Office of Audit
THE ENTERPRISE CLOUD PROGRAM DEVELOPED A STRATEGY, BUT WORK REMAINS TO ACHIEVE CLOUD-BASED MODERNIZATION GOALS
Final Report issued on March 11, 2020
Highlights of Reference Number: 2020-20-010 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
In February 2011, the U.S. Chief Information Officer released the Federal Cloud Computing Strategy referred to as Cloud First. The IRS is planning to invest in cloud services to help modernize operations. Effective controls that comply with Federal guidance and enforce standards help mitigate the risk of inefficient or unsanctioned efforts to deploy cloud systems. Without an updated cloud strategy, the IRS may miss the opportunity to deliver public value by increasing operational efficiency and responding faster to taxpayer needs.
WHY TIGTA DID THE AUDIT
This audit was initiated to evaluate the implementation of the IRS’s enterprise-wide cloud strategy to ensure compliance with Federal guidance.
WHAT TIGTA FOUND
The IRS created an enterprise-wide cloud strategy that was approved and authorized in December 2017. The strategy partially meets the Cloud First policy. In June 2019, Cloud Smart was published, which updated the Cloud First policy. As of December 2019, the IRS cloud inventory included 26 Platform-, Infrastructure-, and Software-as-a-Service implementations.
To implement the enterprise-wide cloud strategy, the IRS identified 10 workstreams, including the cloud migration assessment and the cloud services procurement workstreams. A workstream is a collection of activities intended to produce an output that will help the IRS achieve the target cloud state. However, work has not started on all workstreams including the high priority cloud services procurement workstream. The IRS relies on its existing Enterprise Life Cycle process for cloud suitability, approval, and authorization. However, there is no Internal Revenue Manual guidance or formalized process specific to cloud services within the Enterprise Life Cycle process.
Enterprise Services personnel created a Cloud Governance Board charter, but it is not approved. The primary objective of governance is to ensure that assigned investment, program, and project objectives are met; risks are managed appropriately; and enterprise expenditures are fiscally sound.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer ensure that the December 2017 enterprise-wide cloud strategy is periodically updated to reflect current Federal and Department of the Treasury guidance and requirements; all workstreams are developed; the Cloud Governance Board charter is authorized and approved; enterprise‑wide policies and procedures are developed that specifically address cloud requirements that must be considered and met prior to deciding to procure cloud services; and all new information technology projects are evaluated by the Enterprise Cloud Program for cloud service consideration and approval.
The IRS agreed with all our recommendations. The IRS plans to ensure that the enterprise-wide cloud strategy is reviewed annually and updated as needed to reflect current Federal and Department of the Treasury guidance and requirements; review and update the scope of workstreams as needed and develop a multiyear plan to complete them dependent on available funding; based on budget availability, develop guidance and requirements to be considered when procuring cloud services; and evaluate and update existing policy and processes for design, architecture, and engineering solutions to consider cloud services for all new technology projects, as appropriate.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta