All Small-Scale Information
Technology Projects Should Be Included in the Investment Inventory, and Related
Procurement Requisitions Should Be Properly Reviewed and
Approved
March 2005
Reference Number:
2005-20-050
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
March
16, 2005
MEMORANDUM FOR
CHIEF INFORMATION OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Audit Report - All Small-Scale Information Technology
Projects Should Be Included in the Investment Inventory, and Related
Procurement Requisitions Should Be Properly Reviewed and Approved (Audit #
200420009)
This
report presents the results of our review of
the procurement of information technology (IT) goods and services outside of
the Modernization and Information Technology Services (MITS) organization. The overall objective of this review was to determine
whether the Internal Revenue Service (IRS)
ensures IT goods and services procured outside of the MITS organization are effectively controlled, compliant with the
Enterprise Architecture (EA), do not duplicate other systems or initiatives,
and follow a disciplined systems development life cycle.
In summary, one of the major
objectives contained in the IRS Strategic Plan Fiscal Years (FY) 2005 – 2009 is
to modernize information systems to improve service and enforcement. For FY 2004, the IRS requested
nearly $1.67 billion for its Information Systems budget. Approximately $534 million (32 percent) of
the $1.67 billion was allocated for Automated Data Processing services, which
include funding for the acquisition of data processing services from the
private sector and the purchase of computer hardware and software.
In August 2002, we reported
the IRS’ process for selecting and monitoring systems improvement projects
needed to be revised to comply with the requirements contained in the Clinger-Cohen Act of
1996.
The
Clinger-Cohen Act requires agencies to use a disciplined Capital Planning and
Investment Control (CPIC) process to acquire, use, maintain, and dispose of IT
property. In November 2003, we also reported reviews of IT procurement
requisitions were not consistently performed to ensure computer hardware and
software purchases are consistent with the IRS’ current and projected EA.
Corrective
actions to those reports taken by the IRS included initiating
a refined enterprise-wide
modernization governance process to prioritize the entire inventory of IT and
modernization projects on an annual basis.
Other corrective actions taken by
the IRS included developing additional procedures, publishing an approved
computer equipment products list, and conducting reviews of
submitted requisitions for computer
hardware and software purchases to ensure reviews for
compliance with the EA are conducted and documented.
While the IRS has completed several corrective
actions to improve the CPIC process, our analysis of 271 requisitions for IT
goods and services submitted between October 1, 2003, and July 7, 2004,
determined system development projects funded by the MITS organization via a
Memorandum of Understanding (MOU) and projects not funded by the MITS
organization were most likely not to be identified by the CPIC process and
individually identified in the IRS’ IT investment portfolio. We
also determined requisitions submitted by organizations outside of the MITS
organization had an increased likelihood that required approvals and reviews
were not properly obtained and Requisition
Summaries were not attached to the requisitions. In addition,
the Requisition Signatory Authority List,
which is used to ensure requisitions have been properly approved, has not been consistently
updated. Without adequate management
controls over IT procurements initiated outside of the MITS organization, the
IRS risks acquiring IT goods and services that may duplicate other systems or
initiatives, spending funds on lower-priority projects,
and acquiring IT systems that are not compatible with the EA.
In addition, our analysis of
requisitions determined project costs were not completely captured to
accurately assess investment results.
While the IRS established a unique five-digit Project Cost Accounting
Subsystem (PCAS) code to accurately
capture project costs, we identified 3 requisitions totaling $681,522 submitted
for the Automated Background Investigation System on which the expenses were
charged to 3 separate codes not established for the project. We also identified 7 requisitions totaling
$726,174 for 2 IT investment projects that were not assigned a unique PCAS code
for tracking expenditures. By not
properly accounting for all costs, the IRS cannot determine the actual results
of the IT investment and comply with the Clinger-Cohen Act requirements to
identify significant deviations from costs, performance, or schedule.
To improve the identification of projects in the IT
investment portfolio, processing of IT requisitions, and accounting for project
costs, we recommended the Chief Information Officer (CIO) ensure the Internal Revenue Manual (IRM) and MOUs between the MITS and other
organizations are revised, as
necessary. We also
recommended the CIO ensure the Requisition Signatory Authority List remains
current, ensure the current small-scale projects are identified and mapped into
the IRS CPIC governance process, and work with the Chief Financial Officer to ensure monies spent on small-scale projects are accounted
for separately. In
addition, we recommended the CIO ensure a
mechanism is designed and implemented to identify all associated IT project
costs, regardless of the funding or PCAS codes used.
Management’s
Response: IRS management agreed with six of our seven recommendations. The IRS will revise existing MOUs and the IRM
to specify that all IT requisitions initiated by the business units are routed
through the appropriate Division Information Officer and the Director, Client
Services, to ensure projects are included in the IT portfolio, requisitions are
properly reviewed and approved, and a Requisition Summary is appropriately
attached. In addition, all small-scale investments will be
mapped to the EA and to the EA-aligned executive steering committees, which
execute the CPIC governance processes. The
IRS will also amend financial policy documents to ensure accurate accounting of
expenditures for small-scale projects and will establish an annual process for
updating the Requisition Signatory Authority List. Finally, the IRS will ensure all requisitions
are reviewed to ensure appropriate PCAS codes are used.
IRS management disagreed with our recommendation to
establish a mechanism designed and implemented to ensure all IT expenses are
accurately identified and associated with each IT investment project,
regardless of the funding or PCAS codes used.
While management disagreed with our recommendation, we agree with their
statement that the adoption of the other
recommendations constitutes an effective mechanism to ensure the accurate
identification and association of all IT expenses with each IT investment
project. Management’s complete response to the draft report is
included as Appendix V.
Copies of this report are
also being sent to the IRS managers affected by the report
recommendations. Please contact me at
(202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector
General for Audit (Information Systems
Programs),
at (202) 622-8510.
Completed Corrective Actions Improved
the Capital Planning and Investment Control Process
The Portfolio of Information Technology Investments Is Incomplete
Requisitions for Information Technology Goods and Services Were Not Properly Reviewed and Approved
Project Costs Were Not Accurately Recorded
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV
– Outcome Measures
Appendix V –
Management’s Response to the Draft Report
One of the major objectives contained in the Internal Revenue
Service (IRS) Strategic Plan Fiscal Years (FY) 2005 – 2009 is to modernize
information systems to improve service and enforcement. In support of this objective, the IRS
instituted a strategy to prioritize all information technology (IT) projects to
support business operating needs, continually monitor the IT investment
portfolio, and ensure implemented systems meet technical standards. For FY 2004, the IRS requested nearly $1.67 billion
for its Information Systems budget.
Approximately $534 million (32 percent) of the $1.67 billion was
allocated for Automated Data Processing (ADP) services, which includes funding
for the acquisition of data processing services from the private sector and the
purchase of computer hardware and software.
The Clinger-Cohen Act of 1996 requires agencies to use a disciplined Capital Planning and Investment Control (CPIC) process to acquire, use, maintain, and dispose of IT property. The Treasury Inspector General for Tax Administration is currently conducting an audit to determine whether the IRS CPIC process complies with the requirements outlined in the Clinger-Cohen Act.
The IRS categorizes its IT investment projects into three tier levels:
·
Tier
A – These are large-scale
projects, generally developed over a long time period, designed to modernize
the IRS’ antiquated business systems to improve the speed, timeliness, and
accuracy of tax administration. The Tier
A projects are managed by the IRS Business Systems Modernization Office. The IRS receives a separate appropriation, in
addition to the Information Systems
budget of $1.67 billion, for its Tier A projects that provides for
planning and IT acquisitions, including related contractor costs. In FY 2004,
the IRS requested $429 million for its modernization projects. To manage the Business Systems Modernization
(BSM) investment portfolio, the IRS has established selection and monitoring
processes and executive steering committees to oversee project funding. To obtain funding, projects must provide
justification and be prioritized and selected by an investment review board
composed of multifunctional business executives.
·
Tier
B – The Tier B projects are
considered medium-sized projects, developed over a period of up to 3 years,
that modify or enhance existing systems or processes and establish bridges
between current production systems and the new modernization architecture. The Resources Allocation and Measurement
(RAM) organization within the Modernization and Information Technology Services
(MITS) organization is responsible for managing the IRS Tier B projects and
ensuring the projects are aligned with the agency-wide corporate and division
strategies. The RAM organization also
coordinates oversight activities for the IT investment projects and provides a
consolidated view of all current and proposed information systems work. In FY 2004, the IRS requested approximately
$50 million (9 percent) of the $534 million allocated for ADP services for its
Tier B investment portfolio that consists of 20 projects.
·
Tier
C – These are small-scale
projects to improve or enhance existing systems or processes to sustain
operations. The RAM organization is also responsible for
managing the IRS Tier C projects and maintaining the portfolio to assist the business
units in making investment decisions.
However, a portfolio of Tier C projects does not exist, and the IRS does
not account for monies spent specifically on Tier C projects.
The mission of the MITS organization Division Information Officer (DIO)
is to act as the MITS organization representative to the business units. When an organization identifies an IT
business requirement, the DIOs ensure their customer needs are met and the MITS
organization strategic plan is aligned with the business unit’s IT plan. As a result,
the DIOs play a critical oversight role for the delivery of Tier B and Tier C
projects, which includes assisting in the prioritization, costing, management,
and coordination of the IT investment projects.
In addition, the DIOs are responsible for developing the proposed Tier B
and Tier C portfolio and submitting it to senior IRS management for approval.
The Chief Information Officer (CIO) entered into a Memorandum of
Understanding (MOU) with organizations (e.g., the Office of Chief Counsel,
Appeals, and Criminal Investigation organizations) that formerly received their
own IT budget allocations. These MOUs
establish agreement between the organizations and the CIO as to budget
formulation and execution, acceptable level of service, staffing allocations,
and IT requisition procedures.
This review was performed in
the Office of Information Technology Services at the IRS National Headquarters in New Carrollton, Maryland,
during the period June 2004 through January 2005. The audit was conducted in accordance with Government Auditing Standards. Detailed
information on our audit objective, scope, and methodology is presented in
Appendix I. Major contributors to the
report are listed in Appendix II.
The Clinger-Cohen Act and
Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, introduced more
structure into how agencies approach the selection, control, and evaluation of
IT investment projects. For example, OMB
Circular A-130 stipulates the CPIC
process should include all stages of capital programming, including planning,
budgeting, procurement, management, and assessment. As part of the CPIC process, agencies are
required to prepare and maintain a portfolio of information systems to assist
in monitoring investments and preventing redundancy of IT capabilities. In addition, an agency’s CPIC process should
ensure consistency with the agency’s Enterprise Architecture (EA).
In August 2002, we reported the IRS’ process for selecting and monitoring systems improvement projects needed to be revised to comply with Clinger-Cohen Act requirements. The report recommended the IRS establish a centralized process for selecting, funding, and monitoring all of its IT investments. The IRS responded it would develop an IT Capital Planning Guide that would address its approach to manage risks and returns of IT investments by centralizing the investment review process.
In the MITS Strategy and
Program Plan (FY 2004-2005), the IRS announced it was initiating a refined enterprise-wide modernization governance process
that will include prioritizing the entire inventory of IT and modernization
projects on an annual basis. To
accomplish this, the IRS chartered the MITS Executive Governance (MEG)
Committee in November 2003. The MEG
Committee is responsible for approving all new projects and for creating one
IRS portfolio that includes all the individual IRS investments. In addition, the IRS established the
MEG Investment Management (MIM) Subcommittee,
which supports the MEG Committee by ensuring IT investments comply with IRS
policies and procedures and align with enterprise and business unit strategic
goals. The MIM Subcommittee is charged
with providing general IT investment portfolio oversight, including investment
prioritization recommendations, operational analysis reviews and reports, and
recommendations for adjustments to the IRS portfolio.
The IRS also
established the CPIC Office, which is responsible for ensuring the IRS
portfolio management process complies with the Clinger-Cohen Act. In
addition, the IRS is introducing a CPIC process that will manage a
central portfolio of IT investments across the IRS. By incorporating the “select, control, and
evaluate” model for managing IT investments,
the IRS intends to better align investment with strategy and mission to ensure
efficient resource use and maximized rates of return. The IRS is currently reviewing and revising
the CPIC governance process to be consistent with the OMB’s categorization of
projects, which are:
Projects within the two categories are further divided into subcategories
(i.e., major, nonmajor, and small-other) depending on the anticipated cost of
the investment project.
In November 2003, we also reported reviews of IT procurement requisitions were not consistently performed to ensure computer hardware and software purchases are consistent with the IRS’ current and projected EA. The report stated the IRS increased the risk of obtaining incompatible IT hardware and software that could necessitate additional purchases to provide EA compliance and increase the potential for inefficient use of resources. In response, the IRS developed additional procedures, published an approved computer equipment products list, and conducted reviews of submitted requisitions for computer hardware and software purchases to ensure reviews for compliance with the EA were conducted and documented.
A key component of the CPIC process required by OMB Circular A-130 is
the requirement that agencies prepare and maintain a portfolio of information
systems that assists in monitoring investments and preventing redundancy of IT
capabilities. OMB Circular A-11, Preparation, Submission, and Execution of
the Budget, specifies all IT investments must be individually reported by
the agency to the OMB. The Clinger-Cohen
Act also requires Federal Government agencies
to designate a CIO to help control system development risks and better manage
IT spending. According to a Government
Accountability Office (GAO) report issued in July 2004, CIO responsibilities
considered to be critical to effective IT management included the CIO being
responsible for IT capital planning and investment management and having
effective control of systems acquisition, development, and integration. In November 1999, the IRS issued Policy Statement
P-1-229, Management and Control of
Automated Data Processing Property, which established the CIO as the IRS
official responsible for ownership, management, and control of all IT property
within the IRS.
We are concerned about the implementation of IRS Policy Statement
P-1-229, which established the MITS organization as the only organization
authorized to purchase IT property.
Table 1 illustrates that some non-BSM appropriated monies are placed by
the CIO within the financial plans of organizations other than the MITS
organization for expenses associated with the acquisition of IT goods and
services. We reviewed the MOUs with
several non-MITS organizations and noted inconsistencies in the language
governing approval of IT requisitions.
Table 1 also shows some IT-related funds were originally appropriated by
the Congress to non-MITS organizations for the purposes of tax law enforcement,
tax returns processing, tax law and account assistance, and management
services. For example, of the $10.1
million appropriated to non-MITS organizations without an MOU for private
sector data processing services (see line 3 of Table 1), the Small
Business/Self-Employed Division received $6.7 million for a vendor to process
over 4 million paper documents.
Table 1: Allocation of the IRS’ FY 2004 Budget for
Select IT Expense Categories
|
Organization |
IT Expense Category |
Total Amount |
||
|
Private Sector Data Processing
Services |
Computer Hardware |
Computer Software |
||
|
1. MITS |
$275,548,211 |
$67,085,766 |
$125,552,625 |
$468,186,602 |
|
2. Non-MITS With an MOU |
$22,981,459 |
$5,683,849 |
$640,586 |
$29,305,894 |
|
3. Non-MITS Without an MOU |
$10,114,370 |
$1,814,849 |
$1,795,502 |
$13,724,721 |
|
Total |
$308,644,040 |
$74,584,464 |
$127,988,713 |
$511,217,217 |
Source: IRS
FY 2004 Financial Plan.
We reviewed all 271 requisitions for IT goods and services submitted
between October 1, 2003, and July 7, 2004, by organizations other than the MITS
organization. From the 271 requisitions,
we identified 30 requisitions requesting private sector data processing
services, computer hardware, and computer software associated with the development
of an information system. As illustrated
in Table 2, system development projects funded by the MITS organization via an
MOU and projects not funded by the MITS organization were most likely not to be
identified by the CPIC process and individually identified in the IRS’ IT
investment portfolio. Although these
projects were not individually identified in the portfolio, the project office
prepared the minimum project management documents (e.g., Project Management
Plan, Work Breakdown Structure, and Risk Management Plan) required by the IRS
for system development projects, and we did not identify duplicate acquisition
of IT goods and services.
Table 2: IT
Requisitions Submitted by Organizations Outside
of the MITS Organization for System Development Projects
|
Requisition Type |
Total Number of Requisitions |
Total Amount of Requisitions |
Number of System Development
Projects |
Number/ Percentage of Projects
Identified in Portfolio |
|
1. Funded by the MITS Organization |
17 |
$13,376,234 |
11 |
10 (91%) |
|
2. Funded by the MITS Organization via an MOU |
11 |
$1,483,164 |
5 |
2 (40%) |
|
3. Not Funded by the MITS Organization |
2 |
$400,000 |
1 |
0 (0%) |
|
Totals |
30 |
$15,259,398 |
16 |
12 (75%) |
Source: FY
2004 requisitions for IT goods and services.
