This is the accessible text file for GAO report number GAO-11-587 entitled 'Investment Management: IRS Has a Strong Oversight Process but Needs to Improve How It Continues Funding Ongoing Investments' which was released on July 20, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Ranking Member, Subcommittee on Financial Services and General Government, Committee on Appropriations, House of Representatives: July 2011: Investment Management: IRS Has a Strong Oversight Process but Needs to Improve How It Continues Funding Ongoing Investments: GAO-11-587: GAO Highlights: Highlights of GAO-11-587, a report to the Ranking Member, Subcommittee on Financial Services and General Government, Committee on Appropriations, House of Representatives. Why GAO Did This Study: The Internal Revenue Service (IRS) relies extensively on information technology (IT) to carry out its mission. For fiscal year 2012, IRS requested about $2.67 billion for IT. Given the size and significance of these investments, GAO was asked to evaluate IRS’s capabilities for managing its IT investments. To address this objective, GAO reviewed IRS policies and procedures and assessed them using GAO’s IT investment management (ITIM) framework and associated methodology, focusing on the framework’s stage relevant to building a foundation for investment management (Stage 2). GAO also interviewed officials responsible for IRS’s investment management process. What GAO Found: IRS has established most of the foundational practices needed to manage its IT investments. Specifically, the agency has executed 30 of the 38 key practices identified by the ITIM framework as foundational for successful IT investment management, including all the practices needed to provide investment oversight and capture investment information (see table below). For example, IRS has defined and implemented a tiered governance structure to oversee its projects and has several mechanisms for the boards to regularly review IT investments’ performance. The agency has also established procedures for identifying and collecting information about its investments to inform decision making. Despite these strengths, IRS can improve its investment management process in two key areas. First, IRS does not have an enterprisewide IT investment board with sufficient representation from IT and business units that is responsible for the entire investment management process, and as a result may not be optimizing its decision- making process. Specifically, project selection is carried out by a team of two senior executives representing IRS’s deputy commissioners, rather than a larger body composed of representatives from both IT and business units, and as a result, the perspective and expertise represented are not as broad as they would be with a larger board. Further, because the responsibility for the select and control phases lies with different groups rather than a single body, results of one process are not used to inform decisions made in the other, as would happen with a single board responsible for implementing all phases of the investment management process. IRS stated that it plans to address this coordination issue. Second, IRS does not have a process, including defined criteria, for reselecting (i.e., deciding whether to continue funding) ongoing projects. Given the size of its IT budget, IRS could be spending millions of dollars with no assurance that the funds are being used wisely. Table: Summary of Results for Investment Foundation Critical Processes and Key Practices: Critical process: Instituting the investment board; Key practices executed: 6; Total required by critical process: 8; Percentage of key practices executed: 75%. Critical process: Meeting business needs; Key practices executed: 5; Total required by critical process: 7; Percentage of key practices executed: 71%. Critical process: Selecting an investment; Key practices executed: 6; Total required by critical process: 10; Percentage of key practices executed: 60%. Critical process: Providing investment oversight; Key practices executed: 7; Total required by critical process: 7; Percentage of key practices executed: 100%. Critical process: Capturing investment information; Key practices executed: 6; Total required by critical process: 6; Percentage of key practices executed: 100%. Critical process: Total; Key practices executed: 30; Total required by critical process: 38; Percentage of key practices executed: 79%. Source: GAO analysis of IRS data. What GAO Recommends: GAO is making recommendations to the Commissioner of Internal Revenue, including assigning responsibilities for implementing the investment management process to optimize decision making, and defining and implementing a process for deciding whether to continue funding ongoing projects. In commenting on a draft of this report, IRS concurred with GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-11-587] or key components. For more information, contact David A. Powner at (202) 512- 9286 or pownerd@gao.gov. [End of section] Contents: Letter: Background: IRS Has Established Many of the Key Practices to Effectively Manage Its Investments, but Improvements Can Be Made to Optimize Decision Making and Continue Funding Ongoing Investments: Conclusions: Recommendations for Executive Action: Agency Comments: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Internal Revenue Service: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: IRS Investment Management Governance Roles and Responsibilities: Table 2: Stage 2 Critical Processes--Building the Investment Foundation: Table 3: Summary of Results for Stage 2 Critical Processes and Key Practices: Table 4: Instituting the Investment Board: Table 5: Meeting Business Needs: Table 6: Selecting the Investment: Table 7: Providing Investment Oversight: Table 8: Capturing Investment Information: Figures: Figure 1: Simplified and Partial IRS Organizational Chart: Figure 2: ITIM Stages of Maturity: Abbreviations: BSM: Business Systems Modernization: ERT: Executive Review Team: ESC: Executive Steering Committee: IRS: Internal Revenue Service: IT: information technology: ITIM: information technology investment management: ITRAC: Item Tracking Reporting and Control: MEG: Modernization and Information Technology Services Enterprise Governance Committee: MITS: Modernization and Information Technology Services: OMB: Office of Management and Budget: S&CP: Strategy and Capital Planning: [End of section] United States Government Accountability Office: Washington, DC 20548: July 20, 2011: The Honorable José E. Serrano: Ranking Member: Subcommittee on Financial Services and General Government: Committee on Appropriations: House of Representatives: Dear Mr. Serrano: The Internal Revenue Service (IRS) relies extensively on information technology (IT) to annually collect over $2 trillion in taxes, distribute billions of dollars in refunds, and generally carry out its mission of providing America's taxpayers top-quality service by helping them understand and meet their tax responsibilities and by applying the federal tax laws with integrity and fairness to all. [Footnote 1] For fiscal year 2012, the agency's IT budget request is $2.67 billion.[Footnote 2] Given the size and significance of IRS's IT investments, you asked us to assess the agency's capabilities for managing these investments. To address our objective, we reviewed relevant policies and procedures and artifacts from IRS's investment management process and assessed them against the best practices identified in the GAO IT Investment Management (ITIM) framework.[Footnote 3] We interviewed officials responsible for defining and implementing various aspects of IRS's investment management process. We also selected four IT projects as case studies to verify that key practices were being implemented. [Footnote 4] We performed our work from January 2010 to July 2011, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Appendix I contains details about our objective, scope, and methodology. Background: The mission of the Internal Revenue Service, a bureau within the Department of the Treasury (Treasury), is to provide America's taxpayers top quality service by helping them understand and meet their tax responsibilities and by applying the federal tax laws with integrity and fairness to all. In carrying out its mission, IRS annually collects over $2 trillion in taxes from millions of individual taxpayers and numerous other types of taxpayers and manages the distribution of over $300 billion in refunds. To guide its future direction, the agency has two strategic goals: (1) improve taxpayer service to make voluntary compliance easier and (2) enforce the law to ensure everyone meets their obligations to pay taxes. IRS is organized into four primary operating divisions to meet the needs of specific taxpayer segments: * The Wage and Investment Division services individual taxpayers and provides the information, support, and assistance these taxpayers need to fulfill their tax obligations. * The Small Business and Self-Employed Division services all fully or partially self-employed individuals and corporations and partnerships with assets of $10 million or less. * The Large Business and International Division services corporations and partnerships with assets greater than $10 million. * The Tax Exempt and Government Entities Division services a large and unique economic sector of organizations, which include pension plans, exempt organizations, governmental entities, and tax-exempt bond issuers. IRS's Modernization and Information Technology Services (MITS) organization is responsible for delivering IT services and solutions to support tax administration as well as the operations of the broader organization. MITS also supports the delivery of IRS's business systems modernization efforts and improvement of customer service, and its responsibilities include management of all IT investments in both the development, modernization, and enhancement phase and the operations and maintenance phase. MITS is headed by the Chief Technology Officer. Within MITS, the Strategy and Planning Office, headed by the Associate Chief Information Officer for Strategy and Planning, has primary responsibility for defining and implementing the IT investment management process. The Strategy and Planning office includes a Strategy and Capital Planning (S&CP) group that focuses on IRS-wide IT strategy and capital planning and investment controls. [Footnote 5] The S&CP office also helps ensure the alignment of IT investments with Treasury's and IRS's strategies, as well as with best practices for investment management. It includes the following offices:[Footnote 6] * Investment Planning and Selection Office--responsible for enabling the prioritization and selection of significant IT investments. * IT Strategic Planning Office--responsible for determining strategic alignment between the functional areas of the Strategy and Planning office and MITS. * Transition Management Office--responsible for assessing organizational readiness through an examination of people, process, assets, and financials of new, enhanced, and retired systems through procedures and tools and communication with MITS business partners. * Estimation Program Office--responsible for developing and using government and industry best estimation practices in the delivery of full IT life cycle estimates. * Investment Management Office--responsible for serving as the primary interface with Treasury's capital planning and investment control organizations to coordinate actions including baseline change requests, budget formulation documents, and Office of Management and Budget (OMB) IT Dashboard reporting.[Footnote 7] * Investment Evaluation Office--responsible for examining whether an IT investment has met its intended objectives and yielded expected benefits as projected in the business case. The office is also responsible for examining the current performance of an investment and measures the performance against baseline parameters such as cost, schedules, and performance measures, and makes recommendations to IRS senior executives to aid investment management decisions to optimize the IRS IT portfolio. The Strategy and Planning office also includes the Financial Management Services group, which has responsibility for providing guidelines and direction on federal budget and financial policy for IT investments and operations. The group provides guidance on all matters pertaining to budget and financial policy, budget formulation, and financial analysis, including the management of IT expenses across the agency. Figure 1 shows a simplified and partial organizational chart of IRS. Figure 1: Simplified and Partial IRS Organizational Chart: [Refer to PDF for image: organizational chart] Top level: IRS Commissioner. Second level, reporting to IRS Commissioner: * Deputy Commissioner for Services and Enforcement; * Deputy Commissioner for Operations Support. Third level, reporting to Deputy Commissioner for Services and Enforcement: * Wage and Investment Division; * Small Business and Self-Employed Division; * Large Business and International Division; * Tax Exempt and Government Entities Division. Third level, reporting to Deputy Commissioner for Operations Support: * Modernization and information Technology Services (MITS). Fourth level, reporting to MITS: * Strategy and Planning. Fifth level, reporting to Strategy and Planning: * Financial Management Services; * Strategy and Capital Planning: - Investment Planning and Selection Office; - IT Strategic Planning Office; - Transition Management Office; - Estimation Program Office; - Investment Management Office; - Investment Evaluation Office. Source: IRS. [End of figure] IRS's Use of Information Technology: IT plays a critical role in enabling IRS to carry out its mission and responsibilities. For example, the agency relies on information systems to process tax returns, account for tax revenues collected, send bills for taxes owed, issue refunds, assist in the selection of tax returns for audit, and provide telecommunications services for all business activities, including the public's toll-free access to tax information. The President's fiscal year 2012 budget request for IRS is $13.3 billion. Of this requested amount, about $2.67 billion is for IT investments. According to IRS, about $447 million, or 17 percent, is to be spent on development, modernization, or enhancement activities; $1.88 billion,[Footnote 8] or 70 percent, is to be spent on operations and maintenance activities; and the remaining $344 million, or 13 percent, is for efforts associated with implementation of the Patient Protection and Affordable Care Act.