TIGTA: IRS wasted money in early HSPD-12 efforts

The development of standard identification cards under the governmentwide Homeland Security Presidential Directive 12 initiative is supposed to help provide security in a cost-efficient manner. But the Internal Revenue Service, the lead for the Treasury Department’s implementation of HSPD-12, wasted $3.5 million on unnecessary hardware, software and services in its early efforts because of poor management and oversight, the Treasury Inspector General for Tax Administration (TIGTA) said. “As the lead bureau for Treasury, IRS is charged with ensuring the funds are spent prudently,” said Michael Phillips, deputy IG for audit, in the report posted Dec. 20. Under HSPD-12, agencies so far were to have verified and/or completed background investigations and issued identification cards for all employees with fewer than 15 years of service. By October 2008, agencies must do the same for federal workers with more than 15 years’ service. Treasury has estimated that it would cost $421 million over 14 years to build and maintain an HSPD-12 system, including enrollment, card printing with encryption of personal data, systems infrastructure and card maintenance. It has committed $30 million to the HSPD-12 initiative to date. The TIGTA investigation evaluated IRS’ HSPD-12 activities from the beginning of the program in 2005 through May 2007. As a result of the audit, IRS switched in May from its stand-alone approach to the managed services available through the General Services Administration to acquire the smart cards. In its evaluation of IRS activities at the time, TIGTA found that the IRS project team did not manage contracts for the program effectively. Statements of work were too general to hold contractors accountable for work performed, and IRS paid vendors without verifying that work was performed, according to TIGTA. For example, IRS spent $837,616 to purchase 18 public-key infrastructure servers that were not used for the program and were not needed until sometime in the future of the program. IRS had hired Booz Allen Hamilton, Mitre and Presidio to develop and implement the HSPD-12 requirements. TIGTA found that the statements of work for Mitre’s task order were adequate but those for the other two were not well-defined. IRS also used existing contracts with Booz Allen Hamilton to perform work related to the HSPD-12 program and charging those existing contracts for HSPD-12 work. The products were identified too generally to track and manage, the report states. One of the problems was that IRS did not prepare a formal business case for the HSPD-12 program, which is one of its established governance procedures. The IRS HSPD-12 project management office did prepare an internal business case, but it did not comply with IRS’ business case requirements and was not submitted to the Treasury HSPD-12 governance committees, the report states. As a result, the governance committees did not have sufficient information with which to make critical management decisions for the program. “Many of the problems experienced by the HSPD-12 program are similar to those we have reported previously in the IRS Business Systems Modernization program,” Phillips said. Those include improving key management processes, managing the increasing complexity and risks of the program and ensuring that contractor performance and accountability are effectively managed. In response to the audit, IRS said it has already started to implement TIGTA’s recommendations, including the move to GSA’s shared service provider, said David Grant, director of IRS Procurement. IRS reorganized its HSPD-12 program management office to align with the change. “We continue to improve our internal administrative processes, document our project files and demonstrate our decision-making process,” Grant said in a letter dated Nov. 26. TIGTA directed that for future contracts, IRS should separate tasks by function to improve monitoring of contractor performance, ensure supporting documents for hours worked and require the HSPD-12 program manager to provide written certification for labor hours worked on contracts before any payments are made, TIGTA said. The program manager also should document all costs adequately and assign costs to specific task orders. IRS Chief Information Officer Art Gonzalez should also coordinate with Treasury to consider combining its PKI efforts with those of the General Services Administration and ensure that the executive steering committees responsible for providing oversight to information technology projects enforce use of IRS Enterprise Life Cycle requirements. Other examples of overspending that TIGTA found that IRS could have avoided were: