IRS Doesn’t Know How Many Legacy Systems It Has or How Much They Cost, IG Says
The tax agency needs to start with a single definition of what constitutes a “legacy system.”
The IRS is in the midst of a major legacy IT overhaul but is flying at least partially blind. A new report from the Treasury Inspector General for Tax Administration, or TIGTA, found the agency doesn’t have a comprehensive definition of “legacy system,” doesn’t know how many aged apps are on its systems and doesn’t have a clear picture of how much those systems cost to maintain.
“The reliance on legacy systems, aged hardware and software, and use of outdated programming languages poses significant risks, including increased cybersecurity threats and maintenance costs,” the IG wrote. “In addition, the IRS cannot effectively manage its legacy systems if it does not have an enterprisewide strategy, an enterprisewide definition, and a complete and accurate inventory to address updating, replacing, or retiring most of its legacy systems.”
The federal tax collector is on a multiyear, multi-program modernization journey for some of its key systems. One such plan spans six years and is projected to cost upwards of $2.5 billion.
During the IG’s review, auditors were given five documents outlining modernization efforts in different IRS units, including “identifying 21 systems for modernization or potential candidates for modernization and 25 systems for retirement,” the report states. Additional work by the IRS Portfolio Rationalization team found another 24 systems prime for an upgrade and nine candidates to shut down, bringing the totals to 45 to modernize and 34 to retire.
But TIGTA auditors identified 669 active systems managed by the IRS, 381 of which the IG was able to review. Of those reviewed, “TIGTA determined that 231 systems were legacy and 150 were not legacy,” the report states, with another 49 systems that “will become legacy within the next 10 calendar years.”
The remaining 43%—288 systems—did not have enough information on hand for the IG to determine whether they should be categorized as legacy or not, a separate but equally concerning issue for auditors.
Much of the issue stems from the agency’s lack of a clear, enterprisewide definition of “legacy system.”
Per the IG, the Treasury Department definition of “legacy system” is:
[A]n information system that may be based on outdated technologies but is critical to day-to-day operations. A legacy system, in the context of computing, refers to outdated computer systems, programming languages, or application software that are used instead of more modern alternatives. A legacy system may be problematic, due to compatibility issues, obsolescence, or the lack of support. What is key is that a legacy system has been identified as strategic, but in need of replacement.
IRS IT officials said they leaned on the department-level definition while adding any app more than 25 years old. However, they noted “other business units and functions may have different definitions,” the IG said.
After reaching out to several components within IRS, TIGTA auditors received a range of definitions, including:
- One business unit and three functions do not have a definition of a legacy system.
- One business unit and four functions have their own definition of a legacy system, e.g., a system that is in operations and maintenance, a system with software that is older than the prior version of the software currently available from the vendor, and development of a system that is older than five calendar years.
- One business unit partially used the IT organization’s definition of a legacy system, i.e., older than 25 years.
- Two business units asked for the TIGTA definition of a legacy system.
The report also dings the agency for not collecting enough data about maintenance costs for lower-tier and smaller, integrated legacy systems.
“The IRS generally does not capture operations and maintenance costs at the system or subsystem levels, only at the investment level,” the report states. “As a result, the IRS does not have sufficient and detailed cost data that can be used in its decision-making processes to prioritize its legacy system modernization efforts.”
Auditors made five recommendations, three of which IRS officials agreed with. Of the two recommendations for which IRS officials only partially agreed, TIGTA auditors found one response sufficient, while another gave them pause.
For the fifth recommendation, auditors suggested the chief information officer begin collecting data on maintenance costs down to the subsystem level. IRS officials partially concurred, stating that they “will continue to track operations and maintenance costs in the Integrated Financial System using the internal order codes.”
While that data includes costs at the project and program level, the IG countered that they “do not believe that the operations and maintenance costs for all systems and subsystems will be captured by this approach,” and urged the agency to take a more granular tack.