At one agency often cited as an example of the problems caused by continuing to operate outdated IT, the IRS, the situation could be even more serious than previous assessments have shown, an inspector general audit has said.
Dealing with legacy IT systems is a common problem across government, raising problems including that they can be more costly to maintain, are more exposed to cybersecurity risks, and are less effective in meeting their intended purpose. Reports from GAO and various agency IGs have found that some use outdated languages, have unsupported hardware and software, or are operating with known security vulnerabilities.
However, the problem has been a special concern at the IRS, given the agency’s importance in collecting revenue and the sensitivity of the data it maintains; at the same time, the agency has experienced a decade of flat or declining budgets, making replacing outdated IT all the more difficult there.
The report said that in 2019, the IRS spent some $2.9 billion to operate its current information technology infrastructure, nearly $2 billion of it for operations and maintenance. “The cost of operating these systems is overtaking other important components of effective tax administration and limiting the capacity to deliver quality service to taxpayers. Modernization is necessary to curtail these rising costs,” it said.
It said that through various initiatives, the IRS has identified 45 systems for modernization or candidates for modernization and 34 systems for retirement. However, it said, the agency does not have a consistent internal definition of what is a legacy system or a complete and accurate inventory of them.
In a review of 669 systems in the agency’s production environment, auditors used the agency’s IT organization’s definition and found insufficient information to determine whether 288 should be considered legacy. Of the remaining 381, 231 should be defined as legacy, it said.
“When comparing our list to the IRS’s lists of legacy systems, TIGTA identified 46 systems as legacy that the IRS had not and one system that the IRS incorrectly identified as legacy. Further analysis determined that an additional 49 systems will become legacy within the next 10 calendar years,” the report said.
It said the agency “plans to ensure the implementation and uniform application of an enterprise-wide legacy system definition and continue to update system information.”