Business Systems Modernization: IRS Needs to Better Balance Management Capacity with System Acquisition Workload
GAO reviewed the Internal Revenue Service's (IRS) fifth expenditure plan requesting $391 million from its Business Systems Modernization (BSM) fund. Although IRS's November 2001 expenditure plan satisfied the conditions specified in the appropriations act, IRS must still fully implement the controls and capabilities described in the plan. Since GAO's June 2001 report, IRS has made important progress in implementing modernization management controls and capabilities and addressing GAO's past recommendations. However, IRS's modernization management capacity is still not where it needs to be. Examples of modernization management controls and capabilities that are not yet fully implemented include software acquisition management, configuration management, quality assurance, risk management, enterprise architecture implementation, human capital management, integrated program scheduling, and cost and schedule estimating. The increased risk of IRS's proceeding without these controls and capabilities has contributed to project cost, schedule, and performance shortfalls. IRS acknowledges that it needs to strengthen its modernization management controls. IRS recognizes that these controls become more critical as the size and complexity of the BSM program continue to increase. Although IRS has actions underway to fully implement these controls, IRS plans to compensate for their immaturity by applying experienced human capital. Reliance on a combination of existing immature processes and individual expertise and heroic efforts is a short-term solution to a long-term need. Because the immaturity of these controls has already led to project cost, schedule, and performance shortfalls, IRS needs a better strategy to mitigate the risks associated with its fifth expenditure plan.
Recommendations for Executive Action
|Internal Revenue Service||To address the escalating risks facing the Internal Revenue Service (IRS) on its Business Systems Modernization (BSM) program, the Commissioner of IRS should reconsider the planned scope and pace of the BSM program as defined in the fifth expenditure plan, with the goal of better balancing the number of systems acquisition projects underway and planned with IRS's capacity to manage this workload. At a minimum, the Commissioner's reconsideration should include (1) slowing ongoing projects and delaying new project starts to reduce BSM Office resource demands, (2) making correcting modernization management weaknesses a top priority and a matter of top management attention, and (3) reapplying resources--financial and human capital--available from slowed and delayed projects toward correction of control weaknesses.||
In response to GAO's recommendation, IRS completed a reassessment of the FY 2002 BSM program in May 2002 and took the following actions to better balance system acquisition project workload with management: 1) IRS deferred the start of several new projects until FY 2003 and 2004 to reduce resource demands, 2) IRS reapplied a portion of the financial resources available from these deferred projects toward PRIME contractor management processes and MITRE management support to accelerate correction of modernization management control weaknesses, and 3) IRS increased its own efforts and executive focus on management process improvement. Subsequently, IRS further slowed the pace of the program by deferring future modernization project releases and reducing the BSM funding level for FY 2003 and 2004.
|Internal Revenue Service||The Commissioner of IRS should address weaknesses in software acquisition management by immediately assessing critical BSM projects (i.e. Customer Account Data Engine, Security and Technology Infrastructure Release, and e-Services) against the Software Engineering Institute's Software Acquisition Capability Maturity Model (SA-CMM) level 2 requirements.||
In June 2002, IRS completed an internal assessment of five core modernization projects (including the Customer Account Data Engine, Security and Technology Infrastructure Release, and e-Services) against the SEI SA-CMM level 2 requirements. The results of this assessment were reported in a briefing to GAO on July 17, 2002.
|Internal Revenue Service||The Commissioner of IRS should, based on this assessment, develop a plan for correcting identified weaknesses for these projects, including having an independent SA-CMM evaluation performed on them before submission of the next BSM expenditure plan.||
Based on an analysis of the findings and recommendations resulting from the June 2002 internal assessment of five core modernization projects, IRS developed a Business Systems Modernization Office (BSMO) Process Improvement Action Plan and initiated several improvement initiatives to address the identified weaknesses, in preparation for the planned independent SA-CMM Software Capability Evaluation in December 2002. In December 2002, an SEI-led Software Capability Evalution was conducted on the five core modernization projects.
|Internal Revenue Service||The Commissioner of IRS should submit, with the next expenditure plan, the results of this independent evaluation, along with a plan for ensuring that all BSM projects that have passed milestone 3 will meet SA-CMM level 2 requirements.||
In December 2002, an SEI-led Software Capability Evaluation was conducted on five core modernization projects, and these projects were rated as operating at SA-CMM Level 2. A briefing summarizing the results of this independent evaluation was provided to GAO. During FY 2002 and 2003, IRS developed and adopted a BSMO Process Improvement Stategic Plan to incrementally implement process improvements throughout the organization and ensure that all modernization projects ultimately meet the SA-CMM Level 2 requirements.
|Internal Revenue Service||The Commissioner of IRS should require all projects that did not pass milestone 3 as of December 31, 2001, to be assessed as SA-CMM level 2, and have a plan for correcting any project weaknesses found as a condition of milestone 3 approval.||
During FY 2002 and 2003, IRS developed and adopted a BSMO Process Improvement Stategic Plan to incrementally implement process improvements throughout the organization and ensure that all modernization projects ultimately meet the SA-CMM Level 2 requirements. This plan includes goals/objectives to conduct an organization-wide assessment of all BSM projects against the SA-CMM Level 2 key process area requirements by the end of FY 2004 and develop/implement an action plan to address any weaknesses resulting from the assessment.
|Internal Revenue Service||The Commissioner of IRS should, for configuration management, risk management, enterprise architecture implementation, human capital strategic management, integrated program scheduling, and cost and schedule estimating, ensure that commitments discussed herein for addressing residual weaknesses are implemented as planned, and report any deviations from these planned commitments to IRS's appropriations subcommittees.||
In reviewing IRS's FY 2003 and 2004 expenditure plans, GAO found and reported in a June 2003 report and March 2004 briefing that IRS had made significant progress in improving its modernization management controls and capabilities and implementing this recommendation. GAO reported that IRS had implemented its commitments to address previously reported management weaknesses in the areas of risk management, enterprise architecture implementation, and integrated program scheduling. IRS has established target plans and schedules to correct the residual weaknesses and to fully implement missing modernization management controls related to configuration management, human capital strategic management, and cost and schedule estimating by October 2004.
|Internal Revenue Service||The Commissioner of IRS should, until contractor quality assurance weaknesses are corrected, increase the level of IRS oversight, scrutiny, and quality assurance of contractor activities.||
In response to GAO's recommendation, IRS's BSMO quality assurance (QA) organization completed several process audits (including contractor QA functions), updated all QA process documents, and developed a rolling six-month audit schedule that included conducting joint audits with the PRIME contractor's quality management office (QMO). In May 2002, IRS reported that all corrective action requests resulting from its March 2001 audit of the PRIME QMO had been completed and closed. As a result, GAO reported in a June 2003 report (GAO-03-768) that IRS had completed its commitments to address this recommendation.