Effective IRS Plans for COVID Relief Funds in Flux, TIGTA Says

The IRS Effectively Planned to Use and Provide Oversight of the American Rescue Plan Act Funds; However, Subsequent Reallocation of Modernization Funds Resulted in Significant Replanning

September 2, 2022

HIGHLIGHTS

Final Audit Report issued on September 2, 2022

What TIGTA Found

The IRS Information Technology Modernization portfolio consists of 21 programs. Nineteen programs in the portfolio received American Rescue Plan Act funding; six programs were expanded with these funds and additional capabilities for 13 programs were initiated. As of April 30, 2022, 26 percent of the $1 billion in American Rescue Plan Act funds allocated to the Information Technology organization have been obligated, expended, or disbursed.

Information Technology organization leadership collaborated with other IRS leadership to align and gain approval for programs selected to be included in the expanded portfolio enabled by the American Rescue Plan Act funding, including the IRS Commissioner's approval of selections. Information Technology organization leadership also briefed the Office of Management and Budget and the U.S. Department of the Treasury leadership on proposed funding allocation, planning, and execution time frames, along with other key factors.

Governance boards provide oversight of the American Rescue Plan Act programs and program risks are monitored and managed. Governance boards are responsible for baseline approvals and changes. Executive Steering Committees are top-level governance boards chaired by IRS senior leadership and have the authority to make key governance decisions. The Information Technology Executive Steering Committee approved 12 of the 19 American Rescue Plan Act programs' baselines and approved with conditions the remaining seven program baselines. The IRS Information Technology Modernization portfolio is able to address multiple enterprise risks because of the additional capabilities and functionality made possible by the American Rescue Plan Act funding.

Although the American Rescue Plan Act funding could result in significant progress for modernization, Information Technology organization leadership confirmed that approximately $400 million previously aligned to modernization efforts will be reallocated to assist with the taxpayer service backlog and to address a significant deficit within the operations support appropriation. The pending reallocation of funds caused significant ongoing replanning efforts. Since the issuance of our draft audit report, Congress passed the Inflation Reduction Act of 2022 that provides the IRS with approximately $4.8 billion for business systems modernization that will remain available until September 30, 2031.

What TIGTA Recommended

TIGTA made no recommendations as a result of the work performed during this audit.

---

September 2, 2022

MEMORANDUM FOR:
COMMISSIONER OF INTERNAL REVENUE

FROM:
Heather M. Hill
Deputy Inspector General for Audit

SUBJECT:
Final Audit Report — The IRS Effectively Planned to Use and Provide Oversight of the American Rescue Plan Act Funds; However, Subsequent Reallocation of Modernization Funds Resulted in Significant Replanning (Audit # 202220720)

This report presents the results of our review to evaluate the effectiveness of the Information Technology organization's planning and governance to modernize and secure systems in accordance with the American Rescue Plan Act of 2021. This review is part of our Fiscal Year 2022 Annual Audit Plan and addresses the major management and performance challenge of Administration of Tax Law Changes and Pandemic Relief Benefits.

Management's complete response to the draft report is included as Appendix III.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services).

---

Table of Contents

Background

Results of Review

Appendices

---

Background

The American Rescue Plan Act¹ (ARPA) was enacted in March 2021 and is the latest in a series of Coronavirus Disease 2019-related relief and economic stimulus legislation. The ARPA provided the Internal Revenue Service (IRS) with approximately $1.8 billion in additional funding for the implementation of certain provisions, such as the administration of advance payments and taxpayer assistance. It also included provisions for modernizing and securing IRS systems. Much of this additional funding will remain available to the IRS through Fiscal Year 2023. The IRS's Information Technology (IT) organization was allocated approximately $1.2 billion of the $1.8 billion of ARPA funding appropriated² to the IRS, of which $1 billion was for modernization efforts.³ According to the IRS, the Business Systems Modernization⁴ portfolio and the new ARPA funded initiatives will form the evolving Information Technology Modernization portfolio to drive technology transformation and enhance the taxpayer experience. It will accomplish this by accelerating existing initiatives and introducing new initiatives based on emerging needs and technologies. Additional modernization funding also enables the IRS to address foundational needs in the areas of applications, infrastructure, security, data, and workforce to enable a modernized IT organization.

The Information Technology Modernization portfolio consists of 21 different IT organization programs with scheduled deliverables and capabilities.⁵ Of the 21 programs, 19 received ARPA funding, which enabled the expansion of six programs and the initiation of additional capabilities for 13 programs. Figure 1 lists the ARPA funded programs included in the expanded Information Technology Modernization portfolio and the amount of ARPA funding received for Fiscal Years 2021 through 2023, as of April 30, 2022.⁶ It also shows the obligations, expenditures, and disbursements, and the percentage used. As of April 30, 2022, approximately $260 million (or 26 percent) of ARPA modernization funds have been obligated, expended, or disbursed.

Figure 1: ARPA Funded Programs in the Information Technology Modernization Portfolio (Dollars in Thousands)

Program	3-Year ARPA Modernization Plan Funding	OED	Percentage OED 3-Year Plan
Live Assistance	$25,000	$7,321	29%
Taxpayer Accessibility	$5,000	$969	19%
Web Applications	$85,000	$13,529	16%
Customer Account Data Engine 2 Target State	$140,000	$17,446	12%
Enterprise Case Management Acceleration	$87,000	$26,760	31%
Enterprise Tax Calculator Service	$15,000	$88	1%
Individual Master File Modernization (Retirement Acceleration)	$125,000	$7,742	6%
Information Returns Modernization	$60,000	$37,043	62%
Return Review Program/Enterprise Anomaly Detection	$8,000	$1,598	20%
Cloud Execution	$70,000	$9,431	13%
Digitalization	$20,000	$231	1%
Enterprise Data Platform	$30,000	$14,434	48%
Information Technology Service Management	$30,000	$27,434	91%
Robotics Process Automation/Intelligent Automation	$25,000	$1,349	5%
Workforce Infrastructure	$15,000	$3,162	21%
Identity and Access Management	$53,169	$28,218	53%
Secure Access Digital Identity	$25,000	$17,862	71%
Security Operations and Management	$85,945	$32,164	37%
Vulnerability and Threat Management	$35,886	$3,988	11%
Support Projects	$60,000	$9,239	15%
ARPA Modernization Portfolio Totals	$1,000,000	$260,008	26%
Source: The IRS's Status of Funds report as of April 30, 2022. OED = obligations, expenditures, and disbursements.

Results of Review

Information Technology Organization's Effective Program Selection Process May Contribute to the Timely Use of the American Rescue Plan Act Funds

We interviewed IT organization leadership and reviewed briefing documents to determine how the IT organization selected the programs to be included in the expanded Information Technology Modernization portfolio enabled by the ARPA funding. IT organization leadership collaborated with other IRS leadership to align and gain approval of the ARPA program selection, including the IRS Commissioner's approval of selections. IT organization leadership also briefed the Office of Management and Budget and the U.S. Department of the Treasury leadership on proposed funding allocation and planning and execution time frames, along with other key factors.

The documents reviewed revealed what was entailed in forming the ARPA portfolio, including progress made on selecting the programs, an initial set of initiatives, and proposed ARPA program descriptions. The documents also showed the IT organization leadership's input on the scope and outcomes for programs with large taxpayer and employee impacts, goals, and next steps. The ARPA program selection discussions were held from March through May 2021. While it is too soon to evaluate whether the IT organization will use the ARPA funds timely and effectively, active engagement of stakeholders and senior leadership support are critical factors to the success of information technology investments.⁷ In addition, IT organization leadership stated that stakeholders (i.e., IRS, Office of Management and Budget, and U.S. Department of the Treasury leadership) are still supportive of the ARPA program. This, in part, may signify a well-planned program and also contributes to the timely and effective use of the ARPA funds.

