Information Technology: IRS Needs to Take Additional Actions to Address Significant Risks to Tax Processing
GAO-18-298
Published: Jun 28, 2018. Publicly Released: Jun 28, 2018.
Skip to Highlights
Highlights
What GAO Found
The performance of the Internal Revenue Service's (IRS) selected information technology (IT) investments that GAO reviewed varied. Specifically, the four selected investments in the development phase that GAO reviewed spent less than planned, but most were behind schedule and delivered less scope than planned (see table below). In addition, the five selected investments in the operations and maintenance phase that GAO reviewed had performed internal qualitative assessments of performance as required by the Office of Management and Budget (OMB); however, none of the analyses addressed all key factors specified in OMB guidance.
Reported Performance of Selected Internal Revenue Service (IRS) Investments in Development during Fiscal Year 2016 and the First Two Quarters of Fiscal Year 2017
|
Investment name |
Total budgeted cost of work performed (in millions) |
Total actual cost of work performed (in millions) |
Cost variance |
Schedule variance |
Percentage of planned scope delivered |
|
Enterprise Case Management |
$31.8 |
$30.3 |
Under budget 4.7% |
Late -8.7% |
91.3% |
|
Customer Account Data Engine 2 |
$35.0a |
$31.0 |
Under budget 11.5% |
Late -54.0% |
46.0% |
|
Return Review Program |
$78.8 |
$49.3 |
Under budget 37.5% |
Late -18.8% |
81.2% |
|
Affordable Care Act Administration |
$199.0 |
$157.4 |
Under budget 20.9% |
On time |
n.d. |
Source: GAO analysis of IRS data. | GAO-18-298
Notes: n.d. –no data tracked by the agency.
aAccording to IRS, this represents the amount that was planned for development activities. Additional funding was expended for planning and design activities.
Three investments GAO reviewed in the operations and maintenance phase that are legacy investments—Individual Master File (IMF), Integrated Data Retrieval System (IDRS), and Mainframes and Servers Services and Support (MSSS)— are facing significant risks due to their reliance on legacy programming languages, outdated hardware, and a shortage of human resources with critical skills. For example, IRS reported that it used assembly language code and Common Business Oriented Language (both developed in the 1950s) for IMF and IDRS, which exposes these investments to a rise in procurement and operating costs, and a decrease in staff available with the proper skill sets. Further, MSSS relies on a significant amount of outdated hardware exposing the investment to rising warranty and maintenance fees, as well as equipment failures. Despite these risks, the agency has not fully implemented key risk management practices and may be challenged in mitigating risks effectively so that they do not impact the agency's ability to carry out its mission.
IRS has not yet fully implemented any of the key IT workforce planning practices GAO has previously identified. Specifically, the agency has developed a tool to automate the IT workforce planning process, but the tool is in the initial stages of implementation. IRS officials attributed the limited progress in implementing IT workforce planning practices to resource constraints and competing priorities. Nevertheless, until the agency fully implements these practices, it will continue to face challenges in assessing and addressing the gaps in knowledge and skills that are critical to the success of its key IT investments.
Why GAO Did This Study
IRS relies extensively on IT investments to annually collect more than $3 trillion in taxes, distribute more than $400 billion in refunds, and carry out its mission of providing service to America's taxpayers in meeting their tax obligations. For fiscal years 2016 and 2017, the agency reported spending approximately $2.7 billion and $2.6 billion, respectively, for IT investments.
GAO was asked to review IRS's IT operations. GAO's specific objectives were to (1) evaluate the performance of selected IRS IT investments, (2) summarize any risks associated with selected legacy systems and evaluate the steps the agency has taken to manage such risks, and (3) determine the extent to which IRS has implemented key IT workforce planning practices.
GAO analyzed planned versus actual performance information for nine selected investments for fiscal year 2016 and the first 2 quarters of fiscal year 2017—four in development and five in the operations and maintenance phase; identified risks facing three legacy investments and analyzed IRS's efforts to manage these risks against key practices; and analyzed IRS's IT workforce planning efforts against best practices.
Recommendations
GAO recommends that IRS perform operational analyses consistent with guidance, implement key risk management practices, and fully implement key IT workforce planning practices. IRS did not agree or disagree with the recommendations, but said it would provide a plan for addressing each recommendation.
