2.172.1 IT Enterprise Control Authority and Operations Directives

Manual Transmittal

April 21, 2021

Purpose

(1) This transmits new IRM 2.172.1, IT Enterprise Control Authority and Operations, IT Enterprise Control Authority and Operations Directives.

Material Changes

(1) This is a new IRM.

Effect on Other Documents

This new IRM incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive.

Audience

All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio.

Effective Date

(04-21-2021)

Nancy Sieger
Chief Information Officer

Program Scope and Objective

  1. This IRM provides Information Technology (IT) Enterprise Control Authority and Operations directives and procedures. It provides the purpose, scope, authority, mandates and responsibilities for IT Enterprise Control Authority and Operations policy.

Background

  1. The Enterprise Control Authority and Operations Directive, issued April 2009, provided guidance for IT ACIO and business unit support organizations. This IRM replaces the 2009 Control Directive and incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive.

Purpose

  1. The purpose of IT Enterprise Control Authority and Operations is to establish requirements for the enterprise control functions, including the assessment of the health (performance) of the Information Technology (IT) program and project activities throughout implementation. Ongoing monitoring of program and project performance through health assessments facilitates informed decision-making and effective governance and management of the IRS Information Technology (IT) portfolio.

  2. IRM 2.172 provides the mandates, guiding principles, roles, and responsibilities for institutionalizing the IRS enterprise control processes. The mandates require stakeholders to perform enterprise control activities which facilitate informed decision-making and effective management of their IRS IT portfolio investment items. IRM 2.172 focuses on governance and the revised health assessment with the updated enterprise standard data set.

  3. IRM 2.172 specifically addresses:

    • Implementation of the IT Enterprise Health Assessment (EHA): its content, purpose, and relevance in IT management and governance

    • Restructured IT Governance

    • Requirements for programs and projects executing under restructured IT governance

    • Use of data captured through the Revised IT Health Assessment within IT and IT governance

Scope

  1. This Directive applies to all IT programs and projects included in the IRS IT portfolio. The IRS IT portfolio includes all IT projects and programs that develop, enhance, maintain or modernize information technology capabilities to deliver the IRS’s mission (including the IRS Integrated Modernization Business Plan).

Authority

  1. The Information Technology (IT) Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division within the Strategy and Planning Associate Chief Information Officer area is responsible for developing, implementing and maintaining this IRM. Approval of this IRM, including updates, rests with the IPCO office.

Mandate

  1. This IRM establishes mandates for IRS IT enterprise control functions (IT ACIO and business unit support organizations). These mandates shall be satisfied through internal controls during the initiation, design, development, deployment, and operations of the agency’s IT systems. This Directive requires adherence to the following mandates:

    • Compliance with Federal, Treasury, and IRS Policies

    • Promulgation of enterprise-wide control processes

Audience

  1. All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio.

Administration

  1. The Information Technology (IT) Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division is responsible for the development, implementation, and maintenance of this IRM. All proposed changes to this document must be submitted in writing, with supporting rationale, to IPCO.

Terms and Definitions

  1. Below is a list of IT Terms and Definitions pertaining to this document:

    Term | Definition
    IT Project | An IT endeavor with a unique start and end date, following a defined software development lifecycle or an implementation schedule, that has approved funding and staffing resources which can be planned, monitored, measured and controlled, and which directly results in a unique product for business functionality. IT Projects are undertaken for development, modernization, enhancement, disposal or maintenance and are funded from a specific investment with a Unique Investment Identifier (UII) which determines ESC alignment. Projects are assigned to a GB based on functionality and organizational alignment and are responsible for regular performance reporting.
    IT Program | A group of organizational or functionally related projects managed in a coordinated way to obtain benefits and control not available from managing them individually.
    IT Portfolio | A collection of IT projects, programs, and/or investments used to represent the inventory of IT work being conducted and executed throughout the service for the given fiscal year, and within the confines of the IT budget.
    IT Investment | A single line item of funding in the IT Portfolio. Frequently a related set of procurements, projects, programs, and operations organized around a mission, related business functionality, or an end-to-end process.
    Milestones to Enter and Exit Review (MER) | Milestones are used to mark project start and end dates. They can include the design phase, the deployment phase, and the operations and maintenance phase. Governance Boards review and approve project milestones.
    Release | A collection of changes made since the last deployment with a unique start and implementation date that may not be a formal project, but is being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee. Can represent a specific segment or segments of functionality.
    Significant Activity | A set of actions with a start and end date that may not be a formal project or release, but is being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee.
    IT Project Health | Reflects the current status of executing projects and/or programs considering key elements of management and performance such as cost, schedule, scope, and existing or potential risks. Example: Is the project developing or implementing on schedule, within a range of the planned cost, on target to implement the planned scope or capabilities, and avoiding risks or mitigating risks to a degree that allows the project to continue as planned? Health can be identified through the results/scoring of the key performance indicators and can be clarified through a narrative describing the specifics of that current performance (whether positive or negative). Key performance indicators can be assessed and used to simply raise awareness or to drive action on correction before more severe impacts occur.
    Enterprise Key Performance Indicator (EKPI) | EKPIs are summary calculations of data elements represented by color/value indicators used to monitor the health of IT projects and programs. The standardized EKPIs for cost, schedule, scope, and risk provide initial indications of performance issues that may need further attention. EKPIs are used at the control organization level, as well as for enterprise level governance reports shared across the enterprise, providing internal IRS transparency and a line of sight for external entities and oversight bodies. Governance Boards and Executive Steering Committees incorporate the established EKPI process in their analysis to provide efficient use of the data for both agenda development and decision making.
    Enterprise Health Assessment (EHA) | The Enterprise Health Assessment is a data entry module/form used to establish a standard, repeatable process for assessing the health of IT development, maintenance, and infrastructure projects and programs, addressing key elements of reporting for Treasury, the Omnibus IT Investment Report, the IT BPR, and CIO Op Reviews, and providing governance and decision-makers with an insightful, consistent, and transparent data set.
    Risk Escalation | Risk escalation is a process for reporting and escalating risk. Projects and programs trending yellow and red can be escalated for attention from the project manager to a governance board and, if not mitigated, to an ESC.

Acronyms

  1. Below is a list of IT acronyms pertaining to this document:

    Acronym | Description
    ACIO | Associate Chief Information Officer
    AD | Applications Development
    BCR | Baseline Change Request
    BPR | Business Performance Review
    CIO | Chief Information Officer
    DACIO | Deputy Associate Chief Information Officer
    DMQA | Delivery Management and Quality Assurance
    EHA | Enterprise Health Assessment
    EKPI | Enterprise Key Performance Indicator
    ELC | Enterprise Life Cycle
    EOps | Enterprise Operations
    EPC | Enterprise Program Controls
    ES | Enterprise Services
    ESC | Executive Steering Committee
    FITARA | Federal Information Technology Acquisition Reform Act
    GB | Governance Board
    IPCO | Investment and Portfolio Control and Oversight
    IPG | Investment and Program Governance
    MER | Milestone Exit Review
    OMB | Office of Management and Budget (White House)
    OPPM | Oracle Primavera Portfolio Management
    PM | Project Manager
    PM&O | Portfolio Management & Oversight
    S&P | Strategy and Planning
    SP&I | Service Planning and Improvement
    UNS | User and Network Services

Resources

  1. The Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division supports the IT ACIOs and business unit support organizations with resources located on the OPPM-ProSight Library including:

    Resource | Description
    Enterprise Health Assessment Navigation Tip Card | PDF document containing overview information on how to navigate the main modules and operate the basic functionality features available in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. Includes specific steps on how to locate and begin using the Enterprise Health Assessment (EHA) in the IT Enterprise Control application.
    Enterprise Health Assessment User Guide | PDF document that is a step-by-step guide containing detailed information for users on how to locate, utilize, and complete the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. This guide contains both text/category definitions and image examples detailing each section of the Enterprise Health Assessment (EHA) form.
    Enterprise Health Assessment KPI Criteria | PDF document explaining and highlighting the detailed criteria calculations used to generate the Cost, Schedule, Scope and Risk EKPIs used in the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.
    Enterprise Health Assessment Valid Key Code | PDF document identifying the key set of required data elements, by location and explanation, which must be complete in order for a project and/or program to be considered “Valid” (i.e., up to date or containing current data) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.
    Enterprise Health Assessment FAQs | PDF document containing Frequently Asked Questions regarding the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.