Windows 7's final security update will be shipped on Jan. 14, 2020.
In its response, the IRS contested some of TIGTA's numbers, saying that the missing PCs had been located and updated to Windows 7 by July 22, 2015. The agency also said it had boosted the portion of its servers running Windows Server 2003 to approximately 61% by that date.
TIGTA noted those amendments in its report, but also said that it had not been able to verify the information provided by the IRS.
The IRS also countered TIGTA's conclusion that it had mismanaged the migration, arguing that the process the auditors said should have been followed was unnecessary and inappropriate for an upgrade project. "However, we agree that large scale, enterprise-wide efforts such as the two Windows upgrade projects need to have a minimum set of product documentation requirements to ensure that effective project management is adhered to for projects of this size," the tax agency said.
Both TIGTA and the IRS pointed out that budget limitations contributed to the overlong and costly upgrades, with the former noting that lack of money forced the IRS to upgrade older PCs to Windows 7 rather than buying new devices, "which would have made the upgrade processor easier due to the compatibility of new hardware with new operating systems."
Some of the money the IRS spent went to Microsoft to pay for post-retirement support contracts that provide large customers with critical security updates, even though the same patches are not offered to the public. In April, 2014, the IRS disputed a Computerworld estimate of the cost of its custom support contract with Microsoft. The $11.6 million estimate was generated using data provided by several licensing consultants, but the IRS said it had paid just half a million dollars to keep its then-58,000 Windows XP machines secure for the next 12 months.
In its report, TIGTA said that the agency this year had also purchased a custom support contract to cover its remaining Windows Server 2003 systems for the next 12 months, but did not provide a dollar amount.
TIGTA knocked the IRS for that expense as well. "The IRS will begin paying a premium for extended service on an outdated server operating system that no longer receives critical security upgrades automatically from the vendor," its report said. "As a result, we determined the IRS has not adequately planned for the Windows server upgrade in regard to the costs, potential security implications, and amount of time necessary to complete the upgrade."
TIGTA's report can be downloaded from its website (PDF).
Sign up for CIO Asia eNewsletters.