
IRS Cloud Implementation Program Needs Improvement, TIGTA Says

MAR. 11, 2020

2020-20-010


The Enterprise Cloud Program Developed a Strategy, but Work Remains to Achieve Cloud-Based Modernization Goals

March 11, 2020

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Highlights

Final Report issued on March 11, 2020

Highlights of Reference Number: 2020-20-010 to the Commissioner of Internal Revenue.

IMPACT ON TAXPAYERS

In February 2011, the U.S. Chief Information Officer released the Federal Cloud Computing Strategy referred to as Cloud First. The IRS is planning to invest in cloud services to help modernize operations. Effective controls that comply with Federal guidance and enforce standards help mitigate the risk of inefficient or unsanctioned efforts to deploy cloud systems. Without an updated cloud strategy, the IRS may miss the opportunity to deliver public value by increasing operational efficiency and responding faster to taxpayer needs.

WHY TIGTA DID THE AUDIT

This audit was initiated to evaluate the implementation of the IRS's enterprise-wide cloud strategy to ensure compliance with Federal guidance.

WHAT TIGTA FOUND

The IRS created an enterprise-wide cloud strategy that was approved and authorized in December 2017. The strategy partially meets the Cloud First policy. In June 2019, Cloud Smart was published, which updated the Cloud First policy. As of December 2019, the IRS cloud inventory included 26 Platform-, Infrastructure-, and Software-as-a-Service implementations.

To implement the enterprise-wide cloud strategy, the IRS identified 10 workstreams, including the cloud migration assessment and the cloud services procurement workstreams. A workstream is a collection of activities intended to produce an output that will help the IRS achieve the target cloud state. However, work has not started on all workstreams, including the high-priority cloud services procurement workstream. The IRS relies on its existing Enterprise Life Cycle process for cloud suitability, approval, and authorization. However, there is no Internal Revenue Manual guidance or formalized process specific to cloud services within the Enterprise Life Cycle process.

Enterprise Services personnel created a Cloud Governance Board charter, but it is not approved. The primary objective of governance is to ensure that assigned investment, program, and project objectives are met; risks are managed appropriately; and enterprise expenditures are fiscally sound.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Information Officer ensure that the December 2017 enterprise-wide cloud strategy is periodically updated to reflect current Federal and Department of the Treasury guidance and requirements; all workstreams are developed; the Cloud Governance Board charter is authorized and approved; enterprise-wide policies and procedures are developed that specifically address cloud requirements that must be considered and met prior to deciding to procure cloud services; and all new information technology projects are evaluated by the Enterprise Cloud Program for cloud service consideration and approval.

The IRS agreed with all our recommendations. The IRS plans to ensure that the enterprise-wide cloud strategy is reviewed annually and updated as needed to reflect current Federal and Department of the Treasury guidance and requirements; review and update the scope of workstreams as needed and develop a multiyear plan to complete them dependent on available funding; based on budget availability, develop guidance and requirements to be considered when procuring cloud services; and evaluate and update existing policy and processes for design, architecture, and engineering solutions to consider cloud services for all new technology projects, as appropriate.


March 11, 2020

MEMORANDUM FOR
COMMISSIONER OF INTERNAL REVENUE

FROM:
Michael E. McKenney
Deputy Inspector General for Audit

SUBJECT:
Final Audit Report — The Enterprise Cloud Program Developed a Strategy, but Work Remains to Achieve Cloud-Based Modernization Goals (Audit # 201920008)

This report presents the results of our review to evaluate the implementation of the Internal Revenue Service's (IRS) enterprise-wide cloud strategy to ensure compliance with Federal guidance. This review is included in our Fiscal Year 2020 Annual Audit Plan and addresses the major management challenge of Modernizing IRS Operations.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services).


