GAO-06-310, Business Systems Modernization: IRS Needs to Complete Recent Efforts to Develop Policies and Procedures to Guide Requirements Development and Management


This is the accessible text file for GAO report number GAO-06-310 
entitled 'Business Systems Modernization: IRS Needs to Complete Recent 
Efforts to Develop Policies and Procedures to Guide Requirements 
Development and Management' which was released on April 19, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Subcommittee on Transportation, Treasury, the 
Judiciary, HUD, and Related Agencies, Committee on Appropriations, U.S. 
Senate:

March 2006: 

Business Systems Modernization: 

IRS Needs to Complete Recent Efforts to Develop Policies and Procedures 
to Guide Requirements Development and Management: 

GAO-06-310: 

GAO Highlights: 

Highlights of GAO-06-310, a report to the Subcommittee on 
Transportation, Treasury, the Judiciary, HUD, and Related Agencies, 
Committee on Appropriations, U.S. Senate. 

Why GAO Did This Study: 

The Internal Revenue Service’s (IRS) effort to modernize its tax 
administrative and financial systems—Business Systems Modernization 
(BSM)—has suffered delays and cost overruns due to a number of factors, 
including inadequate development and management of requirements. 
Recognizing these deficiencies, IRS created a Requirements Management 
Office (RMO) to establish policies and procedures for managing 
requirements. GAO’s objectives were to assess (1) whether the office 
has established adequate requirements development and management 
policies and procedures and (2) whether BSM has effectively used 
requirements development and management practices for key systems 
development efforts. 

To improve the requirements development and management practices at 
IRS, GAO recommends that the Commissioner of Internal Revenue direct 
the Associate Chief Information Officer for BSM to (1) ensure that BSM 
completes delivery of policies and procedures for requirements 
development and management as planned and (2) immediately implement 
interim policies for BSM projects while final policies and procedures 
are being developed. The Commissioner agreed with our recommendations 
and described steps taken to address them. 

What GAO Found: 

BSM does not yet have adequate policies and procedures in place to 
guide its systems modernization projects in developing and managing 
requirements. In January 2006, the RMO developed a set of draft 
policies that address some key areas of requirements development and 
management; these policies are to serve as interim guidance while the 
final policies and processes are being developed. At the conclusion of 
GAO’s review, the RMO also provided a high-level plan that includes 
milestones for completing these policies. Since critical BSM projects 
continue to be pursued and completion of the policies and procedures is 
not expected until March 2007, it is critical that BSM immediately 
implement the draft policies and continue to develop the final 
policies. 

As a result of the lack of policies and procedures, the one ongoing 
project—Modernized e-File (MeF)—and the two completed projects—Filing 
and Payment Compliance (F&PC) and Customer Account Data Engine 
(CADE)—GAO reviewed did not consistently follow disciplined practices 
for systems development and management (see table). 

Table: Requirements Activities Completed on BSM. 

[See PDF for Image] 

[End of Figure] 

For example, all three projects had a key element of managing 
requirements—a change management process that requires approvals and 
impact assessments to be completed when there are changes to 
requirements—but none met all of the practices needed for effective 
requirements management. In addition, two projects did not have a 
clear, consistent way to elicit (gather) requirements, two did not have 
fully documented requirements, and two could not produce fully 
traceable requirements (i.e., the requirements could not be tracked 
through development and testing), which is another key element of 
managing requirements. Unless IRS takes the steps needed to develop and 
institutionalize disciplined requirements development and management 
processes and implements draft policies in the interim to cover key 
areas of requirements development and management, it will continue to 
face risks, including cost overruns, schedule delays, and performance 
shortfalls. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact David A. Powner at (202) 
512-9286 or pownerd@gao.gov or Keith A. Rhodes at (202) 512-6412 or 
rhodesk@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

BSM Lacks Policies and Procedures for Requirements Management: 

BSM Projects Have Not Consistently Followed Disciplined Requirements 
Development and Management Practices: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Scope and Methodology: 

Appendix II: Project Descriptions: 

Appendix III: Comments from the Department of the Treasury: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Requirements Activities Completed on BSM Projects: 

Table 2: MeF Releases and Functionality: 

Table 3: Development and Steady State Costs for MeF: 

Table 4: F&PC Releases and Functionality: 

Table 5: Development Costs for F&PC: 

Table 6: CADE Releases and Functionality: 

Table 7: Development Costs for CADE: 

Figures: 

Figure 1: IRS BSM Funding Fiscal Year 1999 to Fiscal Year 2005: 

Figure 2: Requirements Development and Management Process and Typical 
Work Products/Activities: 

Abbreviations:

BSM: Business Systems Modernization: 

CADE: Customer Account Data Engine: 

CCS: Collection Contract Support: 

CM: Configuration Management: 

CMMI: Capability Maturity Model Integration: 

ELC: Enterprise Life Cycle: 

F&PC: Filing and Payment Compliance: 

IEEE: Institute of Electrical and Electronics Engineers: 

IRS: Internal Revenue Service: 

MeF: Modernized e-File: 

PDC: Private Debt Collection: 

RMO: Requirements Management Office: 

SEI: Software Engineering Institute: 

TIGTA: Treasury Inspector General for Tax Administration: 

Letter:

March 20, 2006: 

The Honorable Christopher S. Bond:
Chairman:
Subcommittee on Transportation, Treasury, the Judiciary, HUD, and 
Related Agencies Committee on Appropriations:
United States Senate: 

Dear Mr. Chairman: 

The Internal Revenue Service (IRS) has long relied on obsolete 
automated systems for key operational and management functions; its 
attempts to modernize these systems span several decades. IRS's current 
effort--Business Systems Modernization (BSM)--is a highly complex, 
multibillion dollar effort to modernize its technology and related 
business processes. Over the past 7 years, IRS has been appropriated 
approximately $1.9 billion for BSM. These systems modernization 
projects have experienced cost overruns and schedule delays due to, 
among other things, inadequate development and management of 
requirements.[Footnote 1] Lack of attention to these crucial processes 
has led to projects not meeting cost, schedule, and performance goals. 

IRS has recognized these deficiencies and established a Requirements 
Management Office (RMO) to, among other things, develop the policies 
and procedures that are to cover all aspects of requirements 
development and management. This report responds to your request that 
we assess (1) whether the RMO has established adequate requirements 
development and management policies and procedures and (2) whether BSM 
has used effective requirements development and management practices 
for key systems development efforts. 

To accomplish our objectives, we reviewed BSM requirements development 
and management policies, guidance, procedures, and tools. We also 
analyzed two completed and one ongoing BSM systems development 
projects[Footnote 2] and interviewed appropriate IRS and contractor 
officials. Further details on our objectives, scope, and methodology 
are provided in appendix I. Our work was performed from June 2005 
through February 2006 in accordance with generally accepted government 
auditing standards. 

