Skip to Highlights
Highlights

What GAO Found

The performance of the Internal Revenue Service's (IRS) selected information technology (IT) investments that GAO reviewed varied. Specifically, the four selected investments in the development phase that GAO reviewed spent less than planned, but most were behind schedule and delivered less scope than planned (see table below). In addition, the five selected investments in the operations and maintenance phase that GAO reviewed had performed internal qualitative assessments of performance as required by the Office of Management and Budget (OMB); however, none of the analyses addressed all key factors specified in OMB guidance.

Reported Performance of Selected Internal Revenue Service (IRS) Investments in Development during Fiscal Year 2016 and the First Two Quarters of Fiscal Year 2017

Investment name

Total budgeted cost of work performed (in millions)

Total actual cost of work performed (in millions)

Cost variance

Schedule variance

Percentage of planned scope delivered

Enterprise Case Management

$31.8

$30.3

Under budget  

4.7%

Late

-8.7%

91.3%

Customer Account Data Engine 2

$35.0a

$31.0

Under budget

11.5%

Late

-54.0%

46.0%

Return Review Program

$78.8

$49.3

Under budget

37.5%

Late -18.8%

81.2%

Affordable Care Act Administration

$199.0

$157.4

Under budget

20.9%

On time

n.d.

Source: GAO analysis of IRS data. | GAO-18-298

Notes: n.d. –no data tracked by the agency.

aAccording to IRS, this represents the amount that was planned for development activities. Additional funding was expended for planning and design activities.

Three investments GAO reviewed in the operations and maintenance phase that are legacy investments—Individual Master File (IMF), Integrated Data Retrieval System (IDRS), and Mainframes and Servers Services and Support (MSSS)— are facing significant risks due to their reliance on legacy programming languages, outdated hardware, and a shortage of human resources with critical skills. For example, IRS reported that it used assembly language code and Common Business Oriented Language (both developed in the 1950s) for IMF and IDRS, which exposes these investments to a rise in procurement and operating costs, and a decrease in staff available with the proper skill sets. Further, MSSS relies on a significant amount of outdated hardware exposing the investment to rising warranty and maintenance fees, as well as equipment failures. Despite these risks, the agency has not fully implemented key risk management practices and may be challenged in mitigating risks effectively so that they do not impact the agency's ability to carry out its mission.

IRS has not yet fully implemented any of the key IT workforce planning practices GAO has previously identified. Specifically, the agency has developed a tool to automate the IT workforce planning process, but the tool is in the initial stages of implementation. IRS officials attributed the limited progress in implementing IT workforce planning practices to resource constraints and competing priorities. Nevertheless, until the agency fully implements these practices, it will continue to face challenges in assessing and addressing the gaps in knowledge and skills that are critical to the success of its key IT investments.

Why GAO Did This Study

IRS relies extensively on IT investments to annually collect more than $3 trillion in taxes, distribute more than $400 billion in refunds, and carry out its mission of providing service to America's taxpayers in meeting their tax obligations. For fiscal years 2016 and 2017, the agency reported spending approximately $2.7 billion and $2.6 billion, respectively, for IT investments.

GAO was asked to review IRS's IT operations. GAO's specific objectives were to (1) evaluate the performance of selected IRS IT investments, (2) summarize any risks associated with selected legacy systems and evaluate the steps the agency has taken to manage such risks, and (3) determine the extent to which IRS has implemented key IT workforce planning practices.

GAO analyzed planned versus actual performance information for nine selected investments for fiscal year 2016 and the first 2 quarters of fiscal year 2017—four in development and five in the operations and maintenance phase; identified risks facing three legacy investments and analyzed IRS's efforts to manage these risks against key practices; and analyzed IRS's IT workforce planning efforts against best practices.

Skip to Recommendations

Recommendations

GAO recommends that IRS perform operational analyses consistent with guidance, implement key risk management practices, and fully implement key IT workforce planning practices. IRS did not agree or disagree with the recommendations, but said it would provide a plan for addressing each recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service 1. The Commissioner of the IRS should ensure the operational analysis for IMF fully addresses greater utilization of technology or consolidation of investments to better meet organizational goals. (Recommendation 1)
Open
In December 2020, IRS provided a partially complete fiscal year 2020 operational analysis for the Individual Master File and stated that it would complete it by mid-February of 2021. The document addressed the greater utilization of technology to better meet organizational goals. Specifically, it noted that the IRS used new technology to implement processing improvements via a more robust testing approach in order to reduce coding defects. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code for IMF. We will review the operational analysis when it is completed to determine if it fully addresses our recommendation.
Internal Revenue Service 2. The Commissioner of the IRS should ensure the operational analysis for IDRS addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 2)
Closed - Implemented
In June 2020, IRS provided GAO evidence that it had implemented this recommendation. Specifically, the IRS provided its fiscal year 2019 Operational Analysis report for the Integrated Data Retrieval System (IDRS) dated May 2020 demonstrating that it had incorporated three new performance metrics addressing the extent to which the intended investment functionality was being provided. As an example, IRS added a Penalty and Interest Explanation metric to support the penalty and interest calculation and explanation functionality--one of several actions on taxpayer account issues for which IRS employees use IDRS. In addition, IRS provided a "Correction Metrics" document with detailed descriptions of the new metrics, including reporting frequency and target thresholds for performance. Implementing this recommendation provides IRS greater assurance that it will have the critical information it needs to inform decisionmaking for IDRS.
Internal Revenue Service 3. The Commissioner of the IRS should ensure the operational analysis for Telecommunications Systems and Support (TSS) addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 3)
Open
In June 2020, IRS provided its fiscal year 2019 operational analysis report for the Telecommunications Systems and Support investment. The report showed that IRS had identified metrics used to determine customer satisfaction and how well the investment is delivering the goods or services it was designed to deliver. However, the analysis did not address how the investment services such as video conferencing and enterprise voice and fax services are being delivered. We will continue to monitor IRS's actions to address this recommendation.
Internal Revenue Service 4. The Commissioner of the IRS should ensure the operational analysis for TSS includes a comparison of current performance with a pre-established cost baseline. (Recommendation 4)
Closed - Implemented
In February 2021, IRS provided GAO evidence that it had implemented this recommendation. Specifically, IRS provided its fiscal year 2020 operational analysis for the Telecommunication Support Services (TSS) investment dated November 2020. The operational analysis included a comparison of current performance with a pre-established cost baseline, as we recommended, and accounted for user fees and multi-year costs. In addition, the operational analysis noted that the discrepancy between the current performance and the pre-established cost baseline was due to factors other than multi-year funding. Implementing this recommendation provides IRS greater assurance that it will have the critical information it needs to inform decisionmaking for TSS.
Internal Revenue Service 5. The Commissioner of the IRS should ensure the operational analysis for End User Systems and Services includes a comparison of current performance with a pre-established cost baseline. (Recommendation 5)
Closed - Implemented
In December 2020, IRS provided GAO its fiscal year 2020 Operational Analysis report for the End User Systems and Services (EUSS) investment dated November 2020. The document included a comparison of current performance with a pre-established cost baseline, and accounted for user fees and multi-year costs. The operational analysis also noted that the discrepancy between current performance and pre-established cost baseline was due to factors other than multi-year funding. Implementing this recommendation provides IRS greater assurance that it will have the critical information needed to inform decisionmaking for EUSS.
Internal Revenue Service 6. The Commissioner of the IRS should ensure the operational analysis for MSSS addresses alternative methods of achieving the same mission needs and strategic goals. (Recommendation 6)
Closed - Implemented
In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report for the Mainframe and Servers Services and Support (MSSS) investment, dated June 2019. Our review of the report showed that the IRS had identified alternative methods of achieving the same mission needs and strategic goals for the investment. For example, IRS noted it will be moving the MSSS applications to a new operating system. Implementing this recommendation provides IRS greater assurance that it will have the critical information needed to inform decisionmaking for MSSS.
Internal Revenue Service 7. The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IMF investment. (Recommendation 7)
Closed - Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document which describes the risk management procedures for all IRS IT investments, including the Individual Master File. The document also identifies IRS's process for preparing for risk management as we recommended, including identifying risk constraints and risk assumptions. Implementing this recommendation provides IRS greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 8. The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IMF investment. (Recommendation 8)
Open
In December 2019, IRS provided GAO with its October 2019 IT Risk Management Program Plan, which included an updated section on analyzing and prioritizing risk. Specifically it identified analyzing residual mitigations as one of the activities. However, IRS did not provide documentation showing that it has actually analyzed both inherent and residual risks for the Individual Master File. We will continue to monitor IRS's efforts to implement this recommendation.
Internal Revenue Service 9. The Commissioner of the IRS should fully implement the risk management key practice for prioritizing risk for the IMF investment. (Recommendation 9)
Closed - Implemented
In December 2019, IRS provided GAO Risk and Issues Registry reports for August and September 2019. These reports identified IRS's implementation of the risk management practice for prioritizing risk by identifying a risk profile for the Individual Master File investment. The profile included project name, risk statement, mitigation plan, impact date, and overall status of risk. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 10. The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IMF investment. (Recommendation 10)
Open
In December 2019, IRS provided GAO with its updated Applications Development Risk and Issue Management Plan that includes steps to mitigate risk/manage issues, including a specific step to develop alternative course of action for all critical risks/issues. However, IRS did not provide evidence that it had developed an alternative course of action for each critical risk for the Individual Master File. We will follow up with IRS to obtain this documentation.
Internal Revenue Service 11. The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IMF investment. (Recommendation 11)
Closed - Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Individual Master File (IMF) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the IMF before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 12. The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IDRS investment. (Recommendation 12)
Closed - Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document which defines the risk management procedures for all IRS IT investments, including the Integrated Data Retrieval System. The document describes IRS's process for preparing for risk management, including identifying risk constraints and risk assumptions. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 13. The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IDRS investment. (Recommendation 13)
Closed - Implemented
In December 2019, IRS provided GAO its October 2019 IRS IT Risk Management Plan that identifies risk management practices for analyzing risk for all IRS investments, including the Integrated Data Retrieval System (IDRS). Specifically, the plan states that risks should be assessed on a residual and inherent basis. In addition IRS provided an IT Risk Register showing the prioritization of residual and inherent risks for IDRS. By implementing this recommendation, IRS has greater assurance that it can successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 14. The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IDRS investment. (Recommendation 14)
Open
In December 2019, IRS provided GAO with its updated Applications Development Risk and Issue Management Plan document that describes steps to mitigate risks and manage issues, including a specific step to develop alternative courses of action for all critical risks and issues. However, IRS did not provide evidence, such as risk detail reports, showing that it had developed alternative courses of action for critical risks and issues for the Integrated Data Retrieval System. We will follow up with IRS to obtain this evidence.
Internal Revenue Service 15. The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IDRS investment. (Recommendation 15)
Closed - Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Integrated Data Retrieval System (IDRS) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the IDRS investment before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 16. The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the MSSS investment. (Recommendation 16)
Closed - Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document. The document defines the risk management requirements for all IRS IT investments, including for the Mainframe and Servers Services and Support investment. Specifically, it describes IRS's process when preparing for risk management, including identifying risk constraints and risk assumptions. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 17. The Commissioner of the IRS should fully implement the risk management key practice associated with identifying risk for the MSSS investment. (Recommendation 17)
Closed - Implemented
In January 2020, IRS provided evidence that it had implemented the recommendation. Specifically, IRS provided a January 2020 risk log for the Mainframe and Servers Services and Support investment which identified risks including human resource risks, such as a lack of adequate resources to support organizational readiness activities for program and projects and a staffing shortage to support 24 X 7 operations. The risk log also included risk elements for each of the risks identified, such as probable impact date, mitigation status, and criticality. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 18. The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the MSSS investment. (Recommendation 18)
Open
In December 2019, IRS provided GAO with its October 2019 IT Risk Management Program Plan. The document includes an updated section on analyzing and prioritizing risk which identifies analyzing inherent and residual risks as a key activity. However, IRS did not provide evidence that it had analyzed both inherent and residual risks for the Mainframe and Servers Services and Support investment. We will continue to monitor IRS's efforts to implement the recommendation.
Internal Revenue Service 19. The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the MSSS investment. (Recommendation 19)
Open
In December 2019, IRS provided GAO with its updated Applications Development Risk and Issue Management Plan document that describes steps to mitigate risks and manage issues, including a specific step to develop alternative courses of action for all critical risks and issues. However, IRS did not provide evidence, such as risk detail reports, showing that it had developed alternative courses of action for critical risks and issues for the Mainframe and Servers Services and Support investment. We are following up with IRS to obtain this evidence.
Internal Revenue Service 20. The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the MSSS investment. (Recommendation 20)
Closed - Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Mainframe and Servers Services and Support (MSSS) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the MSSS investment before they adversely impact the agency's ability to carry out its mission.
Internal Revenue Service 21. The Commissioner of the IRS should fully implement IT workforce planning practices, including the following actions (1) setting the strategic direction for workforce planning; (2) analyzing the workforce to identify skill gaps; (3) developing strategies and implementing activities to address skill gaps; and (4) monitoring and reporting on progress in addressing skill gaps. (Recommendation 21)
Open
In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of January 2021, IRS had not provided any updates on the status of its efforts to implement the recommendation. When we confirm what actions IRS has taken, we will provide updated information.

Full Report

GAO Contacts