IRS software isn’t compliant with the MEGABYTE Act, report says

Despite efforts to improve its software license management, the IRS still doesn’t have policies, guidance or tools to be in compliance with federal law, a watchdog found.

The Treasury Inspector General for Tax Administration said in a Sept. 18 report that the IRS prematurely closed 11 recommendations from three prior audits of the agency’s software license management.

The audits, which occurred between June 2013 and September 2014, outlined 14 recommendations to improve the tracking of software licenses across the agency’s mainframe, service, and desktop and laptop environments, including developing roles and responsibilities in the Internal Revenue Manual for managing software assets.

TIGTA officials also said that the IRS was not in compliance with the Making Electronic Government Accountable By Yielding Tangible Efficiencies, or MEGABYTE, Act of 2016 for a series of conditions it has yet to meet. The law requires agencies to create plans to manage and inventory software licenses.

For the11 recommendations the IRS said it had taken steps to close in October 2016, investigators said the agency had not gone far enough into resolving the proposals before closing them.

Two recommendations centered on establishing an organizational structure to manage software assets and licenses. The IRS established the Enterprise Software Governance Board in December 2013 to oversee software assets, but it was decommissioned in 2015 as part of an agency organizational consolidation.

Presently, investigators say there is no organizational structure to oversee software asset management; information is sent to ex-ESGB members to resolve funding issues. Oversight issues are sent to Information Technology Infrastructure Strategy Team, an ESGB working group.

Two other recommendations called for the IRS to craft policy and guidance using the Information Technology Infrastructure Library, a recognized set of best practices for managing IT systems.

Agency officials did craft a policy for IT asset management titled IRM 2.149, but investigators said it didn’t “establish policy and guidance for IRS management as defined by the ITIL.” The report also said that the agency hadn’t written guidance of the level needed to close the recommendation.

The IRS also hasn’t created roles and responsibilities for personnel to handle software asset management or developed operating procedures for automated solutions to track software usage and costs, which represented four collective recommendations.

The agency is using an IBM-based program to track inventory, but TIGTA officials said asset management solutions should include license entitlement information.

The IRS has yet to implement software tools to fully track licensing data, and develop and maintain a software license inventory, saying that there is not one commercial-off-the-shelf tool to create an inventory. Since no tool has been implemented, TIGTA officials said a collective six recommendations should remain open.

“The IRS continues to be unable to report a complete and accurate inventory with associated costs. Until the IRS implements an effective SAM program to manage software licenses, it will continue to incur increased risks in managing software licenses,” the report said.

TIGTA officials offered three additional recommendations:

• Establish executive governance for software asset management within the IRS which acts as a centralized group to ensure that effective and knowledgeable decisions are being made timely by authorized personnel.
• Establish a software asset management framework using federal requirements and industry best practices as guidelines.
• Assess current SAM practices to identify gaps within the IRS’s management of software licenses and resolve them through centralized management practices that include inventory, discovery, metering and entitlement analysis.

IRS officials agreed with the new recommendations and said they are in the process of implementing them.