United States General Accounting Office Washington, DC 20548 June 27, 2003 The Honorable William M. Thomas Chairman Joint Committee On Taxation Subject: May 20 Oversight Hearing on the Internal Revenue Service – Questions for the Record It was a pleasure to appear before the Joint Committee on Taxation on May 20, 2003, to discuss the Internal Revenue Service’s (IRS) accomplishments in the 5 years since the IRS Restructuring and Reform Act of 1998 was passed. Enclosed are our answers to questions from the Honorable Marsha Blackburn, dated June 3, 2003, which required a written response. I hope this information is helpful. Sincerely yours, James R. White Director, Strategic Issues Enclosure GAO-03-962R IRS Oversight (1) How much money has IRS spent on upgrading its security? Are the challenges associated with ensuring information security technological or managerial? According to IRS officials, spending for security in fiscal year 2003 is about $132 million, including about $39 million dedicated to information technology security improvements. For fiscal year 2004, IRS officials state that they have requested about $136 million for information technology security, with about $40 million dedicated to improvements. The challenges facing IRS in ensuring information security are largely managerial. Ensuring that known weaknesses affecting IRS’s computing resources are promptly mitigated and that computer controls effectively protect its systems and data requires support and leadership from senior management of IRS’s information technology and operating divisions, disciplined processes, and consistent oversight. We have reported that an underlying cause for the hundreds of information security weaknesses identified during our reviews of IRS’s computer controls was that IRS has not fully implemented its agencywide information security program.1 Implementing such a program requires that IRS take a comprehensive approach that includes assessing risks and evaluating needs, establishing and implementing appropriate policies and controls, enhancing awareness and technical skills, and monitoring the effectiveness of controls on an ongoing basis. Further, a successful program will need the active and accountable involvement of both (1) operating division executives and managers who understand which aspects of their missions and information systems are the most critical and sensitive and (2) technical experts who know the agency’s systems and understand the technical aspects of implementing security controls. At the same time, technology is certainly part of the answer. While there are no silver bullets, there are many tools today that are very helpful in implementing information security and could assist IRS in its efforts to strengthen security. Until IRS effectively and fully implements its agencywide information security program, assurance will remain limited that IRS’s financial information and taxpayers’ personal information are adequately safeguarded against unauthorized use, disclosure, and modification, and its exposure to these risks will remain unnecessarily high. (2) Is IRS taking sufficient steps to eliminate overpayments to the Earned Income Credit? Because IRS’s latest compliance study uses tax year 1999 data and its new initiatives are in the early planning stages, it is too early to determine whether IRS’s steps to reduce Earned Income Credit (EIC) overpayments will be sufficient. IRS has plans to evaluate the success of its initiatives, but data will not be available for some time. We 1 U.S. General Accounting Office, Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks, GAO-03-44 (Washington, D.C.: May 30, 2003). Page 2 GAO-03-962R IRS Oversight are preparing a report on the precertification initiative, due in late July, which discusses, among other things, IRS’s evaluation efforts for that program. IRS has and continues to take steps aimed at reducing EIC overpayments. IRS received about $875 million in special appropriations for EIC compliance initiatives between 1998 and 2003. The most recent data available, for tax year 1999, showed that overpayments for the EIC are estimated to be between about 27 and 32 percent of dollars claimed or between $8.5 billion and $9.9 billion. For fiscal year 2004, IRS has asked for a total of $251 million. This included $100 million to enhance its EIC compliance initiatives—about $45 million for technology improvements and about $55 million for direct casework. The direct casework involves three new initiatives, each of which would be tested over the next year and, depending on the results, expanded in future years. The initiatives cover (1) qualifying child verification, (2) income misreporting, and (3) filing status. Qualifying Child Verification Initiative: Filers that improperly claim qualified children represent the single largest area of EIC overclaims. Under this proposed initiative, IRS would notify taxpayers of their need to provide certain documentation to prove EIC eligibility and taxpayers would send in the required documentation prior to receiving the EIC portion of their refund, thus providing an opportunity for examiners to either accept or deny the claim. IRS plans to test this proposal beginning in late summer 2003 by mailing 45,000 notices to taxpayers considered to be high risk because IRS could not verify eligibility for EIC through any available means. Income Misreporting Initiative: Income misreporting is another common problem with EIC claims. IRS plans to use document matching to identify EIC filers who have a history of misreporting income in order to increase (or receive) the EIC. Based on that history, 175,000 taxpayers’ returns would be flagged when their 2003 EIC claims are filed in the spring of 2004. Any EIC refund would then be frozen until IRS could verify the taxpayer’s income through document matching or audit procedures in the fall of 2004. Filing status Initiative: Another common problem associated with EIC claims is improper filing status. IRS plans to verify the filing status for 5,000 cases, but the criteria for selecting the cases have not yet been determined. ----- We are sending copies of this letter to the Commissioner, Internal Revenue, and interested congressional committees. We will also make copies available to others upon request. In addition, this report will be available at no charge on the GAO Web site at http://www.gao.gov. If you have any questions about this letter or need additional information, please call me on 202-512-9110 or Joanna Stamatiades, Assistant Director, on 404-679-1984. Key contributors to this letter included Libby Mixon and Greg Wilshusen. Page 3 GAO-03-962R IRS Oversight
May 20 Oversight Hearing on the Internal Revenue Service--Questions for the Record
Published by the Government Accountability Office on 2003-06-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)