Recommendations for Executive Action
| Agency Affected Sort descending | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for TSS includes a comparison of current performance with a pre-established cost baseline. (Recommendation 4) |
Closed – Implemented
In February 2021, IRS provided GAO evidence that it had implemented this recommendation. Specifically, IRS provided its fiscal year 2020 operational analysis for the Telecommunication Support Services (TSS) investment dated November 2020. The operational analysis included a comparison of current performance with a pre-established cost baseline, as we recommended, and accounted for user fees and multi-year costs. In addition, the operational analysis noted that the discrepancy between the current performance and the pre-established cost baseline was due to factors other than multi-year funding. Implementing this recommendation provides IRS greater assurance that it will have the critical information it needs to inform decisionmaking for TSS.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the MSSS investment. (Recommendation 20) |
Closed – Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Mainframe and Servers Services and Support (MSSS) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the MSSS investment before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for End User Systems and Services includes a comparison of current performance with a pre-established cost baseline. (Recommendation 5) |
Closed – Implemented
In December 2020, IRS provided GAO its fiscal year 2020 Operational Analysis report for the End User Systems and Services (EUSS) investment dated November 2020. The document included a comparison of current performance with a pre-established cost baseline, and accounted for user fees and multi-year costs. The operational analysis also noted that the discrepancy between current performance and pre-established cost baseline was due to factors other than multi-year funding. Implementing this recommendation provides IRS greater assurance that it will have the critical information needed to inform decisionmaking for EUSS.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement IT workforce planning practices, including the following actions (1) setting the strategic direction for workforce planning; (2) analyzing the workforce to identify skill gaps; (3) developing strategies and implementing activities to address skill gaps; and (4) monitoring and reporting on progress in addressing skill gaps. (Recommendation 21) |
Closed – Implemented
Between March 2020 and July 2023, IRS provided evidence that it had fully implemented the recommendation. Specifically, In March 2020, IRS issued its IT Workforce Strategy which identified the strategic direction of the agency to achieve a diverse, flexible, and engaged workforce. In addition, in June 2020, IRS performed a functional needs assessment to analyze and identify gaps between the current IT workforce and its desired workforce. Further, in July 2022, IRS issued its Fiscal Years 2022-2026 Strategic Plan that included objectives and specific strategies to address its workforce and skill gaps; and completed its skill gap mitigation plan that contained recommendations and next steps for workforce planning for the agency. Finally, in July 2023, IRS provided evidence of its continued monitoring and progress reporting for workforce planning. Specifically, it provided March and April 2023 meeting minutes for the Human Capital Office and IT organization synchronization monthly meetings where workforce planning is a continuous topic and monitoring the progress is discussed. By implementing key IT workforce planning practices as we recommended, IRS has better positioned itself to assess and address any gaps in knowledge and skills that are needed to ensure the success of its key investments. [Note: in GAO-19-176, a report examining IRS's enterprise-wide strategic workforce planning efforts, we made the following recommendation: the Commissioner of the IRS should fully implement the workforce planning initiative, including taking the following actions: (1) conducting enterprise strategy and planning, (2) conducting workforce analysis, (3) creating a workforce plan, (4) implementing the workforce plan, and (5) monitoring and evaluating the results. As of February 2024, IRS had created an enterprise workforce plan and was working to fully implement it.]
|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for MSSS addresses alternative methods of achieving the same mission needs and strategic goals. (Recommendation 6) |
Closed – Implemented
In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report for the Mainframe and Servers Services and Support (MSSS) investment, dated June 2019. Our review of the report showed that the IRS had identified alternative methods of achieving the same mission needs and strategic goals for the investment. For example, IRS noted it will be moving the MSSS applications to a new operating system. Implementing this recommendation provides IRS greater assurance that it will have the critical information needed to inform decisionmaking for MSSS.
