Executive Summary

Objective and Scope

Background

Results

Conclusion

Appendix I - Detailed Objective, Scope, and Methodology

Appendix II - Major Contributors to This Report

Appendix III - Report Distribution List

Appendix IV - Glossary Of Terms

Executive Summary

One of the most critical issues the Internal Revenue Service (IRS) faces during 1999 is the need to make its computer systems Year 2000 (Y2K) compliant. Automated systems enable the IRS to process over 200 million tax returns, issue an estimated 90 million refunds, and provide employee access to taxpayer account data. Failure to identify, renovate, and test IRS systems for Y2K compliance could result in significant disruption to taxpayers and the government. Personal computers are an integral part of many important IRS systems. Employees use these personal computers to interface with the IRS’ tax administration computer systems.

The objective of this review was to determine if the IRS had an effective process to ensure that its personal computers will operate properly in the year 2000.

The IRS has an extensive effort underway to ensure that its estimated 166,000 personal computers will function properly in the year 2000. The goal was to achieve Y2K compliance by July 31, 1999, by retiring obsolete personal computers and installing up-to-date personal computers with standardized software. This effort is designed not only to make the IRS Y2K compliant, but also to standardize systems throughout the IRS.

Although Y2K conversion efforts have been extensive, the IRS needs to improve overall Tier III (personal computers) project management to ensure completion before January 1, 2000. During the review, issues were communicated to IRS officials as they were identified. IRS management agreed with the issues and began to take corrective actions in the following areas:

The Y2K conversion progress of the Tier III portion of some mission critical systems could not be readily determined. A tracking tool needed to be re-established and include all mission critical systems with Tier III components.

No final decision had been made on the non-standard software (not part of the IRS standard software package) to be tested for Y2K compliance. A decision needed to be made so software that will be needed in the year 2000 is tested and upgraded.

Although laboratory testing of software was ongoing, there was no plan to field test workstations after new hardware and software is installed.

Management needed to ensure that the IRS computer inventory system, the Integrated Network and Operations Management System, was accurate because personal computer hardware and software purchasing decisions should be made based on that inventory.

A comprehensive plan would have helped to control critical issues, assign responsibility, monitor progress, and ensure deadlines are met.

We recommended to the Century Date Change (CDC) Project Office that the Tier III dashboard (a report that tracks Y2K conversion progress) should be re-established and include all mission critical systems. The list of non-standard software products should be finalized and testing results communicated to the users. Similarly configured workstations should be tested after software/hardware installations and Y2K conversions. Efforts to validate the Tier III inventory should be renewed. Also, a comprehensive project plan should be prepared and consideration given to forming or contracting for a consulting team to help with problem solving and overall project management.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued. We provided the IRS with a draft of this report on November 12, 1999, with a 30-day calendar comment period.

Objective and Scope

The objective of this review was to determine if the Internal Revenue Service (IRS) had an effective process to ensure that its personal computers will operate properly in the year 2000. The following audit tests were performed:

• Determined whether the Tier III (personal computers) Office of the End User Computing Support Division and the Century Date Change (CDC) Project Office provided effective management oversight and guidance for the Tier III conversion effort.
• Determined whether conversion progress was adequate for high-risk mission critical Tier III systems and other systems that have a Tier III component.

This audit was conducted in the CDC Project Office, the End User Computing Support Division, and the Information Systems (IS) function at the National Office from November 1998 through April 1999. The audit work was performed in accordance with Government Auditing Standards.

Details of our audit objective, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

The IRS created the CDC Project Office in 1996 as an oversight group to direct the conversion of all Information Technology systems for the year 2000. The CDC Project Office oversees the IRS’ Year 2000 (Y2K) personal computer conversion work being performed by the Tier III Office, which is part of the End User Computing Support Division.

The CDC Project Office, the Tier III Office, and the system owners share responsibility for Tier III Y2K conversions. The CDC Project Office provides independent oversight of the conversion work being done by the Tier III Office. The Tier III Office is responsible for ensuring that mandated Y2K activities for personal computers are completed in accordance with guidelines. System owners are responsible for Y2K conversions of their individual systems.