Results in Brief: 

BSM does not yet have adequate policies and procedures in place to 
guide its systems modernization projects in developing and managing 
requirements. In January 2006, the RMO developed a set of draft 
policies that address key areas of requirements development and 
management; these policies are to serve as interim guidance while the 
final policies and processes are being developed. At the conclusion of 
our review, BSM provided us the draft policies and a high-level plan 
that includes milestones for completing these policies. Since critical 
BSM projects continue to be pursued and completion of the policies and 
procedures is not expected until March 2007, it is critical that BSM 
immediately implement the draft policies and continue to develop the 
final policies. 

As a result of the lack of policies and procedures, BSM projects did 
not consistently follow disciplined requirements development and 
management practices. For example, all three projects had a change 
management process in place that requires approvals and impact 
assessments to be completed when there were changes to requirements. 
However, none of the projects met all of the practices needed for 
effective requirements management. For example, two did not implement 
all needed practices in eliciting (gathering) requirements; two did not 
have fully documented requirements; and two could not produce fully 
traceable requirements (i.e., the requirements could not be tracked 
through development and testing). Unless BSM takes the steps needed to 
develop and institutionalize disciplined requirements development and 
management processes and to improve interim guidance, it will continue 
to face risks, including cost overruns, schedule delays, and 
performance shortfalls. 

We are recommending that the Commissioner of Internal Revenue direct 
the Associate Chief Information Officer for BSM to ensure that BSM 
completes the delivery of policies and procedures for requirements 
development and management, as planned. In addition, we also recommend 
that the interim policies for BSM be immediately implemented while the 
final policies and procedures are being developed. 

In providing written comments on a draft to this report, the 
Commissioner of Internal Revenue agreed with our findings and stated 
that the report provided a sound and balanced representation of the 
progress IRS has made to date as well as work that remains to be 
completed. The Commissioner also described the actions that IRS is 
taking to implement our recommendations, including establishing a 
schedule to complete the development of policies that address the areas 
of requirements elicitation, documentation, verification and 
validation, and management. The Commissioner's written comments are 
reprinted in appendix III. 

Background: 

IRS is currently replacing its antiquated tax administration and 
financial systems. This effort, as we have reported numerous 
times,[Footnote 3] has suffered delays and cost overruns due to a 
number of reasons, including inadequate development and management of 
requirements. 

History of IRS Modernization: 

The IRS tax administration system, which collects approximately $2 
trillion in annual revenues, is critically dependent on a collection of 
obsolete computer systems. Congress and IRS designed the BSM program to 
bring IRS tax administration systems to a level equivalent to private 
and public sector best practices, while managing the risks inherent in 
one of the largest, most visible, and sensitive modernization programs 
under way. Over the past 7 years, IRS has been appropriated 
approximately $1.9 billion for BSM (see fig. 1). 

Figure 1: IRS BSM Funding Fiscal Year 1999 to Fiscal Year 2005: 

[See PDF for image] 

[End of figure] 

BSM is critical to supporting IRS's taxpayer service and enforcement 
goals. For example, BSM includes projects to allow taxpayers to file 
and retrieve information electronically and to help reduce the backlog 
of collection cases. It also provides IRS with the reliable and timely 
financial management information it routinely needs to account for the 
nation's largest revenue stream. 

BSM has had some recent successes with its modernization efforts. 
During 2004, IRS implemented initial versions of (1) Modernized e-File 
(MeF), which provides electronic filing for large corporations and tax- 
exempt organizations; (2) e-Services, which created a Web portal and 
other electronic services to promote the goal of conducting most IRS 
transactions with taxpayers and tax practitioners electronically; (3) 
Customer Account Data Engine (CADE), which will replace the current 
system that contains the agency's repository of taxpayer information; 
and (4) the Integrated Financial System, which replaced aspects of 
IRS's core financial systems and is ultimately intended to operate as 
its new accounting system of record. 

However, despite these successes, IRS has had difficulty developing and 
managing requirements for its modernization efforts over the years. We 
reported in 1995[Footnote 4] that IRS did not have the requisite 
software development capability to successfully complete a major 
modernization effort and that the success of modernization would depend 
on whether IRS would promptly address the weaknesses in several 
software development areas, including requirements management. In 1998, 
we assessed IRS's systems life cycle document and reported[Footnote 5] 
a lack of sufficient information to document how business requirements 
were to be specified. More recently, in February and November of 2004, 
we reported in testimony and a report[Footnote 6] that cost overruns in 
various BSM projects, including CADE, MeF, and e-Services, were due in 
part to inadequate definition of requirements for their new systems, 
leading to incorporation of additional requirements late in the 
system's life cycle and at a higher cost than if they had been included 
in the initial requirements baseline. We continue to highlight 
management control weaknesses such as these in our annual expenditure 
plan reviews.[Footnote 7] 

Other organizations that have assessed BSM projects have also found 
that IRS has not developed and managed requirements sufficiently on 
various projects. In 2001, the Treasury Inspector General for Tax 
Administration (TIGTA) reviewed[Footnote 8] key systems development 
practices of four BSM projects[Footnote 9] and reported that weaknesses 
in several process areas, including requirements management, were 
responsible for cost increases and schedule delays. TIGTA noted that 
these weaknesses raised the risk that systems would be developed that 
would not meet the needs of the businesses they were intended to 
support and recommended that BSM strengthen and/or implement aspects of 
these key systems development practices. In 2003, an independent 
technical assessment[Footnote 10] of CADE noted significant breakdowns 
in developing and managing requirements, which resulted in the 
inability of CADE to meet its original schedule. The assessment further 
stated that IRS focused primarily on the high-level business 
requirements and paid less attention to the development of specific, 
testable requirements developed later in the development life cycle and 
that responsibility for developing and managing the requirements was 
distributed among their various organizational component, instead of 
being concentrated in a centralized authority. 

BSM has acknowledged that it has weaknesses in developing and managing 
requirements; since 2004, requirements management has been one of its 
high-priority initiatives.[Footnote 11] To demonstrate their commitment 
to improving the development and management of requirements, it created 
an RMO in October 2004. This office is to address issues related to (1) 
lack of quality and completeness of modernization requirements, (2) 
lack of alignment of modernization requirements with business strategy 
and needs, (3) risks incurred by projects transitioning to development 
without a sufficient requirements baseline, and (4) lack of visibility 
into a fully traceable set of modernization requirements. During 2005, 
the RMO created a Concept of Operations that showed, at a high level, 
the RMO's plans to address requirements practices, and, in November 
2005, it obtained contractor support to develop new policies and 
procedures. 

Requirements Development and Management: 

According to the Software Engineering Institute's (SEI) Capability 
Maturity Model Integration[Footnote 12] (CMMISM), the requirements for 
a system describe the functionality needed to meet user needs and 
perform as intended in the operational environment. A disciplined 
process for developing[Footnote 13] and managing[Footnote 14] 
requirements can help reduce the risks of developing or acquiring a 
system. A well-defined and managed requirements baseline can, in 
addition, improve understanding among stakeholders and increase 
stakeholder buy-in and acceptance of the resulting system. The 
practices underlying requirements development and management include 
eliciting, documenting, verifying and validating, and managing the 
requirements through the systems life cycle (see fig. 2). This set of 
activities translates customer needs from statements of high-level 
business requirements into validated, testable systems requirements. 

Figure 2: Requirements Development and Management Process and Typical 
Work Products/Activities: 

[See PDF for image] 

[End of figure] 

Requirements Development and Management Processes: 

Elicitation: 

The requirements development process starts with project teams 
eliciting, or gathering, requirements from stakeholders or participants 
involved in the project (e.g., customers and users). Since the 
usefulness of the system to its users and stakeholders is critically 
dependent on the accuracy and completeness of the requirements, all 
user groups and stakeholders should be identified and involved in 
defining requirements. In addition to gathering requirements from users 
and other stakeholders, analysis and/or research can be used to 
identify additional requirements that balance stakeholder needs against 
constraints and ensure that the requirements can be met in the proposed 
operational environment. 

Documentation: 

After requirements have been elicited, they are analyzed in detail; 
documented as the business, or high-level, requirements; and agreed to 
by all stakeholders. Stakeholder agreement is an important part of this 
activity and is needed to demonstrate that the requirements accurately 
define intended uses. The business requirements should then be 
decomposed into detailed system requirements, which are analyzed to 
ensure that they can be implemented in the expected operational 
environment and that they can satisfy the objectives of higher-level 
requirements. The final requirements are approved by all stakeholders 
and documented as the requirements baseline. Once the baseline is 
established, it is placed under configuration management (CM)[Footnote 
15] control. 

Verification and Validation: 

Once the requirements baseline has been developed, the requirements are 
analyzed and broken down into more specific system-level requirements 
and eventually into the code that makes up the system. The verification 
process ensures that the system-level requirements and the resulting 
code are an accurate representation of stakeholder needs. This process 
includes checking selected work products, such as software code, 
against the initial baseline requirements to ensure that the lower- 
level items fully satisfy the higher-level requirements. It is an 
inherently incremental process, occurring throughout the development of 
the product. This agreement between work products, such as code and 
baseline requirements, is verified by conducting peer reviews. Peer 
reviews can also be used to identify action items that need to be 
addressed. Without such reviews, an organization is taking a risk that 
substantial defects will not be detected until late in the development 
and/or testing phases, or even after the system is implemented. 

While the system is being developed, each component must be tested to 
ensure that its outputs are accurate. Testing (e.g., unit, system 
integration, and user acceptance) is the process of executing a program 
with the intent of finding errors. Clear, complete, and well-documented 
requirements are needed in order to design and implement an effective 
testing program. Linking the testing activities back to the 
requirements assures the organization that, once testing activities are 
successfully completed, all requirements have been addressed and will 
be met by the system. Without such assurance, it is possible for a 
requirement to be missed in development and the resulting lack of 
functionality not noticed until late in testing, or even after 
deployment. 

Management: 

Requirements, once developed and approved, also need to be managed 
throughout the system life cycle. Two key areas of requirements 
management are addressing changes to requirements and establishing and 
maintaining bidirectional traceability from high-level requirements 
through detailed work products to test cases and scenarios. As 
mentioned earlier, once a set of high-level requirements is documented, 
verified, and approved, it is placed under configuration control. From 
this point, changes to the requirements are evaluated and validated as 
part of the change control process.[Footnote 16] Change control 
includes reviewing and assessing proposed changes to the requirements 
to determine the reasons for the changes, determining if these changes 
are occurring due to flaws in the requirements development process, and 
ensuring that any effects of the change on other requirements as well 
as on the cost, schedule, and performance goals of the project are 
determined and assessed. 

Establishing and maintaining traceability from initial requirements to 
work products and the resulting system is also important. A 
requirements traceability matrix demonstrates forward and backward 
(bidirectional) traceability from business requirements to detailed 
system requirements all the way through to test cases. 

BSM Lacks Policies and Procedures for Requirements Management: 

BSM does not yet have adequate policies and procedures in place to 
guide its systems modernization projects in developing and managing 
requirements. In January 2006, the RMO developed a set of draft 
policies that address key areas of requirements development and 
management; these policies are to serve as interim guidance while the 
final policies and processes are being developed. At the conclusion of 
our review, the RMO provided us the draft policies and a high-level 
plan that includes milestones for completing these policies. Since 
critical BSM projects continue to be pursued and completion of the 
policies and procedures is not expected until March 2007, it is 
critical that BSM immediately implement the draft policies and continue 
to develop the final policies. 

BSM Lacks Comprehensive Policies and Procedures for Requirements 
Development and Management, but Has Initiated Their Development: 

BSM does not have comprehensive, detailed policies and procedures for 
requirements management and development activities that include 
requirements elicitation, documentation, verification and validation, 
and management. During our review, BSM officials were unable to provide 
us with detailed policies and procedures and agreed that they do not 
have such documents. Project teams were not consistent in their 
understanding of which guidance they should use for the development and 
management of requirements; some project team members mentioned BSM's 
Enterprise Life Cycle[Footnote 17] (ELC); others said they were waiting 
for guidance from the RMO. Our review of the ELC showed that it did not 
provide the procedures project managers would need to properly perform 
the steps in the requirements development and management process. BSM 
program officials agreed that the ELC did not provide the needed 
guidance. 

In December 2005, the RMO completed an analysis of requirements 
development and management areas that need improvement. The RMO found, 
as we did, that BSM lacks detailed guidance; their recommendations 
included developing process handbooks for aspects of requirements 
elicitation, documentation, verification and validation, and 
management. Subsequently, in January 2006, BSM officials developed 
draft guidance that covers aspects of requirements development and 
management. However, this guidance does not fully address requirements 
elicitation, documentation, verification and validation, and 
management. At that time, BSM also provided us with a high-level plan 
that contains interim milestones and establishes a March 2007 
completion date for the final set of policies and procedures. BSM 
officials told us that these draft policies are to serve as interim 
guidance while the remaining policies and procedures are being 
developed. In addition, IRS also uses its governance processes, 
particularly the milestone exit reviews, to find and mitigate issues 
and problems with requirements development and management on existing 
projects. Finally, the RMO is allocating resources to key projects-- 
such as F&PC version 1.2--to assist them in developing requirements. 

Without a formal set of documents that detail organizational policies 
and associated procedures, employees and contractors will rely on their 
individual knowledge and expertise to complete requirements development 
and management activities. This raises the risk of cost overruns, 
schedule delays, and reduction of functionality. Since critical BSM 
projects are already under way, and completion of the policies and 
procedures is not set until March 2007, it is urgent that BSM 
immediately implement the draft policies. Until BSM develops and 
implements policies and procedures that fully address the key areas of 
requirements development and management, including elicitation, 
documentation, tracking of cost and schedule impacts associated with 
requirements changes, and establishing and maintaining full 
bidirectional traceability, ongoing projects will continue to run 
greater risk of cost and schedule overruns and poor system performance. 

BSM Projects Have Not Consistently Followed Disciplined Requirements 
Development and Management Practices: 

As a result of the lack of policies and procedures, BSM projects varied 
in the extent to which they followed disciplined requirements 
practices. All three projects we reviewed--MeF release 3.2 (to be 
deployed March 2006), and F&PC release 1.1 (deployed January 2006), and 
CADE release 1.1 (deployed July 2004)--performed some of the practices 
associated with sound requirements development and management. For 
example, all three projects had a change management process in place 
that requires approvals and impact assessments to be completed when 
changes are made to requirements. However, none of the three BSM 
project releases we reviewed consistently performed all of the 
practices needed for effective requirements management. Specifically: 

* Project teams did not have a clear, documented, and consistent method 
of eliciting requirements. 

* Project teams did not adequately document all requirements. 

* Project teams did not effectively verify requirements. 

* Project teams did not demonstrate adequate management of 
requirements. 

Table 1: Requirements Activities Completed on BSM Projects: 

Projects: Eliciting requirements; 
MeF 3.2: Practice Partially Implemented; 
F&PC 1.1: Practice Partially Implemented; 
CADE 1.1: Practice Not Implemented. 

Projects: Documenting requirements; 
MeF 3.2: Practice Partially Implemented; 
F&PC 1.1: Practice Fully Implemented; 
CADE 1.1: Practice Not Implemented. 

Projects: Verifying and validating requirements; 
MeF 3.2: Practice Partially Implemented; 
F&PC 1.1: Practice Partially Implemented; 
CADE 1.1: Practice Partially Implemented. 

Projects: Managing requirements; 
MeF 3.2: Practice Partially Implemented; 
F&PC 1.1: Practice Fully Implemented; 
CADE 1.1: Practice Not Implemented.

Source: GAO analysis of BSM data.

[End of table] 

Project Teams Have Inconsistent Requirements Elicitation Practices: 

Based on stakeholder information such as customer expectations, 
constraints, and interfaces for a system, the requirements elicitation 
team discovers, defines, refines, and documents business-level 
requirements. Due to the importance of this activity, plans or 
strategies should be in place to guide project officials in defining 
elicitation-related activities and in outlining how the requirements 
will be gathered (e.g., interviewing the users or analyzing the current 
or expected business processes). 

BSM project teams did not have a clear, consistent, and documented 
method of eliciting requirements for the projects. For example, 
although the teams identified stakeholders in their project plans, only 
MeF 3.2 provided evidence that working group meetings were conducted 
with stakeholders to understand their needs and to identify their 
problems and expectations and that strategies or plans were developed 
for eliciting requirements. CADE 1.1 project team members could not 
describe how they elicited requirements or provide a requirements plan 
that documented elicitation procedures or strategies. An F&PC project 
team member stated that, for release 1.1, the project did not have a 
fully documented process for elicitation; however, the team member 
stated that the team had held workshops and obtained resources and 
assistance from the RMO to help mitigate the lack of a process. The RMO 
used lessons learned from this effort to develop a new requirements 
elicitation process, which they expect will assist F&PC in elicitation 
for its next release. 

BSM project and program officials agreed that requirements elicitation 
processes could be improved and stated that they were planning to 
address some of the problems we found. For example, when we asked 
project officials about the policies and procedures underlying their 
current requirements elicitation activities, some stated that they were 
waiting for new policies to be issued by the RMO, and others cited the 
ELC as guidance. As mentioned earlier, the ELC does not provide the 
information needed for the requirements elicitation process. 
Furthermore, F&PC officials could not state which sections in the ELC 
described the requirements elicitation process. BSM program management 
and RMO officials acknowledged the lack of policies and procedures and 
stated that the RMO has since developed new guidance for eliciting 
requirements that will be piloted on F&PC version 1.2, which is 
currently entering the requirements development phase. 

BSM project teams performed elicitation processes in a nonstandard 
manner due to the lack of policies, procedures, and guidance. Without 
standardized policies and procedures to guide this key part of 
requirements development, BSM program officials cannot ensure that its 
systems development projects have collected and documented all the 
necessary requirements, which could result in systems being developed 
that do not meet user needs. 

Projects Do Not Fully Document Requirements: 

After collecting and documenting high-level requirements from 
customers, users, and other stakeholders, the requirements team should 
analyze these high-level requirements against the conceptual (or 
expected) operational environment to balance user needs and constraints 
and to ensure that the system developed will perform as intended. The 
resulting lower-level requirements should also be analyzed to make sure 
they can be performed in the expected environment and that they satisfy 
the objectives of the higher-level requirements. The final requirements 
are documented in the requirements baseline. 

The BSM projects we reviewed did not complete all of the activities 
needed to adequately document requirements. Although project teams 
provided evidence that they created a set of high-level requirements 
and obtained approvals from stakeholders on this set of requirements, 
two of the three projects did not provide evidence that requirements 
were thoroughly analyzed and decomposed to lower-level system 
requirements. For example, part of this analysis would link all lower- 
level systems requirements to the original higher-level business 
requirements. Only one of the project teams--F&PC--provided 
documentation showing the necessary linking or mapping of lower-level 
system requirements to the business requirements. MeF and CADE provided 
documentation; however, their documentation did not fully demonstrate 
the linking of system-level requirements to the business requirements. 

A MeF project official agreed that full linkage of system-level 
requirements to business requirements should be implemented. The MeF 
official stated that they planned to implement this in their next 
version--version 4.0. In addition, a BSM program official indicated 
that additional project guidance on requirements documentation would be 
part of the RMO's deliverables and would help to address this issue. 

Without feasible and clearly defined requirements, projects run the 
risk of cost overruns, schedule delays, and deployment of systems with 
limited functionality. For example, incomplete definition of 
requirements has been cited as one reason for schedule delays and cost 
overruns for both CADE and MeF. 

Projects Do Not Fully Verify Requirements; Validation Activities 
Completed, but Problems Remain: 

Once requirements are fully documented, software code and other work 
products that will guide development and testing activities need to be 
verified using peer review techniques against the original 
requirements. In addition, these products should be validated through 
testing to ensure that they will operate effectively in the intended 
environment. 

Projects Do Not Fully Verify Requirements through Peer Reviews: 

Requirements verification ensures that the lower-level requirements, 
software code, and other work products that will guide development and 
testing activities are an accurate representation of stakeholder needs. 
Peer reviews are an important part of the verification process and are 
a proven mechanism for effective defect removal. During peer reviews, 
teams of peers[Footnote 18] examine code and other work products to 
identify defects, determine the causes of the defects, and make 
recommendations that address changes needed to help ensure that the 
system will meet stakeholder and developer needs. Peer reviews should 
follow a structured, formalized process; peer review events should be 
planned in advance, with items, such as code and other work products, 
selected in advance; the results of the sessions should be incorporated 
into peer review reports that project teams are expected to address 
before moving further into development activities. 

The BSM project teams did not provide evidence that work products had 
been verified against requirements through the use of a formalized peer 
review process and project officials did not follow recommended 
practices for conducting peer reviews. BSM project team members stated 
that they conducted customer technical reviews and milestone exit 
reviews that they considered to be peer reviews; however, these kinds 
of reviews do not meet the criteria for peer reviews. They were not 
structured, did not select code and other items in advance to be 
evaluated, and did not produce formal peer reports with action items 
that projects were required to address. 