|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for IMF fully addresses greater utilization of technology or consolidation of investments to better meet organizational goals. (Recommendation 1) |
Closed – Implemented
In March 2022, IRS provided its fiscal year 2021 operational analysis for IMF. The document, dated December 15, 2021, addressed greater utilization of technology and consolidation of investments to better meet the agency's organizational goals. In addition, it identified IRS's progress to date in modernizing IMF and the roadmap for retiring IMF. In addition, the operational analysis identified challenges associated with maintaining the investment, in particular with finding senior level developers and Assembly Language Code experts to support required updates. Implementing this recommendation increases the likelihood that IRS will have the critical information it needs to inform decisionmaking for IMF.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IMF investment. (Recommendation 7) |
Closed – Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document which describes the risk management procedures for all IRS IT investments, including the Individual Master File. The document also identifies IRS's process for preparing for risk management as we recommended, including identifying risk constraints and risk assumptions. Implementing this recommendation provides IRS greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for IDRS addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 2) |
Closed – Implemented
In June 2020, IRS provided GAO evidence that it had implemented this recommendation. Specifically, the IRS provided its fiscal year 2019 Operational Analysis report for the Integrated Data Retrieval System (IDRS) dated May 2020 demonstrating that it had incorporated three new performance metrics addressing the extent to which the intended investment functionality was being provided. As an example, IRS added a Penalty and Interest Explanation metric to support the penalty and interest calculation and explanation functionality--one of several actions on taxpayer account issues for which IRS employees use IDRS. In addition, IRS provided a "Correction Metrics" document with detailed descriptions of the new metrics, including reporting frequency and target thresholds for performance. Implementing this recommendation provides IRS greater assurance that it will have the critical information it needs to inform decisionmaking for IDRS.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IMF investment. (Recommendation 8) |
Closed – Implemented
To address this recommendation, IRS took steps to analyze residual risk for IMF. Specifically, in December 2019, IRS provided GAO with its October 2019 IT Risk Management Program Plan which included procedures for analyzing risks, including residual risks. In addition, in May 2021, IRS provided detailed risk reports from the Item Tracking Reporting and Control tool it uses to manage risks and issues which showed that it had analyzed residual risks for IMF. As a result of its actions, IRS is better positioned to successfully analyze risk and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should ensure the operational analysis for Telecommunications Systems and Support (TSS) addresses the extent to which the investments support customer processes as designed, and how well the investments are delivering the goods or services they were designed to deliver. (Recommendation 3) |
Closed – Implemented
In March 2022, IRS provided its fiscal year 2021 operational analysis report, dated December 21, 2021. The report demonstrated that IRS had identified metrics to determine customer satisfaction and how well the investment is delivering the goods and services it was designed to deliver. In addition, for the second consecutive year, the operational analysis addressed how the investment services such as video conferencing and enterprise voice and fax services are being delivered. Specifically, it identifies refreshed hardware and software allowing for increased enterprise voice services, customer call-back solutions, and overall increased services that deliver video conferencing, enterprise voice and fax services. By implementing this recommendation, IRS has increased the likelihood that it will have the critical information it needs to inform decisionmaking for TSS.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice for prioritizing risk for the IMF investment. (Recommendation 9) |
Closed – Implemented
In December 2019, IRS provided GAO Risk and Issues Registry reports for August and September 2019. These reports identified IRS's implementation of the risk management practice for prioritizing risk by identifying a risk profile for the Individual Master File investment. The profile included project name, risk statement, mitigation plan, impact date, and overall status of risk. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IMF investment. (Recommendation 10) |
Closed – Implemented
To address this recommendation, IRS took steps to establish threshold values for categories of risks, and developed alternative courses of action for each critical risk for IMF. Specifically, in December 2019, IRS provided GAO with its July 2019 Risk and Issue Management Plan that includes steps to mitigate risks and manage issues, including a specific step to develop alternative courses of action for critical risks and issues. In addition, in March 2021, IRS provided several reports from its Item Tracking Reporting and Control that identified threshold values for risks and categorized risks by color. Further, in May 2021, the agency provided its Risk Review Registry that identified risks for IMF and alternative courses of action to take (i.e., mitigation plans) if risks are triggered. As a result of these actions, IRS is better positioned to successfully mitigate IMF risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IMF investment. (Recommendation 11) |
Closed – Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Individual Master File (IMF) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the IMF before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the IDRS investment. (Recommendation 12) |
Closed – Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document which defines the risk management procedures for all IRS IT investments, including the Integrated Data Retrieval System. The document describes IRS's process for preparing for risk management, including identifying risk constraints and risk assumptions. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the IDRS investment. (Recommendation 13) |
Closed – Implemented
In December 2019, IRS provided GAO its October 2019 IRS IT Risk Management Plan that identifies risk management practices for analyzing risk for all IRS investments, including the Integrated Data Retrieval System (IDRS). Specifically, the plan states that risks should be assessed on a residual and inherent basis. In addition IRS provided an IT Risk Register showing the prioritization of residual and inherent risks for IDRS. By implementing this recommendation, IRS has greater assurance that it can successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the IDRS investment. (Recommendation 14) |
Closed – Implemented
To address this recommendation, IRS took steps to develop risk mitigation plans for identified risks and maintain dates for risk handling activities. Specifically, in December 2019, IRS provided GAO with its July 2019 Risk and Issue Management Plan that includes steps to mitigate risk and manage issues, including a specific step to develop alternative course of action for all critical risks/issues. Further, in May 2021, the agency provided its Risk Review Registry that identified risks for IDRS and alternative courses of action to take (i.e., mitigation plans) in the event risks are triggered. IRS also provided Risk Detail Reports which identified for each risk a "submit date," a "probable impact date," and a "projected completion date." As a result of these actions, IRS is better positioned to successfully mitigate risks for IDRS before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with monitoring, reporting, and controlling risk for the IDRS investment. (Recommendation 15) |
Closed – Implemented
In March 2021, IRS provided GAO with evidence that it fully implemented the practice associated with monitoring, reporting and controlling risk for the Integrated Data Retrieval System (IDRS) investment. For example, IRS provided support for review board meeting minutes which shows that the board is regularly monitoring, reporting, and controlling risk status. In addition, IRS provided evidence that it reviews all aspects of the risk management process at least once a year as part of the annual investment operational analysis reviews conducted by the Information Technology organization's Investment and Portfolio Control and Oversight group. By implementing this recommendation, IRS has greater assurance that it will successfully monitor, report and control risks for the IDRS investment before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with preparing for risk management for the MSSS investment. (Recommendation 16) |
Closed – Implemented
In February 2021, IRS provided GAO its April 2020 Risk Issue and Action Item Management Process document. The document defines the risk management requirements for all IRS IT investments, including for the Mainframe and Servers Services and Support investment. Specifically, it describes IRS's process when preparing for risk management, including identifying risk constraints and risk assumptions. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with identifying risk for the MSSS investment. (Recommendation 17) |
Closed – Implemented
In January 2020, IRS provided evidence that it had implemented the recommendation. Specifically, IRS provided a January 2020 risk log for the Mainframe and Servers Services and Support investment which identified risks including human resource risks, such as a lack of adequate resources to support organizational readiness activities for program and projects and a staffing shortage to support 24 X 7 operations. The risk log also included risk elements for each of the risks identified, such as probable impact date, mitigation status, and criticality. By implementing this recommendation, IRS has greater assurance that it will successfully identify and mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with analyzing risk for the MSSS investment. (Recommendation 18) |
Closed – Implemented
To address this recommendation, IRS took steps to document criteria for evaluating and quantifying risk likelihood and severity (impact) levels for MSSS and include both inherent and residual risks in the risk analysis for the investment. Specifically, in December 2019, IRS provided GAO with its October 2019 IT Risk Management Program Plan, which included an updated section on analyzing and prioritizing risk. In addition, in February 2021, IRS provided its April 2020 Risk Issue and Action Item Management procedures which defined and documented criteria for evaluating and quantifying risk likelihood and severity (impact) levels and grouping risks into defined categories. Further, in May 2021, IRS provided evidence that it analyzed residual risk for the MSSS investment. Specifically, IRS provided examples of detailed risk reports from the Item Tracking Reporting and Control tool it uses to catalog programmatic risks and issues and track risk from beginning to end. The reports showed that risks were analyzed for both inherent and residual risk. As a result of these actions, IRS is better positioned to successfully analyze risk and mitigate risks for MSSS before they adversely impact the agency's ability to carry out its mission.
|
| Internal Revenue Service | The Commissioner of the IRS should fully implement the risk management key practice associated with mitigating risk for the MSSS investment. (Recommendation 19) |
Closed – Implemented
In January 2020, IRS provided evidence that it had fully implemented the risk management key practice associated with mitigating risk for the MSSS Investment. Specifically, IRS provided Risk Reports, among other things, which identified that each risk has a "submit date", a "probable impact date", and a "projected completion date". As a result of its actions, IRS is better positioned to successfully mitigate risks before they adversely impact the agency's ability to carry out its mission.
|
Full Report
GAO Contacts
Office of Public Affairs
Topics
Best practicesBusiness systems modernizationHuman capital managementIT infrastructureIT investmentsIT personnelInformation storage and retrievalInformation technologyOperations and maintenanceRisk managementTax administrationTaxpayers