Results

The IRS has an extensive effort underway to ensure that its estimated 166,000² personal computers will function properly in the year 2000. The goal was to achieve Y2K compliance by July 31, 1999, by retiring obsolete personal computers and installing up-to-date personal computers containing standardized software. This effort is designed not only to make the IRS Y2K compliant, but also to standardize systems throughout the IRS.

Although Tier III conversion efforts have been extensive, the IRS needs to improve overall project management to ensure completion by January 1, 2000. Issues were communicated to IRS officials as they were identified, and IRS management agreed with the issues and took the actions it deemed appropriate.

Specifically, the IRS needed to address the following management issues:

• Conversion Efforts for Personal Computers Tied to Certain Mission Critical Systems Were Not Being Tracked
• Software Testing Decisions Had Not Been Finalized
• A Plan Had Not Been Developed to Field Test Workstations After New Hardware and Software Installation
• The Inventory of Personal Computers Had Not Been Validated
• A Comprehensive Plan for Year 2000 Conversion of Personal Computers Had Not Been Developed

Conversion Efforts for Personal Computers Tied to Certain Mission Critical Systems Were Not Being Tracked

As of April 1999, the Tier III Office, whose responsibilities include ensuring that all Tier III products for the IRS are Y2K compliant, was not tracking the conversion progress of the Tier III portion of some mission critical systems. The Tier III Office originally created a "dashboard," a one-page report that was used to track the progress of Tier III Y2K conversions. The dashboard included only a portion of the IRS’ mission critical systems.

The Tier III Office stopped using the dashboard and, instead, used other reports that contained the same information. Since not all mission critical systems were on the dashboard, they were not monitored in the other reports.

Without measuring the progress of the Tier III portion of all IRS mission critical systems, the Tier III Office would be unaware of any conversion problems. Personal computers are important to many mission critical systems because employees use them to interface with the IRS’ tax administration computer systems.

By comparison, the Tier II Office, which is responsible for mini-computer systems, tracks the overall status of the Tier II mini-computer conversions and the status of individual Tier II mission critical systems. Tier III systems should be monitored in a similar way. Mission critical systems could affect thousands of taxpayer transactions, so each mission critical system has a high level of risk.

1. IS management should re-establish the Tier III dashboard and include all mission critical systems so that they can be closely tracked.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued.

Software Testing Decisions Had Not Been Finalized

The End User Computing Support Division may not have sufficient time to test the Tier III software that the IRS wants to convert. When the July 31, 1999, deadline was closing in, a final decision had not been made on which non-standard software, such as certain word processor and spreadsheet programs, were going to be converted.

Because of the limited time for testing, some necessary software may be retired rather than tested, while other software may be used untested. This could result in systems not operating properly in the year 2000.

In addition, an effective communications process needs to be developed. Software testing results need to be communicated to all users and necessary changes need to be made to all copies of the software. An effective communications process would ensure that vital information is developed, sent, received, and updated by users.

At the time of the review, software testing results were only posted on the Intranet. By using this method, the Tier III Office cannot confirm that all users who need the results receive them.

If software users do not receive the test results or do not have access to the Intranet, they will not be able to make their software Y2K compliant or purchase new software when needed. This could cause operational disruptions in the year 2000.

For example, as part of our analysis of the Tier III infrastructure conversion, we reviewed the Integrated Submission and Remittance Processing (ISRP) System’s Y2K conversion progress. The ISRP is an IRS mission critical system that uses personal computer workstations to enter tax and payment information into the IRS mainframe.

At the time of this review, the Tier III Office had limited contact with the ISRP Project Office about conversion of ISRP workstations. The ISRP Office was not aware that the Tier III Office had given the testing of an operating system for some of its Tier III workstations a lower priority because it was not a standard product. Standard products are those products that are used service-wide. The ISRP Office was relying on the results of the Tier III Office’s Y2K testing of specific software products to ensure its computers were Y2K compliant. Without the testing, there would be no assurance that the ISRP will operate properly in the year 2000.

2. IS management should finalize the decision regarding what non-standard software will be tested and ensure the testing is performed timely.
3. IS management should implement an effective methodology to ensure that software testing that needs to be done is completed and the results are communicated to all users, and that all users make the necessary changes.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued.

A Plan Had Not Been Developed to Field Test Workstations After New Hardware and Software Installation

As of March 1999, there was no plan to field test personal computer workstations after new hardware and software installations. The End User Computing Support Division had not yet considered testing these workstations in their operating environment.

Workstations need to be sample tested after software/hardware installations and Y2K conversions to ensure that laboratory results are achieved in the field. This testing should ensure that the changes did not adversely affect how the computers operate and that the workstations are Y2K compliant.

Test results need to be communicated to all users of similarly configured workstations. If workstations are not tested in their actual operating environment, they could fail to perform needed tasks in the year 2000.

For example, recently, some employees could not use a database program after Y2K compliant software was loaded onto their workstations. In this case, the Y2K solution had the unintended effect of disabling the database program. If the Tier III Office of the End User Computing Support Division performs testing in the field, problems similar to this can be identified and corrected.

4. IS management should sample test similarly configured workstations (software and hardware) after software/hardware installations and Y2K conversions to ensure that laboratory results are achieved in the field.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued.

The Inventory of Personal Computers Had Not Been Validated

Management needs to ensure that the IRS computer inventory system, the Integrated Network and Operations Management System, is accurate because Y2K hardware and software purchasing decisions should be based on that inventory. Without a complete and reliable inventory, some personal computers may be purchased unnecessarily while others may not be made Y2K compliant.

If a sufficient number of workstations cannot be purchased due to funding restrictions, the IRS will have to convert workstations it intended to retire. This would require testing the additional workstations in a very short time frame. Management indicated that the estimated number of Tier III personal computers has ranged from 112,000 to 206,000.

Since the exact number of personal computers is not known, the validation of the Tier III personal computer inventory is critical in order to determine which computers need to be converted and which need to be replaced. After holding discussions with IS management regarding this issue, we cannot make a definitive statement as to the reason for the inability to validate the personal computer inventory.

5. IS management should renew efforts to validate the Tier III inventory to ensure that procurements and conversions are based on complete and reliable information.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued.

A Comprehensive Plan for Year 2000 Conversion of Personal Computers Had Not Been Developed

The IRS did not have a comprehensive plan for the Tier III conversion. A well-developed plan should contain clear objectives and details on major tasks and deliverables (i.e., work breakdown structure). Activities need to be listed, a path developed, and adjustments made as the plan develops. Projects should be tracked and one person should be responsible for each activity. Resources need to be managed to deliver the plan.

The plan needs to include a method for monitoring progress, identifying hardware and software to be converted, and determining interdependencies. Also, a methodology for testing computers in their environment should be part of the plan.

Without a comprehensive plan, the End User Computing Support Division cannot be assured of meeting deadlines for Tier III Y2K conversions.

In our April 1999 discussion with the End User Computing Support Division, management stated that it might not be practical to prepare a consolidated plan.

Recommendations

6. IS management should prepare a comprehensive project plan that includes specific task deadlines, task responsibilities, sufficient details, and identification of necessary funds and resources needed to accomplish tasks.
7. IS management should consider forming or contracting for a consulting team which would help with problem solving and overall project management. The team is needed because of the critical timing, the magnitude of Tier III conversions, and the large number of tasks yet to be accomplished. The consulting team should have sufficient independence and experience in "large scale" efforts of this type.

Management’s Response: Management’s response was not available for inclusion in the report at the time this final report was issued. We provided the IRS with a draft of this report on November 12, 1999, with a 30-day calendar comment period.

Conclusion

Although transition efforts have been extensive, the IRS needs to improve overall project management of Y2K conversion activities to ensure the successful conversion of its personal computers. As of April 1999, management action was needed in the areas of tracking conversion progress, testing software, and validating the inventory of computers. The IRS does not have a comprehensive project plan for the Tier III conversion effort; however, it needs to develop one to serve as a device to address and control critical issues.

