TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Internal Revenue Service Should Improve Server Software
Asset Management and Reduce Costs

 

 

 

September 25, 2014

 

Reference Number:  2014-20-042

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number  /  202-622-6500

E-mail Address /  TIGTACommunications@tigta.treas.gov

Website           /  http://www.treasury.gov/tigta

 

HIGHLIGHTS

THE INTERNAL REVENUE SERVICE SHOULD IMPROVE SERVER SOFTWARE
ASSET MANAGEMENT AND REDUCE COSTS

Highlights

Final Report issued on September 25, 2014

Highlights of Reference Number:  2014-20-042 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Computer software is typically protected by Federal copyright law, which requires users of software programs to purchase licenses authorizing such use.  Software licenses are legal rights to use software in accordance with terms and conditions specified by the software copyright owner.  Efficient and cost-effective management of the IRS’s software assets is crucial to ensure that information technology services continue to support the IRS’s business operations and help it to provide services to taxpayers efficiently.

WHY TIGTA DID THE AUDIT

The overall objective was to determine whether the IRS is adequately managing server software licenses.  The audit is included in our Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Achieving Program Efficiencies and Cost Savings.

WHAT TIGTA FOUND

The IRS does not effectively manage server software licenses and is not adhering to Federal requirements and industry best practices.  The IRS does not have enterprise-wide or local policies, procedures, and requirements for managing server software licenses and does not have a centralized, enterprise-wide organizational structure for managing server software licenses.

The IRS does not have an enterprise-wide inventory of license purchase and deployment data on server-based software, nor does it have any specialized software license management tools for developing and maintaining such an enterprise-wide inventory.  TIGTA estimates that the amount wasted because of the inadequate management of server software licenses is in the range of $81 million to $114 million based on amounts spent for licenses and annual license maintenance that were not being used at the time of a compliance review.  This range could be lower or higher depending on the extent that the IRS had used the licenses prior to the compliance review.  However, the IRS does not know if the software licenses were ever used.  In addition, for some software, more licenses were deployed than purchased.  TIGTA estimates the value of these overdeployed licenses to be in the range of $24 million to $29 million.

WHAT TIGTA RECOMMENDED

To improve the management of server software licenses based on Federal requirements and recommended industry best practices, TIGTA recommended that the Chief Technology Officer incorporate server software license management in the enterprise-wide software management program currently under development.

In their response to the report, IRS management agreed with the recommendation, and server software is already being considered as a component of the enterprise-wide software management program under development.  An Enterprise Software Governance Board has been established along with a working group.  This effort includes the development of a standardized process for ensuring consistency in asset management across the enterprise.  The IRS is also working to complete other software management actions, including developing an enterprise-wide repeatable method to manage and track the deployment of licenses that can be uniformly used by all organizational entities responsible for managing licenses.

Although the IRS agreed that inadequate management of server software licenses is a problem, it did not agree that it has resulted in significant waste and believes it has mitigated some of these issues with a software contract that was awarded at the end of 2012.

 

September 25, 2014

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

 

FROM:                       Michael E. McKenney /s/ Michael E. McKenney

                                  Deputy Inspector General for Audit

 

SUBJECT:                  Final Audit Report – The Internal Revenue Service Should Improve Server Software Asset Management and Reduce Costs (Audit # 201320024)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) management of server software licensing.  The overall objective of this review was to determine whether the IRS is adequately managing server software licenses.  This review is included in our Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Achieving Program Efficiencies and Cost Savings.

Management’s complete response to the draft report is included as Appendix VI. 

Copies of this report are also being sent to the IRS managers affected by the report recommendation.  If you have any questions, please contact me or Danny Verneuille, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Does Not Effectively Manage Server Software Licenses

Recommendation 1:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Glossary of Terms

Appendix VI – Management’s Response to the Draft Report

 

Abbreviations

 

GSA

General Services Administration

IBM

International Business Machines

IRS

Internal Revenue Service

IT

Information Technology

ITIL®

Information Technology Infrastructure Library

TIGTA

Treasury Inspector General for Tax Administration

VCMO

Vendor and Contract Management Office

 

Background

 

Software asset management is a process for tracking and reporting the use and ownership of software assets.  Forrester Research Inc.[1] defines software asset management as:

The systematic automation of processes to reconcile software licenses and statements of entitlement, maintenance contracts, and original media with installed software and those processes for discovering deployed software assets; to reconcile the assets to their licenses, maintenance contracts, and definitions of entitlement; and to report on compliance and discrepancies in such a way as to minimize the risk of legal action by software vendors as well as loss of service to users or of reputation in the wider world.

A critical part of software asset management is server software license management.  The objective of software license management is to manage, control, and protect an organization’s software assets, including management of the risks arising from the use of those software assets.  Proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and cost-effectively deployed and that software purchasing and maintenance expenses are properly controlled.

Software license management can be difficult because:

Federal requirements established by Executive Orders, the Federal Chief Information Officer Council, the National Institute of Standards and Technology, and the Department of the Treasury as well as recommended industry best practices govern the use and management of software licenses.  These sources provide guidance to ensure that software licenses are 1) efficiently purchased and are not being nondeployed or underdeployed, 2) used in compliance with copyright laws, and 3) inventoried through the use of adequate recordkeeping systems that control and track the use of licenses.

Due to the complexity of the Internal Revenue Service’s (IRS) software license environment, the Treasury Inspector General for Tax Administration (TIGTA) conducted three separate audits on the issue:  1) desktop and laptop environment, 2) mainframe environment, and 3) server environment.  In the two previous TIGTA audits,[2] we reported that for the desktop and laptop environment and the mainframe environment, the IRS did not:

To address the reported issues, the IRS planned corrective actions to implement TIGTA recommendations regarding:

·       Maintaining data in the inventory system that the IRS can use to more effectively review software licensing agreements, purchases, deployment, usage, and other related aspects of licensing to identify additional savings in software spending.

While the prior audits focused on the desktop and laptop environment and the mainframe environment, this audit focused on the software and license management of the IRS’s server environment.