In addition,
requisitions submitted for IT goods and services by organizations where funding
was not provided by the MITS organization are not being routed through the DIOs
within the MITS organization to ensure the projects are included in the IRS’ IT
investment portfolio.
Maintaining the IT investment portfolio is also more difficult because
some organizations with an MOU did not route IT requisitions through their
DIO. The IRS has also not maintained a
portfolio of Tier C projects, and monies spent on Tier C projects are not
accounted for separately. Therefore, the
IRS may not be spending its funds on IT resources in the most effective and
efficient manner and risks spending funds on lower-priority projects.
The
CIO should:
1.
Ensure the Internal Revenue Manual (IRM) and MOUs between the MITS
and other organizations are revised, as necessary, to specify all requisitions
for IT goods and services initiated by the business units are routed through
the appropriate DIO and the Director, Client Services, to ensure each system
development project is included in the IRS’ IT portfolio.
Management’s Response: The Director, Client Services, will revise
existing MOUs and work with the Directives Management Office to revise IRM
2.21.1 to specify that all IT requisitions initiated by the business units are
routed through the appropriate DIO and the Director, Client Services, to ensure
projects are captured and included in the IT portfolio.
2.
Ensure the current Tier C projects are identified and mapped into
the IRS CPIC governance process for managing the IT investment portfolio.
Management’s Response: The IRS will map all Tier C investments to the EA and to the EA-aligned executive
steering committees, which execute the CPIC governance processes.
3.
Work
with the Chief Financial Officer (CFO) to ensure monies spent on Tier C
projects are accounted for separately.
Management’s Response: The CIO, in conjunction with the CFO, will
amend financial policy documents in a manner that will ensure accurate
accounting of Tier C expenditures.
OMB Circular A-130 outlines the major IT planning and management requirements for Federal Government agencies, including that agencies develop policies and procedures that provide for timely acquisition of required IT. In addition, it requires agencies to document their EA and ensure EA procedures are being followed. The Department of the Treasury also stipulates that agencies are required to ensure proposed IT investments are consistent with the agency’s EA, and the CIO is responsible for reviewing and approving all requests for IT investments.
IRM 2.21.1, Requisition
Processing for Information Technology Products and Services, was issued
to improve accountability and standardize the IT requisition process by providing
specific guidance to all IRS personnel on the critical elements necessary to
complete the requisition approval process.
According to the IRM, the CIO has responsibility for all IT purchases of
products and services acquired by the IRS.
The IRM also stipulates that the MITS organization is responsible for
approving IT requisitions and that MITS executives are accountable for ensuring
their accuracy.
All requisitions submitted for IT goods and services require several
reviews prior to approval, including a Tier Review that consists of an
architectural, engineering, capacity, or standards review to ensure compliance with the IRS’ EA. The Tier Owner, which is the IRS organization
responsible for reviewing the requisition to ensure compliance with EA standards for hardware and software, depends upon the Tier
Level of the IT equipment (i.e., Tier I – Mainframes, Tier II – Servers,
and Tier III – Desktops and Laptops). Once all
the appropriate reviews have taken place, a Requisition Summary must be developed
and attached to the requisition within the web Request Tracking System (webRTS)
summarizing the findings. Afterwards, the requisition is provided to
the requisition approving authority to ensure the requisition is fully
compliant with IRS requirements for processing IT requisitions.
In August 2000, the IRS Commissioner issued Delegation Order (D.O.)
261, which delegated to the CIO the authority to acquire IT. In addition, D.O. 261 authorized the CIO to
redelegate the authority to senior executives within the MITS
organization. As a result, the CIO issued D.O. 28 to provide MITS organization executives
with delegated signature authority for approving IT requisitions submitted for
IT goods and services. D.O. 28 also authorized MITS organization executives
to redelegate approval to their senior managers. In addition, the CIO published a
Requisition Signatory Authority List, which specifically identifies the persons
authorized to approve requisitions for IT goods and services based on D.O. 28
and any redelegation orders. Evidence that the requisition was approved by
someone authorized by D.O. 28 or a redelegation order must be reflected in
either the requisition approval path or history record within the webRTS. Once the review and approval process is
complete, the requisition is forwarded to the Office of Procurement for
processing.
While these IRS-developed
procedures comply with OMB and Department of the Treasury requirements, the
DIOs do not consistently review the IT requisitions to ensure reviews and
approvals are conducted as required by the CIO in IRM 2.21.1. Overall, our review of the 30 requisitions
identified that requisitions were not properly approved and Requisition
Summaries were not prepared and attached to the requisitions within the webRTS. Table
3 provides details of our analysis of these requisitions.
Table 3: IT
Requisitions Submitted by Organizations Outside
of the MITS Organization
|
Requisition Type |
Total Number of Requisitions |
Number/ |
Number/Percentage With Requisition
Summary Attached |
|
1. Funded by the MITS Organization |
17 |
16 (94%) |
7 (41%) |
|
2. Funded by the MITS Organization via an MOU |
11 |
2 (18%) |
2 (18%) |
|
3. Not Funded by the MITS Organization |
2 |
0 (0%) |
0 (0%) |
|
Totals |
30 |
18 (60%) |
9 (30%) |
Source: FY
2004 requisitions for IT goods and services.
Since Tier Reviews were required only on the requisitions submitted for
the acquisition of computer hardware or software, only 6 of the 17 requisitions
funded by the MITS organization, and 4 of the 11 requisitions funded by
the MITS organization via an MOU, were
analyzed to determine if a Tier Review was completed to ensure compliance with
the IRS’ EA. Table 4 provides
details of our Tier Review analysis.
Table 4: Tier
Reviews for IT Requisitions Submitted by Organizations Outside of the MITS
Organization
|
Requisition Type |
Total Number of Requisitions |
Number of Requisitions
Requiring a Tier Review |
Number/ Percentage With |
|
1. Funded by the MITS Organization |
17 |
6 |
2 (33%) |
|
2. Funded by the MITS Organization via an MOU |
11 |
4 |
0 (0%) |
|
3. Not Funded by the MITS Organization |
2 |
0 |
Not Applicable |
|
Totals |
30 |
10 |
2 (20%) |
Source: FY
2004 requisitions for IT goods and services.
The processing of IT requisitions that do not adhere to IRS
management controls for proper reviews and approvals and the attachment of a
Requisition Summary increases the risk that the IRS might acquire IT systems
that are not compatible with the EA. In addition, the Requisition
Signatory Authority List, which is used to ensure requisitions have been
properly approved prior to being forwarded to the Office of Procurement for
processing, has not been consistently updated to reflect the persons authorized
to approve requisitions for IT goods and services based on the preparation of
redelegation orders under D.O. 28. This
occurred because IRM 2.21.1 did not specify the MITS organization responsible
for updating the Requisition Signatory Authority List, which is posted on the
MITS Directives Management Office’s web site.
The CIO should ensure:
4.
The IRM
and MOUs between the MITS and other organizations are revised, as necessary, to
specify all requisitions for IT goods and services
initiated by the business units are routed through the appropriate DIO and the Director,
Client Services, to ensure proper reviews and approvals are obtained and a Requisition Summary is attached to the requisition.
Management’s Response: The Director, Client Services, will work with
the Directives Management Office to ensure IRM 2.21.1 and the MOUs incorporate
language specifying that the business units route all IT requisitions through
the appropriate DIO and Director, Client Services. The Director, Client Services, will also ensure
the DIOs review and approve requisitions in accordance with IRM 2.21.1 and D.O.
28 and guarantee a Requisition Summary is appropriately attached.
5.
The Requisition
Signatory Authority List is updated and the IRM is revised to specify the
organization responsible for maintaining it and forwarding a copy to the
Directives Management Office.
Management’s Response: The Director, Financial Management Services,
will establish an annual process for updating the Requisition Signatory
Authority List and will forward a copy to all relevant offices, including the
Directives Management Office. In
addition, the Director, Financial Management Services, will ensure the
appropriate IRM is updated to this effect.
The Clinger-Cohen Act requires each agency to establish a process for maximizing the value and assessing and managing the risks of IT projects. It also requires agencies to identify significant deviations from costs, performance, or schedule. The Department of the Treasury stipulates that project costs include accounting for the spending of all resources, including items such as the cost of staff hours, contractor costs, equipment, and maintenance. To accurately capture project costs, IRS procedures require the tracking of IT expenditures within the IRS’ financial system using a five-digit subproject code called the Project Cost Accounting Subsystem (PCAS) code. Labor costs are also tracked through the payroll system by entering the code with the time and attendance records.
While the PCAS code was designed to track costs by each IT investment project, we found project costs were not always charged to the appropriate PCAS code. For example, we identified 3 requisitions totaling $681,522 submitted for the Automated Background Investigation System (ABIS) on which the expenses were charged to 3 separate PCAS codes. Of the three PCAS codes associated with the requisitions, none were the correct PCAS code that had been established for the ABIS project. We also identified 7 requisitions totaling $726,174 for 2 IT investment projects that were not assigned a unique PCAS code for tracking expenditures. Appendix IV presents details on the reliability of information outcome measure resulting from the recording of these costs.
By not properly accounting for all costs, the IRS cannot determine the actual results of the IT investment and comply with the Clinger-Cohen Act requirements to identify significant deviations from costs, performance, or schedule. The inaccurate capturing of project costs occurred because requisitions submitted for IT goods and services by organizations funded by the MITS organization via an MOU and non-MITS organizations are not being routed through the DIOs to ensure the expenditures are attributed to the correct PCAS code for the IT investment project.
The CIO should ensure:
6.
The IRM is revised to specify all requisitions for IT goods and
services initiated by the business units are routed through the appropriate
DIOs and the Director, Client Services, to ensure the IT investment project is
assigned and uses a unique PCAS code.
Management’s Response: The Director, Client Services, will work with the Directives Management Office to ensure IRM 2.21.1 incorporates language specifying the business units route all requisitions they initiate through the appropriate DIO and Director, Client Services. In addition, the Director, Client Services, will ensure the DIOs review all requisitions to ensure appropriate PCAS codes are used.
7.
A mechanism is designed and implemented to
ensure all IT expenses are accurately identified and associated with each IT
investment project, regardless of the funding or PCAS codes used.
Management’s Response: IRS management did not agree with this
recommendation on the basis that the adoption of the other recommendations
constitutes an effective mechanism to ensure the accurate identification and
association of all IT expenses with each IT investment project.
Office
of Audit Comment: While IRS management disagreed with the recommendation, we
agree the corrective actions they plan to take will address the recommendation.
Appendix I
Detailed Objective,
Scope, and Methodology
The overall objective of this review was to determine whether the
Internal Revenue Service (IRS) ensures information technology (IT) goods and
services procured outside of the Modernization and Information Technology Services
(MITS) organization are effectively controlled, compliant with the Enterprise Architecture
(EA), do not duplicate other systems or initiatives, and follow a disciplined
systems development life cycle. To
accomplish this objective, we:
I.
Reviewed national policies, procedures, and
directives for providing management controls over the procurement of IT goods
and services to determine whether sufficient controls were in place over
procurements made outside the MITS organization. We also interviewed management to
determine the roles and responsibilities for monitoring procurements,
identified additional guidelines for processing requisitions for IT goods and
services, and reviewed best practices for ensuring acquired IT goods and
services are compliant with the EA and do not duplicate other systems or
initiatives.
II.
Reviewed all 271 requisitions submitted for private sector data processing services,
computer hardware, and computer software between October 1, 2003, and July 7, 2004, by organizations other than
the MITS organization and determined whether each requisition was associated
with a system development effort and under what contract the requisition was
awarded.
For the 30 requisitions that were determined to be associated with a
system development effort, we determined whether the system development project
was managed by the Business Systems Development
office and whether the project was included in the IRS’ IT portfolio. We also determined whether the 30
requisitions were properly reviewed and approved and whether the requisitions
contained a Requisition Summary. In
addition, we determined whether the project duplicated other systems or
initiatives and whether the project office followed a Systems Development Life
Cycle methodology.
III.
Evaluated the results
of the corrective actions taken by management to address the internal controls
weaknesses over processing IT requisitions reported by the Treasury Inspector
General for Tax Administration in November 2003. For
example, we interviewed management on
the status of the implemented corrective actions, reviewed documents supporting
the implementation of proposed corrective actions taken, and determined whether
those actions adequately addressed the reported control weaknesses.
Appendix II
Major Contributors to This
Report
Margaret
E. Begg, Assistant Inspector General for Audit (Information
Systems Programs)
Gary
Hinkle, Director
Danny Verneuille, Audit
Manager
Van Warmke, Lead
Auditor
Charlene Elliston,
Auditor
Steven Gibson, Auditor
Olivia Jasper, Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Financial Officer
OS:CFO
Associate Chief Information Officer, Information Technology
Services OS:CIO:I
Associate Chief Information Officer, Management OS:CIO:M
Director,
Financial Management Services OS:CIO:FM
Director, Resources Allocation and Measurement OS:CIO:R
Director, Stakeholder Management OS:CIO:SM
Director, Business Systems Development OS:CIO:I:B
Director,
Director, End User Equipment and Services OS:CIO:I:EU
Director,
Client Services OS:CIO:I:B:DIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk
Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Financial Officer OS:CFO
Manager, Program Oversight Office OS:CIO:SM:
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to the Congress.
Type and Value of Outcome Measure:
· Reliability of Information – Actual; $1,407,696 in project expenditures (see page 13).
Methodology Used to Measure the Reported Benefit:
To accurately capture Information Technology (IT) project costs, the Internal Revenue Service tracks expenditures within its financial system using a five-digit subproject code called the Project Cost Accounting Subsystem (PCAS) code. We identified 3 requisitions totaling $681,522 submitted in Fiscal Year (FY) 2004 for the Automated Background Investigation System (ABIS) project on which the expenses were charged to 3 separate PCAS codes. Of the three PCAS codes associated with the requisitions, none were the correct PCAS code that had been established for the ABIS project. Table 1 provides a listing of the IT requisitions submitted for the ABIS project and the projects that were charged with the ABIS project expenses.
Table 1: IT
Requisitions Submitted for the ABIS Project but Charged to Other Projects
|
Requisition Number |
Expense Type |
Expense Amount |
Project Charged With Expense |
|
M-4-M9-22-NB-A44-000 |
Computer Equipment |
$98,859 |
Security – Maintain and Enhance
Security Policy and Planning Capabilities |
|
P-4-P1-30-NB-A19-000 |
Data Processing Services |
$270,000 |
|
|
M-4-M9-22-NB-A19-000 |
Data Processing Services |
$312,663 |
National Background Investigations |
|
Total Expense
Amount |
$681,522 |
|
|
Source: FY
2004 requisitions for IT goods and services.
In addition, we identified two IT investment projects that were not assigned a unique PCAS code for tracking expenditures, and the project costs were charged to PCAS codes that included several activities. Specifically, 5 requisitions totaling $326,174 were submitted for the Enterprise Mission Assurance Portal (EMAP) project and 2 requisitions totaling $400,000 were submitted for the Internal Revenue Manual (IRM) e-Clearance project. Table 2 provides a listing of the IT requisitions submitted for the EMAP and IRM e-Clearance projects and the associated project expenses.
Table 2: IT
Requisitions Submitted for IT Projects Without an Assigned PCAS Code
|
Project |
Requisition Number |
Expense Type |
Expense Amount |
|
EMAP |
M-4-M9-01-MA-S26-000 |
Computer Hardware |
$5,985 |
|
EMAP |
M-4-M9-01-MA-S02-000 |
Data Processing Services |
$25,000 |
|
EMAP |
M-4-M9-01-MA-S08-000 |
Data Processing Services |
$25,000 |
|
EMAP |
M-4-M9-2A-AP-S00-000 |
Data Processing Services |
$70,189 |
|
EMAP |
M-4-M9-01-MA-S21-000 |
Data Processing Services |
$200,000 |
|
IRM e-Clearance |
M-4-M0-25-SP-A41-000 |
Data Processing Services |
$200,000 |
|
IRM e-Clearance |
M-4-M0-25-SP-B01-000 |
Data Processing Services |
$200,000 |
|
Total Expense Amount |
$726,174 |
||
Source: FY 2004 requisitions for IT goods and
services.
Appendix V
Management’s Response to
the Draft Report
The response
was removed due to its size. To see the
response, please go to the Adobe PDF version of the report on the TIGTA Public
Web Page.