Project Teams Performing Validation, but Problems Remain: 

Requirements validation is the process of demonstrating that a product 
fulfills its intended use in its environment. It differs from the 
verification activities previously described, in that validation 
determines that the product will fulfill its intended use, while 
verification ensures that work products properly reflect the baseline 
requirements. Validation includes tests conducted on the product during 
development to prove that the product performs its intended functions 
correctly. In a disciplined software development process, planning for 
validation activities begins as requirements are developed; testing 
activities are critical to determining that a system not only operates 
effectively but addresses all baseline requirements. To complete 
validation activities, testing is conducted at several levels, each of 
which validates that the system will operate effectively at a different 
level. For example, unit testing validates individual sections of code, 
and system integration testing ensures that the system as a whole can 
operate effectively in its environment. User acceptance testing allows 
the user community to determine whether the system, as developed, can 
be used to effectively support their work. It also validates that the 
system meets user expectations. An effective testing process confirms 
the functionality and performance of the product prior to delivery. It 
is a crucial process and needs to be well planned, well structured, 
well documented, and carried out in a controlled and managed way. 

The BSM projects provided evidence of validation activities, such as 
test plans and test results. CADE 1.1 officials provided both test 
plans and test reports. MeF release 3.2 and F&PC release 1.1 are still 
in the testing phase; they provided available test plans but do not yet 
have test reports. 

Despite the existence of test plans and reports, requirements are not 
fully documented or fully traced. In addition, while the ELC provides 
guidance on testing that discusses test planning, activities, and test 
responsibilities, program officials say that this guidance is limited. 
BSM's Enterprise Services organization has initiated an effort to 
review, revise, and enhance test procedures across BSM. Therefore, 
until BSM ensures full documentation and traceability of requirements, 
questions about the completeness of its testing will remain. 

Project Teams Not Adequately Managing Requirements: 

Finally, requirements must be managed through the system development 
life cycle. We found that the three projects did not fully demonstrate 
adequate management of their requirements. Although the projects had a 
formal change control process in place to analyze and manage changes to 
requirements, associated costs and schedule changes resulting from 
requirements changes were not always tracked or updated. In addition, 
projects' documentation did not demonstrate adequate traceability of 
requirements from the business requirements (high-level requirements) 
to system requirements (low-level requirements) to test cases. 

Project Teams Not Updating Cost and Schedule to Reflect Requirements 
Changes: 

Managing changes to the original requirements is a formal process to 
identify, evaluate, track, report, and approve these changes. As work 
products are developed and more is learned about the system that is 
being developed, information is occasionally found that requires a 
change to the original requirements. Modifications to project scope or 
design can also result in requirements changes. Therefore, projects 
need to manage these changes to requirements in a structured way. 

The BSM project teams used a change management process to manage 
changes to requirements that included documenting the rationale for 
changes, developing assessments of the impact of the change, and 
obtaining approvals by the Configuration Change Board. However, only 
the MeF and F&PC teams provided evidence that their cost and schedule 
baselines were updated when changes to requirements impacted cost and/ 
or schedule. For example, CADE officials did not provide any evidence 
to show how they updated and tracked cost changes resulting from 
changes to requirements, nor did they provide evidence that the work 
breakdown structure[Footnote 19] was updated to reflect schedule 
changes. F&PC officials provided evidence for tracking changes to the 
cost and schedule. MeF officials provided a document that tracked the 
cost implications of changes to requirements and the work breakdown 
structure to reflect schedule changes. 

A BSM project official indicated that the BSM project was implementing 
cost and schedule tracking on its current releases. However, it was not 
clear whether BSM was doing this consistently or whether appropriate 
guidance for tracking cost and schedule would be provided by BSM. 

Project teams that do not effectively track cost and schedule changes 
as a result of changes to requirements will not be able to effectively 
mitigate the potential impact of these changes to overall cost, 
schedule, and performance goals, thus raising the risk of cost 
overruns, schedule delays, and deferral of functionality. 

Project Teams Not Ensuring Full Traceability of Requirements: 

Another key element of requirements management is establishing and 
maintaining the traceability of requirements. Traceability of 
requirements is tracking the requirements from the inception of the 
project and agreement on a specific set of business requirements to 
development of the lower-level system requirements, detailed design, 
code implementation, and test cases necessary for validating the 
requirements. Tracing a requirement throughout the development cycle 
provides evidence that the requirements are met in the developed system 
and ensures that the product or system will work as intended. 
Requirements must be traceable forward and backward through the life 
cycle. Each business requirement must be traceable to associated system 
requirements and test cases. Without adequate traceability, errors in 
functionality could occur and not be found until the testing phase, 
when problems are more costly to fix and time frames for fixing 
problems without causing a schedule slip for deployment are limited. 

Of the three projects, only the F&PC team showed evidence of full 
traceability of the requirements from high-level requirements to low- 
level requirements. MeF and CADE documentation did not demonstrate 
clear traceability from the business requirements to lower-level system 
requirements, coding, and test cases. MeF program officials 
acknowledged weaknesses in this area and stated that they planned to 
develop full bidirectional traceability to the business level 
requirements as part of MeF release 4.0. 

According to project officials, one reason they do not have full 
bidirectional traceability is due to the lack of detailed procedures 
and guidance for traceability of requirements. Until recently, BSM 
projects were not required to develop and use a traceability matrix. 
While interim guidance issued by BSM does require the use of 
traceability matrices and use of its configuration management 
repository to manage requirements, the guidance lacks the detail needed 
to ensure that projects meet criteria. BSM program officials agreed 
that this was an area that needed additional guidance. The RMO is 
currently reviewing new guidance on how to improve requirements 
traceability. 

Without adequate traceability of requirements, system requirements can 
be missed during development and the agency cannot be assured that 
validation activities fully demonstrate that all the agreed-upon 
requirements have been developed, fully tested, and will work as 
intended. 

Conclusions: 

BSM lacks policies and procedures to develop and manage requirements 
for their systems modernization projects. BSM has acknowledged this 
deficiency since late 2004 when it listed requirements management as 
one of its high-priority initiatives and created an RMO. The office has 
now developed draft policies that cover aspects of eliciting, 
documenting, verifying and validating, and managing requirements. These 
draft policies are to serve as guidance to projects teams as BSM 
projects are pursued. It is critical that BSM implement these draft 
policies immediately and continue to develop the remaining policies. 

The three BSM development projects that we reviewed showed significant 
differences in how they implemented practices for developing and 
managing requirements. Until BSM and the RMO complete the development 
of policies and procedures to ensure disciplined requirements 
development and management practices, projects will not have sufficient 
guidance to ensure implementation of these practices, which will impair 
their ability to effectively manage the development and acquisition of 
critical systems and increase the risk of cost overruns, schedule 
delays, and deferral of functionality. 

Recommendations for Executive Action: 

To improve the requirements development and management policies and 
practices of the IRS's BSM, we recommend that the Commissioner of 
Internal Revenue direct the Associate Chief Information Officer for BSM 
to take the following two actions: 

1. Ensure that BSM completes the delivery of policies and procedures 
for requirements development and management as planned. The policies 
and procedures should fully describe the processes, include a minimum 
set of activities required for each project, and provide detailed 
procedures for each of the key areas of requirements elicitation, 
documentation, verification and validation, and management. As part of 
this effort, the policies and procedures should specifically include 
the following: 

* A standardized process for the elicitation of requirements that 
ensures that projects fully investigate the requirements needed for a 
specific system, including gathering requirements from all relevant 
users and stakeholders. 

* A standardized process for the documentation of requirements that 
ensures full documentation of the baseline requirements. 

* A process for ensuring formal peer reviews are planned and completed 
for key products. 

* Guidance on tracking cost and schedule impacts of changes to 
requirements for all projects. 

* Guidance on establishing and maintaining full bidirectional 
requirements traceability. 

2. In addition, since BSM has ongoing projects that are developing and 
managing requirements and the development of new policies and 
procedures is not scheduled to be complete until March 2007, the 
Commissioner should direct the Associate CIO for BSM to immediately 
implement its draft policies while the final policies and procedures 
are being developed. 

Agency Comments: 

In providing written comments on a draft to this report, the 
Commissioner of Internal Revenue agreed with our findings and stated 
that the report provided a sound and balanced representation of the 
progress IRS has made to date as well as work that remains to be 
completed. The Commissioner also described the actions that IRS is 
taking to implement our recommendations, including establishing a 
schedule to complete the development of policies that address the areas 
of requirements elicitation, documentation, verification and 
validation, and management. The Commissioner's written comments are 
reprinted in appendix III. 

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the date of this letter. At that time, we will send copies of this 
report to the Chairmen and Ranking Members of other Senate and House 
committees and subcommittees that have appropriation, authorization, 
and oversight responsibilities for IRS. We are also sending copies to 
the Commissioner of Internal Revenue, the Secretary of the Treasury, 
the Chairman of the BSM Oversight Board, and the Director of the Office 
of Management and Budget. Copies are also available at no charge on the 
GAO Web site at [Hyperlink, http://www.gao.gov.]. 

Should you or your offices have questions on matters discussed in this 
report, please contact David A. Powner at (202) 512-9286 or or Keith A. 
Rhodes at (202) 512-6412. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix III. 

Sincerely yours, 

Signed by:

David A. Powner,
Director, Information Technology Management Issues: 

Signed by:

Keith A. Rhodes,
Chief Technologist, Center for Technology and Engineering: 

[End of section] 

Appendixes: 

Appendix I: Scope and Methodology: 

The objectives of our review were to assess (1) whether the 
Requirements Management Office (RMO) has established adequate 
requirements development and management policies and procedures and (2) 
whether the Business Systems Modernization (BSM) has effectively used 
requirements development and management practices for key systems 
development efforts. 

To assess the adequacy of BSM's requirements development and management 
policies and procedures, including IRS's Enterprise Life Cycle 
(ELC),[Footnote 20] we compared it against criteria based on industry 
standards and best practices, including the Software Engineering 
Institute's (SEI) Capability Maturity Model Integration (CMMISM) 
version 1.1. We also reviewed draft policies and procedures provided by 
the RMO in February 2006 and compared them against this criteria. In 
addition, we interviewed appropriate BSM officials to discuss the 
creation and goals of the RMO and whether there were BSM requirements 
development and management policies and procedures in place. 

To assess whether BSM project teams effectively used requirements 
development and management practices on its systems acquisitions, we 
selected three BSM projects to review: (1) Modernized e-File (MeF) 
release 3.2, which is to be deployed in March 2006; (2) Filing and 
Payment Compliance (F&PC) release 1.1, which was deployed in January 
2006; and Customer Account Data Engine (CADE) Individual Master File 
release 1.1, which was deployed July 2004. We selected these 
investments because they were (1) important to the goals and mission of 
the agency, (2) large-scale development efforts with significant costs, 
and (3) at different points in their development life cycles. 

To evaluate whether each of the three projects had effectively used 
requirements development and management practices for key systems 
development efforts, we compared the project's documentation and 
processes against criteria based on industry standards and best 
practices, including SEI's CMMISM version 1.1. The documentation 
reviewed for each of the projects included requirements management 
plans, traceability matrices, testing plans, baseline requirements, and 
other items. We also interviewed the program officials from each of 
these three projects to further clarify issues on their requirements 
development and management activities. 

Our work was performed from June 2005 to February 2006 in Washington 
D.C., in accordance with generally accepted government auditing 
standards. 

[End of section] 

Appendix II: Project Descriptions: 

The following are descriptions of the three projects we selected to 
review: Modernized e-File (MeF) release 3.2, Filing and Payment 
Compliance (F&PC) release 1.1, and Customer Account Data Engine (CADE) 
release 1.1. 

Modernized e-File: 

In fiscal year 2004, BSM introduced the Modernized e-File (MeF) system, 
which allows e-filing for tax-exempt organizations and large 
corporations and reduces the time to process their tax forms. The goal 
for MeF is to replace the current e-filing technology with a 
modernized, Internet-based electronic filing system. MeF is also 
expected to result in an increase in the use of electronic filing 
because it is efficient and easy to access, use, and maintain. 

Projected benefits of the MeF program are as follows: 

* Reduction in the BSM's effort associated with receiving, processing, 
manually entering data, and resolving data entry errors from paper 
returns; 

* Reduction in system maintenance costs; 

* Savings in time and money for taxpayers and tax practitioners due to 
not copying, assembling, and mailing a return; and: 

* Sharing of tax and information return data electronically throughout 
state agencies. 

The MeF project is projected to provide the capability for Internet- 
based filing of 330 different BSM forms. The following is table 2, 
describing MeF releases deployed and their functionalities, followed by 
table 3, which describes MeF financial data. 

Table 2: MeF Releases and Functionality: 

Release: Release 1;
Functionality: Deployed in February 2004;
Provides 53 forms and schedules for 1120/1120S and 5 forms for 990 e-
filing, along with the functionality to support those forms, including 
applicable interfaces, validations, retrieval and display options, the 
capability for large taxpayers to file using the Internet, and the 
capability to attach Adobe files. 

Release: Release 2;
Functionality: Deployed in August 2004;
Provides the remaining 43 forms and schedules for 1120/1120S and 
required public access (access to redacted information for nonprofit 
organizations) to the filed 990s. 

Release: Release 3.1;
Functionality: Deployed in January 2005;
Provides 990PF series forms, Form 7004 (Application for Automatic 
Extension of Time to File Corporation Return), and M-TRDB processing 
codes. 

Release: Release 3.2;
Functionality: Projected deployment in January 2006;
Expected to provide the Federal/State Single Point Filing System 
platform and retrieval system for all state, corporate, and tax-exempt 
tax returns and acknowledgments. 

Source: IRS. 

[End of table] 

Table 3: Development and Steady State Costs for MeF: 

Dollars in millions. 

Fiscal Year: FY 04;
Dollars in millions: Development: $57.1;
Steady state: $2.3;
Total: $59.4. 

Fiscal Year: FY 05;
Dollars in millions: Development: $67.1;
Steady state: $5.2;
Total: $72.3. 

Fiscal Year: FY 06;
Dollars in millions: Development: $60.6;
Steady state: $5.6;
Total: $66.2. 

Source: IRS.

