IRS legacy system problems could be worse than advertised

It's no secret that the IRS has a modernization problem. For decades the agency's outdated tech – with some critical systems dating back to the Eisenhower administration – has been a target for lawmakers, government watchdogs and technology advocates.

A new audit from the Treasury Inspector General for Tax Administration (TIGTA) suggests the legacy tech problem for the agency could be even worse than advertised.

Despite a number of different strategy documents – including a six-year, $2.7 billion business systems modernization plan – auditors say the IRS lacks specific plans to identify, retire and replace legacy systems. The documents provided to TIGTA outline a few dozen specific systems, but "for the majority of legacy systems, no efforts have been made to identify time frames, activities to be performed, and functions to be replaced or enhanced." Previous investigations from TIGTA and the Government Accountability Office have found that having specific plans and time frames in place for these activities can be crucial in pushing an organization to following through with them.

"The IRS cannot effectively manage its legacy systems [and applications] if it does not have an enterprise-wide strategy, and enterprise-wide definition and a complete and accurate inventory to address updating, replacing or retiring most of its legacy systems," TIGTA wrote. 

In fact, the tax agency does not appear to have its own definition for what constitutes a legacy system across different business units. The Department of Treasury defines a legacy system as one that "may be based on outdated technologies but is critical to day-to-day operations," one that is hampered by compatibility problems, is no longer supported with software updates or suffers from other forms of obsolescence.

Tech officials eventually provided auditors with a similar definition and presented a list of what they consider legacy items, but acknowledged that other business units have different definitions. Using the IT organization's definition, auditors found 46 additional systems and applications that would qualify as legacy but were not included on the list the agency provided to TIGTA, along with another 49 that would meet that definition in the next 10 years. Further, of the IRS' 669 systems and applications, 288 (or 43%) were missing "basic or essential" information that prevented auditors from determining whether they were legacy or not.

The report warns that "if further action is not taken to address the growing number of and reliance on legacy systems, the IRS faces the risk of increasing cybersecurity threats and maintenance costs as more of its systems become legacy."

The report makes five recommendations: institute and apply an enterprisewide definition for legacy systems across IRS business units; put more onus on system owners to track metrics around that definition; provide more complete information around the agency's legacy system environment and put a process in place to identify and prioritize systems for modernization. Additionally, the CIO should do more to capture operation and maintenance costs at the subsystem level.

IRS Acting CIO Nancy Sieger agreed in part or in whole with all five recommendations, promising an updated definition for the agency by December 2020 and implementation of the other recommendations by 2021 or 2022. IRS officials did dispute some of the findings around additional legacy systems identified, saying some are in fact in the midst of being modernized or have had changes in programming language or application age that no longer qualify them as legacy.

Sieger also defended the IRS modernization push as a whole, saying the organization is working to update as many legacy systems and applications as it can with available resources.

"We continue to make significant progress in delivering incremental modernization, including past and in-progress CADE2 deliverables and … the initial release of the Enterprise Case Management System," Sieger wrote in reply comments.