Part 2. Information Technology
Chapter 172. Enterprise Control Authority and Operations
Section 1. IT Enterprise Control Authority and Operations Directives

2.172.1 IT Enterprise Control Authority and Operations Directives

Manual Transmittal
April 02, 2024

Purpose

(1) This transmits revised IRM 2.172.1, IT Enterprise Control Authority and Operations, IT Enterprise Control Authority and Operations Directives.

Material Changes

(1) IRM 2.172.1 - Updated, reorganized, and renumbered, to include all required internal controls and related IRM subsections.
(2) IRM 2.172.1 - Minor editorial changes to include plain language, correct broken links, update Program Scope and Objectives, and realign with required internal controls format.
(3) IRM 2.172.1.1 - Original Section 2.172.1.1.1.1, Purpose, realigned to Program Scope and Objectives, IRM Section 2.172.1.1, to align with required internal controls format.
(4) IRM 2.172.1.1 - Original Section 2.172.1.1.1.2, Scope, realigned to Program Scope and Objectives, IRM Section 2.172.1.1, under Audience, to align with required internal controls format.
(5) IRM 2.172.1.1.3 - Original Section 2.172.1.3, Mandate, realigned to Responsibilities, IRM Section 2.172.1.1.3 to align with required internal controls format.
(6) IRM 2.172.1.1.4 - Original Section 2.172.1.4, Audience, realigned to Program Management and Review, IRM Section 2.172.1.1.4 to align with required internal controls format.
(7) IRM 2.172.1.1.5 - Original Section 2.172.1.5, Administration, realigned to Program Controls, IRM Section 2.172.1.1.5 to align with required internal controls format.
(8) 2.172.1.1.6 - Original Section 2.172.1.6, Terms and Definitions, combined with Original Section 2.172.1.7, Acronyms, and realigned to Terms/Acronyms/Definitions, IRM Section 2.172.1.1.6 to align with required internal controls format.
(9) IRM 2.172.1.1.7, Original Section 2.172.1.7, Acronyms, realigned to Related Resources, IRM Section 2.172.1.1.7 to align with required internal controls format.
(10) IRM Original Section 2.172.1.8, Resources, removed from IRM 2.172.1.

Effect on Other Documents

IRM 2.172.1 dated April 21, 2021, is superseded.

Audience

All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio.

Effective Date

(04-02-2024)

Rajiv Uppal
Chief Information Officer

2.172.1.1 (04-02-2024) Program Scope and Objectives

Purpose: The purpose of IT Enterprise Control Authority and Operations IRM is to establish requirements for the enterprise control functions, including the assessment of the health (performance) of the Information Technology (IT) program and project activities throughout implementation. The benefit of ongoing monitoring of program and project performance utilizing health assessments facilitates informed decision-making and effective governance and management of the IRS Information Technology (IT) portfolio. The IRM provides the mandates, guiding principles, roles, and responsibilities for institutionalizing the IRS enterprise control processes. The mandates require stakeholders perform enterprise control activities which facilitate informed decision-making and effective management of their IRS IT portfolio investment items.

IRM 2.172 focuses on governance and the enterprise health assessment with the updated enterprise standard data set. It addresses the implementation of the IT Enterprise Health Assessment (EHA), its content, purpose, and relevance in IT management and governance. The IRM includes requirements for programs and projects executing under IT governance.
Audience: All IRS employees and contractors managing and performing control activities on the IT program, projects and portfolio. This Directive applies to all IT programs and projects included in the IRS IT portfolio. The IRS IT portfolio includes all IT projects and programs that develop, enhance, maintain or modernize information technology capabilities to deliver the IRS’s mission (including the IRS Integrated Modernization Business Plan).

Policy Owner: IRS IT, Strategy and Planning.

Program Owner: IRS IT, Strategy and Planning, Investment and Portfolio Control and Oversight (IPCO), Portfolio Management & Oversight (PMO).

Primary Stakeholders: All IRS IT organizations and business units.

Program Goals: The goal is to provide IT Enterprise Control functions with IT Enterprise Control Authority and Operations Process and Procedures and to provide effective oversight and decision-making. This IRM establishes and mandates how projects and programs executing in the IT Portfolio are required to record and track progress, performance, and status information to ensure vital data for management, decision making and monitoring by governance is available.

2.172.1.1.1 (04-02-2024) Background

The Enterprise Control Authority and Operations Directive, issued April 2009, provided guidance for IT ACIO and business unit support organizations. This IRM replaces the 2009 Control Directive and incorporates Interim Guidance IT-02-0319-0007, Interim Guidance on Internal Revenue Manual (IRM) 2.172 Enterprise Control Authority and Operations Directive.

2.172.1.1.2 (04-02-2024) Authority

The Information Technology (IT) Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division within the Strategy and Planning Associate Chief Information Officer area is responsible for developing, implementing and maintaining this IRM. Approval of this IRM, including updates, rests with the IPCO office.
2.172.1.1.3 (04-02-2024) Responsibilities

This IRM establishes mandates for IRS IT enterprise control functions (IT ACIO and business unit support organizations). Through internal controls during the initiation, design, development, deployment, and operations of the agency’s IT systems, these mandates shall be satisfied.

This Directive requires adherence to the following mandates:

- Compliance with Federal, Treasury, and IRS Policies
- Promulgation of enterprise-wide control processes

2.172.1.1.4 (04-02-2024) Program Management and Review

The Information Technology (IT) Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division is responsible for the development, implementation, and maintenance of this IRM. All proposed changes to this document must be submitted in writing, with supporting rationale, to IPCO.

2.172.1.1.5 (04-02-2024) Program Controls

This program uses the IRS Internal Management Documents System to establish controls.

2.172.1.1.6 (04-02-2024) Terms/Acronyms/Definitions

Below is a list of IT Terms and Definitions pertaining to this document:

Term: Definition

IT Project: An IT endeavor with a unique start and end date following a defined software development lifecycle, or an implementation schedule and has approved funding and staffing resources which can be planned, monitored, measured and controlled which directly result in a unique product for business functionality. IT Projects are undertaken for development, modernization, enhancement, disposal or maintenance and are funded from a specific investment with a Unique Investment Identifier (UII) which determines ESC alignment. Projects are assigned to a GB based on functionality and organizational alignment and are responsible for regular performance reporting.

IT Program: A group of organizational or functionally related projects managed in a coordinated way to obtain benefits and control not available from managing them individually.

IT Portfolio: A collection of IT projects, programs, and/or investments used to represent the inventory of IT work being conducted and executed throughout the service for the given fiscal year, and within the confines of the IT budget.

IT Investment: A single line item of funding in the IT Portfolio. Frequently a related set of procurements, projects, programs, and operations organized around a mission, related business functionality, or an end to end process.

Milestones to Enter and Exit Review (MER): Milestones are used to mark project start and end dates. It can include the design phase, the deployment phase, and operations and maintenance phase. Governance Boards review and approve project milestones.

Release: A collection of changes made since the last deployment with a unique start and implementation date that may not be a formal project, but is being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee. Can represent a specific segment or segments of functionality.

Significant Activity: A set of actions with a start and end date that may not be a formal project or release, but are being monitored and tracked by ACIO, Governance Board, or Executive Steering Committee.

IT Project Health: Reflects the current status of executing projects and/or programs considering key elements of management and performance such as cost, schedule, scope, and existing or potential risks. Example: Is the project developing or implementing on schedule, within a range of the planned cost, on target to implement the planned scope or capabilities, and avoiding risks or mitigating risks to a degree that allows the project to continue as planned? Health can be identified through the results/scoring of the key performance indicators and can be clarified through a narrative describing the specifics of that current performance (whether positive or negative). Key performance indicators can be assessed and used to simply raise awareness or to drive action on correction before more severe impacts occur.

Enterprise Key Performance Indicator (EKPI): EKPIs are summary calculations of data elements represented by color/value indicators used to monitor the health of IT projects and programs. The standardized EKPIs for cost, schedule, scope, and risk provide initial indications of performance issues that may need further attention. EKPIs are used at the control organization level, as well as for enterprise level governance reports shared across the enterprise; providing internal IRS transparency, and a line of sight for external entities and oversight bodies. Governance Boards and Executive Steering Committees incorporate the established EKPI process in their analysis to provide efficient use of the data for both agenda development and decision making.

Enterprise Health Assessment (EHA): The Enterprise Health Assessment is a data entry module/form used to establish a standard, repeatable process for assessing the health of IT development, maintenance, and infrastructure projects and programs - addressing key elements of reporting for Treasury, the Omnibus IT Investment Report, the IT BPR, CIO Op Reviews and providing governance and decision-makers with an insightful, consistent, and transparent data set.

Risk Escalation: Risk escalation is a process for reporting and escalating risk. Projects and programs trending yellow and red can be escalated for attention from the project manager to a governance board and if not mitigated, to an ESC.
Below is a list of IT acronyms pertaining to this document:

Acronym: Description

ACIO: Associate Chief Information Officer
AD: Applications Development
BCR: Baseline Change Request
BPR: Business Performance Review
CIO: Chief Information Officer
DACIO: Deputy Associate Chief Information Officer
DMQA: Delivery Management and Quality Assurance
EHA: Enterprise Health Assessment
EKPI: Enterprise Key Performance Indicator
ELC: Enterprise Life Cycle
EOps: Enterprise Operations
EPC: Enterprise Program Controls
ES: Enterprise Services
ESC: Executive Steering Committee
FITARA: Federal Information Technology Acquisition Reform Act
GB: Governance Board
IPCO: Investment and Portfolio Control and Oversight
IPG: Investment and Program Governance
MER: Milestone Exit Review
OMB: Office of Management and Budget (White House)
OPPM: Oracle Primavera Portfolio Management
PM: Project Manager
PM&O: Portfolio Management & Oversight
S&P: Strategy and Planning
SP&I: Service Planning and Improvement
UNS: User and Network Services

2.172.1.1.7 (04-02-2024) Related Resources

The Strategy and Planning (S&P), Investment and Portfolio Control and Oversight (SP:IPCO) division supports the IT ACIOs and business unit support organizations with resources located on the OPPM-ProSight Library including:

Resource: Description

Enterprise Health Assessment Navigation Tip Card: PDF document containing overview information on how to navigate the main modules and operate the basic functionality features available in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. Specific steps on how to locate and begin using the Enterprise Health Assessment (EHA) in IT Enterprise Control application included.

Enterprise Health Assessment User Guide: PDF document is a step-by-step guide containing detailed information for users on how to locate, utilize, and complete the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool. This guide contains both text/category definitions, as well as image examples detailing each section of the Enterprise Health Assessment (EHA) form.

Enterprise Health Assessment KPI Criteria: PDF document providing explanation and highlighting the detailed criteria calculations used to generate the Cost, Schedule, Scope and Risk EKPIs used in the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.

Enterprise Health Assessment Valid Key Code: PDF document identifying the key set of required data elements, by location and explanation, which must be complete in order for a project and/or program to be considered “Valid” (i.e. up to date or contains current data) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.

Enterprise Health Assessment FAQs: PDF document containing Frequently Asked Questions regarding the Enterprise Health Assessment (EHA) in the IT Enterprise Control application in the Oracle Primavera Portfolio Management (OPPM) (aka ProSight) tool.