Summary: The Internal Revenue Service's (IRS) Business Systems Modernization (BSM) program is a multi-billion-dollar, high-risk, highly complex effort that involves the development and delivery of a number of modernized systems that are intended to replace the agency's aging business and tax processing systems. As required, IRS submitted its fiscal year 2009 expenditure plan in August 2008 to the congressional appropriations committees, requesting $222 million from the BSM account. GAO's objectives in reviewing the expenditure plan were to (1) determine whether it satisfies the applicable legislative conditions, (2) determine IRS's progress in implementing prior expenditure plan review recommendations, and (3) provide additional observations about the plan and the BSM program. To accomplish the objectives, GAO analyzed the plan, reviewed related documentation, and interviewed IRS officials.
IRS's expenditure plan satisfies the applicable legislative conditions, which include meeting the Office of Management and Budget's (OMB) capital planning and investment control review requirements, and complying with federal systems acquisition requirements and management practices. IRS has addressed two of GAO's prior recommendations to improve its management capabilities and controls, including a recommendation to develop policies and procedures for developing and managing project requirements. However, work remains in order to fully implement other recommendations: developing long-term plans for completing BSM, including consolidating and retiring legacy systems; developing a quantitative measure of scope; and developing a plan for addressing its various human capital initiatives. GAO's observations about the expenditure plan and the BSM program include the following: IRS continued to implement BSM projects and meet cost and schedule estimates for most deliverables; however, one project milestone experienced a significant cost increase, and two milestones experienced significant schedule delays. In addition, over half of the milestones were reported completed, despite having unaddressed issues. Specifically, reported project costs and completion dates showed that 10 of the 11 milestones were completed within 10 percent of cost estimates and 9 were completed within 10 percent of schedule estimates. However, 6 out of the 10 milestones reported as complete had conditional milestone exits, meaning that they were allowed to proceed to the next milestone with unaddressed issues. Because IRS's guidance does not specify procedures for determining when to grant conditional exits, the process could potentially be used to mask cost and schedule overruns and could result in premature milestone exits, introducing cost, schedule, and performance risks. BSM project releases continue to face significant risks and issues, which IRS is addressing. For example, IRS reports that a release of its new taxpayer information database continues to face schedule risks. Further, IRS recently informed GAO that it had stopped work on releases of two key systems and would re-evaluate them in light of the long-term plans for BSM, which are being revisited and are expected to be defined at a high level by June 2009. While IRS is addressing the risks and issues confronting the BSM program, GAO will continue to monitor these efforts. Security weaknesses continue to affect IRS's modernization environment. As GAO recently reported, IRS continues to have weaknesses in its information security controls. In addition, the Treasury Inspector General for Tax Administration reported that two tax administration systems were deployed with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery.