Table of Contents

Background

Results of Review

The Enterprise-Wide Cloud Strategy Partially Meets Federal Guidance

Recommendations 1 and 2:

There Are No Official Enterprise-Wide Cloud Suitability and Procurement Policies and Procedures

Recommendations 3 and 4:

Recommendation 5:

Appendices

Appendix I — Detailed Objective, Scope, and Methodology

Appendix II — Major Contributors to This Report

Appendix III — Report Distribution List

Appendix IV — Glossary of Terms

Appendix V — Management's Response to the Draft Report

Abbreviations

ELC: Enterprise Life Cycle

EnCP: Enterprise Cloud Program

IRM: Internal Revenue Manual

IRS: Internal Revenue Service


Background

In February 2011, the U.S. Chief Information Officer issued the Federal Cloud Computing Strategy[1] referred to as the Cloud First policy.[2] The U.S. Chief Information Officer characterized the Federal Government's information technology environment as having low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively affect the Federal Government's ability to serve the American public. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite constrained resources. Cloud computing holds tremendous potential for the Federal Government to deliver public value by increasing operational efficiency and responding faster to taxpayer needs.

In August 2017, we reported[3] that the Internal Revenue Service (IRS) did not have an enterprise-wide cloud strategy and did not adhere to Federal policy when deploying a cloud service. We also found that the IRS did not have a complete cloud inventory and recommended that the process of managing the cloud inventory be formalized using automated methods and updated on a periodic and ongoing basis as part of the enterprise-wide cloud strategy. The IRS maintains a cloud inventory and publishes an inventory report quarterly. As of December 2019, the IRS cloud inventory included 26 Platform-, Infrastructure-, and Software-as-a-Service implementations. The current inventory process includes reconciling reports from multiple sources and confirming information with system owners individually. The IRS disagreed with the prior report recommendation that the cloud inventory process be automated, stating automation of the inventory process was not necessary and would not be cost effective.

According to the April 2019 IRS Integrated Modernization Business Plan, the IRS is revisiting core processes and resources across the enterprise and is planning to invest in cloud services to help modernize operations.[4] Modernizing systems is critical to meeting IRS business needs and enhancing services. The IRS's ability to successfully modernize its information technology foundation is critical to delivering modern taxpayer service and enforcement in a cost-effective way. Moreover, legacy technology is preventing the IRS from collecting billions of dollars, protecting against fraud, and truly transforming the taxpayer's experience. The plan also outlines its strategy to transition applications to the cloud, where applicable.

This review was performed at the New Carrollton Federal Building in Lanham, Maryland, and IRS Headquarters in Washington, D.C., during the period April through December 2019. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The Enterprise-Wide Cloud Strategy Partially Meets Federal Guidance

The IRS created an enterprise-wide cloud strategy that was approved and authorized in December 2017. Enterprise Services personnel stated that they have since built upon the initial enterprise-wide cloud strategy and developed additional documents to guide cloud implementation within the IRS. We assessed the enterprise-wide cloud strategy and related documents (hereafter referred to as the strategy) and the current implementation status against major elements of the Cloud First policy.

The Cloud First policy identifies a framework for agencies considering and planning for cloud migration, which covers three primary phases:

  • Select — consists of assessing potential information technology systems for cloud migration by two factors: business value and cloud readiness.

  • Provision — consists of aggregating demand at the departmental level to pool purchasing power; integrating services into a wider information technology portfolio; generating contracts for cloud services with explicit service level agreements that include, but are not limited to, security, continuity of operations, and service quality; and ensuring that legacy systems are decommissioned to realize the full potential of the new cloud solution.

  • Manage — consists of beginning to manage services rather than assets. This process actively monitors the service level agreements in place as well as regular evaluation of the service provider to ensure that the vendor is meeting all expectations set by the contracts and agreements in place.

We evaluated the IRS's implementation of the strategy relative to the three primary phases outlined in the Cloud First framework. The strategy implementation partially met the Federal guidance for each phase:

Select — partially met

The strategy identifies the need for 10 workstreams[5] such as the cloud migration assessment workstream and the cloud services procurement workstream. The cloud migration assessment workstream is under development with partial implementation while work on the cloud services procurement workstream, which the IRS identified as a high priority, has not started.

The strategy calls for an enterprise-wide cloud portfolio assessment, although Enterprise Services personnel reported this assessment has not been conducted primarily due to a lack of resources. Instead, the IRS considers projects on a case-by-case basis as the need arises. According to Enterprise Services personnel, system or project owners considering cloud services should register the project with the Enterprise Cloud Program's (EnCP) IRS Cloud Front Door[6] and complete a Cloud Suitability Assessment.[7] If a project does not engage the Cloud Front Door, it should be engaged by other IRS Information Technology teams as a project goes through the Enterprise Life Cycle (ELC) process. However, there is no specific mention of the Cloud Front Door in the existing ELC policy. The official decision of the project's architectural suitability for cloud services will be made by Enterprise Services personnel as a function of the ELC. Enterprise Services personnel should engage the EnCP team or its published guidance in making the suitability determination.

Provision — partially met

The strategy provides general terminology that contracts need to be clear, but it does not specify terms that need to be stated within the contract, such as explicit service level agreements for security, continuity of operations, and service quality that meet the IRS's needs.

Further, while the strategy generally speaks about cost and asset savings, there is not a consistent and repeatable mechanism to track cost and asset savings from the migration to and deployment of cloud services. There are also no specific details on decommissioning legacy systems. The lack of a consistent and repeatable mechanism to track cost and asset savings hinders the IRS's ability to realize the value of repurposing or decommissioning legacy systems and redeploying resources. A standardized mechanism would aid in the identification of saved assets (both monetary and physical) thus making it easier to determine which assets can be redeployed.

Manage — partially met

The strategy identifies the need for a cloud workforce development workstream and for developing guidance to standardize service level agreements with cloud service providers. Enterprise Services personnel communicated a plan for the cloud workforce development workstream in October 2019. However, work on this workstream may be delayed due to budget constraints which will impact the ability to establish a consistent and repeatable mechanism to monitor and track service level agreements to ensure compliance and continuous improvement.

In June 2019, Cloud Smart[8] was published, which updated the Cloud First policy. While the Enterprise Services function has incorporated elements of Cloud Smart guidance to inform their prioritization of workstreams, they also stated they do not plan to update the December 2017 enterprise-wide cloud strategy to incorporate Cloud Smart guidance. In September 2019, the Department of the Treasury (hereafter referred to as the Treasury Department) released a special notice[9] for informational purposes regarding the development of a Treasury cloud acquisition roadmap. If the roadmap becomes a Treasury directive, it will affect all Treasury bureaus including the IRS. Enterprise Services personnel stated they were aware of the special notice and had some communication with the Treasury Department to discuss how the IRS fits into the Treasury Department cloud acquisition roadmap.

Enterprise Services personnel stated that they relied on professional consultants to develop a strategy tailored to the IRS due to the progression of cloud knowledge and technology since 2011. Enterprise Services personnel also stated that resource constraints, the emphasis on Tax Reform,[10] and the Federal Government shutdown contributed to the slow progress in developing and completing the workstreams. Without an updated cloud strategy and defined workstreams, the IRS may miss the opportunity to deliver public value by increasing operational efficiency and responding faster to taxpayers' needs.

Recommendations

The Chief Information Officer should:

Recommendation 1: Ensure that the December 2017 IRS enterprise-wide cloud strategy is updated periodically to reflect current Federal and Treasury Department guidance and requirements.

Management's Response: The IRS agreed with this recommendation. The Chief Information Officer will ensure that the IRS enterprise-wide cloud strategy is reviewed annually and updated as needed to reflect current Federal and Treasury Department guidance and requirements.

Recommendation 2: Ensure that all workstreams needed for implementing the enterprise-wide cloud strategy are developed.

Management's Response: The IRS agreed with this recommendation and stated that the development of many of the workstreams is already in progress. The EnCP will review and update the scope of the workstreams, as needed, and develop a multiyear plan to complete them, dependent on available funding.

There Are No Official Enterprise-Wide Cloud Suitability and Procurement Policies and Procedures

The Information Technology organization currently relies on the existing ELC process to manage information technology projects including cloud projects. Personnel in the ELC Office stated that there is no Internal Revenue Manual (IRM) guidance or formalized process with regard to cloud services projects. While all information technology projects are required to go through the ELC, the ELC Office relies on the business operating divisions to initiate contact. There are controls in place to ensure that all information technology projects are adhering to ELC requirements. However, we recently reported[11] that not all information technology infrastructure projects follow the ELC process, indicating these controls are not always effective.

Enterprise Services personnel created an EnCP charter and a Cloud Governance Board charter. For projects considering a cloud computing solution, the EnCP charter provides EnCP personnel the authority to develop cloud guidance and standards for project owners. The EnCP charter also authorizes EnCP personnel to provide cloud consultative services to business operating divisions and project owners. As of September 2019, the IRS had not authorized or approved the Cloud Governance Board charter. Enterprise Services personnel also developed a Cloud Suitability Assessment questionnaire. The purpose of the questionnaire is to register a project in the cloud inventory. It also serves to document the EnCP's perspective and recommendation, but is not binding and is not formally part of the procurement decision.

The Office of Management and Budget published a memorandum[12] with guidance for the implementation of the Federal Information Technology Acquisition Reform Act.[13] The stated objectives of the memorandum include enabling the Chief Information Officer's role, with respect to the development, integration, delivery, and operations of any type of information technology, information technology service, or information product to enable integration with the capabilities he or she supports wherever information technology may affect functions, missions, or operations; and strengthen the agency Chief Information Officer's accountability for the agency's information technology cost, schedule, performance, and security.

In addition, the IRM[14] states that information technology governance is a function of internal control within the IRS. The primary objective of governance is to ensure that assigned investment, program, and project objectives are met; risks are managed appropriately; and enterprise expenditures are fiscally sound. The IRM also states that governance provides structure for aligning the information technology strategy with the business strategy, ensuring that it stays on track to achieve its strategies and goals, implements ways to measure performance, makes sure that all stakeholders' interests are taken into account, and that processes provide measurable results.

The Cloud Governance Board, once authorized and approved, will provide governance and oversight to projects within the EnCP that are undertaken to achieve the IRS Cloud Target State.[15] The primary objectives of the Cloud Governance Board include ensuring that the EnCP delivers its scope according to the schedule, program expenditures are fiscally sound, and program risks are managed appropriately. An authorized Cloud Governance Board charter will empower the EnCP to officially communicate and approve formal agreements between the different IRS internal organizations, specifically, the Office of Procurement and the ELC Office. The charter also will provide direction from the Cloud Governance Board to prioritize and formally approve new workstreams, such as the cloud services procurement workstream.

Because the Cloud Governance Board charter is not approved, there is increased risk for potential wasted resources because the IRS could deploy multiple, duplicative, and overlapping systems with no coordination. Effective controls that comply with Federal guidance and enforce standards help mitigate the risk of inefficient or unsanctioned efforts to deploy cloud systems. In addition, if the ELC is not updated to require engagement with the EnCP and leverage their cloud expertise, there is further risk that the IRS will not realize program efficiencies in its systems modernization efforts.

Recommendations

The Chief Information Officer should:

Recommendation 3: Authorize and approve the Cloud Governance Board charter.

Management's Response: The IRS agreed with this recommendation. The Chief Information Officer has approved the Cloud Governance Board charter.

Recommendation 4: Develop enterprise-wide policies and procedures that specifically address cloud requirements that must be considered and met prior to deciding to procure cloud services.

Management's Response: The IRS agreed with this recommendation. Based on budget availability, the EnCP will develop guidance and requirements to be considered when procuring cloud services.

Office of Audit Comment: While the IRS agreed with the recommendation, we are concerned about the lack of timely action to develop policies and procedures that address cloud requirements. Cloud services are continuing to be purchased without defined requirements, potentially increasing the risk that the IRS's needs and interests will not be fully protected.

Recommendation 5: Ensure IRS adherence to the Federal Information Technology Acquisition Reform Act legislation and Cloud First policy by requiring all new information technology projects be evaluated by the EnCP for cloud service consideration and approval.

Management's Response: The IRS agreed with this recommendation. The Chief Information Officer will evaluate and update existing policy and processes for design, architecture, and engineering solutions to consider cloud services for all new technology projects as appropriate.


Appendix I
Detailed Objective, Scope, and Methodology

Our overall objective was to evaluate the implementation of the IRS's enterprise-wide cloud strategy to ensure compliance with Federal guidance. To achieve our objective, we:

I. Assessed whether the IRS implemented corrective actions to address prior Treasury Inspector General for Tax Administration report recommendations.[1]

A. Determined whether the IRS prioritized and completed an enterprise-wide cloud strategy that was in alignment with Federal guidance.

1. Reviewed the Joint Audit Management Enterprise System and identified the corrective actions the IRS planned to take in order to address the prior audit recommendations regarding a cloud strategy.

2. Obtained and reviewed the closing documentation from the Joint Audit Management Enterprise System.

3. Obtained and reviewed the Cloud First policy to identify critical elements Federal agencies must implement.

4. Obtained and reviewed evidence to support that the IRS cloud strategy addressed the identified critical elements from Federal guidance.

B. Determined whether the IRS cloud inventory is formalized and managed using automated methods.

1. Obtained and reviewed the existing cloud inventory.

2. Interviewed the EnCP team and collected evidence about the process used to develop and maintain the cloud inventory.

3. Determined whether the inventory was updated periodically on an ongoing basis as part of the enterprise-wide cloud strategy.

4. Reviewed the Joint Audit Management Enterprise System to identify the corrective actions the IRS planned to take in order to address the prior audit recommendations regarding a cloud inventory.

5. Obtained the closing documentation from the Joint Audit Management Enterprise System.

II. Determined the extent to which the IRS effectively implemented cloud suitability and procurement and authorization processes.

A. Reviewed the cloud suitability process.

1. Reviewed IRM, National Institute of Standards and Technology publications, and other Federal guidance and best practices for determining cloud suitability.

2. Identified and interviewed the personnel responsible for a systematic sample of existing cloud implementations.[2]

B. Evaluated the cloud procurement approval and authorization process.

1. Reviewed the IRM, National Institute of Standards and Technology publications, and other Federal guidance regarding cloud approval and procurement.

2. Interviewed Office of Procurement, Office of Information Technology Acquisition, Enterprise Services, and Enterprise Architecture personnel.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: the Cloud First policy; the National Defense Authorization Act for Fiscal Year 2015 (Title VIII, Subtitle D);[3] IRM 2.16.1.2.1, Information Technology Governance, dated July 10, 2017; as well as various IRS policies, procedures, and processes. We evaluated these controls by interviewing Information Technology organization personnel, Office of Procurement personnel, and IRS business operating division personnel that have implemented or are considering implementing cloud services. We also compared the IRS enterprise-wide cloud strategy and accompanying EnCP documents to the Cloud First policy.


Appendix II
Major Contributors to This Report

Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services)

Jena Whitley, Director

Michael Mohrman, Audit Manager

Benjamin Bryant, Lead Auditor

Natalie Russell, Auditor


Appendix III
Report Distribution List

Deputy Commissioner for Operations Support

Chief Information Officer

Deputy Chief Information Officer for Operations

Associate Chief Information Officer, Cybersecurity

Associate Chief Information Officer, Enterprise Operations

Associate Chief Information Officer, Enterprise Services

Director, Privacy and Policy Compliance

Director, Enterprise Audit Management


Appendix IV
Glossary of Terms

Term: Definition

Business Operating Division: A title for major IRS organizations such as Appeals, Wage and Investment, Office of Professional Responsibility, and Information Technology.

Cloud Computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., network, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud First: As part of the U.S. Chief Information Officer's plan to reform Federal Information Technology Management, all Federal agencies were required to shift to a “cloud first” policy. When agencies are evaluating options for new information technology deployments, the Office of Management and Budget requires that agencies default to cloud solutions whenever a secure, reliable, cost-effective cloud option exists.

Cloud Service Provider: An entity offering cloud-based platform, infrastructure, application, or storage services.

Cloud Strategy: A means for uncovering opportunities including reducing costs, new ways of working, and the ability to sunset legacy systems.

Continuity of Operations: A predetermined set of instructions or procedures that describe how an organization's essential functions will be sustained for up to 30 calendar days as a result of a disaster event before returning to normal operations.

Control/Internal Control: A process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. It comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. It also serves as the first line of defense in safeguarding assets. In short, they help managers achieve desired results through effective stewardship of public resources.

Decommissioning: An approach to accomplishing consolidation that involves turning off equipment that is not being used or is used infrequently.

Enterprise Cloud Program: A cross-functional program responsible for establishing enterprise-wide cloud foundational capabilities through the execution of 10 strategic workstreams, building the IRS multicloud ecosystem, and providing services to cloud-consuming projects.

Federal Government Shutdown: The Federal Government shutdown of 2018-2019 occurred from midnight (Eastern Standard Time) on December 22, 2018, until January 25, 2019, due to a lapse in appropriations.

Information Technology Organization: The IRS organization responsible for delivering information technology services and solutions that drive effective tax administration to ensure public confidence.

Legacy Systems: A mainframe or minicomputer information system that has been in existence for a long period of time.

Mechanism: Logical assembly of components, elements, or parts, and the associated energy and information flows, that enable a machine, process, or system to achieve its intended result.

Project Owner: Person accountable and responsible for the performance of a project.

Redeploying: Reallocating business assets which are not used much in one area for use in another area of business.

Repeatable: A set of actions that can be easily duplicated.

Security: A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.

Service Level Agreement: A document that describes the minimum performance criteria a provider promises to meet while delivering a service, typically also setting out the remedial action and any penalties that will take effect if performance falls below the promised standard.

Strategy: A method or plan chosen to bring about a desired future, such as achievement of a goal or solution to a problem.

Suitability: The fact of being acceptable or right for something. In this case, the fact of being acceptable for cloud deployment.

System Owner: Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.


Appendix V
Management's Response to the Draft Report

January 30, 2020

MEMORANDUM FOR
DEPUTY INSPECTOR GENERAL FOR AUDIT

FROM:
Nancy A. Sieger
Acting, Chief Information Officer

SUBJECT:
Response to Draft Report — The Enterprise Cloud Program Developed a Strategy, but Work Remains to Achieve Cloud-Based Modernization Goals (Audit # 201920008) (e-trak # 2020-18931)

Thank you for the opportunity to review the draft audit report and discuss our observations with the audit team. We are pleased that your report acknowledges our continuing efforts to define and implement a comprehensive cloud strategy. Over the past several years we have integrated cloud technologies into our operations and are using those experiences to shape our cloud strategy.

We agree with the recommendations, will update our cloud strategy and continue to evolve our existing processes to ensure new technologies implemented at the IRS follow rigorous methods.

The IRS values your continued support and the assistance your organization provides. If you have any questions, please contact me at (202) 317-5000 or a member of your staff may contact Sid Sinha, Director Enterprise Architecture, 240-613-6984.

Attachment


Attachment

Draft Audit Report — The Enterprise Cloud Program Developed a Strategy, but Work Remains to Achieve Cloud-Based Modernization Goals (Audit # 201920008) (e-trak # 2020-18931)

RECOMMENDATION 1: The Chief Information Officer should ensure that the December 2017 IRS enterprise-wide cloud strategy is updated periodically to reflect current Federal and Treasury Department guidance and requirements.

CORRECTIVE ACTION: The IRS agrees with this recommendation. The Chief Information Officer will ensure that the IRS enterprise-wide strategy is reviewed annually and updated as needed to reflect current Federal and Treasury Department guidance and requirements.