[End of table] 

Filing and Payment Compliance: 

The Filing and Payment Compliance (F&PC) project is intended to improve 
technologies and processes that support BSM's compliance activities. 
According to BSM, their collection operations rely on 30-year-old 
technology and processes that are no longer compatible with the 
realities of today's taxpayer environment. F&PC plans to provide 
support for detecting, scoring, and working nonfiler and payment 
delinquency cases. It is to use advanced software to analyze tax 
collection cases and divide them into cases that require BSM 
involvement and those that can be handled by private collection 
agencies. Case attributes are to be identified, segmented, and 
prioritized to select the individual taxpayer cases that have a greater 
probability of paying the tax liabilities in full or through 
installment agreements. 

The F&PC project is also to serve as an inventory management system to 
assign, exchange, monitor, control, and update delinquent taxpayer 
accounts between the BSM Authoritative Data Source and the private 
collection agencies with whom BSM will contract. 

The F&PC project is expected to increase the following: 

* collection case closures by 10 million annually by 2014, 

* voluntary taxpayer compliance, and: 

* BSM's capacity to resolve the buildup of delinquent taxpayer cases. 

The BSM intends to deliver an initial limited private debt collection 
capability in January 2006. Full implementation of this aspect of the 
F&PC is projected to be completed by January 2008 with additional 
functionality to follow in later years. Following is table 4, 
describing F&PC releases deployed and their functionality, followed by 
table 5, which describes F&PC financial data. 

Table 4: F&PC Releases and Functionality: 

Release: Release 1.1;
Functionality: Projected deployment in January 2006;
Expected to provide limited functionality of commercial-off the- shelf 
(COTS) software with many manual processes employed by BSM, small case 
volumes and minimal number of private collection agencies supported. 

Release: Release 1.2;
Functionality: Projected deployment in January 2007;
Expected to provide full implementation, testing, and deployment of 
inventory management capabilities using the BSM infrastructure. 

Release: Release 1.3;
Functionality: Projected deployment in January 2008;
Expected to provide full COTS software functionality, private 
collection agencies fully installed, electronic data transfer between 
them fully established and operational. 

Source: IRS. 

[End of table] 

Table 5: Development Costs for F&PC: 

Dollars in millions. 

Fiscal Year: FY 04;
Dollars in millions: Development: $0.4;
Steady state: $0.0;
Total: $0.4. 

Fiscal Year: FY 05;
Dollars in millions: Development: $0.0;
Steady state: $0.0;
Total: $0.0. 

Fiscal Year: FY 06;
Dollars in millions: Development: $5.9;
Steady state: $0.0;
Total: $5.9. 

Source: IRS.

[End of table] 

Customer Account Data Engine: 

The Customer Account Data Engine (CADE), intended to replace BSM's 
antiquated tax administration system, is BSM's highest priority project 
and is intended to house tax information for more than 200 million 
individual and business taxpayers. The CADE databases and related 
applications are also to enable the implementation of other systems 
that will improve customer service and compliance and allow the online 
posting and updating of taxpayer account and return data. 

The CADE project is intended to: 

* generate refund notices, detect potential fraudulent transactions, 
and calculate taxes; 

* replace the group of BSM tax master files with a single database--the 
Tax Account Data Store; 

* accept, validate, and store taxpayer return and account data, along 
with financial account activity data, such as tax payments, 
liabilities, and installment agreements; and: 

* enable future business application systems. 

In July 2004 and January 2005, BSM implemented the initial releases of 
CADE, which have been used to process Form 1040EZ returns. CADE posted 
more than 1.4 million returns for filing season 2005 and generated more 
than $427 million in refunds. In 2006, CADE is expected to expand the 
number and type of returns beyond the Form 1040EZ. BSM is also 
projecting that CADE will process 33 million returns during 2007. 
Following is table 6, describing CADE releases deployed and their 
functionality, followed by table 7 describing CADE financial data. 

Table 6: CADE Releases and Functionality: 

Release: Release 1.0;
Functionality: Deployed in July 2004;
Provided the filing capabilities for 1040 EZ forms. 

Release: Release 1.1;
Functionality: Deployed in July 2004 (concurrent with Release 1.0);
Provided filing season 2003 and 2004 tax law changes. 

Release: Release 1.2;
Functionality: Deployed in January 2005;
Provided filing season 2005 tax law changes. 

Release: Release 1.3.1;
Functionality: Deployed in September 2005;
Provided new functionality to improve performance and allow address 
changes on tax returns as well as some filing season 2006 tax law 
changes. 

Release: Release 1.3.2;
Functionality: Projected deployment in January 2006;
Expected to provide the remaining filing season 2006 tax law changes 
and some additional functionality. 

Source: IRS.

[End of table] 

Table 7: Development Costs for CADE: 

Dollars in millions. 

Fiscal Year: FY 04;
Development: $100.6;
Steady state: $0.0;
Total: $100.6. 

Fiscal Year: FY 05;
Development: $109.9;
Steady state: $0.0;
Total: $109.9. 

Fiscal Year: FY 06;
Development: $109.9;
Steady state: $0.0;
Total: $109.9. 

Source: IRS.

[End of table] 

[End of section] 

Appendix III: Comments from the Department of the Treasury: 

Commissioner: 
Department Of The Treasury:
Internal Revenue Service:
Washington. D.C. 20224: 

March 1, 2006: 

Mr. David Powner: 
Director, Information Technology Management Issues;
United States Government Accountability Office: 
441 G Street, N.W.
Washington, D.C. 20548: 

Dear Mr. Powner: 

I have reviewed the Government Accountability Office (GAO) draft report 
titled "Business Systems Modernization: IRS Needs to Complete Recent 
Efforts to Develop Policies and Procedures to Guide Requirements 
Development and Management" (GAO-06-310). We continue to appreciate the 
sound and balanced work of the GAO and are pleased that the GAO: 

* Recognized the establishment of the Requirements Management Office 
(RMO) to develop the policies and procedures; 

* Acknowledged the issuance of interim guidance to address key areas of 
requirements management; 

* Recognized that developing the final requirements policies and 
procedures is not expected to be completed until March 2007. 

I would like to provide a few comments to the following report 
observation: "Unless IRS takes the steps needed to develop and 
institutionalize disciplined requirements development and management 
processes and implement draft policies in the interim to cover the key 
areas of requirements development and management, it will continue to 
face risks, including cost overruns, schedule delays, and performance 
shortfalls." We agree with this observation and complementing our 
progress in establishing the RMO, we are fully committed to continued 
management improvements to address cost overruns and schedule delays.

A recent GAO report: "Review of Internal Revenue Service (IRS) Fiscal 
Year 2006 Business Systems Modernization Expenditure Plan (EP)" (GAO- 
03-360), already recognizes our improved performance in meeting cost 
and schedule commitments on several of our modernized systems; 
acknowledges the taxpayer and agency value our systems have begun to 
add; affirms the effectiveness of our program improvement process; and 
endorses the recent steps we have taken to develop a Modernization 
Vision and Strategy for the BSM program. It is worth noting that since 
the Fiscal Year 2006 BSM EP was submitted, we expect the Integrated 
Financial Systems project to return $4 to $5 million to the BSM 
management reserve. Therefore, the 93 percent reported overrun in the 
last EP will be reduced. This further demonstrates the steady 
improvement and commitment we have made in working to control costs 
within the BSM program.

