TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Affordable Care Act Information Sharing and Reporting Project

August 20, 2015

Reference Number:  2015-23-062

 

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number / 202-622-6500

E-mail Address / TIGTACommunications@tigta.treas.gov

Website / http://www.treasury.gov/tigta

 

 

HIGHLIGHTS

AFFORDABLE CARE ACT INFORMATION SHARING AND REPORTING PROJECT


Final Report issued on August 20, 2015

Highlights of Reference Number:  2015-23-062 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

While the primary goal of the Affordable Care Act (ACA) is health care reform, the tax-related provisions in the law play a key role in achieving that goal.  There are approximately 50 ACA provisions that affect the IRS and the administration of taxes.  The ACA is intended to ensure coverage as well as simplify an applicant’s search for health coverage by offering Premium Tax Credits based on family size and income.

WHY TIGTA DID THE AUDIT

This audit was initiated because the ACA Information Sharing and Reporting (IS&R) Project is one of the core projects in ACA Release 5.0.  The IS&R system handles data requests and sends responses by communicating with other IRS systems.  ACA Release 5.0 was deployed in a controlled launch on January 5, 2015, with full deployment on January 12, 2015.  The overall objective of this audit was to determine whether the IRS sufficiently identified and mitigated risks potentially affecting the ACA IS&R systems and has properly managed requirements testing. 

WHAT TIGTA FOUND

While ACA IS&R Release 5.0 was deployed in time for the 2015 Filing Season, lapses occurred in risk and requirements management. 

TIGTA noted instances in which IS&R Project management did not timely begin initial monitoring efforts of risks and issues, update the risk management system, or resolve its risks and issues.  For example, in seven instances, between six and 391 days elapsed from the estimated closure date to the actual date the risks and issues were closed, and in six instances, it took between 29 and 79 days from the date the risks were identified to the date the risks were initially discussed by management in status meetings.

TIGTA also determined that the IS&R Project did not adequately maintain a central repository of system requirements.  Specifically, it took several attempts for IS&R Project management to identify a complete inventory of system requirements.  In addition, TIGTA determined that Section 508 requirements were not included in the requirements repository.  Finally, TIGTA was unable to verify the traceability of system requirements because the testing team did not maintain a current requirements traceability matrix.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer:  ensure that the IS&R Project Risk Management Plan is updated to establish time frames to effectively identify and monitor risks and issues and clearly reflect its high-priority risk and issue elevation process, ensure that only in‑scope requirements are included in requirements traceability documentation when release-level testing is conducted for future releases, ensure that written procedures to track and control functional and nonfunctional requirements throughout the development process at the IS&R Project and release levels are implemented for future releases, and standardize guidelines to ensure complete requirements traceability throughout the development life cycle.

The IRS agreed with our recommendations and plans to update the Project Risk Management Plan, implement changes to its high-priority and high-impact risk and issue elevation process, and include only in-scope requirements in its documentation.  While the IRS also highlighted its established guidance on tracking and controlling requirements and requirements traceability, TIGTA believes the guidance in the current version of the Internal Revenue Manual needs to be more specific.

 

August 20, 2015

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

 

FROM:  Michael E. McKenney /s/ Michael E. McKenney

Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Affordable Care Act Information Sharing and Reporting Project (Audit # 201420326)

 

This report presents the results of our review to determine whether the Internal Revenue Service sufficiently identified and mitigated risks potentially affecting the Affordable Care Act[1] Information Sharing and Reporting systems and has properly managed requirements testing.  This audit is included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2015 Annual Audit Plan under the major management challenge of Implementing the Affordable Care Act and Other Tax Law Changes.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations.  If you have any questions, please contact me or Danny Verneuille, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

 

 

Table of Contents

 

Background

Results of Review

Critical Functionality Was Deployed in Time for the 2015 Filing Season, and Noncritical Functionality Was Appropriately Moved to a Future Release

Risk Management Needs Improvement to Ensure Timely Monitoring and Resolution of Project Risks and Issues

Recommendations 1 and 2:

Better Requirements Traceability Is Needed to Ensure Successful Deployment of Future Releases and Long-Term Operations

Recommendations 3 and 4:

Recommendation 5:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

Abbreviations

ACA – Affordable Care Act

IRM – Internal Revenue Manual

IRS – Internal Revenue Service

IS&R – Information Sharing and Reporting

ITRAC – Item Tracking Reporting and Control

PMO – Program Management Office

RMP – Risk Management Plan

RTVM – Requirements Traceability Verification Matrix

 

Background

 

The Patient Protection and Affordable Care Act of 2010 and the Health Care and Education Reconciliation Act of 2010 (hereafter collectively referred to as the Affordable Care Act (ACA)) were both signed into law in March 2010.[2]  By creating a new Health Insurance Marketplace, the ACA will simplify an applicant’s search for health coverage by providing multiple options in one place and comparing plans based on price, benefits, quality, and other important features that help consumers make a choice.

While the ACA’s primary goal is health care reform, the tax-related provisions in the law play a key role in achieving that goal.  There are approximately 50 ACA provisions that affect the Internal Revenue Service (IRS) and the administration of taxes.  The IRS is responsible for implementing and administering those provisions that have an impact on tax administration.  To implement these ACA tax provisions, the IRS had to build new systems, modify existing systems, and mitigate risks associated with the new and existing systems.  Between Calendar Years 2010 and 2018, the IRS’s plans call for development or modification of approximately 80 to 100 applications to implement nearly 50 ACA provisions.

To oversee the ACA provisions, the IRS uses two Program Management Offices (PMO).  The ACA office, under the Deputy Commissioner for Services and Enforcement, seeks to 1) ensure that stakeholders are aware of and understand their ACA tax benefits and responsibilities, 2) support new and existing partners to enable the operations of the ACA, 3) support high levels of voluntary compliance while protecting the tax system from fraud and other noncompliance, and 4) ensure efficient incorporation of the ACA into tax administration.  The ACA office includes a PMO and three core teams:  Filing and Premium Tax Credit, Compliance Strategy and Policy, and Customer Service and Stakeholder Relations. 

The IRS also has an ACA PMO within the Information Technology organization to manage strategic planning, development, and delivery of ACA capabilities in support of related business requirements.  The Information Technology organization ACA PMO develops, tests, and implements ACA functionality into a series of technical releases. 

Each ACA technical release may have multiple project releases implemented over a period of time.  The Information Sharing and Reporting (IS&R) Project is an important project with various functionalities implemented in ACA Releases 3.0, 4.0, 4.1, and 5.0.  ACA IS&R Release 5.0 functionality was deployed in a controlled launch on January 5, 2015, with full deployment on January 12, 2015. 

Table 1 shows the IRS systems that interface with the IS&R Project systems to request ACA Release 5.0 information, and Table 2 shows the IRS data systems that interface with the IS&R Project to fulfill the requests in ACA Release 5.0.

Table 1:  IRS Systems That Interface With the IS&R Project Systems to Request ACA Release 5.0 Information

System Title – System Description

Account Management Services – IRS Customer Service Account Management System.

ACA Information Returns – System that checks if a State exchange is authorized.

Modernized e-File – System that enables electronic filing of IRS returns via the Internet.

Source:  IS&R Project overview document provided by IS&R Project management.

Table 2:  IRS Data Systems That Interface With the IS&R Project Systems to Fulfill Requests in ACA Release 5.0

System Title – System Description

ACA Verification Service – IRS system that provides Premium Tax Credit calculations for Form 1040 class tax returns.[3]

Coverage Data Repository – Database that houses information from exchanges used for eligibility determination calculations.

Negative Taxpayer Identification Number Service – System that checks for user attempts to access data for restricted Taxpayer Identification Numbers.

Taxpayer Identification Number Validation Service – Enterprise common service for validating a Taxpayer Identification Number and name combination against IRS records.

Source:  IS&R Project overview document provided by IS&R Project management.

The IS&R Project is separated into two components:  IS&R Sharing and IS&R Reporting.  IS&R Sharing is managed by the Release Level Technical Support office in the Infrastructure Compliance organization, and IS&R Reporting is managed by the Information Applications Branch.  Although the two components are separated, there is only one project, and all project documentation is maintained together.  As part of ACA Release 5.0, the IS&R Project has the following functionality: 

This review was performed in the ACA IS&R Project offices in the New Carrollton Federal Building in Lanham, Maryland, and the Farmers Branch Federal Building in Farmers Branch, Texas, during the period December 2014 through April 2015.  During the review, we experienced consistent delays in receiving information requested from IS&R Project personnel.  For example, 48 of 102 formal information documents requested took longer than two weeks to obtain.    

We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

Critical Functionality Was Deployed in Time for the 2015 Filing Season, and Noncritical Functionality Was Appropriately Moved to a Future Release

The ACA PMO has deployed several releases over the past few years.  The IRS delivered the first major ACA release (ACA 3.0) in October 2013 to support open enrollment in the Marketplaces.  ACA 3.0 delivered several major new capabilities to include:

ACA 4.1 was deployed in March 2014.  In support of certain non-Marketplace provisions, this release provided functionality that accomplished the following:

ACA 4.0 was deployed after ACA 4.1, in September 2014, to support the increased data flows into the Coverage Data Repository, allowing the IRS to prepare for filing and post-filing activities.  A key component of this release was the receipt of exchange periodic data.[7]

The IS&R Project’s Release 5.0 planned functionality was implemented in January 2015, in time for the 2015 Filing Season, with the exception of providing the reporting capability for Form 1095-B, Health Coverage,[8] and Form 1095-C, Employer-Provided Health Insurance Offer and Coverage Insurance.[9]  Requirements to provide Forms 1095-B/C functionality have been reallocated to be developed and tested for a future release date.  IRS management provided documentation that represented this deferral was appropriately authorized with a change request.  Sufficient notice of the change was given to IS&R Project management to allow a coordinated effort and seamless realignment of requirements for the current release.  This notice and planning served to minimize wasted effort and ensure that completed work could be carried forward to a future release.

Risk Management Needs Improvement to Ensure Timely Monitoring and Resolution of Project Risks and Issues

Internal Revenue Manual (IRM) Section 2.16.1, Enterprise Life Cycle (ELC) Guidance, states that a risk management plan (RMP) should describe the processes, techniques, and tools that will be used to track, manage, and control project risks.  According to the Government Accountability Office’s Standards for Internal Control in the Federal Government, (GAO-14-704G dated September 2014), it is management’s responsibility to develop detailed policies, procedures, and practices for their agency’s operations and to ensure that they are built into and are an integral part of operations. 

The purpose of the IS&R Project RMP is to address risks[10] and issues[11] associated with the project and assist in performing risk and issue management.  The RMP will assist the IS&R Project in identifying risks, assessing the nature of the risks, and developing mitigation or management strategies.  The RMP instructs IS&R Project teams to develop mitigation plans for risks to help avoid or control the potential impact of a risk and to manage the risk if it progresses into an issue.  The RMP states that risks and issues are discussed during regularly scheduled meetings and must be addressed before closure.  When necessary, high-priority and high-impact risks and issues will be elevated to the Release and Program Management teams via regular status reporting or ad-hoc communications.

The RMP also provides that the IS&R Project must use the Item Tracking Reporting and Control (ITRAC) system as the system of record to log all IS&R Project risks and issues, and include a current inventory of risks and issues that have the potential to affect the project.  Regular periodic reviews are conducted to monitor and update risks in the ITRAC system. 

In our review of IS&R Sharing’s nine risks and five issues, we noted instances in which IS&R Sharing did not timely resolve issues and did not timely update the ITRAC system with a risk once it was identified.  We also determined that IS&R Sharing did not timely begin initial monitoring efforts[12] on all of its risks and issues in the ITRAC system.  For example,

·       In seven instances, between six and 391 days elapsed from the estimated closure date to the actual date the IS&R Sharing risks and issues were closed.  In two specific instances, it took IS&R Sharing 209 days and 370 days, respectively, from the due date to resolve or close the issues.  The first issue related to monitoring disk space in a file system.[13]  The issue was submitted into the ITRAC system on February 25, 2014, and was due to be resolved on April 18, 2014; however, it was closed/resolved on November 13, 2014 (almost seven months past due).  The second issue was a high priority and dealt with a need to integrate software systems libraries into one library that would support different ACA releases.  The issue was submitted into the ITRAC system on November 14, 2013, and was due to be resolved on November 27, 2013.  It was closed/resolved on December 2, 2014, which was more than 12 months past the due date.

Multiple organizations, including both Enterprise Operations and Solutions Engineering, were involved in monitoring disk space and building a software systems library.  IS&R Sharing staff stated that it was a challenge to ensure that resolution deadlines were met and that they made further efforts to coordinate with the other organizations on risk or issue resolution when progress was delayed.  IS&R Sharing staff stated that in these situations, they will also contact frontline managers and involve their own management if necessary.  We determined that IS&R Sharing discussed the issues regularly during biweekly meetings and monitored them in the ITRAC system.  In each instance, IS&R Sharing coordinated with the other organizations to attempt to timely resolve the issues.

·       In two instances, the risks/issues are still open and, as of March 25, 2015, are 103 days and 341 days, respectively, past the due date.  IS&R Sharing stated that the risk was closed on January 14, 2015.  However, no closure date is reflected in the ITRAC system. 

·       In six instances, it took IS&R Sharing between 29 and 79 days from the date the risks were identified to the date the risks were initially discussed by management in status meetings.

·       In three instances, it took IS&R Sharing between 15 and 22 days from the date the risks were identified to submit them into the ITRAC system.

·       In two instances, it took IS&R Sharing between 19 and 42 days from the date the issues were submitted into the ITRAC system to when they were discussed by management.  

We also identified two high-priority issues that were not properly elevated to the Release and Program Management teams.  While IS&R Sharing management believed the two high-priority issues were handled properly, they did not provide evidence that the issues were formally elevated to both the Release and Program Management teams.

The IRM is silent on specific timeliness standards for the periods between due date and closed date of the risk or issue and between risk identification or risk/issue submission and initiation of monitoring efforts.  Although IS&R Sharing staff stated that they have a two-week timeliness standard established for initiating monitoring efforts, we were unable to locate it in the RMP or other internal guidance.  Upon later discussion, IS&R Sharing personnel acknowledged that they do not have specific timeliness standards established in the RMP and are developing procedures to assist in facilitating risks and issues when delays occur.  IS&R Sharing personnel indicated that these procedures will include a two-week timeliness standard for initiating monitoring efforts and a process plan for collaborating with other parties involved in risk or issue resolution to ensure timely closure.  The procedures will also include general guidelines that will help ensure the timely inclusion of meeting minutes in the project files. 

The purpose of risk management is to identify potential problems before they occur so that risk handling activities can be planned and invoked as needed to mitigate adverse impacts on achieving objectives.  Without timely and effective management oversight and clear written policies and procedures in place, the IS&R Project cannot fulfill its responsibilities for risk management.  Risks and issues not addressed timely could disrupt work efforts, make necessary changes more challenging to accomplish, and endanger the achievement of critical objectives.

Recommendations

The Chief Technology Officer should:

Recommendation 1:  Ensure that the IS&R Project RMP is updated to establish time frames to effectively identify and monitor risks and issues.

Management’s Response:  The IRS agreed with this recommendation and will update and implement changes to the RMP for better monitoring and escalation of risks. 

Recommendation 2:  Ensure that the IS&R Project RMP is updated to clearly reflect its high‑priority and high-impact risk and issue elevation process.

Management’s Response:  The IRS agreed with this recommendation and will implement changes to its high-priority and high-impact risk and issue elevation process and will make needed updates to the RMP for better monitoring and escalation of risks and issues.

Better Requirements Traceability Is Needed to Ensure Successful Deployment of Future Releases and Long-Term Operations

We identified three IRM criteria related to the requirements management process:

·       IRM 2.6.1, Test Assurance & Documentation (TAD) Standards.

·       IRM 2.110, Requirements Engineering.

·       IRM 2.127.2, Software Testing Standards and Procedures.

Since the ACA was enacted into law in March 2010, IRM guidance regarding the generation of systems requirements traceability documentation has continually been superseded or removed.  For example, IRM 2.6.1, published in March 2010, contains instructions on how to complete the Requirements Traceability Verification Matrix (RTVM); the November 2010 revision, which supersedes the March 2010 version, contains no instructions.  In addition, the IRS revised and republished IRM 2.127.2 on April 21, 2014; May 16, 2014; and March 17, 2015.

In addition, requirements management best practices dictate that traceability occur throughout the creation of requirements and associated artifacts.  Traceability relationships are maintained in the project’s repositories, e.g., RequisitePro, and are reported in the Business System Report (previously named the Business System Requirements Report).  Requirements traceability matrices occur in several variously named documents.  The Implementation and Testing organization’s Consolidated Project-Level System Test Plan for ACA Release 5.0 states that an RTVM is a required test artifact. 

