Executive Summary

Objectives and Scope

Background

Results

Detailed Objectives and Scope

The Non-Information Technology (Non-IT) environment encompasses equipment types that do not fall under the definition of Information Technology, such as facilities systems and office equipment. Although Year 2000 conversion efforts primarily focus on information systems, there are numerous facility systems and personal property items that could be impacted by the century date change. Systems and equipment that utilize computer software and/or microchips that are not Year 2000 compatible may not operate properly, therefore affecting IRS operations.

The Service has initiated steps to prepare its Non-IT environment for the Year 2000. These efforts focus on facility-type equipment and personal property items, which utilize microchips, software, firmware, or other mechanisms that control time and date logic. During the course of our review, we identified additional program management activities which should be utilized to enhance the Non-IT conversion efforts.

The overall objective of this review was to determine whether the Service is adequately preparing its Non-IT environment for the Year 2000. In addition, we determined whether the century Date change (cDc) Project Office’s program management approach would decrease the risk(s) associated with assessing and converting the Service’s Non-IT systems and equipment.

Although the Service has initiated steps to prepare its Non-IT environment for the Year 2000, a significant amount of work must still be completed to ensure Non-IT equipment becomes Year 2000 compliant. In addition, the cDc Project Office needs to enhance its program management efforts to better direct and coordinate Non-IT conversion activities.

The requirements for all phases of the Non-IT conversion strategy have not been completely defined. The Non-IT conversion strategy consists of five phases: awareness, assessment, renovation, validation, and implementation. We determined that the Non-IT Milestone Plan and supplemental work breakdown schedules developed to support these activities were not complete. That is, the plans and/or schedules did not define the specific tasks to be accomplished during the renovation, validation, or implementation phases. The lack of a complete, comprehensive, and well-supported strategy/work breakdown schedule can increase the risk associated with converting systems and equipment.

Service personnel have not prioritized all IRS occupied facilities to aid in determining overall Year 2000 impact. IRS personnel occupy over 800 facilities nationwide. While GSA maintains responsibility for the majority of these buildings, the Department of Treasury has requested agencies to prioritize occupied buildings to aid GSA in its conversion efforts. However, the Service’s prioritization efforts only covered 129 of approximately 800 IRS occupied facilities. These buildings account for only 16% of the complexes where IRS employees are located. Without a complete list of prioritized sites, Service personnel cannot be assured that GSA will target equipment and/or systems in the appropriate IRS buildings for conversion/replacement.

The process used to certify the Service’s investigative equipment as Year 2000 compliant was not consistent with the Service’s overall Non-IT process. This primarily occurred because investigative equipment was not included in the Service’s overall Non-IT activities due to the sensitive nature of the equipment and concerns with disclosing the inventory. As such, reliance was placed on certifications provided by the respective heads of office. In addition, Inspection completed most of its conversion activities before the cDc Project Office drafted internal guidelines and obtained contractor support to assist in providing the necessary oversight and guidance. The criminal Investigation function primarily relied on the work completed by Inspection to avoid duplicating conversion efforts.

• The cDc Project Office should define the requirements for all phases of the Service’s Non-IT conversion process that should be identified and documented in a corporate milestone schedule. (Pages 3-6)
• The cDc Project Office should require supporting functions to provide detailed work breakdown schedules to supplement the corporate milestone schedules, and define the scope of their Non-IT conversion efforts. (Pages 3-6)
• Management and Finance, in conjunction with the chief/functional areas, should ensure all IRS occupied buildings are prioritized for conversion. (Pages 6-7)
• The cDc Project Office should determine whether the process used to certify investigative equipment was appropriate. If additional action is required, enhanced coordination should occur to ensure the proper steps are taken. (Pages 8-10)  

Management’s response was not available for inclusion in the report at the time this final report was issued. We were informed that management is developing actions to address our concerns and will provide us with a written description of their proposed corrective actions at a later date.

The overall objective of this audit was to determine whether the Service is adequately preparing its Non-Information Technology (Non-IT) environment for the Year 2000. In addition, we determined whether the century Date change (cDc) Project Office’s program management approach would decrease the risk(s) associated with assessing and converting the Service’s Non-IT systems and equipment.

