TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
ADDITIONAL ACTIONS ARE NEEDED TO STRENGTHEN THE DEVELOPMENT AND ENFORCEMENT OF THE ENTERPRISE ARCHITECTURE
Reference No. 2000-20-158
The Internal Revenue Service (IRS) is in the process of modernizing its aging computer systems. A critical component of the modernization effort is the establishment of an enterprise architecture that defines concepts such as the organizationís mission, vision, and future business objectives. It also defines the organizationís business processes, business requirements, anticipated processing volumes, products and services to be offered and locations where they will be provided. Finally, it defines basic computer hardware and software that will be used to provide these services. The IRSí Modernization Blueprint, which provides the plan that is being used to guide and control the modernization efforts, contains the IRSí initial steps toward defining the architecture. Future architecture updates will become part of this Blueprint.
The IRS hired Computer Sciences Corporation (CSC) to help with the modernization effort. It also established the Architecture Systems and Engineering (AE) Division to oversee the development of the enterprise architecture and the update of the Modernization Blueprint. The overall objective of our audit was to determine whether the IRSí AE Division established an effective system of controls and processes to ensure the development of the IRSí enterprise architecture and the update of the IRSí Modernization Blueprint.
The IRS and CSC are currently developing 60 architecture work products, or documents, that will become part of the planned September 2000 update of the Modernization Blueprint. These documents will explain the IRSí architecture standards, business requirements, and strategy for when and how the new computer systems will be implemented.
However, the processes followed by the IRS do not fully address the development of the enterprise architecture, ensure that the Blueprint architecture meets the IRSí needs, or ensure that systems modernization projects follow architecture guidance.
The Enterprise Life Cycle Does Not Contain the Detailed Processes and Activities Necessary to Develop the Enterprise Architecture
The IRS is using a process called the Enterprise Life Cycle (ELC) to provide a disciplined and institutional approach for managing its information technology investments during conception, development, operation and maintenance. A critical piece of this ELC, the Enterprise Architecture supplement, has not been completed. This supplement establishes the processes, activities and work products needed to develop the enterprise architecture.
The delay in completing this supplement has resulted in an environment where the enterprise architecture is being developed at the same time as the required ELC processes and procedures. Ideally, the ELC processes and procedures should be established first so that the IRS will have this guidance to follow as it develops and updates the enterprise architecture. However, due to significant modernization project dependencies on the development of the enterprise architecture, we concur with the IRSí decision to continue developing the enterprise architecture in the absence of these required ELC processes.
A Validation Process Has Not Been Established to Ensure That Architecture Products Meet the Internal Revenue Serviceís Needs
The IRS paid CSC nearly $3 million for six architecture products. However, the IRS did not conduct a thorough validation of these products before accepting them to ensure these products met the IRSí needs. As a result, the IRS did not realize all the expected benefits from the funds invested in these products.
In the past, the General Accounting Office has recommended that the IRS define and implement processes to validate life cycle products, including architecture deliverables. The Clinger-Cohen Act of 1996 also requires government agencies to implement validation controls. This legislation requires government agencies to focus on the results they are achieving through their information technology investments. Agencies are required to put their technology procurement decisions in a true business context and analyze investments for their return on investment.
Processes Are Needed to Ensure That Architecture Requirements of Critical Modernization Projects Are Obtained and Addressed
Several projects are currently underway as part of the IRSí systems modernization. Since the project developers must design their systems in compliance with the IRSí enterprise architecture, they each have dependencies on the development and establishment of the enterprise architecture into the Modernization Blueprint. One of the architecture products, delivered by CSC in November 1999, was developed to address critical near-term topics for the early projects, which planned to deliver new and enhanced services in Fiscal Year (FY) 2001. However, the product did not provide solutions to some of the key architecture issues that needed to be addressed for these projects to move forward with the designs. This contributed to the delay of computer modernization initiatives that were originally planned for FY 2001. Some of the modernization projects continue to await architecture direction in key areas. Other projects, which management believes are low risk and not impaired by delays in development of the architecture, are continuing development efforts.
A Change Control Board Is Needed to Review and Approve Changes to the Modernization Blueprint
In May 1997, the IRS provided a Modernization Blueprint to the Congress that provided an initial foundation for IRSí future architecture. The first update to this Blueprint is due in September 2000, and additional updates will be made throughout the modernization effort. Currently, the Core Business Systems Executive Steering Committee serves as the final approval authority for changes to the Blueprint. However, this high-level Committee has numerous other responsibilities and may not be able to conduct sufficiently detailed reviews to ensure that updates to this Blueprint meet all business needs and are approved at all necessary levels.
Enforcement and Waiver Processes Are Needed to Ensure Compliance with Architecture Guidance
The AE Division is currently exploring opportunities to establish enforcement and waiver processes. These controls are necessary to ensure modernization projects design their new systems in compliance with the enterprise architecture. The AE Division has not yet established these processes because it has focused its efforts on working with the PRIME contractor to identify the 60 enterprise architecture products that must be completed to update the Modernization Blueprint. Without enforcement and waiver processes, project developers could design new computer systems that are not compliant with the enterprise architecture. This could result in wasted time and money.
Summary of Recommendations
Although efforts are underway to more fully develop an enterprise architecture, the IRS should strengthen its controls and processes to ensure the architecture products being developed will meet the IRSí needs and systems development projects follow this guidance. The Chief Information Officer needs to develop and implement a plan to expedite the completion of the Enterprise Architecture supplement to the ELC.
In addition, processes should be established to validate the architecture deliverables received from CSC, ensure that project needs are obtained and considered in the development of the architecture, control changes to the Modernization Blueprint, and enforce compliance with the future enterprise architecture.
Managementís Response: Managementís response was due on September 25, 2000. As of September 26, 2000, management had not responded to the draft report.