I would like to briefly comment on your report's recommendations: "To 
improve the requirements development and management policies and 
practices of the Internal Revenue Service's Business Systems 
Modernization, we recommend that the Commissioner of Internal Revenue 
direct the Associate Chief Information Officer for BSM to take the 
following actions: 1. Ensure that BSM completes the delivery of 
policies and procedures for requirements development and management as 
planned. The policies and procedures should fully describe the 
processes; include a minimum set of activities required for each 
project; provide detailed procedures for each project; and provide 
detailed procedures for each of the key areas of requirements 
elicitation, documentation, verification and validation, and 
management. As a part of this effort, the policies and procedures 
should specifically include: 

* A standardized process for the elicitation of requirements that 
ensures that projects fully investigate the requirements needed for a 
specific system, including gathering requirements from all relevant 
users and stakeholders. 

* A standardized process for the documentation of requirements that 
ensures full documentation of the baseline requirements.

* A process for ensuring formal peer reviews are planned and completed 
for key products. 

* Guidance on tracking cost and schedule impacts of changes to 
requirements for all projects. 

* Guidance on establishing and maintaining full bi-directional 
requirements traceability." 

The IRS agrees that this is a key focal point for the RMO, and we have 
established a schedule to build out the areas of elicitation, 
documentation, verification and validation, and management, as 
described above. It is expected that these activities will be ongoing 
through March 2007 when the RMO is planned to have a full suite of 
detailed policies and procedures. 

2. In addition, since BSM has ongoing projects that are developing and 
managing requirements, and the development of new policies and 
procedures is not scheduled to be complete until March 2007, the 
Commissioner should direct the Associate CIO for BSM to immediately 
implement its draft policies while the final policies and procedures 
are being developed." 

The IRS acknowledges that the draft documentation that is currently 
under review is robust enough to serve as interim guidance and can be 
implemented when developing and managing requirements for ongoing 
projects. 

We believe these steps will address your recommendation. 

We appreciate your continued support and the assistance and guidance 
from your staff. If you have any questions, or if you would like to 
discuss our response in more detail, please contact W. Todd Grams, 
Chief Information Officer, at (202) 622-6800. 

Sincerely, 

Signed by:

Mark W. Everson:

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, 202-512-9286, Keith A. Rhodes, 202-512- 6412

Staff Acknowledgments: 

In addition to those named above, Neil Doherty, Nancy Glover, George 
Kovachick, Tonia Johnson, Tammi Nguyen, Madhav Panwar, and Rona 
Stillman made key contributions to this report. 

(310490): 

FOOTNOTES 

[1] The requirements for a system describe the functionality to be 
developed or acquired. 

[2] We reviewed these three projects: Modernized e-File (MeF) release 
3.2 (to be deployed March 2006), Filing and Payment Compliance (F&PC) 
release 1.1 (deployed January 2006), and Customer Account Data Engine 
(CADE) release 1.1 (deployed July 2004). 

[3] GAO, Business Systems Modernization: IRS's Fiscal Year 2004 
Expenditure Plan, GAO-05-46 (Washington, D.C.: Nov. 17, 2004); GAO, 
Business Systems Modernization: IRS Needs to Better Balance Management 
Capacity with Systems Acquisition Workload, GAO-02-356 (Washington, 
D.C.: Feb. 28, 2002); and GAO, Business Systems Modernization, Internal 
Revenue Service's Fiscal Year 2005 Expenditure Plan, GAO-05-774 
(Washington, D.C.: July 22, 2005). 

[4] GAO, Tax System Modernization: Management and Technical Weaknesses 
Must Be Corrected If Modernization Is To Succeed, GAO/AIMD-95-156 
(Washington, D.C.: July 26, 1995). 

[5] GAO, Tax Systems Modernization: Blueprint Is a Good Start but Not 
Yet Sufficiently Complete to Build or Acquire Systems, GAO/AIMD/GGD-98- 
54 (Washington, D.C.: Feb. 24, 1998). 

[6] GAO, Business Systems Modernization: Internal Revenue Service Needs 
to Further Strengthen Program Management, GAO-04-438T, (Washington, 
D.C.: Feb. 12, 2004) and GAO-05-46. 

[7] GAO-02-356 and GAO-05-774. 

[8] Treasury Inspector General for Tax Administration, Modernization 
Project Teams Need to Follow Key Systems Development Practices, 
Reference Number 2002-20-025 (Washington, D.C.: November 2001). 

[9] The systems reviewed were Customer Communications 2001, Customer 
Relationship Management Exam, Telecommunications Enterprise Strategic 
Program, and e-Services. 

[10] Carnegie-Mellon Software Engineering Institute, Report of the 
Independent Technical Assessment (ITA) on the Internal Revenue Service 
(IRS) Business Systems Modernization (BSM) Customer Account Data Engine 
(CADE) (Washington, D.C.: Oct. 3, 2003). 

[11] The high-priority initiatives are a set of 6-month goals and 
strategies to address weaknesses in seven key focus areas affecting 
IRS's ability to design, develop, and deliver modernized IT systems. 
The seven key focus areas are (1) staffing and skill sets, (2) 
contractor management, (3) requirements and demand management, (4) 
systems engineering, (5) project management disciplines, (6) 
communication and collaboration, and (7) empowerment and 
accountability. 

[12] The CMMI is SEI's process model, which describes how to develop 
the processes needed for software development and specific practices 
that organizations should follow. 

[13] In requirements development, an organization gathers, generates, 
and analyzes customer, products, and product-component requirements. 
This includes elicitation, analysis, and communication of customer and 
stakeholder requirements as well as technical requirements. 

[14] In requirements management, an organization manages the business 
and system requirements and identifies inconsistencies among 
requirements and the project's plans and work products. This includes 
managing all technical and nontechnical requirements through the life 
cycle as well as any changes to the requirements as they evolve. 

[15] CM is a discipline that applies technical and administrative 
direction and surveillance to identify and document the functional and 
physical characteristics of hardware or software, control changes to 
those characteristics and their related documentation, record and 
report change processing and implementation status, and verify 
compliance with specified requirements. The purpose of CM is to 
systematically identify and baseline the items that make up a system 
(identification), formally control any modifications to those items 
(control), report on the status of the CM process (status accounting), 
and ensure that baseline configurations are implemented (audit). 

[16] Change control is a formal process that identifies, evaluates, 
tracks, reports, and approves changes to the requirements. 

[17] IRS's Enterprise Life Cycle is a structured method for managing 
system modernization projects and project investments throughout their 
life cycles. 

[18] Peers are other IRS project team members who have experience in 
requirements development and management. 

[19] The work breakdown structure is a tool used to manage project 
development plans and capture the project history. It provides logical 
summary points for assessing performance accomplishments and measuring 
cost and schedule performance. 

[20] IRS's ELC is a structured method for managing system modernization 
projects and project investments throughout their life cycles. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: