TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Streamlined Critical Pay Authority for Information Technology Positions Is Being Successfully Implemented

May 27, 2021
Report Number: 2021-25-032
TIGTACommunications@tigta.treas.gov | www.treasury.gov/tigta

HIGHLIGHTS

Final Audit Report issued on May 27, 2021

Why TIGTA Did This Audit

On July 1, 2019, Congress enacted the Taxpayer First Act to amend the Internal Revenue Code of 1986 to modernize and improve the IRS. Specifically, Section 2103 of this Act, titled Streamlined Critical Pay Authority for Information Technology Positions, reinstated streamlined critical pay (SCP) authority to the IRS.

This audit was initiated to determine whether the IRS’s implementation of SCP authority in the Information Technology organization conforms to established laws, policies, and regulations.

Impact on Taxpayers

Recognizing the IRS’s need to improve cybersecurity efforts to protect taxpayers from identity theft and refund fraud, Congress reinstated SCP authority in the Taxpayer First Act. Specifically, the Taxpayer First Act Report from the House of Representatives’ Committee on Ways and Means stated “…the IRS must be able to recruit and retain experts from the private sector in highly specialized areas of information technology. The Committee believes that the IRS’s ability to recruit such experts was aided by the now-expired streamlined critical pay authority, and believes that reauthorization is appropriate.”

What TIGTA Found

IRS SCP authority activities were compliant with the requirements of Taxpayer First Act Section 2103, related policies, and regulations. Specifically, all seven Calendar Year 2020 SCP candidate packages were approved by the IRS Commissioner, four-year appointment terms were clearly stipulated in their Final Offer letters, and compensation limits were followed. In addition, none of the SCP appointees were previously employed at the IRS.

The 10 SCP position descriptions created (new or updated from existing positions) generally reflected the need for more advanced technical skills and experience. Further, initial annual salary offerings to the SCP appointees appear to be appropriate.

Based on documentation provided by the Human Capital Office, the preliminary background and tax compliance checks were completed prior to hiring the seven Calendar Year 2020 SCP appointees. TIGTA validated the tax compliance check results by using the Integrated Data Retrieval System to examine the Individual Master File tax module information for Tax Years 2015 through 2019 of each SCP appointee. The overall tax compliance ratings for all seven SCP appointees were accurate at the time the Tax Compliance Reports were created.

What TIGTA Recommended

TIGTA made no recommendations as a result of the work performed during this review. In its response to the report, the IRS agreed with the facts and conclusions presented.

U.S. DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 27, 2021

MEMORANDUM FOR: COMMISSIONER OF INTERNAL REVENUE

FROM: Michael E. McKenney, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Streamlined Critical Pay Authority for Information Technology Positions Is Being Successfully Implemented (Audit # 202020513)

This report presents the results of our review to determine whether the Internal Revenue Service’s (IRS) implementation of streamlined critical pay authority in the Information Technology organization conforms to established laws, policies, and regulations.
This review is part of our Fiscal Year 2021 Annual Audit Plan and addresses the major management and performance challenge of Modernizing IRS Operations.

Management’s complete response to the draft report is included as Appendix II.

Copies of this report are also being sent to the IRS managers affected by the report information. If you have any questions, please contact me or Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background
Results of Review
    Ongoing Streamlined Critical Pay Authority Activities Were Compliant With the Requirements of Taxpayer First Act Section 2103, Related Policies, and Regulations
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Management’s Response to the Draft Report
    Appendix III – Abbreviations

Background

Prior to enactment of the Taxpayer First Act (TFA),[1] the Internal Revenue Service (IRS) Restructuring and Reform Act of 1998[2] initially provided the IRS with streamlined critical pay (SCP) authority for 10 years; this authority was extended on two occasions and ultimately expired on September 30, 2013.
Since its expiration, the IRS had unsuccessfully requested reinstatement of SCP authority every year in its annual budget request to Congress. The primary reason the IRS provided for reinstating SCP authority was to address the challenges to recruit top-level talent who could help protect taxpayer data from cyber-attacks and who could assist with modernizing its information technology systems and infrastructure. However, on July 1, 2019, Congress enacted the TFA to amend the Internal Revenue Code of 1986 to modernize and improve the IRS. According to the TFA Report[3] from the House of Representatives’ Committee on Ways and Means:

    The Committee is aware that, in order to identify and prevent identity theft or refund fraud, the IRS has focused on improving its efforts in cybersecurity, by providing continuous monitoring of systems, replacing old technology, developing new authentication measures, and working with the private sector to identify best practices. To do so, the IRS must be able to recruit and retain experts from the private sector in highly specialized areas of information technology. The Committee believes that the IRS’s ability to recruit such experts was aided by the now-expired streamlined critical pay authority, and believes that reauthorization is appropriate.

Section 2103 of the TFA, titled Streamlined Critical Pay Authority for Information Technology Positions, reinstated SCP authority to the IRS. Specifically, Section 2103 states that in the case of any position which is critical to the functionality of the information technology operations of the IRS, 5 United States Code (U.S.C.) Section (§) 9503, Streamlined Critical Pay Authority (July 1998), shall be applied. TFA Section 2103 also includes the requirement that appointees to such positions should not be IRS employees prior to the date of its enactment. In addition, the TFA updated and reinstated 5 U.S.C.
§ 9504, Recruitment, Retention, Relocation Incentives, and Relocation Expenses (March 2013), authorizing payments to SCP appointees for recruitment, retention, relocation incentives, and relocation expenses for positions in information technology operations at the IRS. The Act also updated and reinstated 5 U.S.C. § 9505, Performance Awards for Senior Executives (March 2013), allowing for the payment of performance bonuses to SCP appointees. All of these reinstated SCP authorities began on July 1, 2019, and unless they are extended, end on September 30, 2025.

[1] Pub. L. No. 116-25, also referred to as 26 U.S.C. § 7812.
[2] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2, 5, 16, 19, 22, 23, 26, 31, 38, and 49 U.S.C.).
[3] Dated April 9, 2019.

SCP position identification and hiring process

According to Information Technology (IT) organization[4] management, SCP positions were identified through conversations, held at the executive leadership level, regarding areas in which vacancies existed and what positions were needed to effectively implement the IRS’s Information Technology Strategic Plan FY2020 – FY2024.[5] In addition, these discussions included what existing skills IT organization executives currently have, what skills are needed, and how to best fill the identified SCP positions. IT organization management also stated that the main reason the positions were initially identified as SCP was because the IT organization did not currently have the high-level technical expertise and management experience on a large-scale level in the specific areas that these positions required.

The identification, recruitment, and hiring of SCP candidates is a coordinated effort between the IT organization and the Human Capital Office (HCO).[6] The HCO’s Office of Executive Services[7] is administratively responsible for managing the SCP program for the IT organization. The Office of Executive Services recruits potential SCP candidates through recruiting firms or online networking sites, such as LinkedIn.

The Office of Executive Services obtains the candidates’ resumes from SCP vacancy announcements and provides them to the IT organization. Then, IT organization executives independently conduct up to two resume reviews. The first resume review determines if the SCP candidate’s skills align with any available position. If the SCP candidate’s skills align with an available position, then the resume is forwarded to the executive responsible for that position to see if they would be a good fit within the organization.

Based on passing both resume reviews, candidates who appear to possess the necessary qualifications for SCP positions are contacted and asked some preliminary screening questions. If the candidate successfully answers the questions, more formalized interviews are conducted. The first interview panel consists of three to four IT organization executives. If the first interview panel approves the candidate to move forward, a second interview is held with a panel that includes the Chief Information Officer and the Deputy Chief Information Officers. The best candidate selected from the second interview is asked to provide references that are checked by the Chief Information Officer who then notifies the HCO of the potential candidate selected.

The HCO sends the candidate an informal offer. If the informal offer is accepted and the IRS Commissioner approves hiring the SCP candidate, a formal offer is made. If the SCP candidate accepts the formal offer, they are brought on board after clearing a preliminary background and tax compliance check, which generally takes four to six weeks.
A more thorough background investigation will be completed and finalized sometime after the SCP candidate’s appointment.

According to IT organization management, they generally go through hundreds of resumes prior to selecting someone for an SCP position. For example, the Web Applications Domain Director SCP position vacancy had 210 applicants. Due to the stringent requirements to possess the requisite experience and technical skills for the position, only 44 candidates met the basic requirements. After additional evaluative steps, one of these candidates was offered the position.

[4] Responsible for delivering information technology services and solutions that drive effective tax administration to ensure public confidence.
[5] Dated November 1, 2020.
[6] Responsible for providing human capital strategies and tools to recruit, hire, develop, retain, and transition a highly skilled and high-performing workforce to support IRS mission accomplishments.
[7] Provides integrated executive policy and operational personnel support services in a centralized structure to Senior Executive Service, SCP, Senior Level, and Senior Executive Services-in-Waiting employees.

As of February 22, 2021, the IT organization has onboarded seven out of 10 identified SCP positions. Figure 1 lists the SCP position titles and appointment dates.
Figure 1: SCP Position Titles and Appointment Dates

Count | Position Titles | Appointment Dates
1 | Associate Chief Information Officer, Enterprise Operations | 3/30/2020
2 | Senior Advisor to the Information Technology Technical Director, Strategic Planning and Technology Direction | 4/27/2020
3 | Director, Infrastructure Services | 5/26/2020
4 | Director, Web Applications Domain | 6/8/2020
5 | Director, Online Services | 8/3/2020
6 | Associate Chief Information Officer, Enterprise Services | 9/28/2020
7 | Senior Data Architect | 9/28/2020
8 | Chief Technology Officer | Offer Made to Candidate[8]
9 | Director, Technical Integration | Candidate Search in Process
10 | Director, Cybersecurity Architecture and Implementation | Candidate Search in Process

Source: HCO-provided information as of February 22, 2021.

[8] As of January 25, 2021.

Results of Review

Ongoing Streamlined Critical Pay Authority Activities Were Compliant With the Requirements of Taxpayer First Act Section 2103, Related Policies, and Regulations

The IRS Commissioner approved all SCP candidate packages

According to 5 U.S.C. § 9503, the Secretary of the Treasury may establish, fix the compensation of, and appoint individuals to designated critical positions needed to carry out the functions of the IRS. However, effective with the issuance of the Department of the Treasury Policy Transmittal Number (TN)-09-009, Internal Revenue Service Streamlined Critical Pay Authority (November 25, 2009), this authority was delegated to the IRS Commissioner. After a viable SCP candidate is identified, a candidate package is put together containing the documentation supporting their hiring and sent to the IRS Commissioner for approval.
Department of the Treasury Policy TN-09-009 requires that a candidate package include: a position description, a resume, an appointment justification (including a rationale for compensation and incentives), a Standard Form 52, Request for Personnel Action, an organizational chart, and a memorandum of approval from the IRS Commissioner. Our review and analysis of the documentation found that the candidate packages for all seven SCP appointees in Calendar Year 2020 contained the required information[9] and were approved by the IRS Commissioner.

SCP position descriptions created (new or updated from existing positions) generally reflected the need for more advanced technical skills and experience

As of February 22, 2021, the IRS has filled seven vacant positions and is in the process of filling three more under its current SCP authority. According to the IRS, nine of these positions already existed and required their position descriptions to be updated to reflect new technical skills and experience requirements. The 10th position, Senior Data Architect, was newly created to fill an identified organizational need, which required the development of a new position description.

For the nine updated position descriptions, we reviewed and compared their wording to their prior versions. Eight of the updated position descriptions contained additional responsibilities not listed in the pre-SCP position descriptions. Many of the additional responsibilities required more extensive knowledge in information technology processes and focused on experience related to senior level management of a large information technology organization.

In addition, our review found that the Enterprise Services Associate Chief Information Officer position description was minimally updated. However, a few significant requirements were added to expand the position’s responsibilities (bolded to show the newly added requirements).

