IRS improves IT governance of modernization program

But IG says tax agency needs to improve oversight of information technology projects.

The Internal Revenue Service has greatly improved management of its information technology projects, but managers still do not provide the proper oversight to catch problems and to spend money efficiently, according to an audit by the Treasury Department's inspector general for tax administration.

Comment on this article in The Forum.In fiscal 2006, the IRS revamped its IT governance model by implementing a tiered-program management structure that assigned projects to executive-level steering committees for oversight. The effort was in direct response to delays and cost overruns with its business modernization program, which the IRS launched in 1999 to replace its aging computer systems within 15 years. IRS developed the current strategy to use legacy systems when possible and deploy modernized systems on an incremental basis.

The IRS has made progress in implementing the new enterprise governance model under the direction of the program control and process management division in the IT services organization, the inspector general reported. The audit, which was performed at the Modernization and Information Technology Services organization facilities in New Carrollton, Md., from June to December 2007, found that in the past two years the division developed and distributed standardized templates for IT projects, documented processes and procedures for steering committees, created a master list to track and monitor programs, and formed or is planning to form program management offices for each organization in the agency.

A few business practices, however, have limited the success of the new model, according to the report, including inconsistent reporting practices and inadequate oversight and monitoring of projects. For example, the inspector general reported that naming conventions for IT projects were not consistent agencywide, making it difficult to clearly identify and monitor the various components. The IRS is in the process of correcting the problem.

The audit also found that the IRS had not adequately developed processes for self-assessments of IT projects. Each IT team is required to evaluate its project, termed a "health assessment," and report how the project is adhering to estimates for cost, schedule, scope, risk, staffing, organizational change and technical features to managers, who then determine whether any corrective actions should be taken. The inspector general found that the IRS had not conducted health assessments for all IT projects, always developed corrective actions for significant problems identified, and did not fully measure and report all key performance indicators for IT projects.

In addition, the audit found that the executive steering committees in some cases failed to effectively oversee all IT projects and track corrective action on a monthly basis, claiming governance is provided on an as needed basis. This, at times, resulted in wasteful spending. For example, compliance with Homeland Security Presidential Directive 12, which requires agencies to issue smart identification cards to federal employees and contractors, was not discussed by the security services and privacy executive steering committee for five months, resulting in wasting potentially $3.5 million, according to the audit.

The IRS began correcting weaknesses identified by the inspector general, its chief information officer Arthur Gonzalez wrote in a letter of response to the audit.

"The IRS has made significant progress toward ensuring appropriate management of our IT portfolio," Gonzalez wrote. "[And] much has been accomplished since the data gathering for this audit was completed," including monitoring of 60 percent of the agency's IT portfolio using the health assessment processes, approval of all major project milestone decisions, and establishment of all executive steering committees.