[Footnote 9] IRS expects to fund 31 major systems[Footnote 10] representing about $1.68 billion, or 63 percent, of the total IT request, and 124 nonmajor systems representing $1 billion, or 37 percent, of the total request.[Footnote 11] Prior GAO and Treasury Reviews of IT Management Issues at IRS: Over the years, we have reviewed IRS's Business Systems Modernization (BSM) program, the agency's ongoing effort to modernize its tax administration and internal management systems, on an annual basis and also performed other work relevant to investment management at IRS: [Footnote 12] * Since 1999, we have reviewed and reported on IRS's Business Systems Modernization program. In particular, we have reported on program management capabilities and controls that are critical to the effective management of this program, such as cost and schedule estimates, requirements development and management, and postimplementation reviews of deployed projects. Accordingly, we have made numerous recommendations aimed at strengthening these controls and capabilities. Most recently, in our May 2010 review of the Business Systems Modernization program, we reported that while IRS had done much to define the phases of its Customer Account Data Engine 2 strategy for managing individual taxpayer accounts, the agency had not defined specific time frames for addressing key planning activities for the second phase, including defining core requirements.[Footnote 13] We recommended that IRS take several actions to improve program management capabilities and controls, including defining specific time frames for planning activities for the second phase to guide progress. In commenting on a draft of this report, IRS stated it would review the recommendations and provide a detailed corrective action plan to address them. * As part of our annual audit of IRS's financial statements, we assess the effectiveness of the agency's information security controls over its key financial and tax processing systems, information, and interconnected networks.[Footnote 14] In March 2011, we reported that although IRS had made progress in correcting information security weaknesses that we have reported previously, many weaknesses had not been corrected, and we identified many new weaknesses during our audit of its fiscal year 2010 financial statements.[Footnote 15] Specifically, 65 out of 88 previously reported weaknesses--about 74 percent--had not yet been corrected. In addition, we identified 37 new weaknesses. These weaknesses relate to access controls, configuration management, and segregation of duties. Weaknesses in these areas increase the likelihood of errors in financial data that result in misstatement and expose sensitive information and systems to unauthorized use, disclosure, modification, and loss. An underlying reason for these weaknesses--both old and new--is that IRS has not yet fully implemented key components of a comprehensive information security program. These weaknesses continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS's systems and, considered collectively, were the basis of our determination that IRS had a material weakness in internal control over its financial reporting related to information security in fiscal year 2010. * In March 2011, we provided an update on IRS's implementation of its Customer Account Data Engine 2 strategy for managing individual taxpayer accounts, noting weaknesses in the agency's efforts to improve the credibility of cost estimates and that IRS had not yet finalized expected benefits or set related quantitative targets for the second phase.[Footnote 16] We recommended that IRS (1) improve the credibility of revised cost estimates by including all costs or provide a rationale for excluding costs, and adjust costs for inflation, and (2) identify all of the second phase benefits, set the related targets, and identify how systems and business process might be affected. IRS agreed with our recommendations. Treasury's Inspector General for Tax Administration has also recently reported on investment management issues at IRS: * In July 2010, the organization reported on IRS's process to manage and control IT investments.[Footnote 17] It reported that IRS had recently merged its investment management activities into the Strategy and Capital Planning office, and stated that this office was in the process of updating IRS's Capital Planning and Investment Control Process Guide, developing desk guides for business cases and data calls, and identifying the steps for implementing a systematic investment selection, monitoring, and review process. It also reported that it concurred with the Strategy and Capital Planning office's November 2008 self-assessment that IRS was at the ITIM Stage 2 maturity level,[Footnote 18] and was moving toward the Stage 3 level of developing a complete investment portfolio. IRS's Approach to Investment Management: In addition to the groups within the MITS Strategy and Planning office mentioned above, several groups and individuals play a role in IRS's process to manage its IT investments. Involvement from these groups and individuals is necessary to complete aspects of the process including reviewing, approving, and selecting proposed investments; monitoring the investments through their implementation; and evaluating the results once they have become operational. Table 1 identifies the groups that have a role in this process and shows their composition and responsibilities. Table 1: IRS Investment Management Governance Roles and Responsibilities: Governance entity: Modernization and Information Technology Services Enterprise Governance Committee (MEG); Description/membership: IRS's highest-level recommending and decision- making body to oversee and enhance management of information systems and technology. Its purpose is to ensure that strategic modernization and IT program investments are aligned with and support (1) business needs across the agency and (2) the modernized vision of IRS. Provides a forum for MITS executives and business and functional executives to oversee and enhance management of IRS's portfolio of IT investments, management of resources, and advancement of IRS's modernization strategy. Cochaired by the Chief Technology Officer and a business operating division Deputy Commissioner appointed by the Deputy Commissioner for Operations support. Cochairs determine voting membership; Examples of responsibilities: Oversee the control phase of IRS's IT investment management process. As the highest-level governance board in overseeing IT projects, it has the ultimate authority in resolving issues of project performance; Approve use of management reserve funds for modernization projects; Approve Business Systems Modernization initiatives and their prioritization. Governance entity: Executive Review Team (ERT); Description/membership: Two senior executives representing the agency's Deputy Commissioners for Services and Enforcement and Operations Support. The main purpose of this team is to facilitate the preselect and select phases of the investment management process; Examples of responsibilities: Review proposals for new investments submitted by IRS's business units for potential inclusion in the IT portfolio; Select potential investments based on factors including alignment with strategic priorities, business value, and return on investment; Work with the two Deputy Commissioners to reach consensus on newly proposed investments and enhancements to ongoing projects to recommend to IRS's Commissioner for approval. Governance entity: Executive Steering Committees (ESCs); Description/membership: ESCs, which are to provide governance of cross- functional IRS capabilities, are to ensure project objectives are met, risks are managed appropriately, and expenditure of resources is fiscally sound. They provide governance of major and nonmajor projects. IRS currently has 11 IT governance ESCs. Typically cochaired by a business leader and a MITS leader (the Infrastructure ESC is cochaired by two MITS executives, though it has business voting representation). Other ESC members include voting and nonvoting members; Examples of responsibilities: Provide support to the MEG in overseeing projects; Provide governance for projects within their respective areas of responsibility; Oversee completion or closure of project action items requiring correction; Oversee investment milestone exit reviews, corrective action plans, and baseline change requests; Adhere to accepted principles and practices of the Enterprise Life Cycle; Resolve enterprisewide issues for ESC projects; Coordinate issues with organizations having external expertise to assist with decision making, such as policy exceptions; Manage cost, schedule, and scope variance within ESC-assigned thresholds; Address matters as assigned by the MEG Committee; Escalate unresolved disputes to the MEG Committee. Governance entity: Organizational Level Governance Boards; Description/membership: Organizational Level Governance Boards, which oversee governance of departmental projects, are responsible for ensuring objectives for mainly nonmajor projects are met, risks are managed appropriately, and resources are expended in a fiscally prudent fashion. IRS currently has 10 IT governance Organizational Level Governance Boards. The chairs are appointed by IRS senior officials, and the chairs determine the voting and nonvoting membership based on the Organizational Level Governance Board project portfolio; Examples of responsibilities: Ensure appropriate governance for primarily nonmajor projects within their respective areas of responsibility; Manage cost, schedule, and scope variance within assigned thresholds; Address matters as assigned by the appropriate ESC; Escalate disputes not resolved to the appropriate ESC or to the MEG Committee; Adhere to accepted principles and practices of the Enterprise Life Cycle; Resolve enterprisewide issues for Wage and Investment Organizational Level Governance Board projects; Coordinate issues with organizations having external expertise to assist with decision making, such as policy exceptions. Governance entity: Management Level Governance Boards; Description/membership: Management Level Governance Boards, which are to provide appropriate governance for selected nonmajor projects, are to ensure project objectives are met, risks are managed appropriately, and enterprise resources are expended in a fiscally sound fashion. Currently IRS has 22 IT governance Management Level Governance Boards. The chairs are appointed by IRS senior officials, and the chairs determine the voting and nonvoting membership based on the Management Level Governance Board project portfolio; Examples of responsibilities: Ensure appropriate governance for primarily nonmajor projects within their respective areas of responsibility; Manage cost, schedule, and scope variance within assigned thresholds; Address issues delegated by a higher-level governance board; Escalate issues not resolved to a higher-level governance board; Adhere to accepted principles and practices of the Enterprise Life Cycle; Resolve enterprisewide issues for projects; Coordinate issues with organizations having external expertise to assist with decision making, such as policy exceptions. Governance entity: Governance Coordinator; Description/membership: Assigned to one or more chartered governance bodies (e.g., MEG, ESCs) within IRS, serving as the governance process subject matter expert; Examples of responsibilities: Schedule meetings and record attendance, minutes, action items, and decisions made at meetings; Open and track action items until completion or closure is reported to and accepted by the governance board; Provide orientation for new chairs and voting members as needed. Source: GAO analysis of IRS data. [End of table] Process for Managing Investments: IRS's investment management process consists of four phases: preselect, select, control, and evaluate. Each phase is to be completed before beginning the subsequent phase. The preselect phase, which IRS began using during the summer of 2009, is to determine which proposals for new investments can move into the select phase and be considered for inclusion in the IRS IT portfolio. The process is intended to identify the specific business need an investment is expected to address and determine its alignment with the IRS strategic plan. Only investments that best support IRS's strategic plan and priorities are to be promoted through the preselect process and progress to the following phases. During this phase, a business owner prepares a two-page business case summary that, among other things, documents alignment with the agency priorities established by IRS's Senior Executive Team.[Footnote 19] In addition, a preliminary economic analysis accompanies the business case for each proposal. The Strategy and Capital Planning office is to provide the ERT with an initial overview of the submissions ensuring the data are complete and consistent with Senior Executive Team priorities and the IRS strategic vision. The ERT is to review these documents and determines whether the proposals can move forward. The select phase is the process by which proposals approved during the preselect phase are further reviewed by the ERT and selected for inclusion in IRS's budget submission. Business cases are further developed from the two-page summary that is prepared for the preselect phase, to include added information such as three technical alternatives, a risk analysis, and performance measures. A solution concept and cost estimate document that further refines the investment proposal and strengthens the business case is also developed. The investment summary is to be provided to the Deputy Commissioners to be used to determine which investments are to be considered for inclusion in the agency's portfolio. The ERT makes recommendations based on an investment's strategic value assessment, benefits, economic/risk assessments, standards, performance measures, and major project milestones and deliverables and works with the Deputy Commissioners to reach consensus on the proposals to recommend for the agency's budget submission, which then go to the Commissioner for final approval. The investments selected by the Commissioner are forwarded to the Department of the Treasury and then to OMB for funding approval. Once IRS's budget appropriation is funded, the investments proceed to the control phase. The purpose of the control phase is to provide oversight of projects that have been selected or are already under way. Prior to entering the control phase, an investment must have a developed project plan that includes objectives, an acquisition plan, risk management plan, schedule, deliverables, and projected/actual cost and benefits. Additionally the investment must have established a governance board investment review schedule and obtained governance approval to enter the control phase. During the control phase, Organizational Level Governance Boards and Management Level Governance Boards are to oversee nonmajor projects within their respective areas of responsibility and lend support to the ESCs. The ESCs serve as advisory boards to the MEG, IRS's highest-level governance board in overseeing IT projects. The ESCs are to monitor and track the progress and performance of ongoing IT investments against projected cost, schedule, and performance measures, and against quantitative and qualitative measures delivered through various mechanisms including health assessments, reviews of corrective actions plans, and milestone exit reviews. Specifically, a monthly health assessment is conducted to determine the extent to which investments are being effectively managed by reviewing key indicators such as cost and schedule. The health assessments are submitted to the ESCs for review and used by project managers to manage the project. A corrective action plan or baseline change request must be submitted and approved by the appropriate governance boards for investments that vary more than 10 percent from their original baseline in cost, schedule, or scope. The S&CP's Investment Management Office works with the project managers to validate all data used in investment reviews for accuracy and completeness. During the control phase, the ESCs conduct milestone reviews to determine whether an investment is ready to proceed to the next stage of development. The IRS Chief Technology Officer is provided with summary IT portfolio cost and schedule reports, which include information on relevant performance measures. After an investment is deemed ready for deployment based on the decision of the Chief Technology Officer and governance bodies, it proceeds to the evaluate phase. The evaluate phase involves an annual process to determine the extent to which a major IT investment has met its intended objectives and yielded expected benefits. Once the investment has been implemented, it should be continually monitored for performance, reliability, maintenance activities, cost, resource allocation, defects, problems, and changes. There are two subprocesses that are undertaken depending on the age and life-cycle stage of the investment: the postimplementation review and the operational analysis. Nonmajor investments are not required to undergo either of these processes. * A postimplementation review is done to identify an IT investment's impact on mission performance, focusing on the investment's impact on stakeholders and customers as well as its ability to deliver results and meet baseline goals. It is intended to identify potential improvements to IT project management practices and is performed by completing an assessment that compares expected performance goals established during the select phase with actual results, and to identify lessons learned for both the investment and the investment management process. The postimplementation review is required annually for all major IT investments that (1) fully exited the acquisition phase and moved into operations and maintenance in the past 6-12 months, (2) implemented a major release or modification, or (3) were retired or terminated during either development or operations. Once the postimplementation review data have been collected and reviewed, the project sponsor is to provide a formal presentation to the Chief Technology Officer that summarizes the investment evaluation as well as provide recommendations. According to IRS, because of resource constraints, postimplementation reviews are being performed only for Business Systems Modernization projects. * An operational analysis is to be conducted once an investment or meaningful project segment has moved into the operations and maintenance stage and has had a postimplementation review conducted. The purpose of an operational analysis is to identify investments that are potential candidates for modification, acceleration, replacement, or retirement. It is to be done by assessing the ability of a mature system or application to continue meeting user needs and performance goals based upon the performance of the system relative to the cost of replacing the system. If the system is determined to be a potential candidate for replacement or modification, a business case will need to be developed in the preselect phase. The operational analysis is to be performed biannually for all major investments in operations and maintenance, but not for any major investments already identified as requiring replacement. If any changes to the investment's acquisition baseline goals are required, the appropriate governance authority must approve them. Project managers are to report the operational analysis results on an annual basis as part of their budget submission. These results may also be submitted as lessons learned back into the other phases of the investment management process. ITIM Maturity Framework: To provide a method for evaluating and assessing how well an agency is selecting and managing its IT resources, GAO developed the ITIM framework.[Footnote 20] The ITIM framework is a maturity model composed of five progressive stages of maturity that an agency can achieve in its investment management capabilities. It was developed on the basis of our research into the IT investment management practices of leading private-and public-sector organizations. In each of the five stages, the framework identifies critical processes for making successful IT investments. The maturity stages are cumulative; that is, in order to attain a higher stage, the agency must have institutionalized all of the critical processes at the lower stages. The framework can be used to assess the maturity of an agency's investment management processes and as a tool for organizational improvement. The overriding purpose of the framework is to encourage investment processes that increase business value and mission performance, reduce risk, and increase accountability and transparency in the decision process. We have used the framework in several of our evaluations,[Footnote 21] and a number of agencies have adopted it. These agencies have used ITIM for purposes ranging from self- assessment to the redesign of their IT investment management processes. ITIM's five maturity stages represent steps toward achieving stable and mature processes for managing IT investments. Each stage builds on the lower stages; the successful attainment of each stage leads to improvement in the organization's ability to manage its investments. With the exception of the first stage, each maturity stage is composed of critical processes that must be implemented and institutionalized in order for the organization to achieve that stage. These critical processes are further broken down into key practices that describe the types of activities that an organization should be performing to successfully implement each critical process. It is not unusual for an organization to be performing key practices from more than one maturity stage at the same time, but efforts to improve investment management capabilities should focus on implementing all lower-stage practices before addressing higher-stage practices. In the ITIM framework, Stage 2 critical processes lay the foundation for sound IT investment processes by helping the agency to attain successful, predictable, and repeatable investment control processes at the project level. Specifically, Stage 2 encompasses building a sound investment management foundation by establishing basic capabilities for selecting new IT projects. It involves developing the capability to control projects so that they finish predictably within established cost and schedule expectations and having the capability to identify potential exposures to risk and put in place strategies to mitigate that risk. It also involves instituting an IT investment board,[Footnote 22] which includes defining its membership, guidance policies, operations, roles, responsibilities, and authorities for one or, if applicable, more IT investment boards within the organization, and, if appropriate, each board's support staff. The basic selection processes established in Stage 2 lay the foundation for more mature selection capabilities in Stage 3, which represents a major step forward in maturity, in which the agency moves from project-centric processes to a portfolio approach, evaluating potential investments by how well they support the agency's mission, strategies, and goals. Stage 3 requires that an organization continually assess both proposed and ongoing projects as parts of a complete investment portfolio--an integrated and competing set of investment options. It focuses on establishing a consistent, well-defined perspective on the IT investment portfolio and maintaining mature, integrated selection (and reselection), control, and evaluation processes, which are to be evaluated during postimplementation reviews. This portfolio perspective allows decision makers to consider the interaction among investments and the contributions to organizational mission goals and strategies that could be made by alternative portfolio selections, rather than to focus exclusively on the balance between the costs and benefits of individual investments. Stages 4 and 5 require the use of evaluation techniques to continuously improve both the investment portfolio and the investment processes in order to better achieve strategic outcomes. At Stage 4 maturity, an organization has the capacity to conduct IT succession activities and, therefore, can plan and implement the deselection of obsolete, high-risk, or low-value IT investments. An organization with Stage 5 maturity conducts proactive monitoring for breakthrough information technologies that will enable it to change and improve its business performance. Organizations implementing Stages 2 and 3 have in place the selection, control, and evaluation processes that are consistent with the Clinger-Cohen Act.[Footnote 23] Stages 4 and 5 define key attributes that are associated with the most capable organizations. Figure 2 shows the five ITIM stages of maturity and the critical processes associated with each stage. Figure 2: ITIM Stages of Maturity: [Refer to PDF for image: illustration] Stage 1: Creating investment awareness; Critical process: IT spending without disciplined investment processes. Stage 2: Building the investment foundation; Critical process: - Instituting the investment board; - Meeting business needs; - Selecting an investment; - Providing investment oversight; - Capturing investment information; Stage 3: Developing a complete investment portfolio; Critical process: - Defining the portfolio criteria; - Creating the portfolio; - Evaluating the portfolio; - Conducting postimplementation reviews. Stage 4: Improving the investment process: Critical process: - Improving the portfolio's performance; - Managing the succession of information systems. Stage 5: Leveraging IT for strategic outcomes: Critical process: - Optimizing the investment process; - Using IT to drive strategic business change. Source: GAO. [End of figure] As defined by the model, each critical process consists of key practices that must be executed to implement the critical process. Recent Initiative to Reform Federal IT Emphasizes Improvements in Investment Management through Streamlining Governance and Improving Accountability: In December 2010, OMB issued its 25 Point Implementation Plan to Reform Federal Information Technology Management, a plan spanning 18 months to reform IT management throughout the federal government. A key goal of the plan is to foster more effective management of large- scale IT programs. One way the plan recommends this be done is through streamlining governance and improving accountability. According to the plan, this involves reforming and strengthening investment review boards to enable them to more adequately manage agency IT portfolios, redefining the role of agency chief information officers and the federal Chief Information Officers Council to focus on portfolio management, and rolling out "TechStat" reviews at the agency and bureau levels to focus attention on IT investments, including those that are poorly performing or may need to be retired if they no longer meet the needs of the organization.