    The work requires high level staff planning, negotiation, coordination, and liaison responsibilities. Decisions and judgements are reviewed almost exclusively in terms of results achieved…. The work affects the Service’s ability to successfully implement its stated mission and achieve major programs and goals…. Contacts are with all levels of IRS employees and officials, oversight organizations, other government agencies, foreign governments, Congress, technology, and tax officials, professional groups, organizations representing employees, educational and state institutions, trade associations, and other special interest groups. Contacts are to obtain, disseminate, or exchange information; request or provide assistance to resolve highly complex issues; coordinate, explain, or justify IRS policies, procedures, and decisions on systems development and operations; make policy decisions; negotiate changes in plans; and persuade top level officials to pursue a recommended course of action.

[9] Although the SCP candidate packages did not include an organizational chart, each of them included a description of the position’s location in the IT organization and to whom they would report.

Based on these expanded responsibilities, IRS officials indicated that this vacancy was filled under SCP authority because there were no internal candidates who currently possess the required technical skills and experience needed for the updated position.

Four-year appointment terms were clearly stipulated in the Final Offer letters, and compensation limits were followed during Calendar Year 2020

The requirements of 5 U.S.C. § 9503 limit the terms of SCP appointments to four years and the total annual compensation for any SCP appointees to the rate of pay of the U.S. Vice President ($253,300 in Calendar Year 2020 and $255,800 in Calendar Year 2021).
We reviewed the Final Offer letters for all seven Calendar Year 2020 SCP appointees and found that each Final Offer letter stated that the appointment term limits would be no longer than four years. In addition, each SCP appointee’s total compensation (including salary, plus any recruitment incentive, potential performance bonus, etc.) for Calendar Year 2020 was under the $253,300 limit.

Initial annual salary offerings to SCP appointees appear to be appropriate

Our review of the appointment justifications, recruitment incentive requests, and the Final Offer letters for all seven SCP appointees found that four of them are generally making less working for the IRS due to the compensation limitation than what they made while employed in the private sector. In addition, the remaining three SCP appointees received salary increases that, according to the IRS, were on par to private sector information technology executives with similar skills and qualifications.

None of the SCP appointees were previously employed at the IRS

According to 5 U.S.C. § 9503, appointees to critical pay positions should not have been IRS employees prior to enactment of the TFA. We reviewed the resumes for all seven Calendar Year 2020 SCP appointees and determined that none had listed any prior employment with the IRS. In addition, we searched the Separated IRS Employee File and did not identify any prior IRS employment for the seven appointees.

SCP appointee clearance checks were completed as required

Based on documentation provided by the HCO, the preliminary background and tax compliance checks were completed prior to hiring the seven Calendar Year 2020 SCP appointees. Department of the Treasury Policy TN-09-009 states the “IRS Human Capital Officer” is responsible for initiating the appropriate clearances, including security and background checks, tax compliance checks, etc., and for ensuring that any identified issues are resolved prior to appointment.
The IRS Personnel Security Office is responsible for performing the preliminary background checks, which consist of reviewing the:

1) Prospective SCP candidate’s Optional Form 306, Declaration for Federal Employment, which is used to assess their suitability for Federal employment.
2) Automated Labor and Employee Relations Tracking System[10] to confirm that the prospective SCP candidate was not a former IRS employee with conduct issues.
3) Prospective SCP candidate’s criminal history.

[10] IRS system that tracks labor/employee relations case data.

In addition, all seven SCP appointees received tax compliance checks prior to starting employment with the IRS, the results of which were provided to the HCO by the Tax Check Compliance Service[11] in the form of a Tax Compliance Report (TCR). The TCR shows, on the day the report is generated, whether the candidate:

1) Filed their tax returns timely, including extensions, within the past four years.
2) Paid their tax liabilities timely, within the past four years (only for the TCRs created after June 2020).[12]
3) Currently has any outstanding tax liabilities due (including on time payments through an active installment agreement or pending resolution through an ongoing administrative or judicial proceeding).
4) Had any fraud penalties assessed within the last five years.

The TCR is created systemically from data obtained from the Custodial Detail Database, which maintains balance due tax information related to individual income, excise, and employment taxes. The late-filed and late payment information is obtained from the Individual Master File.[13] From the information obtained from these two systems, each SCP appointee’s TCR will provide an overall tax compliance rating of:

• Compliant – There is no record of an overdue tax return or unpaid tax debt.
• Non-Compliant – A required tax return is not on file or a tax debt is past due. The individual needs to take corrective action.
• Compliance Issue – Indicates one or more of the following conditions: 1) a history of late paid tax debt; 2) filing issues; and 3) the individual is resolving an issue through an administrative or judicial proceeding, which allows due process for the individual to settle the tax matter.

As part of our review, we validated the TCR tax compliance check results by using the Integrated Data Retrieval System[14] to examine the Individual Master File tax module information for Tax Years 2015 through 2019 of each SCP appointee. The overall tax compliance ratings for all seven SCP appointees were accurate at the time the TCRs were created.

[11] The Privacy, Governmental Liaison, and Disclosure organization is the enterprise owner of the Tax Check Compliance Service, which allows authorized Federal officials to request a TCR with the submission of an individual’s signed Form 14767, Consent to Disclose Tax Compliance Check.
[12] Prior to June 2020, the TCR did not include information on the untimely payment of tax liabilities. The TCR now includes historical information on the untimely payment of taxes over the prior four years, even if the liabilities are currently full paid.
[13] IRS database that maintains transactions or records of individual tax accounts.
[14] IRS computer system capable of retrieving or updating stored information. It works in conjunction with a taxpayer’s account records.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS’s implementation of SCP authority in the IT organization conforms to established laws, policies, and regulations.
To accomplish our objective, we:

• Interviewed IT organization and HCO officials and conducted a walkthrough of the SCP hiring process.
• Reviewed applicable laws, policies, and regulations related to hiring under SCP authority.
• Evaluated each SCP appointee’s candidate package, Final Offer letter, etc. to determine if the IT organization followed the applicable laws, policies, and regulations related to hiring under SCP authority.
• Evaluated any new or updated position descriptions to determine if they supported hiring under SCP authority.
• Reviewed each SCP appointee’s preliminary background check notification and the TCR. We validated the information contained in the TCR with the Individual Master File tax module information for Tax Years 2015 through 2019.

Performance of This Review

This review was performed with information obtained from the IT organization and the HCO in the IRS National Headquarters in Washington, D.C., during the period September 2020 through March 2021. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Major contributors to the report were Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services); Bryce Kisler, Director; Carol Taylor, Audit Manager; and Ashley Weaver, Lead Auditor.

Validity and Reliability of Data From Computer-Based Systems

We performed limited tests to assess the reliability of data from the Separated IRS Employee File maintained at the Treasury Inspector General for Tax Administration’s Data Center Warehouse.[1] We evaluated the data by 1) visually scanning the source file to detect obvious errors and unexpected missing data and 2) reviewing existing validation information about the data that produced them. We determined that the data were sufficiently reliable for purposes of this report.

[1] A collection of IRS databases containing various types of taxpayer account information that is maintained by the Treasury Inspector General for Tax Administration for analysis during ongoing audits.

Internal Controls Methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: SCP guidance contained in Section 2103 of the TFA, 5 U.S.C. § 9503, 5 U.S.C. § 9504, 5 U.S.C. § 9505, and Department of the Treasury Policy TN-09-009 as well as IRS policies and requirements on preliminary clearance checks. We evaluated these controls by interviewing HCO and IT organization management personnel, and by comparing SCP candidate documentation to the requirements stated in the SCP guidance.

Appendix II

Management’s Response to the Draft Report

Appendix III

Abbreviations

HCO | Human Capital Office
IRS | Internal Revenue Service
IT | Information Technology
SCP | Streamlined Critical Pay
TCR | Tax Compliance Report
TFA | Taxpayer First Act
TN | Transmittal Number
U.S.C. | United States Code

To report fraud, waste, or abuse, call our toll-free hotline at: (800) 366-4484

By Web: www.treasury.gov/tigta/

Or Write:
Treasury Inspector General for Tax Administration
P.O. Box 589
Ben Franklin Station
Washington, D.C. 20044-0589

Information you provide is confidential, and you may remain anonymous.
Published by the Office of the Treasury Inspector General for Tax Administration on 2021-05-27.