Executive Summary

Introduction

Objective and Scope

Background

Results 

conclusion

Detailed Scope and Objectives

Management’s Response to Internal Audit Memorandum #1

Management’s Response to Internal Audit Memorandum #2

Management’s Response to Internal Audit Memorandum #3

Management’s Response to Internal Audit Memorandum #4

Management’s Response to Draft Report

In 1996, the Service established the century Date change (cDc) Project Office with an objective to ensure that all current and future IRS systems are Year 2000 (Y2k) compliant prior to January 1, 2000. Bringing the IRS systems into Y2k compliance also requires close coordination with many external organizations that receive data from or provide data to the Service. External organizations interfacing with the IRS include state and local governments, banks, other Federal agencies, and foreign governments. These external organizations are known as External Trading Partners (ETPs).

We performed our audit to evaluate the Service’s efforts to implement Y2k compliance for externally traded data files with ETPs. The review was part of Internal Audit’s coordinated reviews of the Service’s Year 2000 efforts. We conducted the audit in an on-line environment in accordance with generally accepted government auditing standards. As the audit progressed, we immediately brought issues to management’s attention. Management was responsive to our recommendations and implemented corrective actions. We will continue our on-line auditing of ETP issues as the Service continues to renovate its systems for the Year 2000.

The cDc Project Office has made considerable progress to complete an inventory of external data exchanges and to communicate the Service’s Y2k format changes with ETPs. Ensuring Y2k compliance with the Service’s ETPs has required extensive coordination and effort by several organizations and Service functions. As a result, the cDc Project Office has encountered delays in completing several ETP activities.

Management’s continued efforts are needed to ensure that IRS systems meet Y2k compliant standards and that discrepancies in the inventory of externally exchanged data files and data exchanges are corrected. Additional details on these two critical issues are presented below. During our review, we also recommended that the cDc Project Office downgrade the ETP activity status on management information reports from green to yellow to more accurately reflect the current state of ETP activities. Management subsequently changed the project status and no further corrective action is warranted for this recommendation.

• As of August 5, 1998, the Service reported 356 externally traded data files. Our analysis of source code for 47 components supporting 72 of the 356 external exchanges showed that 51 percent did not meet Y2k standards and guidelines. Recently, the Service contracted to have an outside vendor inspect all IRS tax processing and administrative system code to identify Y2k non-compliant components. (See Pages 5-7)

• Recognizing the importance to effectively communicate the Service’s date standard format, the cDc Project Office developed a communications package and established a three-step process for working with ETPs. However, discrepancies in the Service’s inventory of externally exchanged data files impact effective communication of the date standard. For example, we identified an additional 132 data files that appeared to be externally exchanged, but were not included in the Service’s inventory. Also, we determined that some external exchanges with mass contacts were not included in the project office’s certification process. On June 29, 1998, the cDc Project Office requested that chiefs, Directors, and Regional commissioners certify that all files that their offices maintain have been linked to a data exchange and that the data exchange is correct. Management also agreed to validate the exchanges and complete the mass contact certification by October 1, 1998. (See pages 7-8)

Management’s complete responses are shown as Attachments II-VI.

The commissioner established a 12 step Servicewide combined Management Program for the Service’s century Date change and the 1999 Filing Season efforts. External Trading Partners (ETP) is one of the seven steps classified by the commissioner as a specific Year 2000 (Y2k) Program Management area. The Service’s Y2k efforts are one of four critical Information Systems projects monitored monthly by the commissioner’s Year 2000 Executive Steering committee. We initiated this review at the commissioner’s request, based on the Service’s need to inventory, establish milestones and establish an outreach program to ETPs.

We conducted the review between March and August 1998 as part of Internal Audit’s coordinated reviews of the Service’s Year 2000 efforts.

Our overall objective for this review was to evaluate the Service’s efforts to implement Y2k compliance for external data exchanges. Our audit evaluated programs scheduled by the Service for completion in phases one through three of the Y2k conversion process.

To accomplish this objective, we focused our tests in the following areas:

• Ensuring that a system is in place and operating effectively to accurately report the project’s progress to executive management.
• Determining whether all trading partners have been accurately identified.
• Assessing the completeness and accuracy of inventory of trading partners, data exchanges, and exchanged data files.
• Assessing converted Y2k compliant programs for compliance with Y2k standards.
• Determining if mass contacts are being identified and notified of the Y2k standards and the effective implementation date.

We performed our review at or obtained information from the following sites in accordance with generally accepted government auditing standards:

• The century Date change (cDc) Project Office in New carrolton, Maryland.
• Martinsburg and Detroit computing centers in Martinsburg, West Virginia and Detroit, Michigan respectively.
• All 10 service centers.
• All district offices located in the Southeast Region.

During the review, we issued four Internal Audit Memorandums (IAMs) to advise management on issues of concern. Management’s responses to the IAMs are included as Attachments II through V to this report. Attachment VI contains the response to our draft report.

The detailed scope and objectives of our review are included as Attachment I.

The cDc Project Office is responsible for monitoring the progress of the Service’s Y2k conversion efforts for externally traded files and for supporting functional areas to ensure that the ETPs understand the cDc conversion process. The cDc Project Office uses the Trading Partner Data Exchange (TPDX) on the Information Network and Operations Management System (INOMS) to facilitate the tracking and reporting of ETP activities.

To facilitate management of the conversion, the implementation process is divided into five phases based on the semi-annual IRS production cycles. The completion dates for the five phases range from January 1997 through January 1999. The applications in each phase were based on priority. For example, Tier I applications (mainframe-resident application programs) had the earliest conversion dates.

Other key dates related to the conversion of externally traded data files include the following:

• December 1997 - all ETP components were to be tracked on the INOMS.
• April 1998 - all certifications with ETPs were to be completed.
• August 1998 - all programs were to be tested.
• January 1999 - all programs were to be compliant.

The Project Office has made considerable progress in identifying ETPs and communicating the Service’s Y2k standards to ETPs. Their efforts include surveying all Information Systems and Field and customer organizations for ETPs and external exchanges, developing a system to collect and report inventory information, enhancing INOMS functionality to track ETP progress, communicating format changes and effective dates to key ETPs, and beginning to communicate Y2k standards to other external organizations and the public.

While progress has been made, Service management needs to continue to address certain issues to minimize the risk that applications related to externally traded files will not be Y2k compliant when the Year 2000 arrives.

During our review of the Service’s activities regarding ETPs, we reported the following concerns to management:

• computer source code for components that read or write to externally traded files did not always meet established Service standards and guidelines for Year 2000 compliance.
• Discrepancies in the Service’s inventory of externally exchanged data files impact effective communication of the date standard.
• Delays were encountered in meeting key target dates, such as the certification process of notifying and obtaining ETP agreements to comply with the standards, and matching data exchanges with data files.

Project management has taken or is planning corrective actions on these concerns. Management must also continue to follow up on the certification process to ensure trading partners are notified of the date standard and correct any components identified as not Y2k compliant. Additionally, efforts currently in place to monitor the completeness of the inventory should continue.

In response to a prior Internal Audit Report (Review of the Service’s Year 2000 conversion and Testing for Phase III, Report #083605, dated 6/24/98), the Service recently contracted with Northrop Grumman Technical Services, Inc., an outside contractor, to inspect all IRS tax processing and administrative system code to identify Y2k non-compliant components. The Project Office will be relying on the services of this contractor to help assure that the source code components for the externally traded files are actually Y2k compliant. This will address the concerns we identified and reported during our review regarding the source code components not being Y2k compliant.

A computer source code component is software code that may exist in the form of a software program, part of a software program, or a subroutine. Guidelines required year fields to be expanded to four positions, prohibited the use of non-compliant subroutines and required the use of numeric formats for the date field.

As of August 5, 1998, the Service reported 356 externally traded data files. We analyzed code for 47 components linked to 72 of the 356 externally traded data files. These components were Y2k compliant on INOMS as of April 3, 1998 and remained on INOMS in Phase 2 and 3 as of May 26, 1998. We found that despite the cDc Project Office’s efforts to monitor the progress of conversion activity for Phase 2 and 3 components, many components designated as Y2k compliant did not meet Y2k standards. Our analysis showed that 24 components (51 percent) linked to 41 data files (57 percent) did not meet Y2k standards and guidelines. For example:

• Nineteen components used improper formats.
• Fifteen components contained programming errors (for example, the use of routines that compared two-digit to four-digit fields or contained date fields with two digits for the year).
• Five components contained temporary fixes that will not work beyond 1999 (for example, hard coded century date-related fields).
• Three components contained non-compliant subroutines.
• One component contained a bridge.

By not meeting the standards, there is the probability that the programs will not run correctly in the Year 2000. We will not know definitively until they are tested.

The cDc Project Office established milestones for accomplishing the Y2k conversion of software programs within the Service. The milestones are critical and the deadline is non-negotiable; therefore, slippage of the schedule could risk the completion of the conversion process by the year 2000. Programming errors cause re-work that could delay the already aggressive implementation schedule. Every effort should be made to eliminate the amount of re-work.

While discussing results with the cDc Project Office management, we determined that the Service obtained the services of an outside contractor (Northrop Grumman Technical Services, Inc.) to analyze code for compliance with year 2000 standards for 100 percent of all phase components. This includes components linked to data files exchanged with ETPs. (Note: This was corrective action taken by management in response to issues raised by Internal Audit in a report on Phase III components (#083605)).

Ultimately, the Service plans to rely on Grumman’s final assessment of the Service’s progress on the code conversion. The results of our source code review may provide the Service the opportunity to evaluate and correct the non-compliant issues we identified prior to Grumman’s inspection of the code.

Recognizing the importance to effectively communicate the Service’s date standard format, the cDc Project Office developed a communications package and established a three-step process for working with ETPs. The first step was to inventory all ETPs and data exchanges. Next, the Service would obtain the ETPs’ certification that they had been informed of the standard and would be ready by the conversion date to exchange files using the IRS’s date standard. Finally, the Service would provide ongoing communication with the ETPs to resolve any problems.

The cDc Project Office has made significant progress to inventory ETPs and data exchanges. Their efforts have included an exhaustive survey of IRS organizations, development of a system to collect and report inventoried ETPs and data exchanges, and enhanced INOMS functionality to track ETP progress. These efforts have resulted in the identification of over 360 ETPs and 350 exchanged files.  

However, our interviews, on-site visits to service centers, districts and a computing center, and other contacts identified missing data files and several inaccuracies in the linking of the data files to the data exchanges and ETPs. Specifically, we identified 132 files that appeared to be externally exchanged, but were not included in the Service’s inventory. Most of these files were identified by reviewing documentation maintained by the scheduling unit in the service centers and computing center. In a separate review of 95 exchanged data files and related documents, we determined that 13 (14 percent) involving 36 trading partners were linked to the wrong data exchange and seven (7 percent) were linked to the wrong trading partner.

These discrepancies in the inventory affect the accuracy and completeness of the certification process, which was designed to ensure that the ETPs were informed of the IRS date standard and would be ready by the conversion date to exchange files. Our review of certifications for the mass contacts (i.e., filers of information returns on magnetic media and electronic transmitters of individual and business returns) identified that the cDc Project Office had only included 12 (63 percent) of the actual 19 mass contact data exchanges. The mass contacts had been notified by the responsible functions, but were not included in the certification process.

We informed the cDc Project Office of our concerns with missing files and the accuracy of data exchanges. We also recommended that management conduct another certification for mass contacts. On June 29, 1998, the cDc Project Office requested that chiefs, Directors, and Regional commissioners certify that all files that their offices maintain have been linked to a data exchange and that the data exchange is correct. The cDc Project Office also agreed to validate the mass contact exchanges and complete the mass contact certification by October 1, 1998.

The cDc Project Office uses the following indicators to reflect the variance between the planned and actual state of the conversion activity: (1) green status – considered in good standing, (2) yellow status – considered at risk, and (3) red status – considered at great risk. The assessments are used to inform the combined Management Program for century Date change and 1999 Filing Season Executive Steering committee of the status of the progress for a particular area of the implementation plan.

At the May 12,1998 Executive Steering committee meeting, the overall assessment for ETP activities was reported in a green status although several delays had occurred or were anticipated. Specifically, there were significant delays in:

• Matching the data file inventory with data exchanges; and
• completing of certifications with ETPs.

The Project Office was scheduled to complete the matching of data files to data exchanges by March 31, 1998. Delays in the matching of the data file inventory to data exchanges is significant since it impacts the timely distribution of certification forms to ETPs communicating the Y2k date format standard.

Also, the completion of certification forms was scheduled for April 30, 1998. The certification forms are very important since they provide the Service assurance that the ETPs are informed of the standards and that the ETPs will be ready to accept or provide externally traded files to the IRS using the cDc standard.

We recommended that management downgrade the overall assessment and conversion progress categories to a yellow status to more accurately reflect the current state of ETP activities. Management agreed and responded by downgrading the assessment status to yellow.

Significant progress has been made by the Project Office to link data files to data exchanges and complete the certification process. As of September 9, 1998, the Project Office reported that virtually all of the 162 data exchanges have been linked to data files and over 50 percent of the certification forms have been provided to ETPs.

Identifying all externally exchanged data files and updating them to ensure they are Y2k compliant is very important to the Service. The risk to the Service is high if external trading partners are not identified and they or the Service has not updated the files according to Year 2000 standards. Service management needs to continue its efforts to ensure that external trading partners’ data exchanges are Y2k compliant by following up on the certification process, correcting any components identified as not Y2k compliant, and continuing to monitor the completeness of the inventory.

During our review, we reported several project control concerns, including those risks mentioned above, to project management, which they corrected or are planning to correct.

Audit Manager

Our overall objective for this review was to evaluate the Service’s efforts to implement Y2k compliance for external data exchanges. Our audit evaluated programs scheduled by the Service for completion in phases one through three of the Y2k conversion process. To accomplish this objective we performed the following audit tests.

I. To ensure that the project office established measures to effectively monitor implementation of Y2k compliance for external data exchanges, we:

1. Determined whether an action plan with targeted completion dates and responsible officials was developed to identify ETP activities.
2. On a monthly basis, reviewed the reported status of completion for major ETP activities to ensure that it was accurately reflected and reported to the cDc Project Manager and Executive Steering committee.

II. To evaluate the Service’s efforts to develop the Data Exchange Information Management System (DEIMS) database and the TPDX on INOMS to provide an IRS-wide inventory of all ETPs, data exchanges, and agreements, we:

1. Reviewed the Software Requirements Specification to determine if the product was intended to meet the objective of the database and be completed in sufficient time to facilitate transition of programs to a Y2k compliant status.
2. Obtained the Statement of Work (SOW) for the development of the database to determine if the contractor met the contract requirements.
3. Determined whether the project office took appropriate measures to ensure that the delivered system meets stated requirements.
4. Assessed whether the database contained the necessary fields to adequately track ETPs, data exchanges, and agreements by determining if the database contained:

1. Specific listings of each functional area’s external data exchanges.
2. All relevant information about the data exchange, including the ETP name, the Service and ETP contact points, and whether the data is tax or non-tax related.
3. The data exchange format, frequency, and exchange site.
4. An indicator to establish whether the exchange has been made Y2k compliant and tested.

III. To assess the completeness and accuracy of the Service’s inventory of ETPs, data exchanges, agreements, and exchanged data files, we:

1. Reviewing the memorandum requesting the information and determining whether it clearly described the data to be included in the responses from the IS and non-IS organizations and whether the requested information was sufficient to establish an inventory.
2. Sampling 338 responses from the IS and non-IS organizations to the memorandum (See III.A.1) and determining if the identified ETP, data exchange, and data file was properly included in the DEIMS database and the TPDX on INOMS.
3. conducting interviews and surveys of 64 Y2k coordinators at the Headquarters and Regional offices, including all service centers and computing centers, regarding the process used to identify ETPs, data exchanges, and externally exchanged files to ensure that they had a clearly defined and structured approach to facilitate a complete inventory.
4. Performing on-site visits at six service centers, the Martinsburg computing center, and Georgia District office; and contacting the remaining service centers and Southeast Region district offices to identify any ETPs, data exchanges, or externally exchanged files that were not inventoried for the appropriate IS or non-IS organization.

1. Discussing with the project office the process used to identify key ETPs to determine if the approach was based on sound measures, such as core business functions.
2. Reviewing the SOW for the selected contractor to determine if the deliverables provide a value added service.
3. Reviewing the deliverables to determine if requirements of the contract were met.

1. Reviewing access privileges for DEIMS and TPDX, including the process for transferring ETP and data exchange information to determine if the integrity of the data is maintained.
2. Selecting a sample of ETPs from DEIMS and TPDX and determining whether the fields are populated to show:

1. The name of the ETP, type, office and employee.
2. The data exchange contains appropriate information such as a description, availability indicator, retired date, business owner contact, and tax data indicator.

1. The linking between the component, data file, data exchange, ETP and agreement was accurate by:

• Obtaining and reviewing documentation on data exchange, ETP and agreement for each data file.
• comparing the information obtained to the data contained on the appropriate tables/systems, for example, a data file on the APR is linked to the appropriate ETP in the ETP table.

1. The Input/Output Indicator, File Description and External Use Indicator for the Data File Specifications and the ETP contacted field for the component Y2k Milestone Achievement have been updated on the APR.
2. The status of the Y2k conversion has been updated accurately for each data file on the APR containing data exchanged with ETPs by:
3. Determining whether the INOMS field has been populated for the three conversion milestones for externally traded files.
4. Obtaining and reviewing documentation such as core record layouts, file specifications, run descriptions, source codes, and production data sets for all input, interim and output files for each Y2k compliant exchanged data file on INOMS to ensure programs are compliant by allowing a four character year field.
5. Determining that all exchanged files on the APR are reflected on the TPDX by matching data file names on the APR with data file names on the TPDX modules.

1. Discussed with the Project Office, the process used to identify the mass filers and monitor the issuance of revenue procedures that communicate the century date standard.
2. contacted the functions responsible for issuing the revenue procedures and determined the status of issuance.
3. Reviewed completed revenue procedures, other public documents, and bulletin board information to ensure the century date standard is included.