This review was performed at the Information Technology (IT) organization’s Enterprise Operations and Strategy and Planning organizations in New Carrollton, Maryland, and the IRS Campus in Austin, Texas.  Additionally, information was obtained from the many business units that were managing software products we reviewed, such as the Research, Analysis and Statistics function; the Communications and Liaison function; the Wage and Investment Division; the Large Business and International Division; the Agency-Wide Shared Services; and other functions within the IT organization during the period May 2013 to March 2014. 

We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II. 

 

Results of Review

 

The Internal Revenue Service Does Not Effectively Manage Server Software Licenses

Executive Order 13103, Computer Software Piracy, requires and ITIL best practices recommend the development of software license management policies and procedures and roles and responsibilities.  The ITIL and industry best practices recommend a centralized, enterprise-wide management structure for software asset management.  These best practices indicate that some of the most significant benefits of software asset management, both cost and risk‑management benefits, come from managing software on an enterprise-wide basis.  An enterprise-wide management structure can actively manage software assets to know the location, configuration, and usage history of every product.  In addition, an enterprise-wide management structure supported by an enterprise-wide inventory and automated software license management tools can better provide procurement staff with the detailed and accurate information needed to negotiate flexible, cost-effective contracts and form the basis for cost reduction projects such as platform stabilization, volume bundling, securing longer term agreements, and vendor or hardware consolidation.  In September 2010, the IRS’s Chief Technology Officer outlined a goal to have the IT organization implement the ITIL best practices over the next several years.  The IRS reported that the IT organization had achieved ITIL Maturity Level 3 in October 2012.

Executive Orders;[3] Department of the Treasury Directive 85-02, Software Piracy Policy;[4] and Internal Revenue Manual 10.8.2[5] require and ITIL and industry best practices recommend creating and maintaining accurate enterprise-wide inventories of installed software and licenses.  These inventories should contain licensing models applicable to each software product and link the data on licenses bought and deployed, including costs.  This will help ensure that software purchased is not nondeployed or underdeployed and that software is used in compliance with copyright laws.

The National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations,[6] and Treasury Directive Publication 85-01, Treasury IT Security Program,[7] require and ITIL and industry best practices recommend implementing enterprise-wide software asset discovery, network scanning, license management, and license metering tools.  Software asset discovery tools are used to identify installed software and collect relevant details about each installed software product.  Network scanning tools are used to detect and remove any unauthorized or unlicensed installed software.  Software license management tools help to ensure compliance with licensing agreements by tracking license usage, linking upgrades to original licenses, linking licenses bought to licenses used, and managing the stock of unused licenses.  License metering tools help to ensure that licenses are used cost effectively by detecting installed software that is not being used, is being underutilized, or is being overutilized so that the licenses can be managed effectively.

The IRS does not have defined policies and procedures or roles and responsibilities for server software license management

The IRS does not have an enterprise-wide software licensing program designed around industry best practices.  The IRS does not have enterprise-wide or local policies, procedures, and requirements for managing server software licenses.  The IRS has defined software asset and license management roles and responsibilities only for the Chief Information Officer/Chief Technology Officer in Internal Revenue Manual 10.8.2, IT Security Roles and Responsibilities.[8]  Internal Revenue Manual 2.14.1, Asset Management, Information Technology (IT) Asset Management,[9] does not provide any additional roles and responsibilities for software asset and license management.

Two offices within the IT organization have mission statements that suggest those functions have some responsibility for managing server software assets and licenses.  However, personnel in the offices stated that they do not have any defined server software license management policies and procedures or roles and responsibilities.

The IRS also does not have a centralized, enterprise-wide organizational structure for managing server software licenses.  Functions managing server licenses are dispersed throughout the IT organization and business units depending on factors such as whether the software is platform infrastructure, a specialized application used by a specific business unit, and in general, what process the software is used to perform.  However, the VCMO has recently begun conducting activities that are partially related to centralized, enterprise-wide software license management for International Business Machines (IBM) and Microsoft server and workstation software, as explained in the next section.  VCMO personnel stated that, in response to a prior TIGTA audit report recommendation,[10] they are in the process of developing roles, responsibilities, and standards for an enterprise-wide software asset management program.

Our review of 23 server software products revealed that the IRS is not adequately managing server software licenses.  Figure 1 shows that licenses for eight software products were underdeployed by an average of 41.9 percent of the licenses owned, at an estimated cost of $5.3 million and an estimated average of $666,000 per software product.  Licenses for one software product were overdeployed by 1,150.0 percent of the licenses owned, at an estimated cost of $11.6 million.  Our figures on license underdeployments only include amounts in excess of 10 percent of the number of licenses purchased.[11]

Figure 1:  Software Licenses Underdeployed and Overdeployed

Software

Number of Licenses Purchased

Number of Licenses Underdeployed or Overdeployed

Percentage of Underdeployment or Overdeployment

Estimated Cost

Underdeployment[12]

Product 1

1,056

298

28.2

$1.7 million on licenses

Product 2

3,374

2,870

85.1

$1.6 million on licenses and one year of maintenance

Product 3

153,500

11,290

7.4

$850,000 on licenses and one year of maintenance

Product 4

104,920

16,478

15.7

$838,000 on licenses and one year of maintenance

Product 5

Unlimited across multiple modules

One entire module not deployed (20.9% of the contract)

20.9

$148,000 on licenses and five years of maintenance

Product 6

250,000

69,932

28.0

$96,000 on licenses and two years of maintenance

Product 7

18

18[13]

100.0

$68,000 on licenses and three years of maintenance

Product 8

4

2

50.0

$26,000 on licenses and one year of maintenance

Total 8 Products

 

 

41.9 (average)

$5.3 million
(average $666,000)

Overdeployment

Product 9

32

368

1,150.0

$11.6 million for additional licenses and maintenance for one year

Source:  TIGTA analysis of IRS purchase records, software and hardware data, and
discussions with IRS IT organization and business unit management and personnel.

In addition to underdeployment and overdeployment of server software licenses, our review of the 23 server software products identified the following instances of inadequate software license tracking and management:

The IRS does not use software license tools and does not maintain server license inventories in accordance with Federal requirements and industry best practices

Neither the Enterprise Operations organization nor the VCMO within the IT organization has an enterprise-wide inventory of license purchase and deployment data on server-based software or any specialized software license management tools for developing and maintaining such an enterprise-wide inventory.  The functions managing licenses are dispersed (decentralized) throughout the IT organization and business units.  Any license tracking records are stored locally.  Decentralized groups that may be managing and tracking licenses on server software are doing so by using queries, spreadsheets, record systems, scanning tools not specifically designed for software license management to gather rough software data, utilities unique to the software product being tracked, and manual calculations to maintain their own software licensing records. 

The VCMO was the only function we identified that was conducting activities that are partially related to centralized, enterprise-wide software license management, and they were doing it for only IBM and Microsoft server and workstation software.  However, these activities were not an adequate software license management process, did not use specialized software license management tools, and did not produce software license inventories for all IBM and Microsoft software.

Even though the IRS does not have written policies and procedures for managing server software licenses, through interviews, we obtained information on the local approach or processes used by the VCMO to manage server software licenses for IBM and Microsoft software.  To determine the number of licenses deployed, the VCMO begins by using a search tool to find IBM and Microsoft server software in an IRS database containing data on installed instances of software and the computers the software is installed on.  The data are on installed software instances because the scanning tool that creates the database has no licensing scanning capability.  The search for IBM and Microsoft server software within this database produces a server table that lists servers having installed instances of IBM and Microsoft software, along with data on the software and the servers.  Because licensing models can vary among different software, the VCMO then has to use the hardware and software data provided in the table, or from other sources as appropriate, to calculate the number of licenses deployed on the servers in this table.  The VCMO uses the data in the server table to create a license deployment table listing software and the number of licenses deployed.  The VCMO obtains from IBM and Microsoft data on software and licenses purchased by the IRS to create a license entitlement table listing software and the number of licenses purchased.

These tables do not contain any reports matching the number of licenses deployed to the number purchased on any IBM or Microsoft software product.  Performing a license reconciliation is not as simple as just matching a software product in the license deployment table to the license entitlement table because software titles are often named differently due to the data in the two tables coming from different sources.  Sometimes the server table with the query results needs to be researched again in a different way to more accurately determine the number of licenses deployed.  These three tables give the VCMO the capability to perform additional analysis and calculations on a request basis.  The VCMO uses these tables to produce license reports only on a case-by-case basis when a report is needed on specific IBM and Microsoft software products, e.g., when data are needed for contract renewals.  However, we could not review these reports because the VCMO did not save the reports or worksheets.

The activities performed by the VCMO for tracking the deployment of software licenses and entitlement on IBM and Microsoft software are not considered adequate software license management because:

For eight of the 23 server software products we reviewed, the IRS had reports that tracked the number of licenses deployed against the number of licenses purchased, but seven of the eight software products records were being maintained locally, not in a centralized inventory, and tools designed for software license management were not being used.

Without these tools and a software asset and license management structure in place, the IRS cannot effectively determine if the software contracts it enters into are reflective of its current or future projected server software license and support needs.  In addition, the IRS cannot, from an enterprise-wide basis, effectively manage its server software and license compliance to the contract option-year renewals.  In September 2007, the IRS entered into a one-year contract with four option years for the use and support of IBM software.  In September 2012, an external contractor hired by the prime contractor, i.e., IBM, completed a compliance review of the IRS’s contract for IBM software and related licensing.  Using asset discovery, network scanning, license management, and license metering tools, this contractor found several issues that included nondeployed, underdeployed, and overdeployed software licenses that the IRS had purchased under the contract.  In turn, the IRS hired its own contractor, costing $50,000, to evaluate the compliance review results and to assist the IRS in negotiating a new contract agreement.  The IRS-hired contractor did not dispute the results from the compliance review.  As shown in Figures 2 through 4, TIGTA used data from the original compliance review and the General Services Administration (GSA) list price costs to estimate the extent that the licenses for server software were nondeployed, underdeployed, and overdeployed and the related estimated value.[14]  Figure 2 shows that no licenses were deployed for 43 software products at the time of the compliance review, at an estimated range of value from $43.3 million to $62.0 million and an estimated average range of $1.0 million to $1.4 million per software product.  This range could be lower or higher depending on the extent that the IRS had used the licenses prior to the compliance review.  However, the IRS does not know if the software licenses were ever used. 

Figure 2:  IBM Software With No Licenses Deployed

Software

Estimated Values

GSA Price List

30-Percent Discount[15]

Product 1

$14.6 million

$10.2 million

Product 2

$10.4 million

$7.3 million

Product 3

$7.2 million

$5.0 million

Product 4

$5.4 million

$3.8 million

Product 5

$5.0 million

$3.5 million

 Product 6

$4.6 million

$3.2 million

Product 7

$1.9 million

$1.3 million

Product 8

$1.9 million

$1.3 million

Product 9

$1.3 million

$0.9 million

Product 10

$1.3 million

$0.9 million

33 Products

$8.4 million (average $255,000)

$5.9 million (average $178,800)

Total 43 Products

$62.0 million (average $1.4 million)

$43.3 million (average $1.0 million)

Source:  TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with
IRS IT organization management and personnel.

Figure 3 shows that licenses for 18 software products were underdeployed by an average of 66.5 percent of the licenses owned at the time of the compliance review, at an estimated range of value from $32.8 million to $46.8 million and an estimated average range of $1.8 million to $2.6 million per software product.  This range could be lower or higher depending on the extent that the IRS had used the licenses prior to the compliance review.  However, the IRS does not know if the software licenses were ever used.  Our figures on license underdeployments only include amounts in excess of 10 percent of the number of licenses purchased. 

Figure 3:  IBM Software With Licenses Underdeployed

Software

Percentage of Underdeployment

Estimated Values

GSA Price List

30-Percent Discount[16]

Product 1

79.9

$7.5 million

$5.2 million

Product 2

83.1

$6.3 million

$4.4 million

Product 3

80.0

$6.1 million

$4.3 million

Product 4

42.5

$5.4 million

$3.8 million

Product 5

86.1

$4.3 million

$3.0 million

Product 6

89.8

$3.8 million

$2.7 million

Product 7

89.7

$2.7 million

$1.9 million

Product 8

89.3

$2.4 million

$1.7 million

Product 9

89.7

$2.2 million

$1.5 million

Product 10

34.1

$2.0 million

$1.4 million

Eight Products

54.1 (average)

$4.1 million 
(average $513,000)

$2.9 million
(average $362,500)

Total 18 Products

66.5 (average)

$46.8 million
(average $2.6 million)

$32.8 million (average $1.8 million)

Source:  TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with
IRS IT organization management and personnel.

Figure 4 shows that licenses for 11 software products were overdeployed by an average of 309.1 percent of the licenses owned, at an estimated range of value from $12.0 million to $17.2 million and an estimated average range of $1.1 million to $1.6 million per software product.

Figure 4:  IBM Software With Licenses Overdeployed

Software

Percentage of Overdeployment

Estimated Values

GSA Price List

30-Percent Discount[17]

Product 1

129.0

$4.4 million

$3.1 million

Product 2

84.0

$4.3 million

$3.0 million

Product 3

462.5

$4.2 million

$2.9 million

Product 4

96.7

$2.0 million

$1.4 million

Product 5

445.0

$1.0 million

$0.7 million

 Six Products

363.8 (average)

$1.3 million

(average $217,000)

$0.9 million

(average $150,000)

Total 11 Products

309.1 (average)

$17.2 million 
(average $1.6 million)

$12.0 million
(average $1.1 million)

Source:  TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with
IRS IT organization management and personnel.

IRS management informed us of several potential factors it believed affected the software license nondeployments and underdeployments in Figures 2 and 3.

IRS management also commented that the estimated costs we provided are inflated because the IRS is a large purchaser of IBM software and it pays less than the GSA price.  However, the IRS was unable to provide documentation to support that the comment and potential factors specifically applied to the software in Figures 2 through 4.  Nonetheless, to account for the possibility that the IRS received a substantially discounted price, we provide a range of values in Figures 2 through 4.

The IRS does not have enterprise-wide or local server software asset and license management policies and procedures, an asset and license management structure, or defined roles and responsibilities in accordance with Federal requirements and industry best practices.  The IRS does not have an enterprise-wide inventory of server software assets and software licensing data in accordance with Federal requirements and industry best practices.  Additionally, the IRS has not identified and implemented automated software license tools for the enterprise-wide management of server software assets and licenses.  This is due, in part, to Internal Revenue Manual 2.14.1, Asset Management, Information Technology (IT) Asset Management (November 8, 2011), which states in section 13.17 that software management is under development and that procedures are being defined.

The lack of an enterprise-wide inventory with comprehensive data on all server software assets and software licensing impedes the IRS’s ability to more effectively analyze the relationships among its software license agreements and vendors to more cost effectively buy software licenses and maintenance.  In an effort to offset budget constraints, the IT organization created the VCMO with a mandate to create savings by promoting innovative sourcing alternatives that generate the same or additional value while minimizing risk.  Because the IRS does not have adequate software licensing tools and inventories, the VCMO has to improvise using various tools and data and search various record systems to manually compile hardware and software data and then perform additional calculations to conduct software licensing analysis.  The VCMO has achieved some software licensing savings during the last two years, but we believe that better software license inventories and tools would enable it to identify additional savings opportunities. 

Until the IRS addresses the issues presented in this report, it is incurring increased risks in managing software licenses.  These risks include:  1) not complying with licensing agreements, which could result in embarrassment, legal problems, and financial liability; 2) not using licenses in the most cost-effective manner; and 3) not effectively using licensing data to reduce software purchase and software maintenance costs.  In fact, these deficiencies have already resulted in licenses for server software being nondeployed or underdeployed (with an estimated cost in the range of $81.4 million to $114.1 million) and overdeployed (with an estimated value in the range of $23.6 million to $28.8 million.

Because the IRS does not have an enterprise-wide software licensing program designed around industry best practices, dispersed functions throughout the IT organization and business units are performing software license management at inconsistent levels of quality.  For example:

Recommendation

To improve the management of server software licenses based on Federal requirements and recommended industry best practices, the Chief Technology Officer should:

Recommendation 1:  Incorporate server software license management in the enterprise-wide software management program currently under development.

Management’s Response:  IRS management agreed with the recommendation, and server software is already being considered as a component of the enterprise-wide software management program under development.  Additionally, an Enterprise Software Governance Board has been established along with an Enterprise Software Governance Board Working Group.  This effort includes the development of a standardized process for ensuring consistency in asset management across the enterprise.  IRS management also stated that they have already completed actions to ensure that software management policies and guidance are aligned to and include the protocols, functions, and decisionmaking outcomes across enterprise units through the Enterprise Software Governance Board.  The IRS is working to complete a number of other software management actions, including developing an enterprise-wide repeatable method to manage and track the deployment of licenses that can be uniformly used by all organizational entities responsible for managing licenses.  These and other efforts under development will help move the IRS towards a comprehensive enterprise program for software license management.

While the IRS agreed with our recommendation to improve the management of server software licenses, the IRS disagreed with TIGTA’s findings on the overdeployment, underdeployment, and nondeployment of software licenses and the related outcome measures.  Specifically:

·       The IRS stated that it found discrepancies in TIGTA’s analysis that stem from a misinterpretation of how IBM software is licensed and what constitutes underdeployment, overdeployment, and nondeployment of perpetual licenses.  The IRS also stated that it found instances in which TIGTA calculated values using license costs but a maintenance cost would have been more appropriate.

·       The IRS disagreed with all of the IBM server software found by TIGTA to have nondeployed and underdeployed licenses in Figure 2:  IBM Software With No Licenses Deployed and in Figure 3:  IBM Software With Licenses Underdeployed.  The IRS stated that TIGTA’s estimated values should only contain the cost of annual support because the IRS already owns these licenses, whereas TIGTA based its estimated values on the cost of purchasing the nondeployed and underdeployed licenses as well as their annual support costs.

·       The IRS disagreed that licenses were overdeployed on nine of the 11 IBM software products shown in Figure 4:  IBM Software With Licenses Overdeployed.

·       The IRS also disagreed that licenses were underdeployed and overdeployed on six of the nine software products shown in Figure 1:  Software Licenses Underdeployed and Overdeployed.

Office of Audit Comment:  We did not include any unlimited licenses within the report calculations and not all IBM products reviewed and presented in this report were covered by a perpetual license.  To determine the extent that IBM licenses were underdeployed, overdeployed, and nondeployed, we relied on a study performed by a contractor, the results of which were reviewed and not disputed by another IRS contractor as well as IRS staff. 

In estimating the value of nondeployed, underdeployed, and overdeployed licenses, we used the one-time GSA price of purchasing the licenses at the point in time we performed our review.  We also included the GSA price of annual maintenance because it is an annual recurring cost of maintaining the licenses.  The IRS asserted that we should have only used maintenance costs.  This methodology would be appropriate if the IRS demonstrated that it had ever deployed or utilized these software licenses.  We requested but did not obtain software license utilization and costing information from the IRS on the IBM software in the contractor study. 

The IRS is unable to accurately track utilization of its software license assets and does not have any detailed costing information for the software license assets presented in this report.  We note in the report that the estimated range of the cost of nondeployed or underdeployed licenses could be lower if the IRS had ever used the software; however, it should be noted that the total cost over time of this software could actually be higher.  We only included the license cost and the cost of maintenance for one year even though the IRS owned and paid maintenance for several years on many of these software products.  The amount of underpayment for the overdeployed licenses could also be higher over time.  Moreover, the range we report also includes the potential discounted price to account for the possibility that the IRS received a substantial discount due to the volume and bundling even though the IRS does not have any documentation supporting this claimed discount. 

Finally, in our review of 23 server software products, we held numerous meetings with subject matter experts from the VCMO, Enterprise Operations organization, Office of Procurement, and various other business units involved in the procurement, installation, and use of the software.  When available, we obtained and reviewed documentation provided by these individuals to develop our estimated values.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS is adequately managing server software licenses.  To accomplish our objective, we:

I.                 Determined Government requirements and industry best practices[18] for software license management.

A.    Reviewed Government requirements and industry best practices for software license management and Government Accountability Office and TIGTA audit reports on software license management.

B.    Identified additional Government requirements for software license management that applied to the management of server software licenses.

C.    Identified additional industry best practices for software license management that applied to the management of server software licenses.

D.    Identified additional Government Accountability Office and TIGTA audit reports on software license management that applied to the management of server software licenses.

II.               Determined if the IRS has developed adequate policies, procedures, roles, and responsibilities for the management of server software licenses.

A.    Determined if the IRS has an enterprise-wide policy for server software license management that is consistent with Government requirements and industry best practices.

B.    Determined if the IRS has enterprise-wide procedures for server software license management that are consistent with Government requirements and industry best practices.  For example, procedures should cover 1) centralized inventories with licensing data, 2) using tools for discovering installed software and monitoring software use, 3) reconciling reports from tools with software license records, 4) monitoring the use of deployed licenses, and 5) using software licensing data to better negotiate software license purchases and maintenance agreements with vendors.

C.    Determined if the IRS has enterprise-wide roles and responsibilities for server software license management that are consistent with Government requirements and industry best practices and if the IRS has assigned roles and responsibilities for all software license management procedures.

D.    Determined if the Enterprise Operations organization has local policies, procedures, and roles and responsibilities for server software license management that are consistent with Government requirements and industry best practices.

E.     Determined if the IRS’s policies, procedures, and roles and responsibilities establish a centralized, rather than decentralized, organization and structure for server software license management.

III.             Determined if the IRS has a centralized server licensing inventory and manages and maintains the inventory with software tools designed for license management.

A.    Determined if the IRS has a centralized inventory of server software including licensing data. 

B.    Determined if the IRS adequately uses tools for discovering installed software and monitoring software use.

1.     Determined how frequently the IRS performs server software discovery and software use scans and generates management reports.

2.     Determined if the IRS’s scans are capable of detecting 1) unauthorized (unlicensed) software installed, 2) the deployment of more licenses than were bought, 3) the deployment of significantly fewer licenses than were bought, and 4) deployed licenses that are not being used and can be harvested and reissued to other users or servers.

3.     Determined if the IRS uses server software licensing reports from the discovery tool to reconcile known software and licenses against discovery results and to resolve exceptions or noncompliance with software licenses.

4.     Determined if the IRS uses server software and license inventory data to better negotiate, package, and consolidate software license purchases, renewals, and maintenance with vendors. 

IV.            Determined if the IRS is adequately managing software licenses by reviewing a selection of server software products.

A.    Determined the inventory data the IRS has on its server software products and how it could be used to select software products to review the IRS’s software license management.

B.    With a goal to illustrate the effect of the current IRS processes in place to track and manage software licenses, we chose to select a subset of 24 software products for review.  Because the IRS did not have a complete centralized inventory of its software, including licensing data, three lists of software products were used to select the server software products.  The Enterprise Standards Profile is a portfolio of all (enterprise-wide) approved commercial off-the-shelf software products that have been tested and approved for use on IRS computers.  The IRS may or may not choose to go forward with purchasing and installing the products on this list.  Because of this, 100 server software products were randomly selected from the Enterprise Standards Profile as potential cases.  To better refine the potential cases, two additional lists from the IRS were used:  1) software installed on IRS computers as identified via IRS network scans and 2) software purchased as identified from several recordkeeping systems.  If any of the 100 software products selected from the Enterprise Standards Profile could not be identified on either of these two sources, it was removed from the list of potential cases.  From the 34 potential cases identified through this process, information was requested and received from the IRS for 24 software products.  One product of the 24 was deleted as it was determined that the license for this product was not owned by the IRS.

C.    On each software product reviewed, 1) obtained the software licensing agreement or other documentation that named and explained the licensing metric, 2) reviewed software purchase documents, 3) reviewed records used by the IRS to manage and track the deployment of software licenses, and 4) determined the scope of the IRS’s software licensing management and tracking activities.

D.    On each software product reviewed, obtained additional documentation and interviewed IRS employees as necessary to substantiate the accuracy of the software licensing data being managed and tracked.

E.     On each software product reviewed, determined if the IRS was managing and tracking licenses for 1) the deployment of more licenses than were bought, 2) the deployment of significantly fewer licenses than were bought, 3) deployed licenses that were not being used and could be harvested and reissued to other users or computers, and 4) any other software license management activities that the IRS could be doing based upon comparison with other reviewed products.  We also calculated the estimated costs of license overdeployment and underdeployment.

F.     On each software product reviewed, determined how exceptions or noncompliance with software licenses are resolved.

G.    On each software product reviewed that was for annual software renewal or maintenance, determined if the number of software licenses that maintenance was purchased for was the minimum needed based on data that tracked the license deployment history of the software product.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined that the following internal controls were relevant to our audit objective:  the IT organization’s policies, procedures, and processes for managing and tracking software licenses.  We evaluated these controls by interviewing IT organization management, identifying Federal requirements and industry best practices for managing and tracking software licenses, and reviewing software license management and tracking on a selection of server software products. 

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Danny Verneuille, Director

John Ledford, Audit Manager

Richard Borst, Lead Auditor

George Franklin, Senior Auditor

Ryan Perry, Senior Auditor

Kasey Koontz, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Information Officer, Enterprise Operations  OS:CTO:EO

Associate Chief Information Officer, Strategy and Planning  OS:CTO:SP

Director, Vendor Contract Management  OS:CTO:SP:VCM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Director, Risk Management Division  OS:CTO:SP:RM

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective action will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

·       Inefficient Use of Resources – Potential; $97.8 million midpoint of the range (ranging from $81.4 million to $114.1 million) (see page 4).

Methodology Used to Measure the Reported Benefit:

On behalf of IBM, a third-party contractor conducted a compliance review of the IRS’s software license agreements[19] associated with its IBM software contract.  The review produced lists of software with data on the number of licenses that had been nondeployed, underdeployed, and overdeployed.  The IBM contract in effect when the compliance review was performed did not include itemized pricing information that TIGTA could use to determine the exact cost of the nondeployed, underdeployed, and overdeployed licenses and related software and subscription support.  Therefore, we used the 2012 IBM GSA Price List, the only itemized pricing information available, to estimate the cost with the exception of a small number of software products for which we could not match to a GSA price.  

Also, IRS management stated that because the IRS is a large purchaser of IBM software it pays 30 percent less than the GSA price, which could potentially affect the estimated value of license nondeployment, underdeployment, and overdeployment.  The IRS was unable to provide documentation showing that such discounts occurred for the software in our analysis; however, to account for this possibility, we show the potential discounted amount in the range.

Based on the compliance review, GSA prices, and IRS comment, we determined that the IRS had:

·       Purchased but not deployed software licenses and related software and subscription support on 43 IBM server software products at the time of the compliance review, at an estimated range of value from $43.3 million to $62.0 million with a midpoint value of the range at $52.7 million.  

·       Deployed significantly fewer software licenses and related software and subscription support than it purchased on 18 IBM server software products at the time of the compliance review, at an estimated range of value from $32.8 million to $46.8 million and a midpoint value of the range at $39.8 million.  Our figures on license underdeployments only include amounts in excess of 10 percent of the number of licenses purchased.  

These ranges could be lower or higher depending on the extent that the IRS had used the licenses prior to the compliance review.  However, the IRS does not know if the software licenses were ever used.  In addition to nondeployed and underdeployed licenses identified in the contractor review, we found that licenses were underdeployed for eight of 23 server software products we reviewed, at an estimated cost of $5.3 million.  This figure includes only the amount in excess of 10 percent of the number of licenses purchased.  To determine the extent that licenses were underdeployed and overdeployed in the products we reviewed, we obtained requisitions and purchase orders to determine the number of licenses purchased, the number of licenses that maintenance was purchased for, and the prices paid.  We also obtained IRS license tracking reports or, if none were available, we requested the data needed, depending on the license metric, for determining the number of licenses that had been deployed.

 

Appendix V

 

Glossary of Terms

 

Term

Definition

Best Practices

Proven activities or processes that have been successfully used by multiple organizations.

Campus

The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Enterprise Operations Organization

The part of the IRS IT organization that provides server and mainframe computing services for all IRS business entities and taxpayers.

Executive Orders

Legally binding orders given by the President, acting as the head of the Executive Branch, to Federal Administrative Agencies.  Executive Orders are generally used to direct Federal agencies and officials in their execution of congressionally established laws or policies.

Executive Order 13103, Computer Software Piracy

Requires Federal agencies to develop software license management policies and procedures.  It also requires Federal agencies to prepare inventories of software present on computers to help ensure that software is used in compliance with copyright laws.

Executive Order 13589, Promoting Efficient Spending

Requires Federal agencies to take inventory of their information technology assets and ensure that they are not paying for nondeployed or underdeployed installed software.

Federal Chief Information Officer Council

As the principal interagency forum on Federal information technology, the purpose of the Federal Chief Information Officer Council is to foster collaboration among Federal Government Chief Information Officers in strengthening Governmentwide information technology management practices.

Fiscal Year

Any yearly accounting period, regardless of its relationship to a calendar year.  The Federal Government’s fiscal year begins on October 1 and ends on September 30.

Forrester Research Inc.

A global research and advisory firm that provides research guidance to the information technology industry.

Government Accountability  Office

The audit, evaluation, and investigative arm of Congress that provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.

Information Technology Infrastructure Library (ITIL®)

Provides guidelines for the use and management of software and licenses. 

The ITIL is a widely accepted set of concepts and practices for information technology service management derived from user and vendor experts in both the private and public sectors.  The ITIL focuses on the key service management principles pertaining to service strategy, service design, service transition, service operation, and continual service improvement, with each principle being covered in a separate ITIL core publication.  Software asset management is a key process described within the service transition core publication.  The ITIL also has a separate publication entitled Best Practice Software Asset Management that covers software asset and license management best practices in more depth than the core publication.  ITIL best practices recommend 1) the development of software license management policies and procedures and roles and responsibilities; 2) a centralized, enterprise-wide management structure for software asset management; 3) the use of software license management tools; and 4) the creation and maintenance of accurate enterprise-wide inventories of software licenses. 

Information Technology Infrastructure Library (ITIL) Maturity Levels

Maturity levels refer to an IT organization’s ability to perform.  An organization passes through the following five evolutionary levels as it becomes more competent:

Level 1:  Initial – Focuses on technology and technology excellence/experts.

Level 2:  Repeatable – Focuses on products/services and operational processes (e.g., Service Support).

Level 3:  Defined – Focuses on the customer and proper
service-level management.

Level 4:  Managed – Focuses on business/information technology alignment.

Level 5:  Optimized – Focuses on value and the seamless integration of information technology into the business and strategy making.

Information Technology Organization

The IRS organization responsible for delivering information technology services and solutions that drive effective tax administration to ensure public confidence.

National Institute of Standards and Technology

A part of the Department of Commerce that is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

National Institute of Standards and Technology Special Publication
800-53, Recommended Security Controls for Federal Information Systems and Organizations

Requires that Federal agencies employ tracking systems, such as specialized fully automated applications depending on the needs of the organization, for software protected by quantity licenses to control copying and distribution and to help ensure that software is used in accordance with licensing agreements.

SharePoint

Microsoft SharePoint is a collection of products and software elements that includes web browser-based collaboration functions and a document management platform.  SharePoint can be used to host web sites that access shared workspaces, information stores, and documents.

Software License Agreement

The legal contract between the owner and purchaser of a piece of software that establishes the purchaser’s rights.  A software license agreement provides details and limitations on where, how, how often, and when the software can be installed and used, and provides restrictions that are imposed on the software.  The agreement includes the licensing model that will be used for defining and measuring the use of the software.  For example, a common simple license model could be based on how many people can use the software and how many systems the software may be installed on.  Software companies also make special license agreements for large business and Government entities that may be different from those provided to the general consumer.

Treasury Directive Publication 85-01, Treasury IT Security Program

Requires that bureaus periodically scan their networks to detect and remove any unauthorized or unlicensed software.

Treasury Directive 85-02, Software Piracy Policy

Issued to implement Executive Order 13103 and requires that bureaus establish and maintain an accurate software inventory to help ensure that software is used in accordance with software license agreements.

 

 

Appendix VI

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D. C. 20224

 

CHIEF TECHNOLOGY OFFICER

 

 

July 18, 2014

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                             Terence V. Milholland /s/ Terence V. Milholland

                                          Chief Technology Officer

 

SUBJECT:                       Draft Audit Report - The Internal Revenue Service Should Improve Server Software Asset Management and Reduce Costs (Audit# 201320024) (e-trak # 2014-56054)

 

Thank you for the opportunity to review and respond to the subject audit report.  We are pleased the report acknowledges that some software license savings have been made during the last two years and an enterprise-wide software management program is underway.

 

We believe the IRS has made progress in minimizing risks and improving controls for software asset management.  As noted in the report, we are conducting activities related to centralizing software license management for IBM and Microsoft server and workstation software.  Also, we have established an Enterprise Software Governance Board (ESGB) along with an ESGB Working Group.  This effort includes the development of an Integrated Process Management (IPM) document that will ensure consistency in asset management across enterprise processes.

 

While we agree and are already in line with the recommendation to include server software license management in enterprise-wide efforts underway, we strongly disagree with the analysis of estimated waste from software purchases.  As we discussed during the audit, we found discrepancies in the TIGTA analysis that stem from a misinterpretation of how the IBM software is licensed and what constitutes underuse, overuse, or nonuse of perpetual licenses.  We also found instances where TIGTA calculated values using license costs where a maintenance cost is more appropriate.

 

Specifically, the IRS disagrees with the findings in Figure 1:  Software Licenses Underdeployed and Overdeployed (shown in the attachment) of $5.08 million spent on underutilized software (products 1, 2, 3, 4 and 6) and the $11.6 million on over deployed software (product 9). However, we do agree with $242 thousand on underutilized software (products 5, 7, and 8).

 

The IRS disagrees with the findings of $108.8 million in Figure 2: IBM Software With No Licenses Deployed and Figure 3: IBM Software With Licenses Underdeployed.  For the products in Figures 2 and 3, the pricing TIGTA used to derive the under deployment figure is based on the licensing cost.  Since the IRS owned these licenses, this figure is misleading in that the IRS would only be paying annual support, which is 22 percent of the net cost of the license at original time of purchase.

 

We also disagree with the findings of $17.2 million in Figure 4: IBM Software With Licenses Overdeployed (shown in the attachment).  However, we do agree with $2.95 million (products 3 and 4 of the Six Products) in over deployed IBM software.

 

In summary, we agree with a total of $3.2 million:  $242k of underutilized software spend and $2.95 million of over deployed software.  Our corrective action plan is attached along with comments we shared during the audit that clarify and provide context for TIGTA's estimated costs of over and under deployed software in Figures 1 and 4 of the report.

 

The Service takes cost-effective management of software licenses seriously and places great emphasis on accountability at all levels.  We value your continued support and the assistance your organization provides.  If you have any questions, please contact me at (240) 613-9373 or a member of your staff may contact Lisa Starr, Senior Manager, Program Oversight at (240) 613-4219.

 

Attachment

 

Attachment

 

RECOMMENDATION #1Incorporate server software license management in the enterprise-wide software management program currently under development.

 

CORRECTIVE ACTION #1The IRS agrees with this recommendation.  The Service has already completed actions to ensure software management policies and guidance are aligned to and include the protocols, functions, and decision making outcomes across ACIO and other enterprise units through an Enterprise Software Governance Board.  The Service is also working to complete a number of other software management actions, including developing an enterprise-wide repeatable method to manage and track the deployment of licenses that can be uniformly used by all organizational entities responsible for managing licenses.  These and other efforts underway will help move the IRS towards a comprehensive enterprise program for software license management.  We agree with the recommendation as server software is already being considered as a component of the software management program under development.

 

IMPLEMENTATION DATEN/A

 

RESPONSIBLE OFFICIALAssociate Chief Information Officer, Strategy and Planning, Vendor and Contract Management.

 

CORRECTIVE ACTION MONITORING PLANN/A

 

Below are the IRS comments shared during the audit that clarify and provide context for TIGTA's estimated costs of over and under deployed software in Figures 1 and 4 of the report.

 

Figure 1:  Software Licenses Underdeployed and Overdeployed

 

Software

TIGTA Estimated Cost

IRS Comments

Product 1

$1.7 million on licenses

The IRS purchasing strategy is different from most of the other software agreements in place today.  While under most agreements the IRS would pay an annual maintenance charge, no such charge exists for this product.  The IRS purchases a new license as needed.  Due to this the prior version license remains in IRS inventory but is unused.

 

Product 2

$1.6 million on licenses and one year of maintenance

Prior to the IRS analysis of this product in 2012, there was a large amount of unused licenses.  Upon award of the new agreement in Dec 2012, this issue was mitigated and those licenses were taken off maintenance.  This was accomplished prior to this audit.

 

Product 3

$850,000 on licenses and one year of maintenance

The IRS is a very large user of this product.  During the analysis of the software entitlement and usage in 2012, the IRS harvested all unused instances and made them available to applications that needed them.  It was determined that it was more cost effective to maintain those licenses rather than discontinue payment.

Product 4

$838,000 on licenses  and one year of maintenance

The IRS is currently in a transition period while migrating most application server instances to a different product.  Due to this the IRS will have unused licenses of this product that are harvested.  At option year 2 of the licensing agreement it is the intent of the IRS to reduce the number of licenses maintained.

Product 5

$148,000 on licenses and five years of maintenance

IRS has no disagreement.

Product 6

$96,000 on licenses and two years of maintenance

We disagree that the product licenses are under deployed.  The active licensing tier was purchased to obtain the best pricing model for future growth and expansion.  The active licensing tier protects the IRS from licensing violations.

Product 7

$68,000 on licenses and three years of maintenance

IRS has no disagreement.

Product 8

$26,000 on licenses and one year of maintenance

IRS has no disagreement.

Product 9

$11.6 million for additional licenses and maintenance for one year

Upon further analysis of TIGTA's findings the IRS conducted a deployment analysis and results were provided to TIGTA.  The document shows that the IRS has entitlement to two licenses.  Each product is licensed for the RRP application in its entirety for compiled sequential java. According to the deployment data the IRS has deployed via that method and thus is fully compliant with the terms and conditions of the licensing.

 

Figure 4: IBM Software With Licenses Overdeployed

 

Software

TIGTA Estimated Cost

IRS Comments

Product 1

$4.4 million

In order to make a fair determination of this finding it should be taken into consideration that IRS stopped paying and discontinued maintenance and or license payments by TIGTA's count under both Figure 2 and 3 of $9.2M.  By taking that into consideration the IRS did not spend $8.7M, but rather saved $.5M on all of the Tivoli items identified in Figure 4.

Product 2

$4.3 million

In order to make a fair determination of this finding it should be taken into consideration that IRS stopped paying and discontinued maintenance and or license payments by TIGTA's count under both Figure 2 and 3 of $9.2M.  By taking that into consideration the IRS did not spend $8.7M, but rather saved $.5M on all of the Tivoli items identified in Figure 4.

Product 3

$4.2 million

IRS has an unlimited agreement for this product which covers this usage.  This was confirmed with IBM and as such no over deployment exists.  This agreement was provided to TIGTA.

Product 4

$2.0 million

IRS has no disagreement.

Product 5

$1.0 million

IRS has no records of paying for this product on the current or previous IBM agreement.

Six

Products

$1.3 million (average $217,000)

1. For three products totaling $956,000, the IRS has no disagreement.  2.  For one product totaling $235,000, the IRS has an unlimited agreement for this product which covers usage.  This was confirmed with IBM and as such no over deployment exists. This agreement was provided to TIGTA. 3.  For two products totaling $77,000, The IRS stopped paying and discontinued maintenance and or license payments by TIGTA's count under both Figure 2 and 3 of -$9.2M.  By taking that into consideration the IRS did not spend $8.7M, but rather saved $.5M on all of the Tivoli items identified in Figure 4.

 



[1] See Appendix V for a glossary of terms.

[2] TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately Performed (Jun. 2013) and TIGTA, Ref. No. 2014-20-002, The Internal Revenue Service Should Improve Mainframe Software Asset Management and Reduce Costs (Feb. 2014).

[3] Exec. Order No. 13103, Computer Software Piracy (1998), and Exec. Order No. 13589, Promoting Efficient Spending (2011).

[4] Dated May 4, 2010.

[5] Internal Revenue Manual 10.8.2 (Sept. 9, 2012).

[6] Dated Aug. 2009.

[7] Dated Nov. 3, 2006.

[8] Dated April 29, 2011.

[9] Dated November 8, 2011.

[10] TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately Performed (Jun. 2013).

[11] We allowed a 10-percent cushion for the purchase of additional licenses that might have been bought at volume discount prices in anticipation of additional licenses being needed in the near future.

[12] We allowed a 10-percent cushion for the purchase of additional licenses that might have been bought at volume discount prices in anticipation of additional licenses being needed in the near future.  The number of underdeployed licenses is in excess of the 10-percent cushion.

[13] Cushion not allowed because no licenses were deployed. 

[14] We used GSA list prices because the IBM contract in effect when the compliance review was performed did not include itemized pricing information that TIGTA could use to determine the exact cost of the nondeployed, underdeployed, and overdeployed software licenses and related software and subscription support.  The GSA list price was the only itemized pricing information available.

[15] The IRS commented that, due to its volume purchasing of IBM software, it received a 30-percent discount off the GSA price; however, the IRS is unable to provide any supporting evidence of the discount.

[16] The IRS commented that due to its volume purchasing of IBM software it received a 30-percent discount off the GSA price; however, the IRS is unable to provide any supporting evidence of the discount.

[17] The IRS commented that due to its volume purchasing of IBM software it received a 30-percent discount off the GSA price; however, the IRS is unable to provide any supporting evidence of the discount.

[18] See Appendix V for a glossary of terms.

[19] See Appendix V for a glossary of terms.