Audit work was performed from March 1998 to July 1998 within the Information Systems (IS) cDc Project Office, the Office of Management and Finance, as well as the Inspection and criminal Investigation functions. The scope of the audit was limited to evaluating the activities that occurred during the assessment phase of the Service’s Year 2000 Non-IT Project. The audit was conducted in accordance with generally accepted government auditing standards.

It should be noted that the scope of our audit testing included review of the process used by the Service’s Internal Security function to assess/certify their equipment as Year 2000 compliant. Since both the Internal Audit and Internal Security functions report to the chief Inspector, our organizational independence in this area was impaired. However, a concerted effort was made not to allow this organizational alignment to impact our ability to conduct the tests as necessary. The review of audit work ensured that due professional care was taken. Also, the issues were discussed with the chief Inspector, Assistant chief Inspector (Internal Security) and representatives of the cDc Project Office as appropriate to ensure the issue was properly identified and the appropriate corrective action formulated. The detailed audit objectives and scope of our review are presented in Attachment I.

Management’s response was not available for inclusion in the report at the time this final report was issued. We were informed that management is developing actions to address our concerns and will provide us with a written description of their proposed corrective actions at a later date.

The Service’s Non-IT conversion efforts primarily focus on facility-type systems and equipment and personal property items that employ embedded microchips, software, firmware, or other mechanisms which control time and date logic. It is anticipated that many systems and equipment using 2-digit year fields (i.e., "98" instead of "1998"), will not work correctly after December 31, 1999, and that affected items must be modified or replaced to correct cDc problems.

The Non-IT environment encompasses systems and equipment that do not fall under the definition of Information Technology, such as facilities systems and office equipment (i.e., air conditioning and heating systems, power management systems, security systems, transportation and lab equipment). The cDc problem presents a significant challenge to IRS operations because personnel currently occupy over 800 buildings nationwide and there are over one million items of equipment in the IRS inventory.

The cDc Project Office is to direct the conversion of all IRS Information Technology systems and Non-IT elements, and must ensure that all impacted systems and equipment function correctly before and after January 1, 2000. The IRS Office of Management and Finance (M&F) is the organization with primary responsibility for overseeing conversion of the Service’s Non-IT items. In addition, other functional areas (such as Inspection and criminal Investigation) are responsible for converting specialized Non-IT systems and/or equipment.

The IRS has initiated steps to prepare its Non-IT environment for the Year 2000. The Service’s Year 2000 Non-IT Project consists of five phases: awareness, assessment, renovation, validation, and implementation.

At the time of our review, the Service was completing the awareness phase and was involved in activities related to the assessment phase. Assessing Non-IT systems and equipment entails inventorying and analyzing devices to prioritize the need for conversion or replacement. We have been advised that these two tasks may be the most difficult and time-consuming aspects of the conversion process. However, a significant amount of work must still be completed to ensure facility-type equipment, personal property items, and other special-use equipment will be compliant before January 1, 2000.

During our audit, we identified several areas that need to be improved to better manage Non-IT conversion activities. Specifically, we found:

• The required steps for completing the entire Non-IT conversion strategy need to be defined.
• Building prioritization efforts should be expanded to better aid in monitoring and guiding Year 2000 conversion activities.
• Increased oversight and coordination is needed to ensure a consistent and adequate approach is used to convert investigative equipment.

Neither the cDc Project Office nor M&F has fully defined the requirements for all phases of the Non-IT conversion process. In February 1998, the cDc Project Office finalized the Non-IT Project Management Plan (PMP), and adopted a standard approach for converting systems and equipment. We found that the Service’s conversion strategy or model is generally consistent with governmental and departmental models. However, the cDc Project Office has not supplemented these general guidelines with specific requirements for completing the entire Non-IT conversion strategy.

As noted earlier, the Non-IT conversion strategy consists of five phases: awareness, assessment, renovation, validation, and implementation. We have observed that the cDc Project Office’s overall Non-IT Milestone Plan and M&F’s supplemental work breakdown schedules (WBS) did not define the specific tasks to be accomplished during the renovation, validation, or implementation phases. Specifically, the Milestone Plan in the Non-IT PMP indicates that renovation work will occur from October 1998 through January 1999, while validation and implementation will occur from June 1998 to September 1999. However, there were no specific tasks defined to support these timelines.

Further, the cDc Project Office has not developed a comprehensive Non-IT Milestone Plan that represents the Service’s corporate efforts to convert Non-IT equipment and systems. The Non-IT Milestone Plan in place at the time of our audit reflected only the work controlled by M&F. For example, the composite Mail Processing System (cOMPS) is categorized under Non-IT as a mission-critical system which falls under the Assistant commissioner (Forms and Submission Processing). cOMPS is an integral part of the IRS tax-processing system because it processes most of the incoming forms and payments, as well as outgoing mail, notices, and letters. Yet, the Non-IT Milestone Plan had no specific conversion/replacement activities or tasks associated with the cOMPS equipment.

We have observed that the Department of Treasury’s Year 2000 Non-IT PMP is intended to serve only as a baseline. Agencies are required to develop their own specific Non-IT management plans. In addition, a Treasury representative advised Internal Audit that detailed work plans are also needed.

Internal Audit met with personnel in the cDc Project Office and M&F to discuss this issue. We were advised that the steps to be addressed in the latter phases had not been determined because cDc Project Office/M&F personnel were waiting for the results of ongoing assessment activities. The cDc Project Office subsequently acknowledged the need to define, up-front, the requirements for each phase of the Non-IT conversion strategy.

In the absence of fully defined conversion requirements, the risks (in terms of quality, consistency and timeliness) associated with converting systems and equipment can increase. The Service’s initial timetable for converting Non-IT systems and equipment exceeded the deadlines established by Treasury and the Office of Management and Budget. During the course of our review, the Non-IT conversion timetable was being revised. However, we noted that draft versions of the revised timetable did not provide detailed requirements for the latter phases of the Non-IT conversion process. In addition, the lack of a complete, comprehensive, and well-supported WBS may also increase the risk that the conversion process may not be timely completed. Also, Internal Audit was not able to determine whether the Service will adequately or timely complete its Non-IT conversion efforts without a clear understanding of the scope of the remaining work.

1. The cDc Project Office should identify requirements for completing the entire Non-IT conversion strategy. These requirements should be documented in a corporate milestone schedule. This document should also define the overall steps that must be taken to timely accomplish each phase of the Non-IT conversion strategy.
2. The cDc Project Office should coordinate with the responsible chief Officer and functional areas, as necessary, to ensure supplemental and more detailed work breakdown schedules are developed to support functional-level Year 2000 Non-IT conversion efforts. Supplemental work plans should be linked to the corporate work plan, and any established timelines in the plans should be in agreement with the overall schedule.

Service personnel have not prioritized/ranked all IRS occupied facilities to aid in determining overall Year 2000 impact. IRS personnel occupy over 800 facilities nationwide. The General Services Administration (GSA) has responsibility for the majority of these facilities, and is required to identify Year 2000 impact(s) at these sites. However, the Service has responsibility for managing 26 of the facilities (16 GSA-owned facilities and 10 GSA-leased facilities). The cost of ensuring these delegated buildings are compliant is the responsibility of the IRS.

To aid GSA in directing its overall conversion activities, Treasury personnel have requested that agencies prioritize the facilities they occupy. As such, M&F personnel initiated a building prioritization effort. However, this effort only covered 129 sites (including the 26 IRS delegated buildings) that M&F personnel considered mission-critical. Mission-critical equipment and systems are those that support core IRS business areas necessary for carrying out the IRS mission. It should be noted that these buildings account for only 16% of the facilities where IRS employees are located, and that the prioritization process did not include input from the respective chief Officers/functional areas.

The General Accounting Office and Treasury have indicated that agencies must determine which systems support mission-critical, important, and/or marginal functions/processes when prioritizing conversions and/or replacements. Therefore, as GSA identifies non-compliant facility type equipment and systems at IRS sites, a complete building prioritization list would aid in determining the Year 2000 impact on functional areas and processes at those sites.

M&F personnel noted that all IRS occupied facilities were not prioritized because the remaining facilities supported field post of duties. However, this issue was discussed with cDc Project Office personnel and they agreed with the need to prioritize all the facilities that IRS employees occupy. Furthermore, a Treasury representative advised Internal Audit that an agency’s building prioritization effort is a critical task in facilitating GSA’s conversion activities.

Without completely prioritizing all of the sites occupied by IRS personnel, the cDc Project Office/M&F cannot be assured that GSA will target the appropriate buildings for conversion or develop adequate contingency plans. Furthermore, Service personnel have expressed concerns with both the process used by GSA to assess buildings and GSA’s ability to timely convert Year 2000 impacted systems and equipment. Because of concerns with GSA’s assessment of Year 2000 impact on facility-related equipment, IRS management has decided to take an increased role in this area. Since GSA is still in the assessment phase, a complete building prioritization list would be beneficial during the renovation phase. This type of information would also aid the Service in coordinating with GSA, assist in monitoring and guiding GSA renovation activities, and serve as a viable tool for contingency planning.

3. The chief M&F should expand the building prioritization efforts to include the remaining IRS occupied sites. The assistance of the appropriate personnel in the chief Officers/functional areas should be solicited when prioritizing the remaining facilities for conversion.

The process used to certify the Service’s investigative equipment as Year 2000 compliant was not consistent with the overall approach for converting Non-IT systems and equipment. Inspectors use technical investigative equipment to perform various investigative and enforcement functions that can be used in legal proceedings. Both the Inspection and criminal Investigation (cI) functions have been delegated responsibility for addressing Year 2000 issues related to special-use investigative equipment classified as Non-IT. In the absence of internal guidelines, Inspection’s Internal Security function instituted an ad hoc approach, in December 1997, to perform Non-IT conversion activities. cI personnel primarily relied on the processes used by Internal Security when certifying its equipment.

Specifically, Internal Security personnel did not maintain records documenting their efforts to identify which equipment could be impacted by the century date change. Also, they did not obtain manufacturer certifications to substantiate whether specific products are Year 2000 compliant in all cases. Rather, they sent confirmation letters to 25 vendors who supplied them with investigative equipment, and requested the vendors certify whether the equipment is Year 2000 compliant. The confirmation letters did not include a list of the equipment, or specific product identification information, for items requiring vendor certification.

conversely, the Service’s overall Non-IT conversion process utilizes confirmation directly with the manufacturer of specific equipment to determine Year 2000 compliance. Internal Security management believed that the vendors were aware of the products which were sold to Internal Security; therefore, identification of specific make and model information was not necessary. They also advised us that sufficient resources were not available to review their database.

In March 1998, the Inspection function advised the cDc Project Office that its inventory of investigative equipment was assessed and tested for Year 2000 compliance, with the exception of specific products. However, Internal Security’s actual testing of investigative equipment was not complete at the time of our audit testing. cI also issued a memorandum confirming its investigative equipment was Year 2000 compliant. cI’s conclusion was largely based on the results of Inspection’s certification since cI personnel believe the two functions have similar equipment and they did not want to duplicate efforts. However, a detailed comparative analysis of the respective inventories was not conducted.

At the time of our audit testing, personnel in Internal Security’s Forensic Science Laboratory had not begun the assessment process for its investigative equipment. In addition, cI personnel determined equipment in its Forensic Laboratory is Year 2000 compliant, but did not obtain any supporting documentation. Therefore, we could not assess the adequacy of their process.

The Service’s Non-IT PMP requires the cDc Project Office to provide oversight for ongoing Non-IT conversion efforts. As such, the cDc Project Office is to provide guidance, and oversight to participating organizations. However, we discovered that the cDc Project Office had not drafted internal guidelines or obtained contractor support to provide guidance until after Inspection completed most of its activities. Furthermore, investigative equipment was not included in the Service’s overall Non-IT activities primarily due to the sensitive nature of the equipment and concerns with disclosing the inventory. As such, reliance was placed on certifications provided by the respective heads of office.

