendation. The PET Matrix will be put under tight configuration control. A single point of contact will be identified to update the matrix. Status updates from the members of the PET will be provided to the point of contact during the regularly scheduled PET meetings. Once the updates are made by the point of contact, the matrix will be posted (in a read only mode) for all PET members to access. Consistent terminology will be used to the extent possible and where relevant.
Modernized e-File Security Weaknesses Are Still Not Adequately Controlled
In our prior TIGTA audit report, we recommended that the IRS Cybersecurity organization complete process implementation to ensure that system owners comply with IRS policy to enter and track all system security weaknesses in IRS control systems. The MITS Cybersecurity organization responded it made continuous improvements to the Plan of Action and Milestones (POA&M) process in recent years, and it now considers the process complete and implemented as of March 25, 2010.
The MITS Cybersecurity organization is still not tracking all system security weaknesses
The MITS Cybersecurity organization reported 24 unresolved security weaknesses during MeF Releases 6.1 and 6.2 security assessments. We reviewed the Fiscal Year 2011 MeF System and some MITS General Support System POA&Ms[5] to identify the tracking of these security weaknesses and to determine if the corrective action taken by the IRS to improve the POA&Ms was adequately implemented.
Based on our review of the 24 security weaknesses, we identified 7 MITS General Support System security weaknesses affecting the MeF Program that were unresolved and not being tracked in the POA&M as required.[6] Three of the seven security weaknesses have been reported multiple times by the Cybersecurity organization and still have not been included in the POA&M. The MeF Project Office staff stated they are not responsible for the General Support System security weaknesses, and if security weaknesses have not been validated by security testing, they are not documented in the POA&M.
However, the IRS MITS Plan of Action and Milestones (POA&Ms) Standard Operating Procedure specifies that the POA&M must be prepared for all system- and program-level security weaknesses. The POA&M must include complete, comprehensive descriptions of the security weaknesses and detailed explanations of the steps and dates when the mitigations or remedies will be applied. The IRS is required to report on a quarterly basis to the Department of the Treasury the status of its POA&M items. The Department of the Treasury annually submits a consolidated agency report to the Office of Management and Budget and Congress. The Trusted Agent Federal Information Security Management System is the application that the Department of the Treasury and the IRS use to track and monitor POA&M weaknesses. All POA&M weaknesses must be entered into the Trusted Agent Federal Information Security Management System to satisfy the reporting requirements.
Additionally, three of the seven security weaknesses identified in the security assessments included risk-based decisions for the MeF System to proceed without the required security controls in place. The Cybersecurity organization should have included these security weaknesses in the General Support System POA&M to document and track them to resolution so the required security controls will eventually be in place for the MeF System.
According to the IRS’s Request for Risk Acceptance and Risk Based Decision (RBD) Standard Operating Procedure (SOP), security weaknesses can be discovered at any point in a system’s lifecycle and by many different means. It is also possible that some security weaknesses will be uncovered during development activities. Additionally, the procedure states that regardless of the source, when a security weakness is discovered, the first steps are to thoroughly analyze the weakness, determine a plan to remediate or mitigate the weakness, and lay out a workable schedule for implementation of the corrective activities. The procedure includes that for production systems, all of this is captured in a POA&M and entered into the Trusted Agent Federal Information Security Management System.
Inadequate reporting of National Institute of Standards and Technology outstanding security controls
The IRS should protect the MeF System by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in the National Institute of Standards and Technology Special Publication 800-53.[7] These security controls include system access, audit logging, and contingency planning. In addition, the IRS is specifically required by Federal law[8] to keep taxpayer data confidential and prevent unauthorized disclosure or browsing of taxpayer records. These requirements apply to all IRS computer systems that maintain sensitive data.
Because all of the security weaknesses related to the MeF System are not being tracked in the POA&M, it is difficult to determine which National Institute of Standards and Technology security controls are missing. For example, the Submission Processing Executive Steering Committee presentation from December 29, 2010, requesting MeF Release 6.2, Milestone 4b exit,[9] showed that there were two remaining POA&M items relating to two security controls. However, based on our review of the Fiscal Year 2011 MeF System POA&M items, there were actually three remaining POA&M items that addressed five security controls. Additionally, based on our analysis of the ongoing General Support System security weaknesses affecting the MeF System, there were 12 additional security controls that were not in place.
Without properly reporting all MeF System ongoing security weaknesses in the POA&M, the IRS cannot ensure that the security weaknesses are being properly reported and tracked to resolution. If the security weaknesses are not resolved, the MeF System does not include all of the National Institute of Standards and Technology required security controls and remains vulnerable. Additionally, the Office of Management and Budget uses the information in the POA&M to assess the IRS’s progress in alleviating system weaknesses, monitor the Federal Government’s ability to implement the Federal Information Security Management Act of 2002,[10] and make budgetary decisions. Inaccurate or incomplete POA&M information affects the Office of Management and Budget’s ability to obtain an accurate status of IRS security weakness remediation.
Recommendation
Recommendation 3: The Chief Technology Officer should ensure that all confirmed MeF security weaknesses from all sources, that are not mitigated immediately, are included in the POA&Ms to ensure adequate documentation, reporting, and tracking to resolution.
Management’s Response: The IRS disagreed with the recommendation and stated the Chief Technology Officer ensures all confirmed security weaknesses from all sources that are not mitigated immediately are included in the POA&Ms to ensure adequate documentation, reporting, and tracking to resolution. Further, the IRS stated that all confirmed weaknesses for the MeF System have been reported in the system POA&Ms or in the appropriate General Support System POA&M.
Office of Audit Comment: In its management comments, the IRS noted disagreement with the statement, “there were 12 additional security controls that were not in place.” Specifically, the IRS disagreed with our assessment that all confirmed security weaknesses were not immediately mitigated and included in the POA&Ms and were not adequately documented, reported, and tracked to resolution. The IRS stated it has currently accounted for all security controls confirmed as not in place within the POA&Ms by confirming these through a Security Assessment and Authorization currently in progress. However, the TIGTA maintains that the POA&Ms should be continuously monitored and updated as weaknesses are identified or changes occur and milestones are achieved. This will ensure the accuracy of the information that is reported quarterly to the Department of the Treasury.
Issue Management Processes Need Improvement
The MeF Project Office did not follow the MeF Risk Management Plan, which requires all issues and candidate risks to be entered into the Item Tracking Reporting and Control (ITRAC) System to ensure monitoring and control by external stakeholders. During our review of the administration and oversight of the MeF Program, we identified several issues and risks that the IRS did not properly track. Specifically:
· Even though issues were identified in the Information Technology Project Control Review, they were not tracked using the issue management tool.
· Even though MeF Project Office personnel tracked candidate risks using an external watch list, they did not enter those candidate risks into the ITRAC System as required by the MeF Risk Management Plan.
The MeF Risk Management Plan requires that all information technology major and nonmajor projects maintain risk, issue, and action item data in a central, common repository. Specifically, personnel will periodically review, monitor, and update risks and issues in the ITRAC System. MeF Project Office management stated that it was not realistic to track all possible risks in the ITRAC System. Therefore, they developed an external watch list used for evaluating candidate risks and elevating them to active risks prior to entering them into the ITRAC System. However, MeF Project Office personnel did not develop guidelines or procedures for using the watch list, which was used to supplement the requirements outlined in the MeF Risk Management Plan. The lack of adherence to guidance negatively affects the IRS’s ability to efficiently monitor and track issues that are critical for external stakeholder awareness.
Recommendation
Recommendation 4: The Chief Technology Officer should ensure that all issues and candidate risks are included in the ITRAC System or those procedures outside the scope of the MeF Risk Management Plan are properly documented and approved.
Management’s Response: The IRS agreed with the recommendation. The MeF Project Office will document candidate risks and issues in the ITRAC System. The candidate risks and issues will be worked through the standard risk and issue process, and the ITRAC System will be updated accordingly.
Appendix I
Detailed Objective, Scope, and Methodology
Our overall objective was to determine whether the IRS properly identified and corrected MeF System performance and stability problems identified during the 2010 Filing Season.[11] To accomplish this objective, we:
I. Determined whether the 2010 Filing Season MeF System performance and stability problems have been identified, evaluated, and included as an action item for improvement for the 2011 Filing Season.
A. Reviewed how MeF System performance and stability problems were identified, tracked, and evaluated to determine whether a corrective action is necessary for the upcoming 2011 Filing Season.
B. Reviewed the applicable problem reporting tracking documentation developed by the MeF Program Office for performance and stability problems and determined whether all 2010 Filing Season performance and stability problems identified were documented to show how the item would be resolved for the upcoming 2011 Filing Season.
C. Reviewed all identified 2010 Filing Season potential performance and stability enhancements and determined if they were evaluated and included as a corrective action for improvement for the upcoming 2011 Filing Season.
II. Determined whether the MeF Release 6.2 was adequately tested prior to implementation, the test plan includes all aspects of the updated system, and all unexpected results are thoroughly resolved. As determined in our prior MeF System audit,[12] although the PET traced requirements between the Business System Requirements Report Final and the System Integration and Test Plan, the System Integration and End of Test Completion Report showed the test results were not traced to the requirements and the application did not execute all of the requirements as expected. Additionally, we determined if project releases are deployed only after all system requirements were tested and met, and that test results were verified to ensure their completeness and accuracy. If requirements were not met, defect reports should be prepared to allow for appropriate resolution by retesting or waiving the requirement prior to deployment.
A. Determined if all aspects of the MeF System were tested, as outlined in the detailed requirements (whether all requirements listed in the Requirements Traceability Matrix and Business Systems Requirements Report are tested).
B. Determined if all performance and stability problems identified during the 2010 Filing Season were tested as outlined in the performance evaluation documentation. According to the prior TIGTA audit report, the IRS cited its milestone readiness review as a process for monitoring a project’s progress toward satisfying exit conditions and for making formal go/no-go recommendations to the Executive Steering Committee. However, the TIGTA determined that with the significant number of failed tests reported and the subsequent problems with rejected individual income tax returns filed, the Executive Steering Committee did not have sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1. Therefore, we specifically determined whether all system requirements were tested and results were verified prior to deployment. We reviewed Executive Steering Committee meeting minutes to determine if testing reports were discussed prior to deployment.
C. Determined if all testing process documentation exists as required by the Enterprise Life Cycle. We obtained and reviewed testing-related documentation (e.g., test plans, test cases, test execution schedules, and end-of-test report and defects logs).
III. Determined whether Change Management activities that will result in changes to the production environment are effective. Activities include change initiation and approval, modification, development, and testing and acceptance.
A. Determined if all changes to the MeF System are properly initiated and approved in accordance with the Enterprise Life Cycle.
B. Verified code changes are modified/developed in an area separate from the testing/quality assurance and production environments.
C. Verified code is tested in a segregated/controlled environment (testing/quality assurance, which is separate from development and production).
D. Determined if all the test results are reviewed and approved by the end users. We verified the method of user acceptance (e.g., verbal or written).
IV. Determined whether corrective actions were implemented or modified since the last audit by discussing procedures with appropriate IRS personnel in the Cybersecurity organization. Specifically, the corrective actions for the security material weakness reported in the prior audit report were not scheduled for completion until June 2010 and April 2011, and two security vulnerabilities relating to audit trails were not controlled to resolution as part of the MeF Release 6.1 deployment.
A. Determined whether the MeF System and database still have audit log weaknesses, including whether:
1. All required auditable events are captured.
2. An official is assigned to monitor and maintain system audit mechanisms.
3. Database audit reduction tools are used.
4. Users who only require limited access do not have full capabilities to access database records, including taxpayer information.
5. An audit log review process is in place, and logs are being reviewed by MeF System officials.
B. Determined what specific process improvements occurred to ensure all system owners follow IRS policy designed to ensure all system security weaknesses are entered and tracked to resolution.
C. Determined if MeF System security issues are being tracked in the POA&M.
D. Contacted the Security and Information Technology Services Security group to determine if security issues have been identified in the MeF Program.
E. Reviewed the Joint Audit Management Enterprise System report associated with prior corrective actions from prior TIGTA audits to determine the current status of those actions and how the corrective actions are being documented.
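As an added illustration of the audit-log conditions tested in step IV.A (this is not code from the report or from the IRS MeF System), the following checker runs over an exported set of audit records and reports which required fields are unpopulated, which required event types never appear, and, through a small writer class, how a failed audit write is turned into an alert rather than being dropped silently. The event catalogue (REQUIRED_EVENTS), the field names other than Error Code and Return Message, and the sample records are assumptions constructed for the example.

```python
"""Audit-trail completeness checker and failure-alerting sink.

Added example (not code from the TIGTA report or the IRS MeF System).
It exercises the conditions in step IV.A: every required auditable event
is captured, every record carries its required fields, and a failed audit
write raises an alert instead of being dropped silently.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Callable

# ASSUMPTION: an illustrative catalogue of events the audit policy requires.
# The MeF System's real event list is not given in the report.
REQUIRED_EVENTS = {
    "LOGIN_SUCCESS", "LOGIN_FAILURE", "RETURN_VIEW",
    "RETURN_UPDATE", "ADMIN_CONFIG_CHANGE",
}

# Fields every record must carry.  "error_code" and "return_message" mirror
# the two fields the report found unpopulated in the Security Audit and
# Analysis System logs; the other names are assumptions.
REQUIRED_FIELDS = ("timestamp", "user_id", "event", "error_code", "return_message")


def missing_fields(rec: dict) -> list[str]:
    """Required fields that are absent or empty in one audit record."""
    return [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]


def uncovered_events(records: list[dict]) -> list[str]:
    """Required event types that never appear in the exported records."""
    seen = {r.get("event") for r in records}
    return sorted(REQUIRED_EVENTS - seen)


def audit_report(records: list[dict]) -> dict:
    """Summarise an exported log: incomplete records, uncovered events, counts."""
    incomplete = {i: m for i, r in enumerate(records) if (m := missing_fields(r))}
    return {
        "records": len(records),
        "incomplete": incomplete,
        "uncovered_events": uncovered_events(records),
        "events_by_type": dict(Counter(r.get("event") for r in records)),
    }


class AuditSink:
    """Audit writer that validates each record and alerts on write failure."""

    def __init__(self, write: Callable[[str], None], alert: Callable[[str], None]):
        self._write = write      # e.g. append to a file or send to a log server
        self._alert = alert      # e.g. page the official who monitors audit mechanisms
        self.failures = 0

    def emit(self, rec: dict) -> None:
        missing = missing_fields(rec)
        if missing:
            # Refuse to write a record that would itself be a finding.
            raise ValueError(f"audit record rejected, missing {missing}")
        try:
            self._write(json.dumps(rec, sort_keys=True))
        except OSError as exc:
            # An audit log failure must raise an alert, not pass unnoticed.
            self.failures += 1
            self._alert(f"AUDIT LOG WRITE FAILURE: {exc}")
            raise


# Constructed sample export (not real MeF data).
SAMPLE_RECORDS = [
    {"timestamp": "2011-03-01T09:00:00Z", "user_id": "u1001", "event": "LOGIN_SUCCESS",
     "error_code": "0", "return_message": "OK"},
    {"timestamp": "2011-03-01T09:05:12Z", "user_id": "u1001", "event": "RETURN_VIEW",
     "error_code": "", "return_message": ""},          # fields present but empty
    {"timestamp": "2011-03-01T09:07:45Z", "user_id": "u2002", "event": "LOGIN_FAILURE",
     "error_code": "AUTH-401", "return_message": "bad password"},
    {"timestamp": "2011-03-01T09:08:01Z", "user_id": "u2002", "event": "LOGIN_FAILURE",
     "return_message": "bad password"},                 # error_code absent
]

if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_RECORDS), indent=2))
```

Running the module on the constructed records flags records 1 and 3 as incomplete and reports two required event types that the export never captured; the sink re-raises after alerting so that the calling transaction can decide whether to halt, which is the usual choice for a system that must not operate without an audit trail.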
Internal Controls Methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the Enterprise Life Cycle and related IRS guidelines and the processes followed in the development of information technology projects. We evaluated these controls by reviewing the guidelines, conducting interviews and meetings with management and staff, and reviewing project documents.
Appendix II
Major Contributors to This Report
Alan R. Duncan, Assistant Inspector General for Audit (Security and
Information Technology Services)
Kimberly R. Parmley, Acting Director
Ryan R. Perry, Lead Auditor
Charlene L. Elliston, Senior Auditor
Beverly K. Tamanaha, Senior Auditor
Suzanne M. Westcott, Senior Auditor
Louis V. Zullo, Senior Auditor
Monique S. Queen, Information Technology Specialist
Appendix III
Commissioner C
Office of the Commissioner - Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Director, Privacy, Information Protection and Data Security OS:P
Associate Chief Information Officer,
Deputy Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Program Management OS:CTO:AD:PM
Director, Submission Processing OS:CTO:AD:SP
Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI
Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Risk Management Division OS:CTO:SP:RM
Appendix IV
Enterprise Life Cycle Overview
The Enterprise Life Cycle is the IRS’s standard approach to business change and information systems initiatives. It is a collection of program and project management best practices designed to manage business change in a successful and repeatable manner. The Enterprise Life Cycle addresses large and small projects developed internally and by contractors.
The Enterprise Life Cycle includes such requirements as:
· Development of and conformance to an enterprise architecture.
· Improving business processes prior to automation.
· Use of prototyping and commercial software, where possible.
· Obtaining early benefit by implementing solutions in multiple releases.
· Financial justification, budgeting, and reporting of project status.
In addition, the Enterprise Life Cycle improves the IRS’s ability to manage changes to the enterprise; estimate the cost of changes; and engineer, develop, and maintain systems effectively. Figure 1 provides an overview of the phases and milestones within the Enterprise Life Cycle. A phase is a broad segment of work encompassing activities of similar scope, nature, and detail and providing a natural breakpoint in the life cycle. Each phase begins with a kickoff meeting and ends with an executive management decision point (milestone), at which IRS executives make “go/no-go” decisions for continuation of a project. Project funding decisions are often associated with milestones.
Figure 1:
Phase | General Nature of Work | Milestone
Vision and Strategy/ | High-level direction setting. This is the only phase for enterprise planning projects. | 0
Project Initiation Phase | Startup of development projects. | 1
Domain Architecture Phase | Specification of the operating concept, requirements, and structure of the solution. | 2
Preliminary Design Phase | Preliminary design of all solution components. | 3
Detailed Design Phase | Detailed design of solution components. | 4A
System Development Phase | Coding, integration, testing, and certification of solutions. | 4B
System Deployment Phase | Expanding availability of the solution to all target users. This is usually the last phase for development projects. | 5
Operations and | Ongoing management of operational systems. | System Retirement
Source: The
Appendix V
Modernized e-File System Unresolved Security Weaknesses Not Being Tracked in the Plan of Action and Milestones
The following table presents unresolved security weaknesses identified by the IRS Cybersecurity organization affecting the MeF System. Based on our review of these security weaknesses and information provided by the IRS, the weaknesses remain unresolved and are not being tracked in the POA&Ms as required. The table includes the security weaknesses and when they were identified.
No. | Security Weakness | MeF Release 6.1, Security Risk Assessment Report, dated October 16, 2009 | MeF Release 6.1, Security Risk Assessment Report, dated April 15, 2010 | TIGTA Report 2010-20-041, dated May 26, 2010 | MeF Release 6.2, Security Risk Assessment Report, dated November 1, 2010
1 | After three unsuccessful attempts, the MeF System automatically locks out the offending user accounts for only 15 minutes. Therefore, it did not enforce automatic account locks on user accounts for a minimum of 24 hours in accordance with IRS policies. | X | X | X | X (Risk-Based Decision)
2 | MeF Release 6.1 will utilize Business Objects[13] for statistical reporting. Ad hoc reports generated are not marked “Sensitive But Unclassified” and are not adequately protected. | X | X | X |
3 | MeF Security Audit and Analysis System logs are not populated with two required fields. The two fields that were missing were the Error Code and Return Message. | X | X | X |
4 | The system is not configured to automatically alert personnel in the event of audit log failure. | | X | |
5 | The processes for establishing and confirming user identification on the MeF System did not meet Federal Government standards for accrediting cryptographic modules. | | | X | X (Risk-Based Decision)
6 | Virus checking is disabled on state-specific responses in the Extensible Markup Language Gateways for the MeF System. | | | | X (Risk-Based Decision)
7 | Application-to-application sessions are not terminated after 15 minutes of inactivity. | | | | X
Source: MeF Release 6.1, Security Risk Assessment Report, dated October 16, 2009; MeF Release 6.1, Security Assessment Report, dated April 15, 2010; prior TIGTA report, Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010); and MeF Release 6.2, Security Risk Assessment Report, dated November 1, 2010.
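Weaknesses 1 and 7 above are both session-control failures, and the practical difference between the setting found and the setting required is easiest to see in code. The following is an added example, not code from the report or from the MeF System: a lockout policy with the 15-minute lock as found placed beside the 24-hour lock IRS policy requires, an authenticator that enforces whichever policy it is given, a helper that bounds how many online guesses each policy allows an attacker per day, and a session store that terminates sessions after 15 minutes of inactivity. The plaintext credential dictionary, user names, and timestamps are assumptions for the demonstration; a real system compares salted password hashes.

```python
"""Account lockout and session-inactivity enforcement.

Added example (not the IRS MeF System's code) for weaknesses 1 and 7 in
the table above: the 15-minute lock as found is placed beside the 24-hour
lock IRS policy requires, and application sessions are terminated after
15 minutes of inactivity.  Credentials are a plaintext dict for the demo
only (an assumption); a real system compares salted password hashes.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int
    lock_duration: timedelta


# Weakness 1: three failures locked the account for only 15 minutes.
AS_FOUND = LockoutPolicy(max_failures=3, lock_duration=timedelta(minutes=15))
# IRS policy as described in the report: automatic lock for a minimum of 24 hours.
AS_REQUIRED = LockoutPolicy(max_failures=3, lock_duration=timedelta(hours=24))


def guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses against one account in 24 hours
    if the attacker simply waits out each lock and resumes."""
    cycles = max(1, timedelta(days=1) // policy.lock_duration)
    return policy.max_failures * cycles


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class Authenticator:
    def __init__(self, policy: LockoutPolicy, credentials: dict[str, str]):
        self.policy = policy
        self._creds = credentials          # ASSUMPTION: plaintext, demo only
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Return 'locked', 'ok' or 'failed'.  A locked account answers 'locked'
        even to the correct password, so the lock leaks no oracle."""
        st = self._state.setdefault(user, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        stored = self._creds.get(user, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures, st.locked_until = 0, None
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_duration
            st.failures = 0
        return "failed"


class SessionStore:
    """Weakness 7: sessions must end after 15 minutes of inactivity."""

    def __init__(self, idle_timeout: timedelta = timedelta(minutes=15)):
        self.idle_timeout = idle_timeout
        self._last_seen: dict[str, datetime] = {}

    def open(self, session_id: str, now: datetime) -> None:
        self._last_seen[session_id] = now

    def touch(self, session_id: str, now: datetime) -> bool:
        """Record activity; False means the session had already idled out
        (it is dropped, and the caller must re-authenticate)."""
        last = self._last_seen.get(session_id)
        if last is None or now - last > self.idle_timeout:
            self._last_seen.pop(session_id, None)
            return False
        self._last_seen[session_id] = now
        return True

    def reap(self, now: datetime) -> list[str]:
        """Terminate every idle session; returns the ids removed."""
        dead = [s for s, t in self._last_seen.items() if now - t > self.idle_timeout]
        for s in dead:
            del self._last_seen[s]
        return dead


if __name__ == "__main__":
    for name, pol in (("as found", AS_FOUND), ("as required", AS_REQUIRED)):
        print(f"{name}: up to {guesses_per_day(pol)} guesses per account per day")
```

The bound is the point of the finding: with a 15-minute lock an attacker who retries as soon as each lock expires gets 288 guesses per account per day, while the required 24-hour lock allows 3. The session store should be driven by a periodic reap() as well as by touch(), since an application-to-application peer that goes quiet never calls touch() and would otherwise hold its session open indefinitely.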
Appendix VI
Glossary of Terms
Term | Definition
Business Objects | Objects in an object-oriented computer program that represent the entities in the business domain that the program is designed to support. For example, an order entry program might have business objects to represent each order, line items, and invoices.
Capability Maturity Model Integration® | A model or collection of “best practices” that organizations follow to dramatically improve the effectiveness, efficiency, and quality of their product and service development work.
Code Optimization | The process of modifying a software system to make some aspect of it work more efficiently or use fewer resources.
Configuration Management | A practice to establish proper control over approved project documentation, hardware, and software and assuring changes are authorized, controlled, and tracked.
Enterprise Life Cycle | A structured business systems development method that requires the preparation of specific work products during different phases of the development process.
Executive Steering Committee | A committee that oversees investments, including validating major investment business requirements and ensuring that enabling technologies are defined, developed, and implemented.
Extensible Markup Language | The universal format for structured documents and data on the Web.
Filing Season | The period from January through mid-April when most individual income tax returns are filed.
General Support System | OMB Circular A-130 defines a general support system as an “interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.”
Governance | An IRS-designed enterprise governance model that assigns all information technology projects to an appropriate executive oversight body.
Information Technology Asset Management System | This system delivers an inventory system that enables tracking, reporting, and management of information technology assets.
Issue | A situation or condition that either 1) currently has negative consequences for an information technology program/project or organization or 2) has 100 percent probability of having negative consequences for the program/project or organization.
Item Tracking Reporting and Control System | An information system used to track and report on issues, risks, and action items in the modernization effort.
MeF Backend | Represents the MeF System application servers and the application software hosted on the application servers that perform submission validation and processing.
MeF Frontend | Represents the Extensible Markup Language gateways and Simple Object Access Protocol Web Application Server architecture that performs entry and authentication services in order to get to the MeF Backend.
Milestone | Milestones provide for “go/no-go” decision points in a project and are sometimes associated with funding approval to proceed.
National Institute of Standards and Technology | An agency under the Department of Commerce responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
Oracle 11g | A relational database management system, with version 11g being first introduced in Calendar Year 2007. Oracle 11g enables clusters of low-cost, industry standard servers to be treated as a single unit and features built-in testing for changes, the capability of viewing tables back in time, compression capability for all types of data, and enhanced disaster recovery functions.
Plan of Action and Milestones | A tool that Federal agencies must use to assist in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. A POA&M identifies tasks to correct weaknesses, resources required, and scheduled completion dates.
Portal | A point of entry to a network system that includes a search engine or a collection of links to other sites usually arranged by topic. It provides the infrastructure that allows users (including IRS employees and taxpayers) to have web-based access to IRS information.
Release | A specific edition of software.
Requirement | A formalization of a need and the statement of a capability or condition that a system, subsystem, or system component must have or meet to satisfy a contract, standard, or specification.
Risk | A potential event that could have an unwanted impact on the cost, schedule, business, or technical performance of an information technology program/project or organization.
Risk-Based Decision | A risk-based decision is considered when meeting the requirement is technically or operationally not possible or is not cost-effective. It is required for any situation in which the system will be operating outside of IRS information technology security policy or National Institute of Standards and Technology guidelines, whether related to a technical, operational, or management control.
Security Audit and Analysis System | This system implements a data warehousing solution to provide online analytical processing of audit trail data.
Appendix VII
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224
CHIEF TECHNOLOGY OFFICER
July 25, 2011
MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Terence V. Milholland
/s/ Terence V. Milholland
Chief Technology Officer
SUBJECT: Draft Audit Report - The Modernized e-File Release 6.2 Included Enhancements, But Improvements Are Needed for Tracking Performance Issues and Security Weaknesses (Audit # 201020028) e-trak # 2011-22983
Thank you for the opportunity to review your draft audit report and to discuss earlier draft report observations with the audit team.
I was pleased to read your comments and observations acknowledging that the Modernized e-File (MeF) Project Office met their performance goals in MeF Release 6.2. I am pleased that the report recognizes that the IRS has effectively used Change Management processes and ensured key performance enhancements were included in this release.
The IRS acknowledges that during your review of the MeF 6.2 security findings, TIGTA identified 7 unresolved weaknesses during the audit. Those weaknesses are now being tracked in the Trusted Agent Federal Information Security Management Act to satisfy the reporting requirements.
I disagree with the statement, "there were 12 additional security controls that were not in place". I believe we have accounted for all security controls confirmed as not in place within POA&Ms now or by confirming them through a Security Assessment and Authorization currently in progress.
I further extend my appreciation for your agreement to modify the language in Recommendation 3 of the Draft Report to a "MeF specific" Recommendation in the Final Report.
We are committed to continuously improving our information technology systems and processes. We value your continued support and the assistance and guidance your team provides. If you have any questions, please contact me at (202) 622-6800 or Karen Mayr at (202) 283-0015.
Attachment
RECOMMENDATION #1: The Chief Technology Officer should direct the PET to effectively map all identified performance issues through to their resolution for all future filing seasons.
CORRECTIVE ACTION #1: The IRS agrees with this recommendation. The MeF Project Office has developed a Performance Enhancement Team (PET) matrix which documents all MeF performance related issues. The matrix will be used by the PET team to identify possible resolutions and to track the work associated with each of the resolutions. Performance related activities that were deferred from MeF Release 6.2 will be included in this matrix. As part of the regularly scheduled PET status meetings, the matrix will be updated and reviewed.
IMPLEMENTATION DATE: September 1, 2011
RESPONSIBLE OFFICIAL: Associate Chief Information Officer, Applications Development
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.
RECOMMENDATION #2: The Chief Technology Officer should direct the PET to establish guidance requiring, at a minimum, timely updates and consistent terminology be used in the PET Matrices to accurately depict the status of performance enhancements and solutions.
CORRECTIVE ACTION #2: The IRS agrees with this recommendation. The PET matrix will be put under tight configuration control. A single point of contact (POC) will be identified to update the matrix. Status updates from the members of the PET will be provided to the POC during the regularly scheduled PET meetings. Once the updates are made by the POC, the matrix will be posted (in a read only mode) for all PET members to access. Consistent terminology will be used to the extent possible and where relevant.
IMPLEMENTATION DATE: September 1, 2011
RESPONSIBLE OFFICIAL: Associate Chief Information Officer, Applications Development
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.
RECOMMENDATION #3: The Chief Technology Officer should ensure that all confirmed security weaknesses from all sources, that are not mitigated immediately, are included in the POA&Ms to ensure adequate documentation, reporting, and tracking to resolution.
CORRECTIVE ACTION #3: The Chief Technology Officer does ensure that all confirmed security weaknesses from all sources, that are not mitigated immediately, are included in Plan of Action and Milestones (POA&Ms) to ensure adequate documentation, reporting, and tracking to resolution. All confirmed weaknesses for the Modernized e-File system have been reported in the system POA&M or in the appropriate General Support System POA&M.
IMPLEMENTATION DATE: March 24, 2011
RESPONSIBLE OFFICIAL: Associate Chief Information Officer, Cybersecurity
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.
RECOMMENDATION #4: The Chief Technology Officer should ensure that all issues and candidate risks are included in the ITRAC System or those procedures outside of the scope of the MeF Risk Management Plan are properly documented and approved.
CORRECTIVE ACTION #4: The IRS agrees with this recommendation. The MeF Project Office will document candidate risks and issues in ITRACS. The candidate risks and issues will be worked through the standard risk and issue process, and ITRACS will be updated accordingly.
IMPLEMENTATION DATE: September 1, 2011
RESPONSIBLE OFFICIAL: Associate Chief Information Officer, Applications Development
CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES). These Corrective Actions are monitored on a monthly basis until completion.
[1] See Appendix VI for a glossary of terms.
[2] See Appendix VI for a glossary of terms.
[3] OMB Circular A-130 defines general support systems as an “interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.”
[4] Reference Number 2010-20-041, dated May 26, 2010.
[5] We reviewed the General Support System POA&Ms that included issues relating to the MeF System.
[6] See Appendix V for the seven unresolved security weaknesses not being tracked in the POA&M.
[7] Recommended Security Controls for Federal Information Systems, Revision 2, dated December 2007.
[8] Internal Revenue Code Section (§) 6103 (26 U.S.C. § 6103) and the Taxpayer Browsing Protection Act of 1997 (26 U.S.C.A. §§ 7213, 7213A, and 7431 (West 2006)).
[9] See Appendix IV.
[10] 44 U.S.C. §§ 3541 – 3549.
[11] See Appendix VI for a glossary of terms.
[12] Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).
[13] See Appendix VI for a glossary of terms.