[Footnote 24] IRS Has Established Many of the Key Practices to Effectively Manage Its Investments, but Improvements Can Be Made to Optimize Decision Making and Continue Funding Ongoing Investments: In order to have the capabilities to effectively manage IT investments, an agency should (1) build an investment foundation by putting basic, project-level control and selection practices in place (Stage 2 capabilities) and (2) manage its projects as a portfolio of investments, treating them as an integrated package of competing investment options and pursuing those that best meet the strategic goals, objectives, and mission of the agency (Stage 3 capabilities). IRS has established most of the foundational practices needed to manage its IT investments. Specifically, the department has executed 30 of the 38 key practices identified by the ITIM as foundational for successful IT management (Stage 2), including all the practices needed to provide investment oversight and capture investment information, and most of those needed to ensure that projects support business needs. In addition, IRS has initiated efforts to manage its investments as a portfolio, which, if fully executed, will provide IRS with the capability to determine whether it is selecting the mix of investments that best meet the agency's mission needs. Despite these strengths, weaknesses remain in IRS's execution of certain critical Stage 2 processes. Specifically, IRS does not have an enterprisewide IT investment board with sufficient representation from IT and business units that is responsible for the entire investment management process, and the agency has not fully documented its investment management process. In addition, IRS does not have a process, including defined criteria, for reselecting ongoing investments. Until it addresses these weaknesses, IRS cannot be assured that it is making the best decisions regarding whether its investments support ongoing and future business needs. IRS Has Established Most of the Foundational Practices Needed to Manage Its Investments: At the ITIM Stage 2 level of maturity, an organization has attained repeatable, successful IT project-level investment control and basic selection processes. Through these processes, the organization can identify expectation gaps early and take the appropriate steps to address them. According to ITIM, critical processes at Stage 2 include (1) defining IT investment board operations, (2) identifying the business needs for each IT investment, (3) developing a basic process for selecting new IT proposals and reselecting ongoing investments, (4) developing project-level investment control processes, and (5) collecting information about existing investments to inform investment management decisions. Table 2 describes the purpose of each of these Stage 2 critical processes. Table 2: Stage 2 Critical Processes--Building the Investment Foundation: Critical process: Instituting the investment board; Purpose: To define and establish an appropriate IT investment management structure and the processes for selecting, controlling, and evaluating IT investments. Critical process: Meeting business needs; Purpose: To ensure that IT projects and systems support the organization's business needs and meet users' needs. Critical process: Selecting an investment; Purpose: To ensure that a well-defined and disciplined process is used to select new IT proposals and reselect ongoing investments. Critical process: Providing investment oversight; Purpose: To review the progress of IT projects and systems, using predefined criteria and checkpoints, in meeting cost, schedule, risk, and benefit expectations and to take corrective action when these expectations are not being met. Critical process: Capturing investment information; Purpose: To make available to decision makers information to evaluate the impacts and opportunities created by proposed (or continuing) IT investments. [End of table] Source: GAO. IRS has executed most of the key practices associated with the Stage 2 processes. These include all of the key practices associated with providing investment oversight and capturing investment information and most of the practices associated with meeting business needs. However, IRS can improve the practices associated with the instituting the investment board and selecting the investment critical processes. Table 3 summarizes the status of IRS's Stage 2 critical processes, showing how many associated key practices the agency has executed. Table 3: Summary of Results for Stage 2 Critical Processes and Key Practices: Critical process: Instituting the investment board; Key practices executed: 6; Total required by critical process: 8; Percentage of key practices executed: 75%. Critical process: Meeting business needs; Key practices executed: 5; Total required by critical process: 7; Percentage of key practices executed: 71%. Critical process: Selecting an investment; Key practices executed: 6; Total required by critical process: 10; Percentage of key practices executed: 60%. Critical process: Providing investment oversight; Key practices executed: 7; Total required by critical process: 7; Percentage of key practices executed: 100%. Critical process: Capturing investment information; Key practices executed: 6; Total required by critical process: 6; Percentage of key practices executed: 100%. Critical process: Total; Key practices executed: 30; Total required by critical process: 38; Percentage of key practices executed: 79%. Source: GAO. [End of table] IRS Has Instituted an Investment Management Process but Has Not Fully Documented It or Assigned Responsibilities to Optimize Decision Making: The establishment of decision-making bodies or boards is a key component of the IT investment management process. At the Stage 2 level of maturity, organizations define one or more boards, provide resources to support the boards' operations, and appoint members who have expertise in both operational and technical aspects of proposed investments. The boards should operate according to a written IT investment process guide that is tailored to the organization's unique characteristics, thus ensuring that consistent and effective management practices are implemented across the organization. The organization selects board members who are knowledgeable about policies and procedures for managing investments. Organizations at the Stage 2 level of maturity also take steps to ensure that executives and line managers support and carry out the decisions of the investment board. According to the ITIM, organizations should, among other things, (1) establish an enterprisewide IT investment board composed of senior executives from IT and business units that is responsible for defining and implementing the organization's IT governance process, (2) have a documented IT investment process that directs each investment board's operations, and (3) establish management controls for ensuring that investment boards' decisions are carried out. (The complete list of key practices is provided in table 4.) IRS has executed six of the eight key practices for this critical process. For example, the agency has adequate resources for supporting the investment management process. These include the Strategy and Capital Planning office, which supports the ERT in ensuring proposed investments align with the agency's Senior Executive Team priorities, and lower-level governance boards, which support the MEG in overseeing projects once selected. IRS also has a portfolio management tool that supports the process. In addition, to ensure investment boards' decisions are carried out, the agency has established for the MEG, as well as for the lower-level governance boards supporting it, a coordinator position responsible for recording and tracking all board action items until closure. Despite these strengths, IRS has not fully documented its investment management process. Specifically, while IRS has several documents defining various aspects of its investment management process, none fully describe the preselect phase, which IRS began using during the summer of 2009; the select phase; or the role of the Executive Review Team. In addition, the guidance does not specify the manner in which IT investment-related processes will be coordinated with other organizational plans, processes, and documents--including, at a minimum, the strategic plan, budget, and enterprise architecture. IRS's Associate Chief Information Officer for Strategy and Planning acknowledged the shortcomings in its documentation and stated that the agency intends to update it by the end of the fiscal year. Until this happens, IRS cannot be assured that its investment management process will be carried out in a consistent manner or coordinated with other relevant processes to ensure investment decisions are fully informed. In addition, IRS does not have an enterprisewide investment board with sufficient representation from both IT and business units that is responsible for the entire investment management process. Specifically, the select phase is primarily carried out by two senior executives (the Executive Review Team), working with several individuals, rather than a larger body composed of representatives from IRS's IT and business units, and as a result, the perspective and expertise represented are not as broad as they would be with a larger board. Further, the responsibility for the select and control phases lies with two different groups rather than a single body, and it is not clear whether or how these groups are coordinating to ensure that the results of one phase are used to inform decisions made in the other, as would happen with a single board responsible for implementing all phases of the investment management process. IRS officials recognized the need for this coordination and stated they would address it by briefing the MEG (and later the ESCs) semiannually on the results of the select phase. In addition, the Associate Chief Information Officer for Strategy and Planning stated that "touch- points" between the investment management phases would be included in the investment management guidance that is expected to be updated by the end of the fiscal year. However, until IRS takes these actions and provides for broader business and IT representation among the groups responsible for carrying out the selection phase, it will have less assurance that its decision-making process is being optimized. Table 4 shows the rating for each key practice required to implement the critical process for instituting the investment board at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 4: Instituting the Investment Board: Type of practice: Organizational commitments: Key practice: 1. An enterprisewide IT investment board composed of senior executives from IT and business units is responsible for defining and implementing the organization's IT investment governance process; Rating: Not executed; Summary of evidence: IRS's Strategy and Capital Planning office is responsible for defining and implementing IRS's IT investment governance process, while the agency's ERT and governance boards, including the MEG and the ESCs that support the MEG, are responsible for implementing different aspects of this process. However, IRS does not have an enterprisewide investment board with sufficient representation from IT and business units that is responsible for the entire investment management process and as a result has less assurance that it is optimizing its decision-making process. Key practice: 2. The organization has a documented IT investment process directing each investment board's operations; Rating: Not executed; Summary of evidence: Although IRS has documentation on its IT investment management process, including for the operations of the MEG and the ESCs, this documentation does not reflect the agency's current investment management activities. For example, IRS has established the ERT entity to oversee the preselect and select phases of the agency's IT investment management process, but has not documented its operations. According to the Associate Chief Information Officer for Strategy and Planning, IRS has completed an initial draft of its revised guidance and plans to have it fully updated by the end of fiscal year 2011. Type of practice: Prerequisites: Key practice: 1. Adequate resources, including people, funding, and tools, are provided for supporting the operations of each IT investment