Detailed Objective, Scope, and Methodology

The objective of this review was to determine if the Internal Revenue Service (IRS) had an effective process to ensure that its personal computers will operate properly in the year 2000 (Y2K). The following audit tests were performed:

1. Determined whether the Tier III (i.e., personal computers) Office of the End User Computing Support Division and the Century Date Change (CDC) Project Office provided effective management oversight and guidance for the Tier III conversion effort.

1. Evaluated the adequacy of reports being generated concerning the overall progress of Tier III systems included in the Tier III infrastructure conversion effort.

1. Evaluated whether the information contained in the Tier III dashboard and reports was being used to monitor problems and assist functional organizations in their system conversions.

1. Determined whether conversion progress was adequate for high-risk mission critical Tier III systems contained in the Tier III infrastructure.

Major Contributors to This Report

Scott Wilson, Associate Inspector General for Audit (Information Systems Programs)

Kerry Kilpatrick, Director

Philip Shropshire, Deputy Director

Robert Irish, Audit Manager

John Chiappino, Senior Auditor

William Floyd, Senior Auditor

Douglas Heagle, Senior Auditor

Philip Peyser, Senior Auditor

Anne Piersa, Senior Auditor

Marcia Miller, Auditor

Gail Schuljan, Auditor

Report Distribution List

Deputy Commissioner Modernization C:DM

Deputy Commissioner Operations C:DO

Chief Information Officer IS

Deputy Chief Information Officer, Operations IS

Deputy Chief Information Officer, Systems IS

Assistant Commissioner National Operations IS:O

Assistant Commissioner (Program Evaluation and Risk Analysis) M:O

Assistant Commissioner Service Center Operations IS:SC

Director, End User Computing Support IS:F:SP

Director, System Support Division IS:S:TS

Director, Office of Information Resources Management IS:IR

Director, Century Date Change Project Office IS:CD

Project Director, Mainframe Consolidation IS:O:MC

National Director for Legislative Affairs CL:LA

Office of the Chief Counsel CC

Office of Management Controls M:CFO:A:M

Audit Liaison:

Office of Information Systems Program Oversight IS:IR:O

Century Date Change Project Office IS:CD

Chief, Information Systems Audit Assessment and Control Section IS:IR:O:A

Treasury Inspector General for Tax Administration Liaison IS:IR:O:A

Glossary of Terms

Century Date Change (CDC) Project Office - The full time, central coordinating organization that is responsible for managing the Year 2000 (Y2K) compliance project.

Commercial-Off-The-Shelf Products - Hardware and software developed by vendors and widely sold in the marketplace.

Dashboard - A project management tool used to display progress or the state of an event by the use of colors. Colors used are generally red, yellow, and green.

Deliverables - The result of meeting a promised service level or producing a product by a specified time.

End User Computing Support Division - Organization formerly called the Strategic Project Office, it is responsible for ensuring that Y2K activities for personal computers are completed.

Hardware - The physical computer components. Examples include computer monitors, keyboards, cables, central processing units, and printers.

Infrastructure -The basic facilities and equipment needed for a system to function.

Integrated Network and Operations Management System - The Internal Revenue Service’s (IRS) computer inventory system.

Intranet - Like the Internet, but only IRS employees have access to it.

Laboratory - A place where computers are tested.

Mission Critical System - A system supporting an IRS critical business activity. The system is deemed critical if it is used in tax processing, would result in loss of revenue if not operational, would result in a work stoppage if not operational, or is considered a national IRS system.

Software - A general term used for various types of programs used to operate computers. Most of the software used on personal computers is developed by vendors and is widely sold in the marketplace.

Standard Software - Computer programs purchased in bulk to ensure that IRS employees use the same programs.

Tier I - Mainframe computers and their associated computer programs.

Tier II - Minicomputers and their associated computer programs. These computers are generally larger than microcomputers and usually function as a server on a computer network.

Tier III - Microcomputers or personal computers and their associated computer programs. Tier III computers are those used in a desktop environment such as a personal computer, laptop, or workstation capable of working alone or connected to other computers.

Year 2000 Problem - The millennium change when the calendar changes to January 1, 2000, and the resultant impact and potential disruption to business services, computers, and software.

Y2K - An acronym used to represent the year 2000.