TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Desktop and Laptop Software License Management Is Not Being Adequately Performed

 

 

 

June 25, 2013

 

Reference Number: 2013-20-025

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number / 202-622-6500

E-mail Address / TIGTACommunications@tigta.treas.gov

Website / http://www.treasury.gov/tigta

 

 

HIGHLIGHTS

DESKTOP AND LAPTOP SOFTWARE LICENSE MANAGEMENT IS NOT BEING ADEQUATELY PERFORMED

Highlights

Final Report issued on June 25, 2013

Highlights of Reference Number: 2013-20-025 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Computer software is typically protected by Federal copyright law, which requires users of software programs to have a license authorizing such use. Software licenses are legal rights to use software in accordance with terms and conditions specified by the software copyright owner. Software license management at the IRS is not being adequately performed. Efficient and cost-effective management of the IRS's software assets is crucial to ensuring that information technology services continue to support the IRS's business operations and help it to provide services to taxpayers efficiently.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS is adequately managing software licenses. Federal requirements and recommended industry best practices govern the use and management of software licenses. The objective of software license management is to manage, control, and protect an organization's software assets, including management of the risks arising from the use of those software assets. The proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled.

WHAT TIGTA FOUND

The IRS is not adequately performing software license management and is not adhering to Federal requirements and recommended industry best practices. The IRS does not have enterprisewide or local policies, procedures, and requirements for software license management. The User and Network Services organization was unable to provide us with essential licensing records for properly managing licenses on 24 of 27 software products reviewed during this audit.

TIGTA also found that the IRS does not have specialized software license tools designed to be the repository for software and software license deployment. These tools should be used to discover, track, manage, and detect inactive usage of software licenses. Finally, the IRS does not have an accurate inventory of software and related licenses that contains licensing models applicable to each software product which links data on the licenses purchased and deployed with the purchase costs, procurement information, and monitoring and usage data.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer develop policies and guidance and roles and responsibilities for managing software assets and licenses; implement a specialized software license management tool and develop detailed standard operating procedures for using the tool; develop an inventory of software licensing data and maintain the inventory with a specialized software license tool; and maintain data in the inventory that the IRS can use to more effectively manage software spending.

In their response to the report, IRS officials agreed with all six recommendations with slight modifications on four of them. The IRS plans to use best practices to develop enterprisewide software license management policies, procedures, roles, and responsibilities; identify and implement a standard enterprise toolkit with standard operating procedures for the management of software licenses; and collect software inventory data from the toolkit in a central data repository.

 

 

June 25, 2013

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

 

FROM: Michael E. McKenney /s/ Michael E. McKenney

Acting Deputy Inspector General for Audit

 

SUBJECT: Final Audit Report – Desktop and Laptop Software License Management Is Not Being Adequately Performed (Audit # 201220018)

 

This report presents the results of our review of the Internal Revenue Service's (IRS) management of desktop and laptop software licenses. We performed this review to determine whether the IRS is minimizing risks by ensuring that software product licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled. This review is included in the Treasury Inspector General for Tax Administration's Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Achieving Program Efficiencies and Cost Savings.

In its response, the IRS indicated that the audit examined the IRS's desktop and laptop environment, which the IRS considers a part of its overarching approach for enterprise software governance. Thus, its corrective actions addressing recommendations include desktop and laptop software licensing as a subset of the enterprise. TIGTA disagrees with this statement. During the audit period, the IRS did not have an overarching approach for enterprise software governance or the assimilation of Information Technology Infrastructure Library (ITIL) Maturity Level 3 processes regarding centralizing the responsibility for software license management.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

 

 

Table of Contents

 

Background

Results of Review

Software License Management Policies and Procedures Have Not Been Established

Recommendations 1 and 2:

Processes for Using Software License Tools Do Not Adhere to Federal Requirements and Best Practices

Recommendation 3:

Recommendation 4:

Processes for Software License Inventories Do Not Adhere to Federal Requirements and Best Practices

Recommendation 5:

Recommendation 6:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Glossary of Terms

Appendix V – Management's Response to the Draft Report

 

 

Abbreviations

 

CTO: Chief Technology Officer

IRM: Internal Revenue Manual

IRS: Internal Revenue Service

IT: Information Technology

ITIL®: Information Technology Infrastructure Library

SAM: Software Asset Management

UNS: User and Network Services

 

 

Background

 

Computer software is typically protected by Federal copyright law, which requires users of software programs to have a license authorizing such use. Software licenses are legal rights to use software in accordance with terms and conditions specified by the software copyright owner. Rights to use software are separate from the legal rights to the software itself, which are normally kept by the software manufacturer or other third party. Licenses may be bought and are normally required whenever externally acquired software is used, which will typically be when the software is installed on a computer (or when executed on a computer even if installed elsewhere such as on a server).

Software licenses are one of the main issues addressed by software asset management. Software asset management is a process for tracking and reporting the use and ownership of software assets. Forrester Research Inc.[1] defines software asset management as:

The systematic automation of processes to reconcile software licenses and statements of entitlement, maintenance contracts, and original media with installed software and those processes for discovering deployed software assets; to reconcile the assets to their licenses, maintenance contracts, and definitions of entitlement; and to report on compliance and discrepancies in such a way as to minimize the risk of legal action by software vendors as well as loss of service to users or of reputation in the wider world.

The objective of software license management is to manage, control, and protect an organization's software assets, including management of the risks arising from the use of those software assets. Proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and cost-effectively deployed, and that software purchasing and maintenance expenses are properly controlled.

Software license management can be difficult because:

The Internal Revenue Service (IRS) reported that in Fiscal Year 2011 it spent $235 million on computer software products. Efficient and cost-effective management of the IRS's software assets is crucial to ensuring that information technology services continue to support the IRS's business operations and help it to provide services to taxpayers efficiently.

Federal requirements established by Executive Orders, the Federal Chief Information Officer Council, the National Institute of Standards and Technology, and the Department of the Treasury as well as recommended industry best practices govern the use and management of software licenses. These sources provide guidance to ensure that software licenses are 1) efficiently purchased and are not being unused or underused, 2) used in compliance with copyright laws, and 3) inventoried through the use of adequate recordkeeping systems that control and track the use of licenses.

This review was performed at the User and Network Services (UNS) organization's Software Asset Management (SAM) office in Fresno, California, during the period June through December 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Software License Management Policies and Procedures Have Not Been Established

Executive Order 13103, Computer Software Piracy, requires and Information Technology Infrastructure Library's (ITIL®) best practices recommend the development of software license management policies and procedures and roles and responsibilities. The ITIL and industry best practices recommend a centralized, enterprisewide management structure for software asset management. These best practices indicate that some of the most significant benefits of software asset management, both cost and risk management benefits, come from managing software on an enterprisewide basis. An enterprisewide management structure can actively manage software assets to know the location, configuration, and usage history of every product. In addition, an enterprisewide management structure supported by an enterprisewide inventory and automated software license management tools can better provide procurement staff with the detailed and accurate information needed to negotiate flexible, cost-effective contracts and form the basis for cost-reduction projects such as platform stabilization, volume bundling, securing longer term agreements, and vendor or hardware consolidation. In September 2010, the IRS's Chief Technology Officer (CTO) outlined a goal to have the Information Technology (IT) organization implement the ITIL best practices over the next several years. The IRS reported that the IT organization had achieved ITIL Maturity Level 3 in October 2012.

The IRS does not have enterprisewide policies, procedures, and requirements for software license management. The IRS does not have a centralized, enterprisewide organizational structure for managing software licenses, and decentralized units within the IT organization that manage software licenses also do not have local software licensing policies and procedures. The UNS organization within the IT organization, which includes the desktop environment, is responsible for managing one of the largest software license inventories in the IRS, and it does not have policies and procedures for managing software licenses.

The IRS has defined software asset and license management roles and responsibilities only for the Chief Information Officer/CTO in Internal Revenue Manual (IRM) 10.8.2, IT Security Roles and Responsibilities.[2] IRM 2.14.1, Asset Management, Information Technology (IT) Asset Management,[3] does not provide any additional roles and responsibilities for software asset and license management. The IRS also does not have software asset and license management roles and responsibilities for the organizational entities that conduct software asset and license management.

The UNS organization was unable to provide us with essential licensing records for properly managing the licenses on 24 of 27 judgmentally selected[4] software products we reviewed during this audit. The UNS organization could not provide licensing agreements for 23 products, documentation for the number of licenses purchased for 15 software products, and license deployment documentation for seven software products.

Our review of documentation provided determined that the UNS organization is not adequately managing software licenses. Specifically, of the 27 software products reviewed, we found:

The IRS does not have enterprisewide or local software license management policies and procedures, an enterprisewide license management structure, or roles and responsibilities for the organizational entities that conduct software license management because the IRM section covering a software management program is under development. IRM 2.14.1 states (in Section 13.17) that software management is under development and that procedures are in the process of being defined.

Until the IRS implements an effective program to manage software licenses, the IRS is incurring increased risks in managing software licenses. These risks include: 1) not complying with licensing agreements that could result in embarrassment, legal problems, and financial liability; 2) not using licenses in the most cost-effective manner; and 3) not effectively using licensing data to reduce software purchase and software maintenance costs.

Recommendations

To help ensure that the IRS has software license management policies and procedures and complete roles and responsibilities that adhere to Federal requirements and recommended industry best practices, the CTO should:

Recommendation 1: Develop policies and guidance in the IRM for managing software assets and licenses using ITIL best practices.

Management's Response: The IRS agreed with this recommendation. The IRS will utilize best practices such as the ITIL to develop policies and guidance for managing software and licensing from an enterprise perspective in support of and aligned to IRM 2.14.1. The IRS will ensure that policies and guidance are aligned to and include the protocols, functions, and decisionmaking outcomes across Associate Chief Information Officer and other enterprise units by implementing an Enterprise Software Governance Board.

Recommendation 2: Develop UNS organization roles and responsibilities in the IRM for software asset and license management.

Management's Response: The IRS agreed with this recommendation with a slight modification. The IRS will develop enterprisewide roles and responsibilities in the IRM for software asset and license management that includes the UNS organization. This slight modification to the recommendation will avoid inconsistent processes that may yield different results and information.

Processes for Using Software License Tools Do Not Adhere to Federal Requirements and Best Practices

The National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations,[5] and Treasury Directive Publication 85-01, Treasury IT Security Program,[6] require and ITIL and industry best practices recommend implementing enterprisewide software asset discovery, network scanning, license management, and license metering tools. Software asset discovery tools are used to identify installed software and collect relevant details about each installed software product. Network scanning tools are used to detect and remove any unauthorized or unlicensed installed software. Software license management tools help to ensure compliance with licensing agreements by tracking license usage, linking upgrades to original licenses, linking licenses bought to licenses used, and managing the stock of unused licenses. Metering tools help to ensure that licenses are used cost effectively by detecting installed software that is not being used so that the licenses can be redeployed to other users to avoid paying for additional licenses when they are not needed.

Even though the IRS does not have written policies and procedures on software license management, through interviews we obtained information on the approach or processes used by the IRS to manage software licenses and compared them to Federal requirements and recommended best practices. Software licenses in the IRS are tracked and managed by decentralized groups that use manual and non-manual techniques, queries, spreadsheets, record systems, scanning tools not specifically designed for software license management to gather rough software data, utilities unique to the software product being tracked, and manual calculations to maintain their own software licensing records.

Due to the lack of an IRS enterprisewide structure for managing software licenses, we focused our testing on the SAM group within the UNS organization. The SAM group is responsible for managing the IRS's Common Operating Environment and above-baseline desktop and laptop software solutions. The SAM group, which is responsible for managing one of the largest software license inventories in the IRS, performs limited software licensing management. The SAM group does not have specialized software license tools designed to discover, track, manage, detect inactive usage and be the repository for software and software license deployment. The SAM group manually tracks the number of licenses deployed against the number bought. When an employee needs a license, the SAM group verifies that unused licenses are available before issuing the requested license. If no licenses are available, it will request the purchase of additional licenses. When a computer is turned in, the SAM group will recover licenses and place the erased computer and recovered licenses into inventory. When an employee needs a new computer, the SAM group reimages the computer from inventory and redeploys licenses onto the reimaged computer. The SAM group is unable to scan computers to discover the licenses actually deployed and to identify the use of unauthorized software. In addition, the SAM group does not monitor software usage to determine whether licenses deployed are not being used and could be recycled to be made available to other employees. Three additional groups we reviewed that manage software licenses also do not use software tools to manage license compliance and deployment.

The SAM group has an ongoing project for developing a comprehensive software licensing management process that will include a specialized software license management tool. It plans to initially use the tool to manage licenses for the Common Operating Environment and above-baseline desktop and laptop software products that it is currently responsible for managing. The SAM group plans for the tool to be a centralized inventory system for software inventory and software license management. It plans to 1) use the tool to track, manage, and be the repository for software and software license deployment and usage, 2) use the tool's network scanning capabilities to perform software and licensing discovery, and 3) reconcile the scanned results of installed software and deployed licenses with contracted licenses. The tool is currently in the testing environment and will then move into the system testing phase. The SAM group expects it to be ready for full implementation by September 2013.

In addition, the SAM group is developing draft standard operating procedures to be used for managing the Common Operating Environment and above-baseline desktop and laptop software licenses when the tool is implemented. The procedures will outline how the group plans to use the tool to scan computers for collecting data on installed software and match that data against authorized software, licenses, and user or computer entitlements. The matches are designed to identify licensing conditions that pose a risk to software license compliance and to the cost-effective use of licenses, such as 1) installed software that the IRS is not licensed to have, 2) installations of licensed software that were not authorized to have been installed, and 3) installed software that is not being used and for which the licenses could be redeployed to other users. The SAM group also stated that roles and responsibilities will be developed for the project using the ITIL best practices. However, the plans that are being developed by the SAM group are only for the Common Operating Environment and above-baseline desktop and laptop software licenses, not an enterprisewide organizational structure for managing all of the IRS's software and licenses. In the future, the SAM group indicated that the IRS will consider the possibility of extending the new application's software license management capability to additional software products used on servers, network devices, and other computers for use by the staff that manage licenses in the Enterprise Operations, Enterprise Networks, and Applications Development organizations.
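
The matching described above (discovery scan results against authorized software, licenses, and entitlements) can be sketched as follows. This is an added example, not IRS or TIGTA code; the record layouts, host and product names, and the 90-day idle threshold are constructed assumptions. It also reports purchased-versus-deployed position per product, including the case where the purchase record is missing.

```python
"""Reconcile a software discovery scan against license records.

Added illustration; every record, name and threshold here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    last_used: Optional[date]  # None: metering never saw the product run


@dataclass(frozen=True)
class Entitlement:
    product: str
    purchased: Optional[int]   # None: purchase documentation is missing
    unlimited: bool = False


def reconcile(installs, entitlements, authorized, today, idle_days=90):
    """Return the three licensing conditions plus a per-product position.

    authorized is a set of (host, product) pairs approved for installation.
    """
    ent = {e.product: e for e in entitlements}
    findings = {"unlicensed": [], "unauthorized": [], "unused": []}
    deployed = defaultdict(int)

    for inst in installs:
        key = (inst.host, inst.product)
        if inst.product not in ent:
            # Condition 1: installed software with no license on record.
            findings["unlicensed"].append(key)
            continue
        deployed[inst.product] += 1
        if key not in authorized:
            # Condition 2: licensed product, but this install was not approved.
            findings["unauthorized"].append(key)
        idle = inst.last_used is None or (today - inst.last_used).days > idle_days
        if idle:
            # Condition 3: license is a candidate for redeployment.
            findings["unused"].append(key)

    position = {}
    for product, e in ent.items():
        count = deployed.get(product, 0)
        if e.unlimited:
            status = "unlimited"
        elif e.purchased is None:
            # Without a purchase count, over- or under-deployment
            # cannot be determined from the records.
            status = "unknown"
        elif count > e.purchased:
            status = "over"
        else:
            status = "within"
        position[product] = (status, count, e.purchased)
    findings["position"] = position
    return findings


# Constructed sample data.
TODAY = date(2024, 1, 31)
INSTALLS = [
    Install("WS-001", "DiagramTool", date(2024, 1, 20)),
    Install("WS-002", "DiagramTool", date(2023, 6, 1)),
    Install("WS-003", "DiagramTool", date(2024, 1, 25)),
    Install("WS-003", "PdfEditor", None),
    Install("WS-004", "ScreenGrabber", date(2024, 1, 30)),
    Install("WS-001", "OfficeSuite", date(2024, 1, 30)),
]
ENTITLEMENTS = [
    Entitlement("DiagramTool", purchased=2),
    Entitlement("PdfEditor", purchased=None),
    Entitlement("OfficeSuite", purchased=None, unlimited=True),
    Entitlement("StatsPack", purchased=5),
]
AUTHORIZED = {
    ("WS-001", "DiagramTool"),
    ("WS-002", "DiagramTool"),
    ("WS-003", "PdfEditor"),
    ("WS-001", "OfficeSuite"),
}

if __name__ == "__main__":
    report = reconcile(INSTALLS, ENTITLEMENTS, AUTHORIZED, TODAY)
    for name, value in report.items():
        print(name, value)
```
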

The IRS's IT management has not identified and implemented automated software license tools for the enterprisewide management of software licenses, and the IRM section covering the software management program is under development. As previously stated, the IRS was unable to provide us with the essential licensing records for properly managing the licenses for 24 of the 27 software products we reviewed during this audit. Until the IRS implements enterprisewide software license management tools and processes to conduct software license management, the IRS is incurring increased risks in managing software licenses.

Recommendations

To help ensure that the UNS organization has processes for using software license tools that adhere to Federal requirements and recommended best practices, the CTO should:

Recommendation 3: Develop detailed standard operating procedures for using software licensing tools to manage software licenses.

Management's Response: The IRS agreed with this recommendation. As part of the IRS's enterprise approach, it will develop standard operating procedures for using existing and/or other toolsets as appropriate to manage software licensing for the enterprise.

Recommendation 4: Implement a specialized software license tool designed to discover, track, and manage software license deployment and usage.

Management's Response: The IRS agreed with this recommendation with a slight modification. Based on experience, there is no single tool that can discover, track, and manage software license deployment and usage. As such, the IRS will identify and implement a standard enterprise toolkit, which may include multiple tools, to accomplish the recommendation.

Processes for Software License Inventories Do Not Adhere to Federal Requirements and Best Practices

Executive Orders,[7] the Department of the Treasury Directive 85-02, Software Piracy Policy,[8] and IRM 10.8.2 require and ITIL and industry best practices recommend creating and maintaining accurate enterprisewide inventories of installed software and licenses. These inventories should contain licensing models applicable to each software product and link the data on licenses bought and deployed, including costs. This will help ensure that software purchased is not unused or underutilized and that software is used in compliance with copyright laws.

Interviews with the SAM group and the review of documents provided determined that the IRS does not have an accurate inventory of its software and related licenses. Additionally, the inventory records do not contain licensing models applicable to each software product that links data on the licenses purchased and deployed with the purchase costs, procurement information, and monitoring and usage data. The only location where we could identify an IRS list of the software it owns was within the IRS's Application Registration Database. The Application Registration Database is not an authoritative database for software inventory, and licensing information within the database cannot be confirmed as complete and accurate. The Application Registration Database is a control mechanism to ensure that required testing (integration, compatibility, and security testing) for all new desktop and laptop software products is performed before the software is placed into the production environment. Although it contains licensing data, the data are entered at the beginning of the request and testing process and may not be updated when procurement and licensing information changes.

The IRS does not have an enterprisewide inventory of software and software licensing data as a result of not having automated software licensing tools needed to compile such an inventory and because the IRM section covering a software management program is under development. As previously stated, our review of software license documentation identified several instances of software licenses not being adequately managed. For example, for eight of 21 products reviewed that did not have unlimited licenses, we could not determine whether licenses were over- or under-deployed because the IRS could not provide us with records showing either the number of licenses purchased or the number of licenses deployed. Until the IRS develops an enterprisewide software licensing inventory, the IRS is incurring increased risks in managing software licenses.

In addition, the lack of an enterprisewide inventory with comprehensive data on all software and software licensing impedes the ability of the IRS to more thoroughly analyze the relationships among its software license agreements and vendors to more cost-effectively buy software licenses and maintenance. In an effort to offset budget constraints, the Strategy and Planning division within the IT organization established a Vendor and Contract Management office with a mandate to create savings by promoting innovative sourcing alternatives that generate the same or additional value while minimizing risk. Because the IRS does not have adequate software licensing tools and inventories, the Vendor and Contract Management office has to improvise using various tools and data and search various record systems to manually compile the hardware and software data and then perform additional ad hoc calculations to conduct its software licensing analysis. The Vendor and Contract Management office has achieved some software licensing savings during the last two years, but we believe that better software license inventories and tools would enable it to identify additional savings opportunities.

Recommendations

To help ensure that the UNS organization has processes for software license inventories that adhere to Federal requirements and recommended best practices, the CTO should:

Recommendation 5: Develop an inventory of software licensing data and maintain the inventory with a specialized software license tool designed to discover, track, and manage software license deployment and usage.

Management's Response: The IRS agreed with this recommendation with a slight modification. The IRS has developed a software inventory and will leverage this as a starting point; however, based on experience, there is no single tool that can discover, track, and manage software license deployment and usage. As such, the IRS will identify and implement a standard enterprise toolkit, which may include multiple tools, to accomplish this recommendation. Data collected via the toolkit will be consolidated and maintained in a central data repository.

Office of Audit Comment: The IRS does not have an accurate enterprisewide inventory of installed software and licenses as required by Executive Orders, Department of the Treasury Directive 85-02, and IRM 10.8.2 and as recommended by ITIL and industry best practices. Using current inventory information the IRS does have can be a starting point for implementing a standard enterprise toolkit that feeds into an enterprise software inventory and central data repository.

Recommendation 6: Maintain data in the inventory that the IRS can use to more effectively review software licensing agreements, purchases, deployment, usage, and other related aspects of licensing to identify additional savings in software spending.

Management's Response: The IRS agreed with this recommendation with a slight modification. While the IRS is currently maintaining a software inventory, it will enhance this process by leveraging tools. Based on experience, there is no single tool that can discover, track, and manage software license deployment and usage. As such, the IRS will identify and implement a standard enterprise toolkit that will be consolidated and maintained in a central data repository. The IRS progress in this area resulted in reducing the IRS's commercial off-the-shelf software portfolio from 2,723 applications in November 2012 to a current 548 by standardizing the Windows 7 portfolio. The IRS will leverage early progress towards its enterprise approach.

Office of Audit Comment: The IRS does not have an accurate enterprisewide inventory of installed software and licenses as required by Executive Orders, Department of the Treasury Directive 85-02 and IRM 10.8.2 and as recommended by ITIL and industry best practices. Using current inventory information the IRS does have can be a starting point for implementing a standard enterprise toolkit that feeds into an enterprise software inventory and central data repository. Reducing the portfolio does not address our recommendation to maintain data in the inventory that the IRS can use to more effectively review software licensing agreements, purchases, deployment, usage, and other related aspects of licensing to identify additional savings in software spending.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS is adequately managing software licenses.† To accomplish our objective, we:

I.                 Performed electronic research to identify and review Government criteria and requirements and non-Government best practices for software license management.

A.    Identified Government criteria and requirements.

B.    Identified non-Government best practices from recognized organizations.

C.    Identified Government criteria/requirements and previous IRS software license management findings from Government Accountability Office and Treasury Inspector General for Tax Administration audit reports.

D.    Reviewed, analyzed, and summarized the criteria and requirements found that were relevant to the IRS's management of software licenses.

II.    Determined if the IRS had developed adequate policies and procedures and roles and responsibilities for the management of software licenses.

A.    Determined if the IRS had an enterprise policy and procedures for software license management that were consistent with the criteria, requirements, and best practices.

B.    Determined if the IRS had roles and responsibilities for software license management that are consistent with the criteria, requirements, and best practices and that the IRS had assigned roles and responsibilities for all software license management procedures.

C.    Determined if the IRS's policies and procedures and roles and responsibilities established a centralized, rather than decentralized, organization and structure for software license management.

III.    Determined if the IRS had a centralized licensing inventory and manages/maintains the inventory with software tools designed for license management.

A.    Determined if the IRS had a centralized inventory of its software assets, including licensing data.

B.    Determined if the IRS had adequately used software asset discovery tools and usage monitoring tools.

1.     Determined how frequently the IRS performed software asset discovery and usage scans and generated management reports.

2.     Determined if the IRS scans were capable of detecting various licensing conditions.

3.     Determined if the IRS used software licensing reports from the discovery tool to reconcile known software assets and licenses against discovery results and to resolve exceptions or noncompliance with software licenses.

4.     Determined if the IRS used software license inventory data to better negotiate software license purchases and maintenance agreements with vendors.

IV.    Determined if the IRS adequately managed software licenses on a sample of software products.

A.    To select a judgmental sample[9] of software products for review, we began with a population of 975 Common Operating Environment software products as of April 4, 2012. We limited our sample to the Common Operating Environment and above-baseline software because such software is installed on workstations and laptops.

B.    We deleted from the list products that the IRS had not approved for installation at the present time, Government internally developed software, freeware, older versions of a software product when a newer version was being used, patches, and utilities related to the software products. This reduced the list to 372 software products from which to draw a judgmental sample.

C.    For the 372 products, we used several IRS sources to obtain data on the estimated number of users or licenses. We determined which was baseline software installed on all workstations or above-baseline software not installed on all workstations. For about 45 products, we also obtained data on the number of licenses bought and the purchase price.

D.    From the list of 372 products, we judgmentally selected 30 software products to sample as follows.

1.     Five products with at least 100,000 users or licenses were selected because we believed large volumes could present license management difficulties.

2.     Fifteen products having 500 to 99,999 users or licenses were also selected because we believed large volumes could present license management difficulties.

3.     Only three products having less than 500 licenses or users were selected to provide coverage and because we believed smaller volumes could present fewer license management difficulties.

4.     The four highest dollar value licensed products were selected because of the potential dollar impact if licenses were not adequately managed.

5.     Only three Common Operating Environment baseline products were selected because we believed if they are counted on all workstations it could present fewer license management difficulties.

E.     Performed the following on each of the selected software products.

1.     Requested the software licensing agreement.

2.     Reviewed the provided records used by the IRS to manage and track the deployment of software licenses.

3.     Determined the scope of the IRS's software licensing management and tracking activities.

F.     On each of the selected software products, obtained additional documentation and interviewed IRS employees as necessary to substantiate the accuracy of the software licensing data being managed and tracked.

G.    On each of the selected software products, determined if the IRS is managing and tracking licenses.

H.    On each of the selected software products, determined how exceptions or noncompliance with software licenses are resolved.

I.       Determined if the software licensing data that is managed and tracked on each of the selected software products is shared with the Office of Procurement staff to help better negotiate software license purchases and maintenance agreements with vendors.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IT organization's policies, procedures, and processes for managing and tracking software licenses. We evaluated these controls by interviewing IT organization management, identifying Federal requirements and industry best practices for managing and tracking software licenses, and reviewing software license management and tracking on a sample of software products.

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Danny Verneuille, Director

John Ledford, Audit Manager

Richard Borst, Lead Auditor

Chanda Stratton, Senior Auditor

Kasey Koontz, Auditor

 

Appendix III

 

Report Distribution List

 

Principal Deputy Commissioner

Office of the Commissioner – Attn: Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Information Officer, Strategy and Planning  OS:CTO:SP

Associate Chief Information Officer, User and Network Services  OS:CTO:UNS

Director, Operations Service Support  OS:CTO:UNS

Director, Vendor Contract Management  OS:CTO:SP:VCM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison: Director, Risk Management Division  OS:CTO:SP:RM

 

Appendix IV

 

Glossary of Terms

 

Term

Definition

Applications Development Organization

A part of the IRS IT organization responsible for building, testing, delivering, and maintaining integrated information applications systems to support modernized systems and the production environment.

Best Practices

Proven activities or processes that have been successfully used by multiple organizations.

Chief Information Officer Council

As the principal interagency forum on Federal information technology, the purpose of the Chief Information Officer Council is to foster collaboration among Federal Government Chief Information Officers in strengthening Governmentwide information technology management practices.

Common Operating Environment

A standardized, configured computer image on IRS workstation computers integrated with a set of standard software packages to support the needs of all IRS employees.

Enterprise Operations Organization

The part of the IRS IT organization that provides server and mainframe computing services for all IRS business entities and taxpayers.

Executive Orders

Legally binding orders given by the President, acting as the head of the Executive Branch, to Federal Administrative Agencies. Executive Orders are generally used to direct Federal agencies and officials in their execution of congressionally established laws or policies.

Executive Order 13103, Computer Software Piracy

Requires Federal agencies to develop software license management policies and procedures.† It also requires Federal agencies to prepare inventories of software present on computers to help ensure that software is used in compliance with copyright laws.

Executive Order 13589, Promoting Efficient Spending

Requires Federal agencies to take inventory of their information technology assets and ensure that they are not paying for unused or underutilized installed software.

Forrester Research Inc.

A global research and advisory firm that provides research guidance to the information technology industry.

Government Accountability Office

The audit, evaluation, and investigative arm of Congress that provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.

Information Technology Infrastructure Library (ITIL)

Provides guidelines for the use and management of software and licenses.

The ITIL is a widely accepted set of concepts and practices for information technology service management derived from user and vendor experts in both the private and public sectors. The ITIL focuses on the key service management principles pertaining to service strategy, service design, service transition, service operation, and continual service improvement, with each principle being covered in a separate ITIL core publication. Software asset management is a key process described within the service transition core publication. The ITIL also has a separate publication entitled Best Practice Software Asset Management that covers software asset and license management best practices in more depth than the core publication. ITIL best practices recommend 1) the development of software license management policies and procedures and roles and responsibilities; 2) a centralized, enterprisewide management structure for software asset management; 3) the use of software license management tools; and 4) the creation and maintenance of accurate enterprisewide inventories of software licenses.

Information Technology Infrastructure Library Maturity Levels

Maturity levels refer to an IT organization's ability to perform. An organization passes through five evolutionary levels as it becomes more competent:

Level 1: Initial – Focuses on technology and technology excellence/experts.

Level 2: Repeatable – Focuses on products/services and operational processes (e.g., Service Support).

Level 3: Defined – Focuses on the customer and proper service level management.

Level 4: Managed – Focuses on business/information technology alignment.

Level 5: Optimized – Focuses on value and the seamless integration of information technology into the business and strategy making.

Information Technology Organization

The IRS organization responsible for delivering information technology services and solutions that drive effective tax administration to ensure public confidence.

National Institute of Standards and Technology

A part of the Department of Commerce that is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations

Requires that Federal agencies employ tracking systems, such as specialized fully automated applications depending on the needs of the organization, for software protected by quantity licenses to control copying and distribution and to help ensure that software is used in accordance with licensing agreements.

Software License Agreement

The legal contract between the owner and purchaser of a piece of software that establishes the purchaser's rights. A software license agreement provides details and limitations on where, how, how often, and when the software can be installed and used and provides restrictions that are imposed on the software. The agreement includes the licensing model that will be used for defining and measuring the use of the software. For example, a common simple license model could be based on how many people can use the software and how many systems the software may be installed on. Software companies also make special license agreements for large business and Government entities that may be different from those provided to the general consumer.

Treasury Directive Publication 85-01, Treasury IT Security Program

Requires that bureaus periodically scan their networks to detect and remove any unauthorized or unlicensed software.

Treasury Directive 85-02, Software Piracy Policy

Issued to implement Executive Order 13103 and requires that bureaus establish and maintain an accurate software inventory to help ensure that software is used in accordance with software license agreements.

User and Network Services Organization

A part of the IRS IT organization established in April 2012 that combined the End User Equipment and Services organization and the Enterprise Networks organization. End User Equipment and Services provides information technology products and services to IRS end users. It is the single point of accountability for personal computing, help desk support, asset management, local area networks, and telephone communications support. The Enterprise Networks organization provides communications technologies for internal and external customers and manages the design and engineering of the IRS's telecommunications environment.

 

 

Appendix V

 

Management's Response to the Draft Report

 

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

 

CHIEF TECHNOLOGY OFFICER

 

 

May 20, 2013

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM: for Terence V. Milholland /s/ Stephen Manning
      Chief Technology Officer

 

SUBJECT: Draft Audit Report - Desktop and Laptop Software License Management Is Not Being Adequately Performed (Audit# 201220018) (e-trak #2013-39345)

 

Thank you for the opportunity to review and respond to the subject draft audit report. We recognize that efficient and cost effective management of IRS software license(s) is crucial to ensuring that information technology services continue to support the IRS's business operations that provide services to taxpayers.

 

The subject audit examined our desktop and laptop environment which we consider a part of our overarching approach for enterprise software governance. Thus, our corrective actions addressing recommendations include desktop and laptop software licensing as a subset of the enterprise. As part of our assimilation of ITIL level 3 processes, we are centralizing responsibility for Software License Management. This central function will focus on the processes and goals of this audit from the enterprise perspective, to ensure effective management controls around desktop, laptop, server and other delivery platform software licenses.

 

We did want to make note that to date we have implemented activities to dramatically reduce the size and complexity of our desktop and laptop software portfolio, oversight and control.

 

Our current focus is to charter an Enterprise Software Governance Board (ESGB) to provide oversight and decision making on both Enterprise Software License Management and the strategy and approval process for new and existing software license acquisitions.

 

We believe a standard enterprise approach will lead to more success and savings in the future.

 

We are committed to continuously improving our information technology systems and processes. We value your continued support and guidance. If you have any questions, please contact me at (202) 622-6800, or a member of your staff may contact Lisa J. Starr, Program Manager, Program Oversight Coordination at (202) 283-3607.

 

Attachment

 

 

Attachment

 

 

RECOMMENDATION #1: Develop policies and guidance in the IRM for managing software assets and licenses using ITIL best practices.

CORRECTIVE ACTION #1: IRS agrees with this recommendation. IRS will utilize best practices such as ITIL to develop policies and guidance for managing software and licensing from an enterprise perspective in support of and aligned to IRM 2.14.1 Asset Management. IRS will ensure that policies and guidance are aligned to and include the protocols, functions, and decision making outcomes across ACIO and other enterprise units by implementing an Enterprise Software Governance Board (ESGB).

IMPLEMENTATION DATE: December 31, 2013

RESPONSIBLE OFFICIAL: ACIO Strategy and Planning

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #2: Develop UNS organization roles and responsibilities in the IRM for software asset and license management.

CORRECTIVE ACTION #2: IRS agrees with this recommendation, with a slight modification. IRS will develop enterprise wide roles and responsibilities in the IRM for software asset and license management that includes UNS. This slight modification to the recommendation will avoid inconsistent processes that may yield different results and information.

IMPLEMENTATION DATE: January 31, 2014

RESPONSIBLE OFFICIAL: ACIO Strategy and Planning

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #3: Develop detailed standard operating procedures for using software licensing tools to manage software licenses.

CORRECTIVE ACTION #3: IRS agrees with this recommendation. As part of our enterprise approach IRS will develop standard operating procedures for using existing and/or other toolsets as appropriate, to manage software licensing for the enterprise.

IMPLEMENTATION DATE: March 31, 2014

RESPONSIBLE OFFICIAL: ACIO Strategy and Planning

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #4: Implement a specialized software license tool designed to discover, track, and manage software license deployment and usage.

CORRECTIVE ACTION #4: IRS agrees with this recommendation with a slight modification. Based on experience, there is no single tool that can discover, track and manage software license deployment and usage. As such the IRS will identify and implement a standard enterprise toolkit, which may include multiple tools, to accomplish the recommendation.

IMPLEMENTATION DATE: May 29, 2015

RESPONSIBLE OFFICIAL: ACIO Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #5: Develop an inventory of software licensing data and maintain the inventory with a specialized software license tool designed to discover, track, and manage software license deployment and usage.

CORRECTIVE ACTION #5: IRS agrees with this recommendation with a slight modification. IRS has developed a software inventory and will leverage this as a starting point, however based on experience, there is no single tool that can discover, track and manage software license deployment and usage. As such the IRS will identify and implement a standard enterprise toolkit, which may include multiple tools, to accomplish the recommendation. Data collected via the toolkit will be consolidated and maintained in a central data repository.

IMPLEMENTATION DATE: September 30, 2014

RESPONSIBLE OFFICIAL: ACIO Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #6: Maintain data in the inventory that the IRS can use to more effectively review software licensing agreements, purchases, deployment, usage, and other related aspects of licensing to identify additional savings in software spending.

CORRECTIVE ACTION #6: IRS agrees with this recommendation with a slight modification. While IRS is currently maintaining a software inventory, we will enhance this process by leveraging tools. Based on experience, there is no single tool that can discover, track and manage software license deployment and usage. As such the IRS will identify and implement a standard enterprise toolkit, which may include multiple tools, towards this recommendation. Data collected via the toolkit will be consolidated and maintained in a central data repository. IRS progress in this area resulted in reducing the Service's COTS portfolio from 2,723 applications in November, 2012 to a current 548 as we continue forward in our Windows 7 standardized portfolio. IRS will leverage early progress towards our enterprise approach.

IMPLEMENTATION DATE: September 30, 2014

RESPONSIBLE OFFICIAL: ACIO Strategy and Planning

CORRECTIVE ACTION MONITORING PLAN: We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.



[1] See Appendix IV for a glossary of terms.

[2] Dated April 29, 2011.

[3] Dated November 8, 2011.

[4] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population. We originally selected a judgmental sample of 30 software products but deleted three because we subsequently learned that one product was freeware, another product was internally developed, and another product was not renewed for use in Fiscal Year 2012. See Appendix I for the sampling methodology.

[5] Dated August 2009.

[6] Dated November 3, 2006.

[7] Executive Order 13103 (Sept. 30, 1998), Computer Software Piracy and Executive Order 13589, Promoting Efficient Spending (Nov. 09, 2011).

[8] Dated May 4, 2010.

[9] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.