board; Rating: Executed; Summary of evidence: IRS has several resources supporting its investment management process. For example, the S&CP supports the ERT during the selection phase of the investment management process to ensure proposed investments are aligned with the agency's Senior Executive Team priorities. For the MEG, ESC governance boards serve as advisory committees in overseeing projects within their respective areas of responsibility. IRS also has automated tools to assist in the process, including a web-based tool for collecting, storing, and organizing IT investment and portfolio information. Key practice: 2. The board members understand the organization's IT investment management policies and procedures and the tools and techniques used in the board's decision-making process; Rating: Executed; Summary of evidence: Board members have several means to maintain an understanding of the investment management process, including (1) a governance board coordinator, whose duties include providing orientation for new board cochairs and voting members as needed; (2) a website with information on the agency's investment management process; and (3) IRS training on the governance process. Key practice: 3. Each board's span of authority and responsibility is defined to minimize overlaps or gaps among the boards; Rating: Executed; Summary of evidence: The span of authority and responsibility of the MEG and the ESC governance boards that support the MEG is defined to minimize overlaps or gaps among these boards. Type of practice: Activities: Key practice: 1. The enterprisewide investment board has oversight responsibilities for the development and maintenance of the organization's documented IT investment process; Rating: Executed; Summary of evidence: IRS's Strategy and Capital Planning office is responsible for defining and maintaining IRS's IT documented investment governance process. According to the Associate Chief Information Officer for Strategy and Planning, IRS is in the process of updating the current investment management process. Key practice: 2. Each investment board operates in accordance with its assigned authority and responsibility; Rating: Executed; Summary of evidence: The MEG and ESC governance boards operate in accordance with their assigned authority and responsibility, as reflected in meeting minutes. Key practice: 3. The organization has established management controls for ensuring that investment boards' decisions are carried out; Rating: Executed; Summary of evidence: IRS has established for the MEG and the ESCs a governance board coordinator position to ensure that decisions made by these boards are carried out, as well as an automated system for tracking the boards' action items. Source: GAO analysis of IRS data. [End of table] IRS Has a Process for Ensuring Projects Are Aligned with Ongoing and Future Business Needs: Defining business needs for each IT project helps to ensure that projects and systems support an organization's business needs and meet users' needs. This critical process ensures that an organization's business objectives and its IT management strategy are linked. According to the ITIM, effectively meeting business needs requires, among other things, (1) documenting business needs with stated goals and objectives, (2) identifying specific users and other beneficiaries of IT projects and systems, (3) providing adequate resources to ensure that projects and systems support the organization's business needs and meet users' needs, and (4) periodically evaluating the alignment of IT projects and systems with the organization's strategic goals and objectives. (The complete list of key practices is provided in table 5.) IRS has executed five of the seven key practices for ensuring business needs are met. Specifically, IRS has documented its business mission, with stated goals and objectives, in its IRS Strategic Plan for fiscal years 2009-2013. In addition, resources are devoted to ensuring that IT projects and systems support the organization's business needs and meet users' needs, including a portfolio management tool, several investment support groups, and a business case template in which new project proposals are required to show alignment with strategic goals and Senior Executive Team priorities. Further, IRS defines and documents business needs for both proposed and ongoing IT projects in its portfolio management tool. In addition, IRS's enterprise life-cycle guidance calls for users to participate in project management throughout each project's life cycle. For the four projects we reviewed, we verified that business needs and specific users and other beneficiaries were identified and documented in the portfolio management tool. In addition, we verified that users are involved in project management throughout the life cycle of the projects. Finally, IRS has several processes for defining and documenting business needs for proposed and ongoing projects and systems, including the preselect process in which proposed investments are aligned with the Senior Executive Team priorities that reflect strategic goals and objectives and the annual update of IRS's Enterprise Transition Plan. This document, which provides a 3-to 5- year road map for deploying IT investments, among other things, aligns investments with IRS's business domains (i.e., functions). Last year, IRS also initiated a Business-Technology Alignment initiative to align business units' strategic focus areas with key technologies. We verified that the four projects we reviewed were aligned with strategic goals and objectives. However, while IRS has documented procedures for ensuring that IT projects and systems support IRS's business needs, these procedures do not address actions to be taken when ongoing projects no longer support business needs. In addition, while IRS stated that proposed projects that do not align with the Senior Executive Team priorities are not accepted, the agency did not describe a process for taking corrective actions when ongoing projects are not aligned with business needs or provide supporting examples. Until IRS performs all the key practices associated with the Meeting Business Needs critical process, it will have less assurance that it is investing in only those projects that are needed to meet the agency's business needs. Table 5 shows the rating for each key practice required to implement the critical process for meeting business needs at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 5: Meeting Business Needs: Type of practice: Organizational commitment: Key practice: 1. The organization has documented policies and procedures for ensuring that IT projects or systems support the organization's ongoing and future business needs; Rating: Not executed; Summary of evidence: IRS has documented procedures for ensuring that IT projects and systems support the organization's business needs; however, these procedures do not address actions to be taken when ongoing projects no longer support business needs. Type of practice: Prerequisites: Key practice: 1. The organization has a documented business mission with stated goals and objectives; Rating: Executed; Summary of evidence: IRS has documented its mission, stated goals, and objectives in its 2009-2013 strategic plan. Key practice: 2. Adequate resources, including people, funding, and tools, are provided for ensuring that IT projects and systems support the organization's business needs and meet users' needs; Rating: Executed; Summary of evidence: IRS has adequate resources for ensuring that its IT projects and systems support the organization's business needs and meet users' needs. They include a portfolio management tool, and a Strategy and Capital Planning group comprising several support offices, including the Investment Planning and Selection Office. The agency also has created templates to develop business cases for new initiatives where project business needs are documented. Type of practice: Activities: Key practice: 1. The organization defines and documents business needs for both proposed and ongoing IT projects and systems; Rating: Executed; Summary of evidence: IRS requires that business needs be defined and documented within the IRS portfolio management tool for both proposed and ongoing projects. We verified that business needs were defined and documented in IRS's portfolio management tool for the four projects we reviewed. Key practice: 2. The organization identifies specific users and other beneficiaries of IT projects and systems; Rating: Executed; Summary of evidence: IRS identifies specific users and other beneficiaries of IT projects and systems through its portfolio management tool. We verified that end users were defined and documented in IRS's portfolio management tool for the four projects we reviewed. Key practice: 3. Users participate in project management throughout an IT project's or system's life cycle; Rating: Executed; Summary of evidence: IRS has procedures specifying the involvement of users throughout a project's life cycle. We verified that users participated in the project management activities for the four projects we reviewed. Key practice: 4. The investment board periodically evaluates the alignment of its IT projects and systems with the organization's strategic goals and objectives and takes corrective actions when misalignment occurs; Rating: Not executed; Summary of evidence: IRS has a process for annually evaluating the alignment of IT projects and systems with strategic goals and objectives. While IRS stated that proposed projects that do not align with the Senior Executive Team priorities are not accepted, the agency did not describe a process for or provide examples of corrective actions taken when ongoing projects are not aligned with business needs. Source: GAO analysis of IRS data. [End of table] IRS Has a Disciplined Process for Selecting New Proposals but Lacks a Process for Reselecting Ongoing Investments: Selecting new IT proposals and reselecting ongoing investments require a well-defined and disciplined process to provide the agency's investment boards, business units, and developers with a common understanding of the process and the cost, benefit, schedule, and risk criteria that will be used both to select new projects and to reselect ongoing projects for continued funding. According to the ITIM, this critical process requires, among other things, (1) providing adequate resources for investment selection activities, (2) making funding decisions for new proposals according to an established process, and (3) using a defined selection process to select new investments and reselect ongoing investments. (The complete list of key practices is provided in table 6.) IRS has executed 6 of the 10 key practices associated with selecting an investment. The agency has aligned its funding decisions with its selection process for new and ongoing investments by having the Financial Management Services group issue guidance that integrates the funding initiatives with the investment selection process. IRS's portfolio management tool contains forms for entering information related to the select phase. We verified that the four systems we reviewed--the Integrated Customer Communication Environment system, the Integration Collection System, the Integrated Data Retrieval System, and the Security Audit and Analysis System--used the forms in the portfolio management tool for entering select data. IRS has also documented criteria for analyzing, prioritizing, and selecting new investments in its capital planning guide that address its strategic goals. However, weaknesses remain in the organization's ability to select investments. Although IRS has documentation that addresses the investment selection process, the guidance does not fully document the current process being used. For example, the guidance does not specify the roles and responsibilities of the ERT that has been involved in the selection process over the last 2 years. As previously noted, IRS recognizes this shortcoming in its documentation and stated that it plans to address it by the end of the fiscal year. Until IRS has documented policies and procedures that reflect the current process for selecting new investments, there is a risk that projects will not be selected in a consistent manner and IRS will not have the transparency that is needed to increase effectiveness. In addition, IRS has not established a process, including supporting criteria, for analyzing, prioritizing, and reselecting ongoing investments. MITS senior managers are expected to use a series of questions to evaluate their continued need for IT investments--in particular those in operations and maintenance--however, these questions are more focused on identifying savings and efficiencies than on evaluating the need for continued funding. Examples of these questions include the following: (1) Is there a less expensive option to provide maintenance support? (2) Can multiple project resources be combined to reduce costs? Until IRS establishes a process including criteria for reselecting investments, it will not be adequately assured that it is objectively continuing to fund the right projects. Considering that investments in operations and maintenance represent $1.88 billion, or 70 percent of IRS's total IT budget request of $2.67 billion for fiscal year 2012, IRS could be funding millions of dollars in investments that are no longer needed and which could be made available for investments that better support the agency's needs. Table 6 shows the rating for each key practice required to implement the critical process for selecting an investment at the Stage 2 level of maturity and summarizes the evidence that supports these ratings. Table 6: Selecting the Investment: Type of practice: Organizational commitments: Key practice: 1. The organization has documented policies and procedures for selecting new IT proposals; Rating: Not executed; Summary of evidence: While IRS has documented policies and procedures for selecting new IT proposals, they do not reflect IRS's current process. For example, they do not address the role of the ERT in carrying out the selection process. Key practice: 2. The organization has documented policies and procedures for reselecting ongoing IT investments; Rating: Not executed; Summary of evidence: While IRS executives are expected to ensure that only investments that support IRS's needs continue to be funded, IRS has no process for reselecting ongoing investments. Key practice: 3. The organization has documented policies and procedures for integrating funding with the process of selecting an investment; Rating: Executed; Summary of evidence: IRS has policies and procedures for integrating funding with the selection of investments. The Financial Management Services group has issued guidance that integrates the funding Initiatives with the investment selection process. Type of practice: Prerequisite: Key practice: 1. Adequate resources, including people, funding, and tools, are provided for identifying and selecting IT projects and systems; Rating: Executed; Summary of evidence: IRS has adequate resources for identifying and selecting projects and systems. They include the Strategy and Capital Planning group. Also, IRS has implemented templates for developing its business cases. Key practice: 2. Criteria for analyzing, prioritizing, and selecting new IT investment opportunities have been established; Rating: Executed; Summary of evidence: IRS has established criteria for analyzing, prioritizing, and selecting new investments. They include the Senior Executive Team priorities, which IRS has used for the past two budget cycles. Key practice: 3. Criteria for analyzing, prioritizing, and reselecting IT investment opportunities have been established; Rating: Not executed; Summary of evidence: IRS has not established criteria for analyzing, prioritizing, and reselecting ongoing projects. Key practice: 4. A mechanism exists to ensure that the criteria continue to reflect organizational objectives; Rating: Executed; Summary of evidence: IRS has a mechanism in place to ensure that the criteria continue to reflect organizational objectives. For the past two budget cycles, IRS has issued budget guidance outlining the Senior Executive Team priorities that reflect the agency's organizational objectives. Type of practice: Activities: Key practice: 1. The organization uses its defined selection process, including predefined selection criteria, to select new IT investments; Rating: Executed; Summary of evidence: IRS uses a business case template to preselect and select new IT investments. The preselect template includes the Senior Executive Team priorities, which are used as selection criteria. While we were not able to verify the use of IRS's defined selection process for our case study projects (these projects predate this selection process), we verified that it was used for other projects. Key practice: 2. The organization uses the defined selection process, including predefined selection criteria, to reselect ongoing IT investments; Rating: Not executed; Summary of evidence: Type of practice: IRS does not have a process for reselecting ongoing projects. Key practice: 3. Executives' funding decisions are aligned with selection decisions; Rating: Executed; Summary of evidence: Because IRS uses its budget formulation process to select investments, executives' funding decisions are aligned with selection decisions. Source: GAO analysis of IRS data. [End of table] IRS Has an Effective Process for Overseeing Its IT Investments: An organization should effectively oversee its IT projects throughout all phases of their life cycles. An investment board should observe each project's performance and progress toward predefined cost and schedule expectations as well as each project's anticipated benefits and risk exposure. This does not mean that a departmental board should micromanage each project to provide effective oversight; rather, it means that the departmental board should be actively involved in all IT investments and proposals that are high cost or high risk or have significant scope and duration and, at a minimum, should have a mechanism for maintaining visibility of other investments. The board should also employ early-warning systems that enable it to take corrective actions at the first sign of cost, schedule, and performance slippages. According to the ITIM, effective project oversight requires, among other things, (1) having written policies and procedures for management oversight; (2) developing and maintaining an approved management plan for each IT project; (3) making up-to-date cost and schedule data for each project available to the oversight boards; (4) having regular reviews by each investment board of each project's performance against stated expectations; and (5) ensuring that corrective actions for each underperforming project are documented, agreed to, implemented, and tracked until the desired outcome is achieved. (The complete list of key practices is provided in table 7.) IRS has executed all seven key practices associated with effective project oversight. The agency has developed written policies and procedures for management oversight of its investments. These include (1) a tiered escalation guide that outlines the process for elevating a project to a higher level of control or governance for review, mitigation, and resolution when resolution cannot be reached at a project's respective level of control or governance, and (2) written procedures and a template for conducting milestone exit reviews to assess a project's readiness for moving to the next phase of its life cycle or exiting a milestone. In addition, the agency has adequate resources for overseeing IT projects that lend support to the MEG, IRS's highest governance board for overseeing projects during the control phase. To support the MEG, IRS has lower-level governance bodies--ESCs, Organizational Level Governance Boards, and Management Level Governance Boards--for overseeing the agency's IT investments. For example, each quarter, the ESC cochairs review projects that are experiencing significant cost variances and schedule slippages. The agency also maintains an automated system for tracking project action items assigned during governance board meetings until mitigated. IRS also requires project management plans that document cost, schedule, benefit, and risk expectations. We verified that these project management plans were developed for the four projects we reviewed. Table 7 shows the rating for each key practice required to provide investment oversight and summarizes the evidence that supports these ratings. Table 7: Providing Investment Oversight: Type of practice: Organizational commitment: Key practice: 1. The organization has documented policies and procedures for management oversight of IT projects and systems; Rating: Executed; Summary of evidence: IRS has written policies and procedures for management oversight of IT projects and systems. These include its (1) Tiered Program Management Escalation Guide, which outlines the process for elevating a project with a potential issue, action, or concern to a higher level of control or governance for review, mitigation, and resolution, and (2) written procedures and a template for conducting milestone exit reviews for determining a project's readiness to begin the next phase of its life cycle or exit a milestone. Type of practice: Prerequisites: Key practice: 1. Adequate resources, including people, funding, and tools, are provided for IT project oversight; Rating: Executed; Summary of evidence: IRS has adequate resources for providing IT project oversight. To support the MEG, IRS has several lower-level governance bodies--ESCs, Organizational Level Governance Boards, and Management Level Governance Boards--for overseeing the agency's IT investments. The agency also has several automated tools to assist in the process, including the Item Tracking Reporting and Control (ITRAC) system for tracking project action items through resolution assigned during governance board meetings. Key practice: 2. IT projects and systems, including those in steady state (operations and maintenance), maintain approved project management plans that include expected cost and schedule milestones and measurable benefit and risk expectations; Rating: Executed; Summary of evidence: IRS guidance requires all IT projects to have a project management plan that includes cost, schedule, benefits, and risk expectations. We verified for the four case study projects we reviewed that the agency maintained project management plans that included these expectations. Type of practice: Activities: Key practice: 1. Data on actual performance (including cost, schedule, benefit, and risk performance) are provided to the appropriate IT investment board[A]; Rating: Executed; Summary of evidence: IRS requires monthly assessments--referred to as health assessments--for all of its IT projects, including those in operations and maintenance, to be conducted by the responsible project team. These assessments collect data on six performance areas, including cost, schedule, and risk, and are reported to the respective ESC representing the IRS domain (business area) the project is in. IRS's escalation process can use the results of the health assessments for elevating projects with a potential issue to a higher governance level for review, mitigation, and resolution. We verified that health assessments were performed for the four case study projects we reviewed. Key practice: 2. Using verified data, each investment board regularly reviews the performance of IT projects and systems against stated expectations; Rating: Executed; Summary of evidence: IRS has a project health assessment process for updating project information monthly. As part of the control function, this is to ensure project status data are of the highest quality and to provide complete, timely, and relevant project information for governance decision making. IRS's Milestone Exit Review procedure requires governance oversight of all major and nonmajor investments to determine their readiness to begin the next phase of their life cycle, during which the status of the projects' cost, schedule, performance, and risk are reviewed. These exit reviews were noted in applicable governance board meeting minutes for all four of our case study projects. Key practice: 3. For each underperforming IT project or system, appropriate actions are taken to correct or terminate the project or system in accordance with defined criteria and the documented policies and procedures for management oversight; Rating: Executed; Summary of evidence: IRS requires quarterly reports on projects experiencing significant cost variances and schedule slippages, which are reviewed by the ESC cochairs. The agency provided examples of these reports, which identified both major and nonmajor projects and indicated the mitigation action taken. IRS also has an automated tool, its ITRAC system, for tracking project action items assigned during governance board meetings. Action items were identified for all four of our case study projects. Key practice: 4. The investment board regularly tracks the implementation of corrective actions for each underperforming project until the actions are completed; Rating: Executed; Summary of evidence: IRS maintains an automated system, ITRAC, for monitoring action items from creation to resolution, and assigns responsibility to a governance board coordinator to document action items in meeting minutes and ITRAC. IRS provided evidence of tracking ITRAC action items in a report that included action items for our three major project case studies (Integration Collection System, Integrated Customer Communication Environment, and Integrated Data Retrieval System). For our nonmajor project case study, the Security Audit and Analysis System, an action item was identified as being closed in its governance board meeting minutes. Source: GAO analysis of IRS data. AIn November 2008, we reported that IRS had not completed the process of developing and institutionalizing the use of full cost information for the range of its programs and activities. The "full cost" of a program or activity includes all the direct costs, including personnel time charges, and indirect costs, such as the allocation of overhead costs, that are applicable to the program or activity. While IRS has taken several steps to address this issue, it has not yet been fully addressed. See GAO, Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness, GAO-09-513R (Washington, D.C.: June 24, 2009). [End of table] IRS Has a Structured Process for Capturing Investment Information: To make informed decisions regarding IT investments, an organization must be able to acquire, store, and retrieve pertinent information about each investment. During this critical process, the organization identifies its IT assets and uses a comprehensive repository to store pertinent investment information. This repository of IT investment information is used to track the organization's IT resources to provide insights and trends about major IT cost and management drivers. The information in the repository serves to highlight lessons learned and to support current and future investment decisions. According to the ITIM framework, effectively capturing investment information requires, among other things, (1) developing documented policies and procedures for identifying and collecting information about IT projects and systems to support the investment management process, (2) assigning an official with responsibility for ensuring that the investment information collected meets the needs of the investment management process, (3) collecting and retaining easily accessible relevant investment information relating to identified IT investments, and (4) ensuring that information repositories are used by decision makers to support investment management and related decisions. IRS has executed all six practices associated with capturing investment information. For example, according to IRS officials, the Chief Technology Officer is responsible for ensuring that collected investment information meets the needs of the investment management process. Also, the agency has adequate resources for supporting the process, including the Investment Planning and Selection Office, the Estimation Program Office, and the Investment Management Office, which work together in the development and compilation of relevant investment information. Additionally, IRS has a number of tools to identify and collect investment information, including a portfolio management tool and project and action item tracking systems. Captured investment information is easily accessible to decision makers through reports generated by IRS's portfolio management tool, quarterly briefings, and monthly health assessments that use six key performance indicators to determine an investment's status. Table 8 shows the rating for each key practice required to implement this Stage 2 critical process and summarizes the evidence that supports these ratings. Table 8: Capturing Investment Information: Type of practice: Organizational commitments: Key practice: 1. The organization has documented policies and procedures for identifying and collecting information about IT projects and systems to support the investment management process; Rating: Executed; Summary of evidence: IRS's capital planning guide and its Enterprise and Domain Processes and Procedures Manual have documented policies and procedures for identifying and collecting information to support the investment management process. This includes the use of a portfolio management tool to collect and maintain information on IT investments. Key practice: 2. An official is assigned responsibility for ensuring that the information collected during project and systems identification meets the needs of the investment management process; Rating: Executed; Summary of evidence: According to IRS officials, the IRS Chief Technology Officer has overall responsibility for ensuring that investment information is collected to support business decisions and that it meets the needs of the investment management process. Type of practice: Prerequisite: Key practice: 1. Adequate resources, including people, funding, and tools, are provided for identifying IT projects and systems and collecting relevant investment information about them; Rating: Executed; Summary of evidence: The agency has adequate resources for meeting this key practice, including IRS's Investment Planning and Selection Office, Estimation Program Office, and Investment Management Office, which assist in the development and compilation of relevant information on IT investments. A coordinator serves as IRS's single point of contact to the Treasury Capital Planning and Investment Control Team and passes along information, instructions, and due dates to the IT investment project managers. IRS also has an automated portfolio management tool to identify and collect information on its IT investments. Type of practice: Activities: Key practice: 1. The organization's IT projects and systems are identified, and specific information is collected to support decisions about them; Rating: Executed; Summary of evidence: IRS has a number of tools to identify and collect information on its IT investments, including a portfolio management tool, a project tracking system, and an action item tracking system. These systems are used to collect investment information for use by decision makers. Key practice: 2. The information that has been collected is easily accessible and understandable to decision makers and others; Rating: Executed; Summary of evidence: IRS IT Investment Information is collected, synthesized, and reported through the IRS's portfolio management tool. Quarterly summary briefings are also prepared for executives to report key findings, milestone information, and other project performance information. Key practice: 3. The information repository is used by investment decision makers and others to support investment management; Rating: Executed; Summary of evidence: The IRS's portfolio management tool, Project Tracking System, and ITRAC are used by investment decision makers to support investment management decisions. MEG, ESCs, and other investment management decision makers use generated reports, quarterly reports, and views of OMB's Dashboard to formulate and support their decisions. Agency officials stated that integrated project teams are responsible for reviewing the information in the tool for accuracy and completeness. Source: GAO analysis of IRS data. [End of table] IRS Has Initiated Efforts to Manage Its Investments as a Portfolio: Once an agency has attained Stage 2 maturity, it needs to implement critical processes for managing its investments as a portfolio (Stage 3). Such capabilities enable an agency to consider its investments comprehensively, so that collectively the investments optimally address the organization's mission, strategic goals, and objectives. Managing IT investments as a portfolio also allows an organization to determine its priorities and make decisions about which projects to fund and continue to fund based on analyses of the relative organizational value and risks of all projects, including projects that are proposed, under development, and in operation. Although investments may initially be organized into subordinate portfolios-- based on, for example, business lines or life-cycle stages--and managed by subordinate investment boards, they should ultimately be aggregated into this enterprise-level portfolio. According to the ITIM framework, Stage 3 maturity includes (1) defining the portfolio criteria, (2) creating the portfolio, (3) evaluating the portfolio, and (4) conducting postimplementation reviews. During our review, we noted activities the agency had performed to manage its investments as a portfolio. For example, under the critical process for creating the portfolio, the agency provided evidence that it was capturing and maintaining investment information for future reference and that it had developed an Enterprise Portfolio and Sequencing Plan to guide its IT investments. IRS also has begun addressing the critical process for conducting postimplementation reviews. The agency has developed guidance that (1) specifies that the review should be conducted 6-12 months after a project's deployment, (2) defines roles and responsibilities for conducting the review, and (3) identifies templates for supporting the process. IRS provided examples of the results of two such reviews. According to IRS officials, the agency has not concentrated on implementing Stage 3 key practices because the agency has focused its resources on establishing the Stage 2 practices associated with building the IT investment management foundation. Full implantation of the Stage 3 critical processes associated with portfolio management will provide IRS with the capability to determine whether it is selecting the mix of products that best meet the agency's mission needs. Conclusions: Given the importance of IT to IRS's mission, it is critical that the agency adopt an effective institutional approach to IT investment management. To its credit, IRS has implemented most of the key practices for such an approach, laying the groundwork for greater maturity. Most notably, the agency has established a strong process for overseeing its investments, implementing all the key practices associated with providing investment oversight. This should provide greater assurance that projects' progress in meeting cost, schedule, risk, and benefit expectations is tracked and that corrective actions are taken when these expectations are not being met. However, IRS has yet to fully document its investment management process, which increases the risk that the process will not be implemented consistently or institutionalized. In addition, because of the Executive Review Team's composition and the manner in which responsibilities for the select and control phases are assigned, IRS may not be optimizing its investment decision-making process. Finally, IRS has not established a structured process, including supporting criteria, for reselecting these projects. Considering the size of IRS's IT budget, not having a process for reselecting ongoing projects could result in potentially millions of dollars being spent with no assurance that the funds are being used wisely. Recommendations for Executive Action: We recommend that the Commissioner of Internal Revenue direct the appropriate officials to take the following four actions. * ensure that the investment management guidance that is expected to be updated by the end of the fiscal year fully documents the preselect and select phases and the role of the Executive Review Team, and specifies the manner in which IT investment-related processes will be coordinated; * assign investment management responsibilities to optimize the decision-making process by ensuring that (1) selection decisions are made by a group that includes sufficient representation from business and IT units to provide broad perspective and expertise, and (2) investment decisions are fully informed by the results of relevant phases of the investment management process; * define and implement a process for taking corrective actions when ongoing projects are not aligned with strategic goals and objectives; and: * define and implement a process, including defined criteria, for reselecting ongoing projects. Agency Comments: In written comments on a draft of this report, IRS's Commissioner concurred with our recommendations and stated that the agency would provide a detailed corrective action plan addressing each recommendation. The Commissioner further stated that IRS appreciated that the report recognized the progress the agency has made in providing investment oversight and capturing investment information. He also noted that IRS is reviewing its existing governance structure and the accountabilities of the various boards and is in the process of creating an Investment Review Board with broad senior-level representation. IRS's comments are reprinted in appendix II. We are sending copies of this report to interested congressional committees and the Commissioner of Internal Revenue. In addition, the report will be available at no charge on GAO's website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions on the matters discussed in this report, please contact me at (202) 512-9286 or pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: David A. Powner: Director, Information Technology Management Issues: [End of section] Appendix I: Objective, Scope, and Methodology: The objective of our review was to assess the Internal Revenue Service's (IRS) capabilities for managing its information technology (IT) investments. Our analysis was based on practices contained in GAO's Information Technology Investment Management (ITIM) framework[Footnote 25] and the framework's associated evaluation methodology, and focused on the agency's implementation of critical processes and key practices for managing its business systems investments. To address this objective, we asked IRS to complete a self-assessment of its investment management process and provide supporting documentation. We reviewed the results of this self-assessment of Stage 2 practices and compared them against our ITIM framework and validated and updated the results of the self-assessment through document reviews and interviews with officials. We reviewed written policies, procedures, guidance, and other documentation that provided evidence of executed practices, including IRS's Capital Planning and Investment Control Guide, Enterprise Transition Plan, Tiered Program Management Escalation Guide, Enterprise and Domain Processes and Procedures Manual-Release 1.3, Program Governance Office Procedure Guide v.1.0, Post Implementation Review Process Guide, Exhibit 300 Scoring Guide, portfolio management tool guidance, and various memorandums. We also reviewed Modernization and Information Technology Services Enterprise Governance committee, Executive Steering Committee, Organization Level Governance Board, and Management Level Governance Board meeting materials and other documentation. In addition, we conducted interviews with officials from IRS's Modernization, Information Technology, and Services organization, Strategy and Capital Planning office, and Financial Management Services group. Together, these three organizations have the responsibility to oversee and ensure that IRS's IT investment management process is implemented and followed. In comparing the evidence collected from our document reviews and