In addition, we discussed with IT organization senior management some of the challenges and areas of concern regarding the ARPA funding. According to the IRS, the IT organization needs consistent and predictable funding to last over a longer period of time to meet its long-term modernization initiatives, but the ARPA funds cannot be used after Fiscal Year 2023. This short deadline could impact the IT organization's ability to effectively utilize all the funding. Although the ARPA funding could result in significant progress for modernization, the IRS's Omnibus report for the second quarter of Fiscal Year 2022 stated that the funds were realigned and will require replanning of multiple modernization programs during the third quarter of Fiscal Year 2022. This could significantly reduce the amount of ARPA funding available to the IT organization. IT organization leadership confirmed that approximately $400 million of the $1 billion in ARPA funds previously aligned to modernization efforts will be reallocated to assist with the taxpayer service backlog and to address a significant deficit within the operations support appropriation. They also stated that a redirection of ARPA funds means that the scope of the programs in the Information Technology Modernization portfolio will be replanned based on available funding, with many programs coming to a stop. Many modernization capabilities will remain incomplete if the IRS does not receive additional funding in the future. The IT organization has begun assessing for replanning, pending any final decisions on the IT organization's overall budget. Since the issuance of our draft audit report, Congress passed the Inflation Reduction Act of 2022⁸ that provides the IRS with approximately $4.8 billion for business systems modernization that will remain available until September 30, 2031. We will continue to monitor information technology projects and capabilities as part of our ongoing audit program.

Governance Boards Provide Oversight of the American Rescue Plan Act Programs

The Internal Revenue Manual (IRM) provides the policy and procedures⁹ to support, promote, and execute effective information technology governance. Information technology governance provides a framework for accountability, transparency, and decision-making.

A governance board is a chartered body responsible for conducting governance as set out in its governance board charter. Executive Steering Committees (ESC) are top-level governance boards chaired by IRS senior leadership. ESCs have the authority to make key governance decisions or delegate decisions down to a lower governance board. While governance boards do not assist with the day-to-day activities of the IT organization's projects and programs within a portfolio, governance boards play an important role in assisting the programs by monitoring cost, schedule, scope, and risk. We determined that governance board oversight activities for the ARPA programs followed IRS's policy and procedures.

We surveyed a judgmental sample of governance board members¹⁰ about the roles and responsibilities of the Information Technology ESC and two subordinate governance boards.¹¹ According to governance board members, the boards' primary purpose is to ensure that the programs' objectives are met and risks are managed appropriately. The governance boards also provide decision-making support for the programs. The Information Technology ESC oversees the delivery and annual baseline approval of the ARPA program capabilities and the timeline assigned to the Information Technology Modernization portfolio. The subordinate governance boards escalate risks to the higher governance boards when risks are unmitigated or have challenges that need attention. Governance board oversight support is provided through meetings where program status and risks are discussed.

During these meetings, the IT organization program management or program representatives inform governance board members of key topics about the programs subject to oversight; also meeting minutes are maintained. We reviewed documentation for Information Technology ESC meetings held during September 2021 through March 2022 and two subordinate governance boards' meetings held during February and March 2022. Our review of the documentation determined that meetings were held regularly: Information Technology ESC meetings were held bi-monthly and the two subordinate governance board meetings were held at least monthly. The meetings included input from program management, program representatives, subject matter experts, and governance board members including IT organization leadership. The meetings allowed an opportunity for individuals to discuss relevant issues (e.g., program risk, baseline scopes and schedules, approvals, change requests) that helped to provide an integrated view of program status. While some meeting documentation noted risk discussions, we did not note risk escalation details in any governance board meeting documentation. Therefore, we were unable to analyze how the governance boards handle risk escalation.

In addition, we reviewed baseline information captured in governance board meeting documentation and information from the IRS's baseline capabilities tracking tool used by the IT organization to determine if the information matched. The tool reflects the health status of IT organization programs by considering key elements of management and performance such as cost, schedule, scope, and existing or potential risks. The tool also shows recordings of baseline approvals and baseline change request approvals. According to IT organization senior management, the tool can be accessed by designated individuals from each program. In our review, we compared three baseline approvals and three baseline change request approvals for six ARPA programs captured in governance board meeting documentation to the same information recorded in the tool.¹² Our testing covered meeting documentation and tracking tool records from June 2021 to March 2022. We found that approvals from the two different sources of governance board approval information agreed.

The governance boards are also responsible for baseline approvals and changes. This includes approving costs,¹³ schedules, and scope plans for a given fiscal year for projects and programs within a respective portfolio, and addressing any requests for re-baselining due to unforeseen circumstances throughout the year. We reviewed baseline documentation to determine if the Information Technology ESC approved the ARPA program baseline capabilities for Fiscal Year 2022. Presentation documentation from the September 20, 2021, and January 20, 2022, Information Technology ESC bi-monthly meetings show that as a result of the meetings, the Information Technology ESC approved 12 of the 19 ARPA programs' baselines and approved with conditions the remaining seven program baselines. According to IT organization senior management, the Information Technology ESC was expected to fully approve the seven ARPA programs' baselines with conditional approvals during the March 2022 Information Technology ESC meeting. However, the March and May 2022 meetings were cancelled but an ad hoc meeting was held on June 27, 2022 to rebaseline some of the ARPA programs. As a result of the potential reallocation of approximately $400 million in ARPA funding previously aligned to modernization efforts, many capabilities could remain incomplete.

The American Rescue Plan Act Program Risk Is Monitored in the Item Tracking Reporting and Control System

The Office of Management and Budget states¹⁴ that risk management is the systematic process of identifying, analyzing, and responding to project risk. Risk management is an ongoing process that requires continuous risk identification, assessment, planning, monitoring, and response. Risk assessment is a component of risk management. According to the National Institute of Standards and Technology,¹⁵ risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses. Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Risk assessments identify: (i) threats, (ii) vulnerabilities, (iii) harm, and (iv) likelihood that harm will occur. The end result is a determination of risk. Risk assessments can support a wide variety of risk-based decisions and activities.

In addition, the IRM¹⁶ states that all information technology projects shall record and maintain risks and issues in the Item Tracking Reporting and Control System (ITRAC) repository.¹⁷ The IRM also states that all information technology programs and projects shall inventory and document risks, issues, and action items.

According to IT organization senior management, many of the ARPA programs, and the IRS modernization plan more broadly, directly address IRS enterprise risks for Fiscal Years 2021 and 2022, which influenced IRS leadership in the overall decisions around portfolio priorities. We reviewed enterprise risks for the ARPA programs and determined there are multiple risks that the IRS is able to address because of the additional capabilities and functionality made possible by the ARPA funding.

We interviewed the IT organization portfolio risk manager responsible for ARPA program risk at the Information Technology Modernization portfolio level to gain an understanding of risk management efforts. According to the portfolio risk manager, the portfolio risk management group prepares a consolidated Information Technology Modernization portfolio status report that includes risk information using ITRAC. The portfolio risk management group meets with the Associate Chief Information Officers monthly to discuss risk status, including risk mitigation efforts and any potential new risk included in the status report to ensure that the information is accurate. The portfolio status report is then used by the Associate Chief Information Officers to brief the Chief Information Officer monthly.

We also met with IT organization senior risk management for two ARPA programs. According to the program risk managers, when a risk is initially identified, it is submitted into ITRAC. Once the risk is submitted, program risk personnel meet to discuss the risk and develop mitigation efforts which are noted in ITRAC. The program risk managers stated that program risk personnel meet with their respective Associate Chief Information Officers weekly or bi-weekly to discuss risk and risk mitigation efforts, and any items that may impact cost, schedule, or program scope; briefing documents confirm that risk topics are discussed during these meetings.

We analyzed eight ARPA programs in ITRAC to determine whether risks are being monitored. Our analysis was based on risk detail reports as of December 21, 2021. These reports included mitigation status and activity, probable impact dates, projected completion dates, risk identification and submission dates, and risk escalation. Based on our testing criteria,¹⁸ we found that three of the eight programs had risks. We obtained additional risk detail reports as of March 29, 2022, and noted that all risks from December 21, 2021, were addressed and closed. We determined that overall the risks were actively monitored, responded to, and addressed.

---

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to evaluate the effectiveness of the IT organization's planning and governance to modernize and secure systems in accordance with the ARPA. To accomplish our objective, we:

• Determined whether oversight responsibilities are conducted in accordance with policy and guidelines by oversight personnel by reviewing documentation of the ARPA programs and baseline approvals including meeting minutes and identified policy and guidelines used to conduct risk assessments and reviewed risk assessment documentation.

• Determined how the ARPA programs were selected, how risks are monitored and considered during planning, and the roles and responsibilities of governance board members that help manage and monitor the ARPA programs by interviewing IT organization management and reviewing planning and governance documentation.

• Determined whether governance boards performed oversight of ARPA programs by judgmentally sampling¹ governance boards based on program risk criticality and reviewing evidence of actions and activities performed to ensure adequate oversight and management of ARPA program risk and risk escalation.

Performance of This Review

This review was performed with information obtained from the IT organization's Strategy and Planning function in New Carrollton, Maryland, and Washington, D.C., during the period September 2021 through June 2022. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Major contributors to the report were Danny Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services); Jena Whitley, Director; Khafil-Deen Shonekan, Audit Manager; Chanda Stratton, Lead Auditor; and Marion Dortch, Auditor.

Internal Controls Methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: polices, procedures, and guidelines related to management oversight and risk management. We evaluated these controls by interviewing IRS employees and reviewing program documentation, financial summaries, ITRAC risk detail reports, tracking tool documentation, and program and executive level presentation documentation.

---

Appendix II

Business Systems Modernization and American Rescue Plan Act Funding for the Information Technology Modernization Portfolio (as of April 30, 2022)

Program Name	BSM Funded Only	ARPA Funded Only	ARPA Funded and BSM Funded
Live Assistance			X
Taxpayer Accessibility		X
Web Applications			X
Customer Account Data Engine 2 Target State		X
Customer Account Data Engine 2 Transition State 2	X
Enterprise Case Management Acceleration			X
Enterprise Tax Calculator Service		X
Individual Master File Modernization (Retirement Acceleration)		X
Information Returns Modernization		X
Return Review Program /Enterprise Anomaly Detection		X
Application Program Interface Implementation	X
Cloud Execution		X
Digitalization		X
Enterprise Data Platform		X
Information Technology Service Management		X
Robotics Process Automation /Intelligent Automation		X
Workforce Infrastructure		X
Identity and Access Management			X
Secure Access Digital Identity		X
Security Operations and Management			X
Vulnerability and Threat Management			X
Support Projects
Architecture, Integration and Management	X
Technology Planning and Program Oversight		X
Management Reserve
Management Reserve	X
Source: IRS's Status of Funds report as of April 30, 2022. Note: support projects and management reserve do not have scheduled deliverables or capabilities. BSM = Business Systems Modernization

---

Appendix III

Management's Response to the Draft Report

---

Appendix IV

Glossary of Terms

Term	Definition
Appropriation	Statutory authority to incur obligations and make payments out of Department of the Treasury funds for specified purposes.
Baseline	Establishes what versions of what work products comprise the solution at a specific point in the life cycle.
Change request	A proposal to alter a product or system from the agreed upon deliverable.
Disbursement	The paying out of funds, whether to make a purchase or other transaction.
Expenditure	Referred to as an outlay. An expense that occurs when the obligation is liquidated.
Governance Board Charter	Documents the roles, responsibilities, and authorities of board members and management in advising, directing, and managing the information technology portfolio.
Information Technology	An effort to deliver a product, service, or result. It has a defined beginning and end. Information technology projects are funded from a specific investment with a Unique Investment Identifier, which determines Executive
Project	Steering Committee alignment. Projects are assigned to a governance board based on functionality and organizational alignment and are responsible for regular performance reporting.
Internal Revenue Manual	The primary, official source of IRS instructions to staff related to the organization, administration, and operation of the IRS.
Item Tracking Reporting and Control System	A customized tool that allows users to submit and update Action Items, Issues, and Risks to the database.
National Institute of Standards and Technology	A part of the Department of Commerce that is responsible for developing standards and guidelines to provide adequate information security for all Federal agency operations and assets.
Obligation	A definite commitment that creates a legal liability for the payment of goods or services ordered or received. Obligations reduce the amount of funds available.
Office of Management and Budget	The Federal agency that oversees the preparation and administration of the Federal budget and coordinates Federal procurement, financial management, information, and regulatory policies.
Portfolio	The combination of all information technology assets, resources, and investments owned or planned by an organization in order to achieve its strategic goals, objectives, and mission.
Risk	A potential event or condition that could have an impact or opportunity on the cost, schedule, business, or technical performance of an information technology investment, program, project, or organization.
Risk Mitigation	Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Risk Monitoring	Maintaining ongoing awareness of an organization's risk environment, risk management program, and associated activities to support risk decisions.

---

Appendix V

Abbreviations

ARPA	American Rescue Plan Act
ESC	Executive Steering Committee
IRM	Internal Revenue Manual
IRS	Internal Revenue Service
IT	Information Technology
ITRAC	Item Tracking Reporting and Control System