IMPLEMENTATION DATE: March 15, 2021

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 2: The Chief Information Officer should ensure all workstreams needed for implementing the enterprise-wide cloud strategy are developed.

CORRECTIVE ACTION: The IRS agrees with this recommendation and many of the workstreams are already in progress. The Enterprise Cloud Program will review and update the scope of the workstreams, as needed, and develop a multi-year plan to complete them, dependent on available funding.

IMPLEMENTATION DATE: August 15, 2021

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 3: The Chief Information Officer should authorize and approve the Cloud Governance Board charter.

CORRECTIVE ACTION: The IRS agrees with this recommendation. The Chief Information Officer has approved the Cloud Governance board charter.

IMPLEMENTATION DATE: January 15, 2020

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 4: The Chief Information Officer should develop enterprise-wide policies and procedures that specifically address cloud requirements that must be considered and met prior to deciding to procure cloud.

CORRECTIVE ACTION: The IRS agrees with this recommendation. Based on budget availability, the Enterprise Cloud Program will develop guidance and requirements to be considered when procuring cloud services.

IMPLEMENTATION DATE: August 15, 2021

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 5: The Chief Information Officer should ensure IRS adherence to the Federal Information Technology Acquisition Reform Act legislation and Cloud First policy by requiring all new information technology projects be evaluated by the EnCP for cloud consideration and approval.

CORRECTIVE ACTION: The IRS agrees with this recommendation. The Chief Information Officer will evaluate and update existing policy and processes for design, architecture and engineering solutions to consider cloud for all new technology projects as appropriate.

IMPLEMENTATION DATE: September 15, 2021

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Enterprise Services

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

FOOTNOTES

1. The White House, U.S. Chief Information Officer Vivek Kundra, Federal Cloud Computing Strategy (Feb. 2011).

2. See Appendix IV for a glossary of terms.

3. Treasury Inspector General for Tax Administration, Ref. No. 2017-20-032, The Internal Revenue Service Does Not Have a Cloud Strategy and Did Not Adhere to Federal Policy When Deploying a Cloud Service (Aug. 2017).

4. IRS, IRS Integrated Modernization Business Plan (Apr. 2019).

5. A readiness activity intended to produce an output that will help the IRS achieve the target cloud state, focused around the people, process, and technology elements necessary to support and enable the successful adoption of cloud services across the enterprise.

6. A central hub of the Enterprise Cloud Program to connect directly to Enterprise Services personnel and navigate cloud resources.

7. A questionnaire with a three-step approach that enables Enterprise Services personnel to assess, review, and recommend cloud candidates for migration or implementation.

8. The White House, U.S. Chief Information Officer, Suzette Kent, Federal Cloud Computing Strategy (June 2019).

9. Treasury Office of the Chief Information Officer, Cloud Acquisition Roadmap (Sept. 2019).

10. Treasury Inspector General for Tax Administration, Ref. No. 2019-24-035, The Internal Revenue Service Completed Extensive Programming and Systems Changes in a Compressed Timeframe for the 2019 Filing Season (June 2019).

11. Treasury Inspector General for Tax Administration, Ref. No. 2019-20-060, E-Mail Records Management Is Generally in Compliance With the Managing Government Records Directive (Sept. 2019).

12. Office of Management and Budget, Memorandum M-15-14, Management and Oversight of Federal Information Technology (June 10, 2015).

13. Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, 128 Stat. 3292.

14. IRM 2.16.1.2.1 Information Technology Governance (July 10, 2017).

15. The future state of IRS cloud operations as outlined in the December 2017 IRS Cloud Strategy.

1. Treasury Inspector General for Tax Administration, Ref. No. 2017-20-032, The Internal Revenue Service Does Not Have a Cloud Strategy and Did Not Adhere to Federal Policy When Deploying a Cloud Service (Aug. 2017).

2. The Treasury Inspector General for Tax Administration reviewed a systematic sample of eight cloud implementations to evaluate the process each used to determine cloud suitability and acquisition.

3. Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, 128 Stat. 3292.

END FOOTNOTES