In November 2014, IS&R Project management informed us that there were a total of 470 requirements for IS&R Project Release 5.0.  IS&R Project personnel subsequently provided us with an updated number of 371 requirements.  IS&R Sharing management explained that the difference between the 470 requirements and the 371 requirements provided to us was a result of not correctly obtaining the first requirements count from the RequisitePro requirements tracking system.  Of the 371 total requirements, 185 requirements belonged to IS&R Reporting.  The remaining 186 requirements belonged to IS&R Sharing.  We determined that IS&R Reporting’s list of 185 requirements included 26 (14 percent) requirements that were labeled by the Implementation and Testing organization as out-of-scope, reallocated to a future release, or late.

Based on our inquiry, IS&R Project management confirmed that IS&R Reporting’s Section 508 Compliance nonfunctional requirements were inadvertently omitted from RequisitePro.  IS&R Project management stated that they did not have procedures to ensure that all nonfunctional requirements are assigned and tracked at the project level. 

Finally, we were not provided with complete traceability information for IS&R Sharing’s 186 requirements.  We obtained revised requirements counts and corresponding test results from IS&R Sharing on several occasions.  After reviewing the requirements traceability information, corresponding test cases, and cited test results, we developed a partially complete RTVM.  We asked IS&R Project management to complete the matrix by populating the remaining fields.  IS&R Sharing explained that the RTVM could not currently be completed and that it would be a product resulting from ACA PMO Implementation and Testing Team’s efforts and IS&R Sharing’s efforts. 

We concluded that the Implementation and Testing Team did not have an up-to-date RTVM in place to ensure complete traceability between the IS&R Project requirements and test cases.  IS&R Project management explained that they did not use the RTVM process during IS&R Project release-level requirements development and testing. 

The ACA Release 5.0 went live in a controlled launch on January 5, 2015.  IS&R Project management indicated that capacity testing was completed prior to implementation, but our review of performance requirements traceability documentation in conjunction with test results documentation does not clearly validate that sufficient capacity testing was completed.

As a result of the lack of complete requirements traceability information, we were unable to confirm that capacity testing was performed prior to implementation.  On January 15, 2015, the IRS reported that the Enterprise Service Bus queue log failed to drain, causing excessive response times in the Modernized e-File system.

A complete requirements traceability process is an important risk mitigation control for ensuring that all test cases are traced to specific requirements.  Without it, incomplete, missing, or invalid requirements could have an adverse impact on the functionality of the IS&R Project system or jeopardize the successful implementation of future IS&R Project system releases.

Recommendations

The Chief Technology Officer should:

Recommendation 3:  Ensure that only in-scope requirements are included in requirements traceability documentation when release-level testing is conducted for future releases.

Management’s Response:  The IRS agreed with this recommendation and confirmed that Enterprise System Test procedures for requirements traceability include only requirements that are in-scope for the test effort.  Enterprise System Testing executive leadership reviewed the procedures with impacted senior management, and the RTVM will include only in-scope requirements for future releases.

Recommendation 4:  Ensure that written procedures to track and control functional and nonfunctional requirements throughout the development process at the IS&R Project and release levels are implemented for future releases.

 

Management’s Response:  The IRS agreed with this recommendation and will ensure that for future releases, the IS&R Project staff understand and follow IRM 2.110 guidance on Requirements Engineering. 

Office of Audit Comment:  While the IRS agreed with the recommendation, IRM 2.110 does not currently provide adequate procedures to track and control functional and nonfunctional requirements throughout the development process.  IRM 2.6.1, Test Assurance & Documentation (TAD) Standards, dated March 2010, contained specific instructions to complete the RTVM.  These necessary instructions have been removed in subsequent revisions.

Recommendation 5:  Standardize guidelines to ensure that there is complete requirements traceability throughout the development life cycle.

Management’s Response:  The IRS agreed with this recommendation and stated that the standardized guidance for projects to maintain requirements traceability is outlined in Requirements Engineering IRM 2.110. 

Office of Audit Comment:  As noted in our previous comment, IRM 2.110 does not currently provide adequate guidance to ensure consistency in requirements traceability.  IRM 2.6.1, Test Assurance & Documentation (TAD) Standards, dated March 2010, contained specific instructions to complete the RTVM.  These necessary instructions have been removed in subsequent revisions.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

Our overall objective was to determine whether the IRS sufficiently identified and mitigated risks potentially affecting the ACA IS&R systems and properly managed requirements testing.  To accomplish our objective, we:

I.  Determined whether risks were properly identified, monitored, and mitigated in accordance with applicable guidance.

    A.  Reviewed the ACA PMO and IS&R Project information technology RMPs and the IS&R Program Management Plan.

    B.  Reviewed the risk management process.

    C.  Obtained and reviewed the current IS&R risk reports from the ITRAC system.

II.  Determined whether the IRS is adequately managing the requirements and systems testing activities for the IS&R Project.

    A.  Reviewed the IS&R requirements management processes.

    B.  Obtained and reviewed for completeness the RTVMs for both IS&R Reporting and IS&R Sharing.

    C.  Obtained the total population of IS&R requirements to identify functional and nonfunctional requirements and to determine the extent of requirements traceability.

    D.  Obtained the schedule for the various testing dates and the various tests of IS&R functional and nonfunctional requirements and determined if tested requirements (to include capacity testing) were traceable to test results.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined that the following internal controls were relevant to our audit objective:  IRM Sections 2.16.1, 2.110, and 2.127, ACA IS&R Project management documentation, and the Requirements Engineering Program Office policies.  We evaluated these controls by interviewing management and reviewing documentation supporting the effectiveness of ACA IS&R system risk and requirements management processes.

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Danny Verneuille, Director

Myron Gulley, Audit Manager

Mark Carder, Lead Auditor

Mike Mohrman, Senior Auditor

Chanda Stratton, Senior Auditor

Craig LeQuire, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Information Officer, Enterprise Program Management Office  OS:CTO:EPMO

Director, Risk Management Division  OS:CTO:SP:RM

Chief Counsel  CC

National Taxpayer Advocate  TA
Director, Office of Program Evaluation and Risk Analysis  RAS:O

Director, Office of Audit Coordination  OS:PPAC:AC

Office of Internal Control  OS:CFO:CPIC:IC

 

Appendix IV

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

CHIEF, TECHNOLOGY OFFICER

 

 

July 23, 2015

 

 

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:  for Terence V. Milholland /s/ S. Gina Garza

Chief Technology Office

SUBJECT:  Affordable Care Act Information Sharing and Reporting Project (e-trak #2015-69985)

 

The IRS has successfully delivered significant changes to the tax code in recent years, which allows taxpayers to report health insurance coverage, claim health coverage exemptions, self-assert the shared responsibility payment and claim the premium tax credit, or reconcile the advanced premium tax credit received over the tax year.  Many of these changes were seamlessly integrated into Filing Season 2015 tax administration processing and the Information Sharing and Reporting (IS&R) project was a critical component of this success.

 

We appreciate the audit team's recognition of the integral role the functionality being delivered through the IS&R project has played in supporting the IRS' obligations in the implementation of the ACA, and their recognition that this project team has successfully delivered functionality as part of several major program releases.  IRS has a well-defined and robust approach to project and program management across a range of disciplines. The ACA PMO's implementation of these practices has allowed us to deliver successfully.  We acknowledge that there is always room for improvement and believe your recommendations are consistent with our efforts to refine and improve our execution and documentation.

 

I am committed to continuously improving the IRS information technology systems and processes.  We value your continued support and the assistance and guidance your team provides.  Our corrective action plan for the recommendations is attached.   If you have any questions, please contact me at (240) 613-9373, or a member of your staff may contact Carmelita White, Program Oversight Coordination Manager, at (240) 613-2191.

 

Attachment

 

Attachment

 

RECOMMENDATION #1:  The Chief Technology Officer should ensure that the IS&R Project RMP is updated to establish time frames to effectively identify and monitor risks and issues.

 

CORRECTIVE ACTION #1: The IRS agrees with the recommendation.  The Information Sharing and Reporting project has a Risk Management Plan (RMP) document in place and will update and implement changes for better monitoring and escalation of risks and issues.  The updated version of the RMP will be made in accordance with existing ELC guidance.

 

IMPLEMENTATION DATE:  November 15, 2015

 

RESPONSIBLE OFFICIAL:  The Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #2:  The Chief Technology Officer should ensure that the IS&R Project RMP is updated to clearly reflect its high priority and high-impact risk and issue elevation process.

 

CORRECTIVE ACTION #2:  The IRS agrees with the recommendation.  The Information Sharing and Reporting project will implement changes to its high priority and high-impact risk and issue elevation process and will make needed updates to the RMP for better monitoring and escalation of risks and issues as part of the ELC defined process for documentation updates.

 

IMPLEMENTATION DATE:  November 15, 2015

 

RESPONSIBLE OFFICIAL:  The Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #3:  The Chief Technology Officer should ensure that only in-scope requirements are included in requirements traceability documentation when release-level testing is conducted for future releases.

 

CORRECTIVE ACTION #3:  The IRS agrees with this recommendation and confirms Enterprise System Test procedures for requirements traceability include only requirements that are in-scope for the test effort.  Enterprise System Testing (EST) executive leadership reviewed the procedure with impacted EST Senior Managers, and the Requirements Traceability Verification Matrix (RTVM) will include only in-scope requirements for future releases.

 

IMPLEMENTATION DATE:  Completed, June 2, 2015

 

RESPONSIBLE OFFICIAL:  The Associate Chief Information Officer, Enterprise Services

 

CORRECTIVE ACTION MONITORING PLAN:  N/A

 

RECOMMENDATION #4:  The Chief Technology Officer should ensure that written procedures to track and control functional and nonfunctional requirements throughout the development process at the IS&R Project and release levels are implemented for future releases.

 

CORRECTIVE ACTION #4:  The IRS agrees with this recommendation and will ensure for future releases the IS&R project staff understand and follow IRM 2.110 guidance on Requirements Engineering.

 

IMPLEMENTATION DATE:  January 15, 2016

 

RESPONSIBLE OFFICIAL:  The Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  We will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #5:  The Chief Technology Office should standardize guidelines to ensure that there is complete requirements traceability throughout the development life cycle.

 

CORRECTIVE ACTION #5:  The IRS agrees with this recommendation.  The standardized guidance for projects to maintain requirements traceability is outlined in Requirements Engineering IRM 2.110.

 

IMPLEMENTATION DATE:  N/A

 

RESPONSIBLE OFFICIAL:  N/A

 

CORRECTIVE ACTION MONITORING PLAN:  N/A



[1] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

[2] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

[3] Form 1040 class tax returns include various versions of individual income tax returns.

[4] A database that contains information returns data from third parties that have an information reporting requirement.  The database includes information from forms such as:  Form 1095-A, Health Insurance Marketplace Statement, Form 1095-B, Health Coverage, and Form 1095-C, Employer-Provided Health Insurance Offer and Coverage Insurance, used to report coverage from the ACA.

[5] A data warehouse that consolidates information from a variety of internal and external sources.  The information is used to conduct analysis, case selection, and report preparation.

[6] The IRS relies on its Integrated Enterprise Portal to ensure the success and security of electronic filing, and it serves as a preferred channel for interactions with the IRS.

[7] Includes monthly data on individuals, businesses, and policy purchase and exemption information.  The data are received, validated, and forwarded to the Coverage Data Repository for storage.

[8] Form 1095-B is used to report certain information to the IRS and taxpayers about individuals who are covered by minimum essential coverage and therefore are not liable for the individual shared responsibility payment.

[9] Form 1095-C is filed and furnished to any employee of an applicable large employer member who is a full-time employee for one or more months.  An applicable large employer is an employer that employed an average of at least 50 full-time employees on business days during the preceding calendar year.  Applicable large employer members must report that information for all 12 months of the calendar year for each employee.

[10] A risk is a potential event that could have an unwanted impact on the cost, schedule, business, or technical performance of the ACA Program or a project within the ACA Program and may develop into an issue.

[11] An issue is a situation or condition that either 1) currently has negative consequences for the ACA Program or a project or 2) has a 100 percent probability of having negative consequences for the ACA Program or a project.

[12] We recognize initial monitoring efforts as the date the first discussion of the risk or issue is recorded in the ITRAC system.

[13] The file system provides an area for large application software packages to be stored, and it needed to be monitored for disc space.  The Enterprise Operations organization was responsible for monitoring disc space levels, but this was not being done.  If available disc space is not monitored, the file system could become full and the application could become unresponsive and unable to process any other transactions.