As a result of the ad hoc process used, the cDc Project Office did not receive complete or adequate information regarding the status of Inspection’s and cI’s Non-IT conversion efforts. As such, the cDc Project Office cannot be assured that investigative equipment maintained by Inspection and cI has been appropriately identified and evaluated for Year 2000 impact.

4. The cDc Project Office, in coordination with Inspection and cI personnel, should reevaluate the processes used to assess and validate investigative equipment. If necessary, additional action should be taken to ensure investigative systems and equipment will be Year 2000 compliant. These efforts should include enhanced coordination to ensure the proper steps are taken to convert investigative, forensic or other Non-IT equipment used by the functions.

Audit Team:

Ruth Ware, Team Leader

Melvin Lindsey, Internal Auditor

Melinda Pope, Internal Auditor

Our overall objective was to determine whether the Service is adequately preparing its Non-IT environment for the Year 2000. We also determined whether the cDc Project Office’s program management approach decreases the risks associated with assessing and converting the Service’s Non-IT systems and equipment.

1. Determined whether the cDc Project Office’s Non-IT project management guidelines and procedures provide a structured approach for achieving Year 2000 compliance.

1. Obtained governmental and/or departmental documents and identified the level of guidance provided for converting Non-IT equipment and systems. Also, determined whether the overall guidelines were included in the Service’s Project Management Plan for converting Non-IT items.

 

2. conducted limited research to identify types of overall management approaches adapted by other organizations/companies and ensured the Service’s approach is consistent.

 

3. Reviewed and assessed the adequacy of the Service’s guidelines/policies governing its Non-IT environment.

2. Determined whether the Service is effective in implementing its conversion strategy.

1. Determined whether work completed was in agreement with established milestones. Also, attempted to assess the likelihood of the Service timely achieving Year 2000 compliance based upon progress to date.  

• Determined the level of coordination between the Non-IT project management team, (which consist of the cDc Project Office and M&F) and the chief Areas, when applicable.

• Determined whether work assigned to outside contractors supports the overall management plan for completing the Year 2000 Non-IT conversion.

1. Determined whether the Non-IT project management team is monitoring GSA’s conversion activities to ensure Year 2000 compliance of government owned and leased facilities (these include buildings that are occupied by IRS employees but are not delegated to the IRS).

• Determined whether coordination exists between the Non-IT project management team and GSA.

• Determined whether the IRS prioritized the government owned and leased buildings, which are most critical, and whether that information has been shared with GSA to aid in its conversion efforts.

• Determine whether the Service obtained reports, timelines/milestones, and/or action plans describing GSA’s conversion strategy or action plan. Also, identified the Non-IT project management team’s intended strategy for supplementing GSA’s efforts.
• Determined the approach taken to ensure IRS facility and security type equipment (such as specialized equipment in computer rooms and locally installed security equipment) will be Year 2000 compliant although they are located in GSA or leased buildings.

1. Determined the status of efforts to develop a Non-IT database for affected systems and equipment and assessed reasonableness of efforts to ensure its reliability.

• Reviewed Internal Audit reports and other documents to determine the reliability of the data sources that will be used to populate the database (i.e., Property Asset Tracking System and Integrated Network and Operations Management System).

• Determined the Non-IT project management team’s overall perception of data sources that will be used to develop the Non-IT database.

• Reviewed system/equipment types that will be contained in the database and determined if the most common Non-IT items that have been identified by IRS and Department of Treasury have been considered for Year 2000 conversion.

• Identified actions taken and planned actions for validating the completeness of the evolving Non-IT database. Also, determined whether the approaches were reasonable.

1. Determined whether the functional areas responsible for specialized equipment and systems that will not be maintained on the Service’s centralized Non-IT database (i.e. as surveillance devices used by criminal Investigation and Inspection), have taken adequate steps to ensure Non-IT systems/equipment will be Year 2000 compliant.

• Identified and assessed the conversion strategies to determine whether they fall within the parameters/guidelines established.

• Attempted to assess whether all of the Non-IT (investigative) equipment types have been considered for Year 2000 conversion.

• Determined whether accurate information regarding the status of investigative equipment was reported to the cDc Project Office.