May 20 Oversight Hearing on the Internal Revenue Service--Questions for the Record

Published by the Government Accountability Office on 2003-06-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

United States General Accounting Office
Washington, DC 20548

          June 27, 2003

          The Honorable William M. Thomas
          Joint Committee On Taxation

          Subject: May 20 Oversight Hearing on the Internal Revenue Service – Questions
          for the Record

          It was a pleasure to appear before the Joint Committee on Taxation on May 20, 2003,
          to discuss the Internal Revenue Service’s (IRS) accomplishments in the 5 years since
          the IRS Restructuring and Reform Act of 1998 was passed. Enclosed are our
          answers to questions from the Honorable Marsha Blackburn, dated June 3, 2003,
          which required a written response. I hope this information is helpful.

          Sincerely yours,

          James R. White
          Director, Strategic Issues


                                                                   GAO-03-962R IRS Oversight
(1)      How much money has IRS spent on upgrading its security? Are the
         challenges associated with ensuring information security technological
         or managerial?

According to IRS officials, spending for security in fiscal year 2003 is about $132
million, including about $39 million dedicated to information technology security
improvements. For fiscal year 2004, IRS officials state that they have requested about
$136 million for information technology security, with about $40 million dedicated to

The challenges facing IRS in ensuring information security are largely managerial.
Ensuring that known weaknesses affecting IRS’s computing resources are promptly
mitigated and that computer controls effectively protect its systems and data requires
support and leadership from senior management of IRS’s information technology and
operating divisions, disciplined processes, and consistent oversight. We have
reported that an underlying cause for the hundreds of information security
weaknesses identified during our reviews of IRS’s computer controls was that IRS
has not fully implemented its agencywide information security program.1
Implementing such a program requires that IRS take a comprehensive approach that
includes assessing risks and evaluating needs, establishing and implementing
appropriate policies and controls, enhancing awareness and technical skills, and
monitoring the effectiveness of controls on an ongoing basis. Further, a successful
program will need the active and accountable involvement of both (1) operating
division executives and managers who understand which aspects of their missions
and information systems are the most critical and sensitive and (2) technical experts
who know the agency’s systems and understand the technical aspects of
implementing security controls. At the same time, technology is certainly part of the

While there are no silver bullets, there are many tools today that are very helpful in
implementing information security and could assist IRS in its efforts to strengthen
security. Until IRS effectively and fully implements its agencywide information
security program, assurance will remain limited that IRS’s financial information and
taxpayers’ personal information are adequately safeguarded against unauthorized
use, disclosure, and modification, and its exposure to these risks will remain
unnecessarily high.

(2)      Is IRS taking sufficient steps to eliminate overpayments to the Earned
         Income Credit?

Because IRS’s latest compliance study uses tax year 1999 data and its new initiatives
are in the early planning stages, it is too early to determine whether IRS’s steps to
reduce Earned Income Credit (EIC) overpayments will be sufficient. IRS has plans to
evaluate the success of its initiatives, but data will not be available for some time. We

 U.S. General Accounting Office, Information Security: Progress Made, but Weaknesses at the
Internal Revenue Service Continue to Pose Risks, GAO-03-44 (Washington, D.C.: May 30, 2003).
Page 2                                                             GAO-03-962R IRS Oversight
are preparing a report on the precertification initiative, due in late July, which
discusses, among other things, IRS’s evaluation efforts for that program.

IRS has and continues to take steps aimed at reducing EIC overpayments. IRS
received about $875 million in special appropriations for EIC compliance initiatives
between 1998 and 2003. The most recent data available, for tax year 1999, showed
that overpayments for the EIC are estimated to be between about 27 and 32 percent
of dollars claimed or between $8.5 billion and $9.9 billion.

For fiscal year 2004, IRS has asked for a total of $251 million. This included $100
million to enhance its EIC compliance initiatives—about $45 million for technology
improvements and about $55 million for direct casework. The direct casework
involves three new initiatives, each of which would be tested over the next year and,
depending on the results, expanded in future years. The initiatives cover (1)
qualifying child verification, (2) income misreporting, and (3) filing status.

         Qualifying Child Verification Initiative: Filers that improperly claim
         qualified children represent the single largest area of EIC overclaims. Under
         this proposed initiative, IRS would notify taxpayers of their need to provide
         certain documentation to prove EIC eligibility and taxpayers would send in the
         required documentation prior to receiving the EIC portion of their refund, thus
         providing an opportunity for examiners to either accept or deny the claim. IRS
         plans to test this proposal beginning in late summer 2003 by mailing 45,000
         notices to taxpayers considered to be high risk because IRS could not verify
         eligibility for EIC through any available means.

         Income Misreporting Initiative: Income misreporting is another common
         problem with EIC claims. IRS plans to use document matching to identify EIC
         filers who have a history of misreporting income in order to increase (or
         receive) the EIC. Based on that history, 175,000 taxpayers’ returns would be
         flagged when their 2003 EIC claims are filed in the spring of 2004. Any EIC
         refund would then be frozen until IRS could verify the taxpayer’s income
         through document matching or audit procedures in the fall of 2004.

         Filing status Initiative: Another common problem associated with EIC
         claims is improper filing status. IRS plans to verify the filing status for 5,000
         cases, but the criteria for selecting the cases have not yet been determined.


We are sending copies of this letter to the Commissioner, Internal Revenue, and
interested congressional committees. We will also make copies available to others
upon request. In addition, this report will be available at no charge on the GAO Web
site at http://www.gao.gov.

If you have any questions about this letter or need additional information, please call
me on 202-512-9110 or Joanna Stamatiades, Assistant Director, on 404-679-1984. Key
contributors to this letter included Libby Mixon and Greg Wilshusen.

Page 3                                                        GAO-03-962R IRS Oversight