interviews with the key practices in our ITIM framework, we rated the key practices as "executed" on the basis of whether the agency demonstrated (by providing evidence of performance) that it had met the criteria of the key practice. A key practice was rated as "not executed" when we found insufficient evidence of a practice during the review or when we determined that there were significant weaknesses in IRS's execution of the key practice. In addition, IRS was provided with the opportunity to produce evidence for key practices rated as not executed. We did not assess progress in establishing the capabilities found in Stages 3, 4, and 5 because the agency officials acknowledged that IRS had not executed the key practices in these higher-maturity stages. We confirmed our analysis of IRS's investment management process by examining supporting documentation. However, it was not within our scope to evaluate the outputs or outcomes of this process. As part of our analysis, we selected four projects as case studies to verify that the critical processes and key practices were being applied. The projects selected (1) are in different life-cycle phases, (2) represent a mix of major and nonmajor investments (different levels of funding), and (3) support different business domains. The four projects are described below: * The Integrated Collection System is a major information system within IRS's filing and payment compliance business domain that is to improve revenue collections by providing electronic case processing to revenue officers and their managers. The Integration Collection System is to enable field revenue officers access to the most current taxpayer information using laptop computers for quicker case resolution and improved customer service. The system has investments in development and operations and maintenance. It is a major system and had a fiscal year 2010 cost of approximately $9.1 million. * The Integrated Customer Communication Environment, within the customer service business domain, is to support issue resolution by providing taxpayers with fast and efficient access to the information they need for pre-and postfiling. These applications use voice response, Internet, and other computer technology to provide quick, accurate, and convenient service to taxpayers 24 hours a day in real time. The system has investments in development and operations and maintenance. It is a major system and had a fiscal year 2010 cost of approximately $16.6 million. * The Integrated Data Retrieval System is a mission-critical system within IRS's managing taxpayer accounts business domain, consisting of databases and operating programs that support IRS employees working active tax cases within each business function across the entire IRS. This system manages data that have been retrieved from the Tax Master Files, allowing IRS employees to take specific actions on taxpayer account issues, track status, and post transaction updates back to the Master Files. The system has investments in development and operations and maintenance. It is a major system and had a fiscal year 2010 cost of approximately $19.6 million. * The Security Audit and Analysis System, within the security services and privacy business domain, implements a data warehousing solution to provide online analytical processing of audit trail data. The system is to enable IRS to detect potential unauthorized accesses to IRS systems and provide analysis capabilities and reporting on data for all modernized and some current processing environment applications. The system has investments in development and operations and maintenance. It is a nonmajor investment and had a fiscal year 2010 cost of approximately $1.6 million. For these four projects, we reviewed the portfolio management tool documentation associated with each project and status reports. We also obtained investment information from the boards responsible for managing the projects. We conducted this performance audit from January 2010 to July 2011 at IRS's offices in the Washington, D.C., area. Our work was done in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain significant, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. [End of section] Appendix II: Comments from the Internal Revenue Service: Department Of The Treasury Internal Revenue Service Commissioner: Washington, DC 20224: July 6, 2011: Mr. David Powner: Director, Information Technology Management Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Powner: Thank you for the opportunity to review the Government Accountability Office (GAO) draft report titled, Investment Management: IRS Has a Strong Oversight Process but Needs to Improve How it Continues Funding Ongoing Investments (GAO-11-587). We recognize the importance of managing Our information technology investments. Since the initiation of the audit, we have taken steps to further define and document our investment planning and selection. We are creating an Investment Review Board with broad senior-level representation, including both Deputy Commissioners, the Chief Financial Officer, the Chief Technology Officer, and the Commissioner's Chief of Staff. The existing governance structure and accountabilities of the various boards arc ai;so under review. Improvements will be made going forward to strengthen and align the process of controlling and evaluating the IRS's investment portfolio. We appreciate that the report recognizes the progress that we have made in providing investment oversight and capturing investment information within the Investment Foundation Critical Processes and Key Practices. We agree with your recommendations and will provide a detailed corrective action pion within the next 30 days. Thank you for your continued support and input If you have any questions, please contact me, or a member of your staff may contact Terence V. Milholland, Chief Technology Officer, at (202) 622-6800. Sincerely, Signed by: Douglas H. Shulman: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: David A. Powner, (202) 512-9286 or pownerd@gao.gov: Staff Acknowledgments: In addition to the individual named above, Sabine R. Paul, Assistant Director; William G. Barrick; James M. Crimmer; Lee A. McCracken; and Tomas Ramirez made key contributions to this report. [End of section] Footnotes: [1] In 2010, IRS collected about $2.35 trillion in taxes and managed the distribution of over $300 billion in refunds. [2] IRS, Internal Revenue Service Fiscal Year 2012 Budget Request Congressional Budget Justification (Washington, D.C.: Feb.14, 2011). [3] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [4] We selected the Integrated Collection System, the Integrated Customer Communication Environment, the Integrated Data Retrieval System, and the Security Audit and Analysis System. The rationale for selecting these projects and their descriptions are found in appendix I. [5] The office of Strategy and Capital Planning was created in July 2009 as a result of the merger between the former Capital Planning and Investment Control office and the Portfolio Planning, Estimation, and Delivery Services organization. [6] At the conclusion of our review, IRS was proposing a new organization to realign some of the responsibilities among the offices within Strategy and Capital Planning. [7] The IT Dashboard is a public website established by OMB in June 2009 that provides detailed information on about 800 federal IT investments, including assessments of actual performance against cost and schedule targets. It is intended to improve the transparency and oversight of these investments. We recently issued a report in which we (1) determined what efforts OMB has under way to improve the Dashboard and the ways in which it is using data from the Dashboard to improve IT management, and (2) examined the accuracy of the cost and schedule performance ratings on the Dashboard for selected investments. See GAO, Information Technology: IRS Has Made Improvements to Its Dashboard, but Further Work Is Needed by Agencies and OMB to Ensure Data Accuracy, [hyperlink, http://www.gao.gov/products/GAO-11-282] (Washington, D.C.: Mar. 15, 2011). [8] Out of the $1.88 billion for operations and maintenance activities, $1 billion is for infrastructure activities. [9] Pub. L. No.111-148, 124 Stat. 119 (March 23, 2010) as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029 (March 30, 2010). IRS has responsibilities in the implementation of a number of provisions of this law. See GAO, Patient Protection and Affordable Care Act: IRS Should Expand Its Strategic Approach to Implementation, [hyperlink, http://www.gao.gov/products/GAO-11-719] (Washington, D.C.: June 29, 2011). [10] IRS defines major investments as those that, among other things, have an overall life-cycle cost of greater than $50 million or an annual budget of greater than $5 million. Investments that do not meet these criteria are considered nonmajor. [11] Numbers may not add up because of rounding. [12] IRS's BSM program involves the development and delivery of a number of modernized tax administration and internal management systems, as well as core infrastructure projects, that are intended to replace the agency's aging business and tax processing systems. A long history of continuing delays and design difficulties and their impact on IRS's operations led us to designate the program as a high-risk area in 1995. We recently reported that while IRS had made progress in addressing weaknesses in management controls and capabilities in response to GAO's recommendations, it now needs to leverage these controls and capabilities to successfully deliver its BSM projects, specifically to deliver a modernized taxpayer account database and move the processing of individual taxpayer accounts from a weekly processing cycle to a daily processing cycle by 2012. GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). Business System Modernization investments go through a different investment management process than other investments at IRS. Because we have been reviewing these investments for more than a decade and reporting on them on a now- annual basis, we did not include them in the scope of our review. Of the $2.67 billion requested for IT for fiscal year 2012, IRS requested about $333.6 million for the Business Systems Modernization program. [13] GAO, Business Systems Modernization: Internal Revenue Service's Fiscal Year 2010 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-10-539] (Washington, D.C.: May 10, 2010). [14] Information security controls include logical and physical access controls, configuration management, segregation of duties, and continuity of operations. These controls are designed to ensure that access to data is appropriately restricted, physical access to sensitive computing resources and facilities is protected, only authorized changes to computer programs are made, incompatible duties are segregated among individuals, and backup and recovery plans are adequate and tested to ensure the continuity of essential operations. [15] GAO, Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data, [hyperlink, http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15, 2011). [16] GAO, Taxpayer Account Strategy: IRS Should Finish Defining Benefits and Improve Cost Estimates, [hyperlink, http://www.gao.gov/products/GAO-11-168] (Washington, D.C.: Mar. 24, 2011). [17] Treasury Inspector General for Tax Administration, The Internal Revenue Service is Improving Management Controls for Information Technology Strategic Planning and Capital Investments, Reference Number: 2010-20-064 (Washington, D.C.: July 2010). [18] See below for a discussion of the GAO ITIM framework maturity stages. [19] Examples of these priorities include (1) Health Care, (2) Modernization--CADE 2, (3) Fraud Detection, and (4) Taxpayer Communication--Migrate to Online Services Framework. [20] [hyperlink, http://www.gao.gov/products/GAO-04-394G]. [21] GAO, Information Technology: HUD Needs to Strengthen Its Capacity to Manage and Modernize Its Environment, [hyperlink, http://www.gao.gov/products/GAO-09-675] (Washington, D.C.: July 31, 2009); Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments, [hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: Apr. 27, 2007); Information Technology: Treasury Needs to Strengthen Its Investment Board Operations and Oversight, [hyperlink, http://www.gao.gov/products/GAO-07-865] (Washington, D.C.: July 23, 2007); Information Technology: Centers for Medicare and Medicaid Services Needs to Establish Critical Investment Management Capabilities, [hyperlink, http://www.gao.gov/products/GAO-06-12] (Washington, D.C.: Oct. 28, 2005); Information Technology: HHS Has Several Investment Management Capabilities in Place, but Needs to Address Key Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-06-11] (Washington, D.C.: Oct. 28, 2005); and Information Technology: FAA Has Many Investment Management Capabilities in Place, but More Oversight of Operational Systems Is Needed, [hyperlink, http://www.gao.gov/products/GAO-04-822] (Washington, D.C.: Aug. 20, 2004). [22] An IT investment board is a decision-making body, made up of senior program, financial, and information officials, that is responsible for making decisions about IT projects and systems on the basis of comparisons and trade-offs among competing projects and has an emphasis on meeting mission goals. [23] 40 U.S.C. §§ 11311-11313. [24] According to OMB, TechStat Accountability Sessions are face-to- face reviews of agency IT programs with OMB and agency leadership. [25] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: