TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Audit

Highlights

THE ENTERPRISE CLOUD PROGRAM DEVELOPED A STRATEGY, BUT WORK REMAINS TO ACHIEVE CLOUD-BASED MODERNIZATION GOALS

Final Report issued on March 11, 2020

Highlights of Reference Number:† 2020-20-010 to the Commissioner of Internal Revenue.

IMPACT ON TAXPAYERS

In February 2011, the U.S. Chief Information Officer released the Federal Cloud Computing Strategy referred to as Cloud First.† The IRS is planning to invest in cloud services to help modernize operations.† Effective controls that comply with Federal guidance and enforce standards help mitigate the risk of inefficient or unsanctioned efforts to deploy cloud systems.† Without an updated cloud strategy, the IRS may miss the opportunity to deliver public value by increasing operational efficiency and responding faster to taxpayer needs.

WHY TIGTA DID THE AUDIT

This audit was initiated to evaluate the implementation of the IRSís enterprise-wide cloud strategy to ensure compliance with Federal guidance.

WHAT TIGTA FOUND

The IRS created an enterprise-wide cloud strategy that was approved and authorized in December 2017.† The strategy partially meets the Cloud First policy.† In June 2019, Cloud Smart was published, which updated the Cloud First policy.† As of December 2019, the IRS cloud inventory included 26 Platform-, Infrastructure-, and Software-as-a-Service implementations.

To implement the enterprise-wide cloud strategy, the IRS identified 10 workstreams, including the cloud migration assessment and the cloud services procurement workstreams.† A workstream is a collection of activities intended to produce an output that will help the IRS achieve the target cloud state.† However, work has not started on all workstreams including the high priority cloud services procurement workstream.† The IRS relies on its existing Enterprise Life Cycle process for cloud suitability, approval, and authorization.† However, there is no Internal Revenue Manual guidance or formalized process specific to cloud services within the Enterprise Life Cycle process.

Enterprise Services personnel created a Cloud Governance Board charter, but it is not approved.† The primary objective of governance is to ensure that assigned investment, program, and project objectives are met; risks are managed appropriately; and enterprise expenditures are fiscally sound.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer ensure that the December 2017 enterprise-wide cloud strategy is periodically updated to reflect current Federal and Department of the Treasury guidance and requirements; all workstreams are developed; the Cloud Governance Board charter is authorized and approved; enterprise‑wide policies and procedures are developed that specifically address cloud requirements that must be considered and met prior to deciding to procure cloud services; and all new information technology projects are evaluated by the Enterprise Cloud Program for cloud service consideration and approval.

The IRS agreed with all our recommendations.† The IRS plans to ensure that the enterprise-wide cloud strategy is reviewed annually and updated as needed to reflect current Federal and Department of the Treasury guidance and requirements; review and update the scope of workstreams as needed and develop a multiyear plan to complete them dependent on available funding; based on budget availability, develop guidance and requirements to be considered when procuring cloud services; and evaluate and update existing policy and processes for design, architecture, and engineering solutions to consider cloud services for all new technology projects, as appropriate.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

https://www.treasury.gov/tigta/auditreports/2020reports/202020010fr.pdf.

 

Phone Number ††/† 202-622-6500

E-mail Address †/TIGTACommunications@tigta.treas.gov

Website†††††† ††††††/https://www.treasury.gov/tigta