TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE MAY NOT ACHIEVE ITS 100 PERCENT ANALYSIS AND VALIDATION OBJECTIVES FOR YEAR 2000 READINESS
Reference No. 2000-10-005
The Year 2000 presents a significant challenge to the Internal Revenue Serviceís (IRS) operations. Most IRS computer systems employ a two-digit year format in date representations, rather than four digits. Unless the affected software and data files are corrected before January 1, 2000, serious problems may occur during tax processing.
In response to previous Treasury Inspector General for Tax Administration audit recommendations regarding the need for a review of converted application code to ensure Year 2000 (Y2K) compliance, the IRS contracted with Northrop Grumman Technical Services, Incorporated (Grumman). Specifically, Grumman was tasked to analyze 100 percent of the IRSí application code to ensure conversion efforts were successful and to validate the Y2K compliance of 100 percent of the IRSí tax processing commercial off-the-shelf (COTS) products with the manufacturer. Grummanís efforts contribute to lowering the risk that significant errors will go undetected.
The overall objectives of this review were to determine whether the IRS timely implemented corrective actions to previous audit recommendations related to Y2K compliance testing and to assess the effectiveness of the IRSí efforts to analyze and validate Y2K compliance of application code and tax processing COTS products.
The IRS has made significant progress in implementing corrective actions to previous audit recommendations, related to Y2K compliance testing efforts, to ensure the IRS meets its Y2K readiness objectives. The IRS has also taken actions to analyze all converted application code and to validate all tax processing COTS products. However, due to Information Technology (IT) inventory inaccuracies and delays in the IRS providing information for the contractor-performed analysis and validation, the IRS may not fully achieve its 100 percent analysis and validation objectives for Y2K readiness. As a result, the IRS cannot assure that all critical programs have been identified, are Y2K compliant, and will function properly in the Year 2000.
The Internal Revenue Service Has Made Progress in Implementing Corrective Actions; However, Information Technology Inventory Certifications Remain Incomplete
Our review of 22 Y2K compliance testing-related corrective actions scheduled to be implemented by January 1, 1999, showed that 15 corrective actions were timely implemented. Of the remaining seven corrective actions, five were either implemented late or had their estimated implementation dates extended. The risk of these five corrective actions on the IRSí Y2K objectives is minimal. However, the remaining two corrective actions, concerning the certification of the IRSí IT inventory, had not been implemented as of May 12, 1999. These two inventory certification corrective actions have a significant impact on Y2K implementation risk, since the IRS has based its processes for ensuring the timely analysis of all application code and validation of all tax processing COTS products on its IT inventory.
The 100 Percent Analysis of Application Code May Not Be Completed by the Year 2000
The IRS contracted with Grumman, in August 1998, to analyze all application code associated with the IRSí seven Y2K conversion phases. As of May 18, 1999, Grumman reported that it had analyzed over 30 million lines of code for phases one through four and identified 8,864 potential errors. Of the potential errors, 7,245 have been explained without corrections needed, 1,456 were confirmed as errors, and 163 had not been responded to by the IRS.
Though Grumman has made significant progress to date, it may not meet its ultimate objective of a 100 percent analysis due to impediments and delays in receiving information and responses from the IRS. Phases one through four were originally scheduled to be completed by December 1, 1998. As of May 18, 1999, Grumman still had not completed the analysis of all the lines of application code in those phases due to the delays in receiving responses and all application code from the IRS. Although the remaining code to be analyzed for the first four phases is small, the IRS does not know which of those components could result in a Y2K processing error.
The IRS has taken actions, such as providing guidance and distributing memoranda to its staff on past-due items, which have improved the IRSí responsiveness to Grummanís requests. However, because phases one through four were five months past due as of the end of our audit work and similar delays are being experienced in the analysis of phase five application code, we are concerned that the IRS will be unable to achieve its objective of 100 percent analysis of application code by the Year 2000. By not achieving its objective, the IRS cannot assure that all critical programs have been identified, are Y2K compliant, and will function properly in the Year 2000.
The 100 Percent Validation of Commercial Off-the Shelf Products May Not Be Completed by the Year 2000
The IRS has also contracted with Grumman to validate Y2K compliance of all tax processing COTS products with the manufacturer. Grumman began the validation process in the beginning of April 1999 and, as of May 19, 1999, had reviewed 2,864 of the approximately 11,300 identified products, which resulted in the identification of 999 potential errors. The majority of the potential errors were related to inaccuracies in the IRSí IT inventory.
Based on the numerous IT inventory errors which have to be corrected before the validation process can continue, we are concerned that problems similar to those experienced with code analysis will delay the process of validating the Y2K compliance of COTS products. As a result, the IRS may not achieve its objective of 100 percent validation of COTS products by the Year 2000.
By maintaining an IT inventory that is complete and accurate, the IRS can ensure that all application code is analyzed and all COTS products are validated, which reduces the risk that computer systems will not function properly in the Year 2000. Furthermore, by ensuring that all application code and COTS products are Y2K compliant, the IRS reduces the risk that taxpayers will be adversely burdened by system failures in the Year 2000. The proper functioning of the IRS systems will ensure that taxpayers receive quality service, including timely refunds, and the avoidance of erroneous notices.
Summary of Recommendations
To ensure that the 100 percent analysis of application code and validation of tax processing COTS products is completed timely, we recommend that IRS executive management ensure those organizations that have not certified their respective IT inventories do so immediately. In addition, management should ensure timely responses are provided to the contractorís requests for information and responses. Further, in the event that the 100 percent analysis and validation will not be completed, management should prioritize application code and COTS products, to ensure critical applications are Y2K compliant.
Managementís Response: IRS management has initiated a four-fold approach to verification and certification of the IT inventory. This includes a physical wall to wall inventory certification, an independent audit and readiness verification, a contractor performed independent verification and validation, and the issuance of a memorandum instructing IRS executives to provide personal attention to outstanding Y2K issues. Further, the Century Date Change (CDC) Project Office will report to the Chief Information Officer and the Commissioner weekly on open exception items, including completion of code review items. The CDC Project Office will also send a weekly report to the appropriate executives each week for any items that are overdue to the contractor performing the COTS validation. Since the review of applications code conversion work is nearly complete and all COTS products have been through an initial review, IRS management believes that any prioritization would not be beneficial. Managementís complete response to the draft report is included as Appendix VI.