200020024fr

Management Advisory Report: The Internal Revenue Service Has Made Significant Progress in Converting Minicomputer Systems for the Year 2000, But Risks Remain

December 1999

Reference Number: 2000-20-024

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

December 28, 1999

MEMORANDUM FOR COMMISSIONER ROSSOTTI

FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner

Deputy Inspector General for Audit

SUBJECT: Final Management Advisory Report: The Internal Revenue Service Has Made Significant Progress in Converting Minicomputer Systems for the Year 2000, But Risks Remain

This report provides updated information on the status of actions taken by the Internal Revenue Service (IRS) to address concerns reported in our audit report entitled, Increased Validation and Oversight of Year 2000 Minicomputer Conversion Efforts are Needed to Strengthen Testing and To Avoid Further Delays (Report Reference # 199920054, dated August 1999). The IRS has made considerable progress in its minicomputer conversion effort, but risks remain, due to late conversion dates and gaps in contingency planning.

Although the IRS’ official comments were not available as of the date of this report, we incorporated comments provided by the Century Date Change Project Director. Copies of this report are also being sent to the IRS managers affected by the results.

Please contact me at (202) 622-6510 if you have questions, or your staff may call Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Risks Remain for Several Minicomputer Systems Due to Late Conversion Dates

A Contingency Plan Has Not Been Prepared for One of the Mission Critical Systems We Evaluated

Conclusion

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Minicomputer Systems Which Were Not Converted As of October 29, 1999

Executive Summary

One of the most critical issues the Internal Revenue Service (IRS) faces this year is the need to make its computer systems Year 2000 (Y2K) compliant. The IRS is a $1.7 trillion financial service organization, dependent on its computer systems to process tax returns, issue refunds, deposit payments, and provide employees access to taxpayer data. The conversion of the IRS’ minicomputer (Tier II) systems is critical to the success of the overall Y2K compliance effort.

This review was initiated to evaluate corrective actions taken in response to an earlier Treasury Inspector General for Tax Administration audit report entitled, Increased Validation and Oversight of Year 2000 Minicomputer Conversion Efforts are Needed to Strengthen Testing and To Avoid Further Delays (Report Reference # 199920054, dated August 1999). These corrective actions included:

Proper identification and classification of systems which did not meet compliance targets.
Implementation of an Independent Audit and Readiness Verification (IA&RV) process to validate renovation actions and results of system testing.
Monitoring conversion progress and issuance of contingency plans, as needed.

Results

The IRS took actions to address concerns raised in our earlier report. The Tier II Risk Assessment Dashboard Report, which monitors conversion of minicomputer systems, now focuses on systems that have not yet been made Y2K compliant, and reports on their progress. The IA&RV process was established to provide assurance that conversion activities are occurring as reported. Contingency planning has been ongoing and covers most IRS systems.

However, late conversion dates and gaps in contingency planning result in continuing conversion risks for IRS minicomputer systems.

Risks Remain for Several Minicomputer Systems Due to Late Conversion Dates

The IRS has made significant progress to ensure that the nation’s tax processing infrastructure will continue to function in the Year 2000 and beyond. However, based on the October 29, 1999, Tier II Risk Assessment Dashboard Report, three mission critical minicomputer systems and eight non-mission critical minicomputer systems had not yet been converted in the field sites where they operate (see Appendix IV for details).

A Contingency Plan Has Not Yet Been Prepared for One of the Mission Critical Systems We Evaluated

The IRS is committed to ensuring continuity of its business operations in view of potential Y2K disruptions. It has developed and implemented a contingency planning program to reduce the risk of failure and disruptions based on core business processes. However, our evaluation of contingency planning for four mission critical systems identified one, the Block Batch Tracking System (BBTS), that was not covered by an existing contingency plan. This system has been made Y2K compliant, but a contingency plan is necessary to address potential problems resulting from systems that transfer data to and from the BBTS.

The BBTS establishes control over incoming tax returns, and tracks them through processing. The failure of BBTS in the Year 2000 could halt the processing of over 100 million tax returns, including tax payments in excess of $200 million, and could impact approximately 1,500 employees nationwide.

Management’s Response: The IRS’ official comments were not available as of the date of this report. However, we summarized comments provided by the Century Date Change (CDC) Project Director below and incorporated more details in the body of the report.

The CDC Project Director indicated that Y2K compliant versions of all mission critical Tier II systems and all but five non-mission critical systems have been implemented. He agreed that a contingency plan had not been prepared for the BBTS, but that the IRS determined the impact of a loss of the BBTS would be minimal from a business standpoint because the tracking operation can be performed manually.

The CDC Project Director also responded that his office has an active process for monitoring Year 2000 risks, including Tier II applications. Based on their monitoring and the other actions taken, the risk that the IRS will be unable to provide critical Tier II service, to taxpayers or to internal users, is minimal.

Objective and Scope

The objective of our review was to provide the Internal Revenue Service (IRS) information on the effectiveness of corrective actions taken by management in response to a Treasury Inspector General for Tax Administration audit report entitled, Increased Validation and Oversight of Year 2000 Minicomputer Conversion Efforts are Needed to Strengthen Testing and To Avoid Further Delays (Report Reference # 199920054, dated August 1999).

We conducted testing in the Tier II Program Office and the Century Date Change (CDC) Project Office, from September 1999 to October 1999. In order to provide the IRS with timely information, we limited our tests to interviews with management and reviews of management reports.

We designed and conducted these tests to evaluate the corrective actions taken by the IRS in response to the recommendations made. The corrective actions taken by the IRS included:

Proper identification and accurate classification of minicomputer systems which did not meet compliance targets.
Implementation of an Independent Audit and Readiness Verification (IA&RV) process to validate renovation actions and results of system testing.
Monitoring conversion progress and issuance of contingency plans, as needed.

To evaluate these corrective actions, we:

Interviewed management officials in the CDC Project Office and in the Tier II Program Office.
Obtained and analyzed numerous management reports including Year 2000 (Y2K) weekly reports, results of IA&RV visitations, contingency plans, and risk reports.

In order to quickly evaluate the actions taken in the IA&RV and contingency planning areas, we selected four mission critical systems on which to focus our review. These systems were selected because they were mission critical systems that we had identified in a risk assessment performed in our earlier audit. These four systems were the Batch Block Tracking System (BBTS), the Electronic Management System (EMS), the Totally Automated Personnel System (TAPS), and the Telephone Routing Interactive System (TRIS). These systems handle some of the IRS’ major processing activities, including processing and tracking of paper and electronic tax returns, payroll processing, and handling of taxpayer telephone inquiries.

Details of our audit objectives, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

The Y2K date change is one of the most critical problems facing most organizations today. In the past, most computer systems have used a two-digit year format in order to reduce storage and processing capacity. Therefore, dates after December 31, 1999, using this format may not be processed correctly. If these dates are processed incorrectly, analysis based on inaccurate date calculations could produce incorrect results.

The Y2K Program is a top IRS priority. The IRS has made significant progress in preparing for the Year 2000. Nearly all of the mission critical systems were made Y2K compliant and placed into production for the 1999 filing season.

The conversion of minicomputer (Tier II) systems is a key element to the success of the IRS. A significant amount of critical processing is performed at the minicomputer level. For example, IRS minicomputers track tax returns through processing, support electronic filing of tax returns, and enable taxpayers to use the telephone to contact the IRS for tax information.

This audit was initiated as a follow-up review. The prior review found that minicomputer conversion risks continued to be high because one-third of the systems missed the target date, milestone dates were changed, and conversion delays were evident weeks before they were reported. In addition, the earlier report identified that systems testing did not consistently address critical Y2K processing issues, and formal contingency planning procedures were needed for certain systems.

Results

The IRS took actions to address concerns raised in our earlier report. The Tier II Risk Assessment Dashboard Report now focuses on the conversion status of "at risk" systems. Systems are considered to be "at risk" if they have not yet been made Y2K compliant. Most systems that have not yet been converted are classified on the report as having either "moderate risk" or "high risk" of not being timely completed.

The CDC Project Office initiated the IA&RV process to provide additional oversight and independent assurance that conversion activities have been conducted. This process consisted of oversight groups from the Tier II Program Office going into the field to audit and validate mission and non-mission critical systems. The teams visited application development sites, service centers and district offices, and conducted thorough validations of the conversion progress and inventory accuracy for minicomputer systems. Audit reports were sent to responsible managers for follow-up actions. The CDC Project Office is currently tracking corrective actions through the IA&RV Corrective Action Report.

Contingency plans were developed for minicomputer systems based on core business processes. In addition, the CDC Project Office used Contingency Plan Fact Sheets to determine which "high-risk" Tier II minicomputer systems were in need of an updated contingency plan.

Even with the increased attention on validating conversion progress and planning for contingencies, there are still risks remaining in the minicomputer area, primarily due to late conversion dates. In addition, one of the four systems we reviewed for contingency planning was not covered by an existing plan.

Risks Remain for Several Minicomputer Systems Due to Late Conversion Dates

In our earlier report, we identified that minicomputer risk remains high because one-third of the minicomputer systems were not converted by the January 31, 1999, target date. The IRS has made significant progress to ensure that the nation’s tax processing infrastructure will continue to function in the Year 2000 and beyond. However, as of the October 29, 1999, Tier II Risk Assessment Dashboard Report, 3 of the 49 (6 percent) mission critical systems, and 8 of the 55 (15 percent) non-mission critical systems were not yet converted in the field sites where they operate. In addition to these 11 systems, plans had been made to move one system to operate on a completely different computer in November 1999. At the time our fieldwork was completed, this move had not yet been completed. (See Appendix IV for systems and descriptions.) Changing system configurations at this late stage could add to the risk of Y2K failures.

The three mission critical systems that have not yet been converted include programs that run at the IRS Service Centers. These programs process estate taxes, perform electronic filing extracts, track non-compliant taxpayers, track erroneous refunds, assign temporary Social Security Numbers (SSN), give on-line access to print files, and certify account transcripts.

The severity of a failure of these systems would be felt internally by the IRS’ inability to provide necessary data to Revenue Agents and Criminal Investigators. Taxpayers filing estate taxes or needing temporary SSNs could also be affected by a failure of these systems.

Management’s Response: The CDC Project Director provided additional information on actions the IRS has taken to assure that Year 2000 compliant versions of all mission critical Tier II systems have been implemented. In addition, the IRS has implemented compliant versions of all except five of the non-mission critical Tier II systems. Of the five remaining non-compliant Tier II systems, three were scheduled to be implemented by December 22, 1999, one is scheduled to be implemented by January 10, 2000, and one is scheduled to be implemented by February 1, 2000.

In addition, the CDC Project Director stated that the Automated Underreporter (AUR) system was successfully re-hosted from one Pyramid platform to another Pyramid platform with roll-out to the fifth and final center completed November 20, 1999. No critical problems have been reported since the roll-out began. There appears to be no appreciable added risk of Year 2000 failures.

The CDC Project Director also responded that his office has an active process for monitoring Year 2000 risks, including Tier II applications. Based on their monitoring, the risk that the IRS will be unable to provide critical Tier II service, to taxpayers or to internal users, is minimal.

A Contingency Plan Has Not Been Prepared for One of the Mission Critical Systems We Evaluated

In our earlier report, we recommended that the CDC Project Office ensure formal contingency planning procedures cover all systems that did not meet the March 31, 1999, Office of Management and Budget target. During the earlier review, we identified several minicomputer systems that missed the target date and were not covered by contingency plans.

The IRS has implemented a contingency planning program to reduce the risk of failure and date change disruptions based on core business processes. The CDC Project Office was also assigned responsibility to identify risks to the processes, establish appropriate strategies to reduce the risks, and require development of contingency plans for the systems and critical business processes at risk.

However, a contingency plan was not prepared for one of the four mission critical minicomputer systems we evaluated. The BBTS establishes control over incoming tax returns, and tracks these returns through error processing and eventual posting to the IRS’ main computer system. The BBTS has been tested and certified as Y2K compliant, but because this System interacts with other systems that may or may not be compliant, the risk of system problems still exists. The processing of tax returns is a core business process that is essential to continuously providing critical products and services to taxpayers.

Failure of the BBTS in all 10 service centers would have an immediate impact on the IRS’ ability to process over 100 million tax returns, including tax payments in excess of $200 million. Approximately 1,500 employees nationwide would also be indirectly affected if the BBTS suffered a catastrophic event and was unable to operate.

Management’s Response: The CDC Project Director agreed that the IRS did not have a contingency plan for the BBTS. However, he noted that the IRS determined the impact of losing the BBTS would be minimal from a business standpoint because the tracking operation can be performed manually. In addition, Monthly System Risk Assessment Ratings from July 1999 to November 1999 have never rated the BBTS as high risk.

The November risk rating indicated the BBTS was not a high risk system. A high risk would require the Business Owner to determine if a Business Contingency Plan were needed, and if so, to prepare it. All components of the BBTS have completed Independent Validation and Verification (IV&V). End-to-End Testing was to be completed by December 17, 1999.

Conclusion

The IRS has made significant strides in converting its minicomputer systems. Effective actions were taken to address issues reported in the previous audit. However, oversight of the minicomputer conversion efforts remains critical to ensure that all systems are converted timely and that contingency plans are made ready as the Year 2000 approaches.

Appendix I

Detailed Objective, Scope, and Methodology

To address this objective, we:

Determined whether the IRS properly classified the risk and validated the milestone dates for each minicomputer system that did not meet the January 31, 1999, target date.

A. Determined what additional oversight mission critical Tier II application systems, which missed the target date, are receiving.

Interviewed Tier II Program Office and Century Date Change (CDC) Project Office managers to determine what oversight is being given to systems on the Tier II Risk Assessment Dashboard Report.
Attended the Tier II Program’s weekly briefings for October 6, 1999, and October 13, 1999, to evaluate the oversight that is being given to Tier II conversion.
Compared the October 1, 1999, Tier II Risk Assessment Dashboard Report with the January 29, 1999, and July 30, 1999, Tier II Risk Assessment Dashboard Reports to ensure that all systems that were previously non-compliant were covered in these oversight documents.

Determined whether the Tier II Program Office, through the Independent Audit and Readiness Verification (IA&RV) process, validated the results of the integration testing performed by application owners for Tier II mission critical systems.

Discussed with Tier II Program Office managers how systems were chosen for review under the IA&RV process.
Discussed with Tier II Program Office managers if the IA&RV process covered systems that were scheduled for phase VI (02/01/1999 - 07/31/1999) or phase VII (08/01/1999 – 01/01/2000).
Discussed how the Tier II Program Office was monitoring integration testing for those systems that were not compliant on March 31, 1999.
Reviewed the Audit Checklist used by the IA&RV team for the Electronic Management System (EMS), the Totally Automated Personnel System (TAPS), the Telephone Routing Interactive System (TRIS), and the Batch Block Tracking System (BBTS) for recommendations and follow-up action, and determined how management will monitor corrective action.
Reviewed the audit results from the IA&RV visits for the EMS, the TAPS, the TRIS, and the BBTS to determine whether any testing has been moved to Phase III of the End-to-End test.

Determined whether the CDC Project Office ensured that formal contingency planning procedures were in place for systems that did not meet the March 31, 1999, Office of Management and Budget target date.

Identified forty-one systems the Tier II Program Office considered "at risk," and evaluated steps taken to ensure they remain on schedule.
Interviewed managers in the CDC Project and Tier II Program Offices, and determined criteria for requesting a contingency plan for these systems.
Determined whether contingency plans existed for mission critical systems, and evaluated the contingency plans for four systems to determine if they were adequate. Our evaluation of the contingency planning efforts determined:

What happened if these systems failed.

How many taxpayers will be affected.
What is being done to prevent failure.
How this is being checked.

Appendix II

Major Contributors to This Report

Scott Wilson, Associate Inspector General for Audit (Information Systems Programs)

Scott Macfarlane, Director

Tammy Whitcomb, Audit Manager

Jimmie D. Johnson, Sr., Senior Auditor

George L. Franklin, Auditor

Michelle Griffin, Auditor

Appendix III

Report Distribution List

Deputy Commissioner Operations C:DO

Deputy Commissioner Modernization C:DM

Chief Information Officer IS

Deputy Chief Information Officer, Operations IS

Deputy Chief Information Officer, Systems IS

Assistant Commissioner (National Operations) IS:O

Assistant Commissioner (Program Evaluation and Risk Analysis) M:OP

Assistant Commissioner (Service Center Operations) IS:SC

Assistant Commissioner (Systems Development) IS:S

Director, System Support Division IS:S:TS

Director, Office of Information Resources Management IS:IR

Director, Century Date Change Project Office IS:CD

Director, Tier II Program Office IS:CD:T2

National Director for Legislative Affairs CL:LA

Office of the Chief Counsel CC

Office of Management Controls M:CFO:A:M

Audit Liaisons:

Office of Information Systems Program Oversight IS:IR:O

Century Date Change Project Office IS:CD

Chief, Information Systems Audit Assessment and Control Section IS:IR:O:A

Treasury Inspector General for Tax Administration Liaison IS:IR:O:A

Appendix IV

Minicomputer Systems Which Were Not Converted As of October 29, 1999

MISSION CRITICAL MINICOMPUTER SYSTEMS NOT YET CONVERTED AS OF OCTOBER 29, 1999
System Name	Description
Executive Officer for Service Center Operations National Standard Applications (EOSCO NSA)	This system consists of programs to process estate taxes, track tax protestors and erroneous refunds, assign temporary social security numbers (SSN), and give on-line access to print files.
Austin Service Center (AUSC) EOSCO NSA	This system tracks erroneous refunds (Form 1540).
Kansas City Service Center EOSCO NSA	This system assigns, controls, and maintains data regarding temporary SSNs in order to complete corrections of taxpayer name, address and other filing information.
NON-MISSION CRITICAL MINICOMPUTER SYSTEMS NOT YET CONVERTED AS OF OCTOBER 29, 1999
Automated Workload Management System	This system is an automated system currently in use by the service centers to manage computer media and workload. It is available for all systems, but is primarily used to schedule the UNISYS system.
Collection Support	This is an assortment of small programs that generate reports for National Office Collection division personnel.
Contractor Management System	This system tracks and reports contract task orders and their components, including sub-tasks, deliverables, milestone dates, and invoices.
Compliance Research Intranet 2000	This is the web technology system for the Internal Revenue Service’s (IRS) Office of Research.
Andover Service Center (ANSC) EOSCO NSA	This system generates Form 1099 interest statements to taxpayers.
Fresno Service Center EOSCO NSA	This system issues photocopy-fee refunds to taxpayers.
ANSC Mission Support	This system directly and indirectly supports the tax processing, administration, and enforcement functions of the IRS.
Travel Reimbursement and Accounting System	This system processes travel advances and vouchers for IRS employees.
MISSION CRITICAL SYSTEM CHANGING PLATFORMS
Automated Underreporter System	This system generates proposed assessments for cases where data from information returns do not match tax return information.