oversight

Streamlined Critical Pay Authority for Information Technology Positions Is Being Successfully Implemented

Published by the Office of the Treasury Inspector General for Tax Administration on 2021-05-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION




          Streamlined Critical Pay Authority for
           Information Technology Positions Is
             Being Successfully Implemented


                               May 27, 2021

                  Report Number: 2021-25-032




            TIGTACommunications@tigta.treas.gov | www.treasury.gov/tigta   1
                     HIGHLIGHTS: Streamlined Critical Pay Authority for Information
                        Technology Positions Is Being Successfully Implemented
Final Audit Report issued on May 27, 2021                                         Report Number 2021-25-032

Why TIGTA Did This Audit               What TIGTA Found
On July 1, 2019, Congress enacted      IRS SCP authority activities were compliant with the requirements of
the Taxpayer First Act to amend        Taxpayer First Act Section 2103, related policies, and regulations.
the Internal Revenue Code of           Specifically, all seven Calendar Year 2020 SCP candidate packages
1986 to modernize and improve          were approved by the IRS Commissioner, four-year appointment
the IRS. Specifically, Section 2103    terms were clearly stipulated in their Final Offer letters, and
of this Act, titled Streamlined        compensation limits were followed. In addition, none of the SCP
Critical Pay Authority for             appointees were previously employed at the IRS.
Information Technology Positions,
                                       The 10 SCP position descriptions created (new or updated from
reinstated streamlined critical pay
                                       existing positions) generally reflected the need for more advanced
(SCP) authority to the IRS.
                                       technical skills and experience. Further, initial annual salary offerings
This audit was initiated to            to the SCP appointees appear to be appropriate.
determine whether the IRS’s
                                       Based on documentation provided by the Human Capital Office, the
implementation of SCP authority
                                       preliminary background and tax compliance checks were completed
in the Information Technology
                                       prior to hiring the seven Calendar Year 2020 SCP appointees. TIGTA
organization conforms to
                                       validated the tax compliance check results by using the Integrated
established laws, policies, and
                                       Data Retrieval System to examine the Individual Master File tax
regulations.
                                       module information for Tax Years 2015 through 2019 of each SCP
Impact on Taxpayers                    appointee. The overall tax compliance ratings for all seven SCP
                                       appointees were accurate at the time the Tax Compliance Reports
Recognizing the IRS’s need to
                                       were created.
improve cybersecurity efforts to
protect taxpayers from identity        What TIGTA Recommended
theft and refund fraud, Congress
                                       TIGTA made no recommendations as a result of the work performed
reinstated SCP authority in the
                                       during this review. In its response to the report, the IRS agreed with
Taxpayer First Act. Specifically,
                                       the facts and conclusions presented.
the Taxpayer First Act Report from
the House of Representatives’
Committee on Ways and Means
stated “…the IRS must be able to
recruit and retain experts from
the private sector in highly
specialized areas of information
technology. The Committee
believes that the IRS’s ability to
recruit such experts was aided by
the now-expired streamlined
critical pay authority, and believes
that reauthorization is
appropriate.”
                                          U.S. DEPARTMENT OF THE TREASURY
                                                   WASHINGTON, D.C. 20220



TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION



                                              May 27, 2021


MEMORANDUM FOR: COMMISSIONER OF INTERNAL REVENUE



FROM:                        Michael E. McKenney
                             Deputy Inspector General for Audit

SUBJECT:                     Final Audit Report – Streamlined Critical Pay Authority for Information
                             Technology Positions Is Being Successfully Implemented
                             (Audit # 202020513)

This report presents the results of our review to determine whether the Internal Revenue
Service’s (IRS) implementation of streamlined critical pay authority in the Information
Technology organization conforms to established laws, policies, and regulations. This review is
part of our Fiscal Year 2021 Annual Audit Plan and addresses the major management and
performance challenge of Modernizing IRS Operations.
Management’s complete response to the draft report is included as Appendix II.
Copies of this report are also being sent to the IRS managers affected by the report information.
If you have any questions, please contact me or Danny R. Verneuille, Assistant Inspector General
for Audit (Security and Information Technology Services).
                                               Streamlined Critical Pay Authority for Information
                                            Technology Positions Is Being Successfully Implemented




Table of Contents
Background .....................................................................................................................................Page   1


Results of Review .......................................................................................................................Page          3

            Ongoing Streamlined Critical Pay Authority Activities
            Were Compliant With the Requirements of Taxpayer First
            Act Section 2103, Related Policies, and Regulations ..............................................Page 3


Appendices
            Appendix I – Detailed Objective, Scope, and Methodology ................................Page 7
            Appendix II – Management’s Response to the Draft Report...............................Page 9
            Appendix III – Abbreviations ............................................................................................Page.10
                                      Streamlined Critical Pay Authority for Information
                                   Technology Positions Is Being Successfully Implemented




Background
Prior to enactment of the Taxpayer First Act (TFA), 1 the Internal Revenue Service (IRS)
Restructuring and Reform Act of 1998 2 initially provided the IRS with streamlined critical pay
(SCP) authority for 10 years; this authority was extended on two occasions and ultimately
expired on September 30, 2013. Since its expiration, the IRS had unsuccessfully requested
reinstatement of SCP authority every year in its annual budget request to Congress. The primary
reason the IRS provided for reinstating SCP authority was to address the challenges to recruit
top-level talent who could help protect taxpayer data from cyber-attacks and who could assist
with modernizing its information technology systems and infrastructure.
However, on July 1, 2019, Congress enacted the TFA to amend the Internal Revenue Code of
1986 to modernize and improve the IRS. According to the TFA Report3 from the House of
Representatives’ Committee on Ways and Means:
           The Committee is aware that, in order to identify and prevent identity theft or refund
           fraud, the IRS has focused on improving its efforts in cybersecurity, by providing
           continuous monitoring of systems, replacing old technology, developing new
           authentication measures, and working with the private sector to identify best practices.
           To do so, the IRS must be able to recruit and retain experts from the private sector in
           highly specialized areas of information technology. The Committee believes that the
           IRS’s ability to recruit such experts was aided by the now-expired streamlined critical pay
           authority, and believes that reauthorization is appropriate.
Section 2103 of the TFA, titled Streamlined Critical Pay Authority for Information Technology
Positions, reinstated SCP authority to the IRS. Specifically, Section 2103 states that in the case of
any position which is critical to the functionality of the information technology operations of the
IRS, 5 United States Code (U.S.C.) Section (§) 9503, Streamlined Critical Pay Authority (July 1998),
shall be applied. TFA Section 2103 also includes the requirement that appointees to such
positions should not be IRS employees prior to the date of its enactment.
In addition, the TFA updated and reinstated 5 U.S.C. § 9504, Recruitment, Retention, Relocation
Incentives, and Relocation Expenses (March 2013), authorizing payments to SCP appointees for
recruitment, retention, relocation incentives, and relocation expenses for positions in
information technology operations at the IRS. The Act also updated and reinstated 5 U.S.C.
§ 9505, Performance Awards for Senior Executives (March 2013), allowing for the payment of
performance bonuses to SCP appointees. All of these reinstated SCP authorities began on
July 1, 2019, and unless they are extended, end on September 30, 2025.




1
    Pub. L. No. 116-25, also referred to as 26 U.S.C. § 7812.
2
 Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2, 5, 16, 19, 22, 23, 26, 31, 38, and
49 U.S.C.).
3
    Dated April 9, 2019.
                                                                                                                 Page 1
                                   Streamlined Critical Pay Authority for Information
                                Technology Positions Is Being Successfully Implemented

SCP position identification and hiring process
According to Information Technology (IT) organization 4 management, SCP positions were
identified through conversations, held at the executive leadership level, regarding areas in which
vacancies existed and what positions were needed to effectively implement the IRS’s
Information Technology Strategic Plan FY2020 – FY2024. 5 In addition, these discussions
included what existing skills IT organization executives currently have, what skills are needed,
and how to best fill the identified SCP positions. IT organization management also stated that
the main reason the positions were initially identified as SCP was because the IT organization
did not currently have the high-level technical expertise and management experience on a
large-scale level in the specific areas that these positions required.
The identification, recruitment, and hiring of SCP candidates is a coordinated effort between the
IT organization and the Human Capital Office (HCO). 6 The HCO’s Office of Executive Services 7 is
administratively responsible for managing the SCP program for the IT organization. The Office
of Executive Services recruits potential SCP candidates through recruiting firms or online
networking sites, such as LinkedIn.
The Office of Executive Services obtains the candidates’ resumes from SCP vacancy
announcements and provides them to the IT organization. Then, IT organization executives
independently conduct up to two resume reviews. The first resume review determines if the SCP
candidate’s skills align with any available position. If the SCP candidate’s skills align with an
available position, then the resume is forwarded to the executive responsible for that position to
see if they would be a good fit within the organization.
Based on passing both resume reviews, candidates who appear to possess the necessary
qualifications for SCP positions are contacted and asked some preliminary screening questions.
If the candidate successfully answers the questions, more formalized interviews are conducted.
The first interview panel consists of three to four IT organization executives. If the first interview
panel approves the candidate to move forward, a second interview is held with a panel that
includes the Chief Information Officer and the Deputy Chief Information Officers. The best
candidate selected from the second interview is asked to provide references that are checked by
the Chief Information Officer who then notifies the HCO of the potential candidate selected.
The HCO sends the candidate an informal offer.
If the informal offer is accepted and the IRS Commissioner approves hiring the SCP candidate, a
formal offer is made. If the SCP candidate accepts the formal offer, they are brought on board
after clearing a preliminary background and tax compliance check, which generally takes four to
six weeks. A more thorough background investigation will be completed and finalized
sometime after the SCP candidate’s appointment.
According to IT organization management, they generally go through hundreds of resumes
prior to selecting someone for an SCP position. For example, the Web Applications Domain

4
 Responsible for delivering information technology services and solutions that drive effective tax administration to
ensure public confidence.
5
    Dated November 1, 2020.
6
 Responsible for providing human capital strategies and tools to recruit, hire, develop, retain, and transition a highly
skilled and high-performing workforce to support IRS mission accomplishments.
7
 Provides integrated executive policy and operational personnel support services in a centralized structure to Senior
Executive Service, SCP, Senior Level, and Senior Executive Services-in-Waiting employees.
                                                                                                                 Page 2
                                      Streamlined Critical Pay Authority for Information
                                   Technology Positions Is Being Successfully Implemented

Director SCP position vacancy had 210 applicants. Due to the stringent requirements to possess
the requisite experience and technical skills for the position, only 44 candidates met the basic
requirements. After additional evaluative steps, one of these candidates was offered the
position.
As of February 22, 2021, the IT organization has on boarded seven out of 10 identified SCP
positions. Figure 1 lists the SCP position titles and appointment dates.
                              Figure 1: SCP Position Titles and Appointment Dates

                       Count                    Position Titles               Appointment Dates

                                   Associate Chief Information Officer,
                          1                                                      3/30/2020
                                   Enterprise Operations
                                   Senior Advisor to the Information
                          2        Technology Technical Director, Strategic      4/27/2020
                                   Planning and Technology Direction
                          3        Director, Infrastructure Services             5/26/2020
                          4        Director, Web Applications Domain             6/8/2020
                          5        Director, Online Services                     8/3/2020
                                   Associate Chief Information Officer,
                          6                                                      9/28/2020
                                   Enterprise Services
                          7        Senior Data Architect                         9/28/2020
                                                                                Offer Made to
                          8        Chief Technology Officer
                                                                                 Candidate 8
                                                                              Candidate Search
                          9        Director, Technical Integration
                                                                                 in Process
                                   Director, Cybersecurity Architecture and   Candidate Search
                         10
                                   Implementation                                in Process
                   Source: HCO-provided information as of February 22, 2021.



Results of Review
Ongoing Streamlined Critical Pay Authority Activities Were Compliant With
the Requirements of Taxpayer First Act Section 2103, Related Policies,
and Regulations

The IRS Commissioner approved all SCP candidate packages
According to 5 U.S.C. § 9503, the Secretary of the Treasury may establish, fix the compensation
of, and appoint individuals to designated critical positions needed to carry out the functions of
the IRS. However, effective with the issuance of the Department of the Treasury Policy



8
    As of January 25, 2021.
                                                                                                  Page 3
                                 Streamlined Critical Pay Authority for Information
                              Technology Positions Is Being Successfully Implemented

Transmittal Number (TN)-09-009, Internal Revenue Service Streamlined Critical Pay Authority
(November 25, 2009), this authority was delegated to the IRS Commissioner.
After a viable SCP candidate is identified, a candidate package is put together containing the
documentation supporting their hiring and sent to the IRS Commissioner for approval.
Department of the Treasury Policy TN-09-009 requires that a candidate package include: a
position description, a resume, an appointment justification (including a rationale for
compensation and incentives), a Standard Form 52, Request for Personnel Action, an
organizational chart, and a memorandum of approval from the IRS Commissioner. Our review
and analysis of the documentation found that the candidate packages for all seven SCP
appointees in Calendar Year 2020 contained the required information9 and were approved by
the IRS Commissioner.
SCP position descriptions created (new or updated from existing positions) generally
reflected the need for more advanced technical skills and experience
As of February 22, 2021, the IRS has filled seven vacant positions and is in the process of filling
three more under its current SCP authority. According to the IRS, nine of these positions already
existed and required their position descriptions to be updated to reflect new technical skills and
experience requirements. The 10th position, Senior Data Architect, was newly created to fill an
identified organizational need, which required the development of a new position description.
For the nine updated position descriptions, we reviewed and compared their wording to their
prior versions. Eight of the updated position descriptions contained additional responsibilities
not listed in the pre-SCP position descriptions. Many of the additional responsibilities required
more extensive knowledge in information technology processes and focused on experience
related to senior level management of a large information technology organization. In addition,
our review found that the Enterprise Services Associate Chief Information Officer position
description was minimally updated. However, a few significant requirements were added to
expand the position’s responsibilities (bolded to show the newly added requirements).
        The work requires high level staff planning, negotiation, coordination, and liaison
        responsibilities. Decisions and judgements are reviewed almost exclusively in
        terms of results achieved…. The work affects the Service’s ability to successfully
        implement its stated mission and achieve major programs and goals…. Contacts are
        with all levels of IRS employees and officials, oversight organizations, other government
        agencies, foreign governments, Congress, technology, and tax officials, professional
        groups, organizations representing employees, educational and state institutions,
        trade associations, and other special interest groups. Contacts are to obtain,
        disseminate, or exchange information; request or provide assistance to resolve highly
        complex issues; coordinate, explain, or justify IRS policies, procedures, and decisions
        on systems development and operations; make policy decisions; negotiate changes
        in plans; and persuade top level officials to pursue a recommended course of
        action.




9
 Although the SCP candidate packages did not include an organizational chart, each of them included a description
of the position’s location in the IT organization and to whom they would report.
                                                                                                           Page 4
                                     Streamlined Critical Pay Authority for Information
                                  Technology Positions Is Being Successfully Implemented

Based on these expanded responsibilities, IRS officials indicated that this vacancy was filled
under SCP authority because there were no internal candidates who currently possess the
required technical skills and experience needed for the updated position.

Four-year appointment terms were clearly stipulated in the Final Offer letters, and
compensation limits were followed during Calendar Year 2020
The requirements of 5 U.S.C. § 9503 limit the terms of SCP appointments to four years and the
total annual compensation for any SCP appointees to the rate of pay of the U.S. Vice President
($253,300 in Calendar Year 2020 and $255,800 in Calendar Year 2021). We reviewed the Final
Offer letters for all seven Calendar Year 2020 SCP appointees and found that each Final Offer
letter stated that the appointment term limits would be no longer than four years. In addition,
each SCP appointee’s total compensation (including salary, plus any recruitment incentive,
potential performance bonus, etc.) for Calendar Year 2020 was under the $253,300 limit.
Initial annual salary offerings to SCP appointees appear to be appropriate
Our review of the appointment justifications, recruitment incentive requests, and the Final Offer
letters for all seven SCP appointees found that four of them are generally making less working
for the IRS due to the compensation limitation than what they made while employed in the
private sector. In addition, the remaining three SCP appointees received salary increases that,
according to the IRS, were on par to private sector information technology executives with
similar skills and qualifications.

None of the SCP appointees were previously employed at the IRS
According to 5 U.S.C. § 9503, appointees to critical pay positions should not have been IRS
employees prior to enactment of the TFA. We reviewed the resumes for all seven Calendar
Year 2020 SCP appointees and determined that none had listed any prior employment with the
IRS. In addition, we searched the Separated IRS Employee File and did not identify any prior IRS
employment for the seven appointees.

SCP appointee clearance checks were completed as required
Based on documentation provided by the HCO, the preliminary background and tax compliance
checks were completed prior to hiring the seven Calendar Year 2020 SCP appointees.
Department of the Treasury Policy TN-09-009 states the “IRS Human Capital Officer” is
responsible for initiating the appropriate clearances, including security and background checks,
tax compliance checks, etc., and for ensuring that any identified issues are resolved prior to
appointment. The IRS Personnel Security Office is responsible for performing the preliminary
background checks, which consist of reviewing the:
       1) Prospective SCP candidate’s Optional Form 306, Declaration for Federal Employment,
          which is used to assess their suitability for Federal employment.
       2) Automated Labor and Employee Relations Tracking System10 to confirm that the
          prospective SCP candidate was not a former IRS employee with conduct issues.
       3) Prospective SCP candidate’s criminal history.


10
     IRS system that tracks labor/employee relations case data.
                                                                                             Page 5
                                     Streamlined Critical Pay Authority for Information
                                  Technology Positions Is Being Successfully Implemented

In addition, all seven SCP appointees received tax compliance checks prior to starting
employment with the IRS. The results of which were provided to the HCO by the Tax Check
Compliance Service 11 in the form of a Tax Compliance Report (TCR). The TCR shows, on the day
the report is generated, whether the candidate:
       1) Filed their tax returns timely, including extensions, within the past four years.
       2) Paid their tax liabilities timely, within the past four years (only for the TCRs created after
          June 2020). 12
       3) Currently has any outstanding tax liabilities due (including on time payments through an
          active installment agreement or pending resolution through an ongoing administrative
          or judicial proceeding).
       4) Had any fraud penalties assessed within the last five years.
The TCR is created systemically from data obtained from the Custodial Detail Database, which
maintains balance due tax information related to individual income, excise, and employment
taxes. The late-filed and late payment information is obtained from the Individual Master File. 13
From the information obtained from these two systems, each SCP appointee’s TCR will provide
an overall tax compliance rating of:
       •   Compliant – There is no record of an overdue tax return or unpaid tax debt.
       •   Non-Compliant – A required tax return is not on file or a tax debt is past due. The
           individual needs to take corrective action.
       •   Compliance Issue – Indicates one or more of the following conditions: 1) a history of late
           paid tax debt; 2) filing issues; and 3) the individual is resolving an issue through an
           administrative or judicial proceeding, which allows due process for the individual to
           settle the tax matter.
As part of our review, we validated the TCR tax compliance check results by using the Integrated
Data Retrieval System 14 to examine the Individual Master File tax module information for Tax
Years 2015 through 2019 of each SCP appointee. The overall tax compliance ratings for all
seven SCP appointees were accurate at the time the TCRs were created.




11
   The Privacy, Governmental Liaison, and Disclosure organization is the enterprise owner of the Tax Check
Compliance Service, which allows authorized Federal officials to request a TCR with the submission of an individual’s
signed Form 14767, Consent to Disclose Tax Compliance Check.
12
   Prior to June 2020, the TCR did not include information on the untimely payment of tax liabilities. The TCR now
includes historical information on the untimely payment of taxes over the prior four years, even if the liabilities are
currently full paid.
13
     IRS database that maintains transactions or records of individual tax accounts.
14
  IRS computer system capable of retrieving or updating stored information. It works in conjunction with a
taxpayer’s account records.
                                                                                                                  Page 6
                                  Streamlined Critical Pay Authority for Information
                               Technology Positions Is Being Successfully Implemented


                                                                                                 Appendix I
                     Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS’s implementation of SCP
authority in the IT organization conforms to established laws, policies, and regulations. To
accomplish our objective, we:
    •    Interviewed IT organization and HCO officials and conducted a walkthrough of the SCP
         hiring process.
    •    Reviewed applicable laws, policies, and regulations related to hiring under SCP authority.
    •    Evaluated each SCP appointee’s candidate package, Final Offer letter, etc. to determine if
         the IT organization followed the applicable laws, policies, and regulations related to
         hiring under SCP authority.
    •    Evaluated any new or updated position descriptions to determine if they supported
         hiring under SCP authority.
    •    Reviewed each SCP appointee’s preliminary background check notification and the TCR.
         We validated the information contained in the TCR with the Individual Master File tax
         module information for Tax Years 2015 through 2019.

Performance of This Review
This review was performed with information obtained from the IT organization and the HCO in
the IRS National Headquarters in Washington, D.C., during the period September 2020 through
March 2021. We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objective.
Major contributors to the report were Danny R. Verneuille, Assistant Inspector General for Audit
(Security and Information Technology Services); Bryce Kisler, Director; Carol Taylor, Audit
Manager; and Ashley Weaver, Lead Auditor.

Validity and Reliability of Data From Computer-Based Systems
We performed limited tests to assess the reliability of data from the Separated IRS Employee File
maintained at the Treasury Inspector General for Tax Administration’s Data Center Warehouse.1
We evaluated the data by 1) visually scanning the source file to detect obvious errors and
unexpected missing data and 2) reviewing existing validation information about the data that
produced them. We determined that the data were sufficiently reliable for purposes of this
report.



1
 A collection of IRS databases containing various types of taxpayer account information that is maintained by the
Treasury Inspector General for Tax Administration for analysis during ongoing audits.
                                                                                                             Page 7
                             Streamlined Critical Pay Authority for Information
                          Technology Positions Is Being Successfully Implemented

Internal Controls Methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined that the
following internal controls were relevant to our audit objective: SCP guidance contained in
Section 2103 of the TFA, 5 U.S.C. § 9503, 5 U.S.C. § 9504, 5 U.S.C. § 9505, and Department of the
Treasury Policy TN-09-009 as well as IRS policies and requirements on preliminary clearance
checks. We evaluated these controls by interviewing HCO and IT organization management
personnel, and by comparing SCP candidate documentation to the requirements stated in the
SCP guidance.




                                                                                           Page 8
        Streamlined Critical Pay Authority for Information
     Technology Positions Is Being Successfully Implemented


                                                              Appendix II
Management’s Response to the Draft Report




                                                                    Page 9
            Streamlined Critical Pay Authority for Information
         Technology Positions Is Being Successfully Implemented


                                                                  Appendix III
                       Abbreviations

HCO         Human Capital Office
IRS         Internal Revenue Service
IT          Information Technology
SCP         Streamlined Critical Pay
TCR         Tax Compliance Report
TFA         Taxpayer First Act
TN          Transmittal Number
U.S.C.      United States Code




                                                                        Page 10
             To report fraud, waste, or abuse,
                call our toll-free hotline at:
                         (800) 366-4484


                              By Web:
                      www.treasury.gov/tigta/


                             Or Write:
         Treasury Inspector General for Tax Administration
                            P.O. Box 589
                        Ben Franklin Station
                   Washington, D.C. 20044-0589




Information you provide is confidential, and you may remain anonymous.