
IRS Systems Security and Funding: Additional Information on Employee Browsing and Tax Systems Modernization

Published by the Government Accountability Office on 1997-06-23.


United States
General Accounting Office
Washington, D.C. 20548

Accounting and Information
Management Division


B-277242

June 23, 1997

The Honorable Ben Nighthorse Campbell
Chairman, Subcommittee on Treasury and
 General Government
The Honorable Herb Kohl
Ranking Minority Member, Subcommittee on
 Treasury and General Government
Committee on Appropriations
United States Senate

Subject:     IRS Systems Security and Funding: Additional Information on
             Employee Browsing and Tax Systems Modernization

In our April 15, 1997, testimony before your Subcommittee, we reported on the
Internal Revenue Service (IRS) employees’ electronic browsing of taxpayer files
and IRS’ fiscal years 1998 and 1999 budget requests for tax systems
modernization.[1] Enclosed are our responses to additional questions received
from you on April 22, 1997, for the hearing record. Enclosure I contains
responses to Chairman Campbell’s questions, and enclosure II contains
responses to Senator Kohl’s questions.

A copy of this letter is also being sent to the Acting Commissioner of IRS.
Please contact me at (202) 512-6412 or Lynda Willis, Director, Tax Policy and
Administration Issues, General Government Division, at (202) 512-9110, if you
have questions regarding our responses.



Dr. Rona B. Stillman
Chief Scientist for Computers
 and Telecommunications

Enclosures


[1] IRS Systems Security and Funding: Employee Browsing Not Being Addressed
Effectively and Budget Requests for New Systems Development Not Justified
(GAO/T-AIMD-97-82, April 15, 1997).

 GAO/AIMD/GGD-97-140R Employee Browsing and Tax Systems Modernization
ENCLOSURE I
                   RESPONSES TO QUESTIONS ON IRS COMPUTER
                      SECURITY AND ELECTRONIC BROWSING

QUESTIONS SUBMITTED BY CHAIRMAN CAMPBELL

GAO Discovery of Browsing

Question: Based on what you have found, how common do you believe the browsing
problem is at IRS?

GAO Response: IRS does not collect sufficient information or sufficiently monitor
employee access to taxpayer data to determine the full extent of its browsing problem.
For example, information collected on each potential browsing case does not include the
number of taxpayer accounts inappropriately accessed or how many times each account
was accessed. A recent IRS study of browsing at 10 service centers also concluded that
the Service did not consistently count the number of browsing cases, and that it was
difficult to assess the overall effectiveness of IRS efforts to identify the extent of
browsing.

Also, IRS electronically monitors only employees who use the Integrated Data Retrieval
System (IDRS). IRS does not monitor the activities of IRS employees that use other
systems, such as the Distributed Input System, the Integrated Collection System, and the
Totally Integrated Examination System, which are also used to create, access, or modify
taxpayer data. In addition, information systems personnel responsible for systems
development and testing can browse taxpayer information on magnetic tapes, cartridges,
and other files using system utility programs, such as the Spool Display and Search
Facility, which also are not monitored by IRS.

Current IRS Procedures and Standards

Question: How would you qualify the IRS' current standards?

GAO Response: IRS' approach to computer security, which includes definition,
implementation, and enforcement of security policies and procedures (i.e., standards), is
not effective. Accordingly, we recommended that IRS reevaluate its current approach to
computer security, along with plans for improvement, and report the results to selected
congressional committees and subcommittees.[1]


[1] IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious
Weaknesses (GAO/AIMD-97-49, April 8, 1997).




Question: Are there government or industry standards for the protection of this type of
sensitive information? What are these standards based on?

GAO Response: Various federal laws and guidance govern the protection of sensitive and
critical federal data. The Privacy Act of 1974; the Paperwork Reduction Act of 1980, as
amended; and the Computer Security Act of 1987 all contain provisions requiring IRS and
other agencies to protect the confidentiality and integrity of the sensitive information that
they maintain. The Computer Security Act (Public Law 100-235) defines sensitive
information as “any information, the loss, misuse, or unauthorized access to or
modification of which could adversely affect the national interest or the conduct of
federal programs, or the privacy to which individuals are entitled under [the Privacy Act],
but which has not been specifically authorized under criteria established by an Executive
Order or an Act of Congress to be kept secret in the interest of national defense or
foreign policy.”

The adequacy of security and other internal controls over computerized data is also
addressed indirectly by the Federal Managers' Financial Integrity Act (FMFIA) of 1982 (31
U.S.C. 3512(b) and (c)) and the Chief Financial Officers (CFO) Act of 1990 (Public Law
101-576). FMFIA requires agency managers to annually evaluate their internal control
systems and report to the President and the Congress any material weaknesses that could
lead to fraud, waste, and abuse in government operations. The CFO Act requires agency
CFOs to develop and maintain financial management systems that provide complete,
reliable, consistent, and timely information. Under the act, major federal agencies, such
as IRS, annually issue audited financial statements. In practice, such audits generally
include evaluating and testing controls over information security.

In accordance with the Paperwork Reduction Act of 1980 (Public Law 96-511), the Office
of Management and Budget (OMB) is responsible for developing information security
policies and overseeing agency practices. In this regard, OMB has provided guidance for
agencies in OMB Circular A-130, appendix III, “Security of Federal Automated Information
Resources.” Since 1985, this circular has directed agencies to implement an adequate
level of security for all automated information systems that ensures (1) effective and
accurate operations and (2) continuity of operations for systems that support critical
agency functions. The circular establishes a minimum set of controls to be included in
federal agency information system security programs and requires agencies to review
systems security at least every 3 years. Responsibility for developing technical standards
and providing related guidance for sensitive data belongs primarily to the National
Institute of Standards and Technology (NIST), under the Computer Security Act. OMB,
NIST, and agency responsibilities for information security were recently reemphasized in
the Clinger-Cohen Act.


Question: Can you provide this subcommittee an outline of current IRS standards and
procedures relating to the security of taxpayers’ files?

GAO Response: IRS security standards and procedures for taxpayer files are in the
Internal Revenue Code, IRS' Tax Information Security Guidelines, IRS' Information
Security Policy, and Department of the Treasury guidance. The Internal Revenue Code
prohibits the unauthorized disclosure of federal returns and return information outside
IRS. IRS’ Tax Information Security Guidelines require that all computer and
communication systems that process, store, or transmit taxpayer data adequately protect
these data. The Service’s information security policy mandates that taxpayer information
is to be used only for necessary and lawful purposes.

In addition, the Department of the Treasury requires IRS to have C2-level safeguards to
protect the confidentiality of taxpayer data. The Department of Defense, in its Trusted
Computer System Evaluation Criteria (DoD 5200.28-STD), defines a hierarchy of security
levels (i.e., A1, B3, B2, B1, C2, C1, and D) with A1 being the highest level of protection
and D the lowest. Each level of safeguards includes all the requirements of lower levels.
C2-level safeguards are required by IRS for all sensitive but unclassified data. These
safeguards are designed to ensure need-to-know protection and controlled access to data,
including a security plan that requires access control; identification and authentication
that provide mechanisms to continually maintain accountability; operational and lifecycle
assurances that include validations of system integrity and computer systems tests of
security mechanisms; and documentation, such as a security features user's guide, test
documentation, and design documentation.

Question: The Committee is concerned that the IRS is unable to closely monitor its
employees’ access to files. What do you believe is the best course of action for IRS in
terms of technology and procedures that it can implement to better monitor its systems
and employees?

GAO Response: As we recommended in our April 1997 report and testimony,[2] the IRS
Commissioner needs to ensure that IRS completely and consistently monitors, records,
and reports the full extent of electronic browsing for all systems that can be used to
access taxpayer data. In this regard, IRS needs to address the fact that the system it
developed to monitor and detect browsing, the Electronic Audit Research Log (EARL),
does not have the capability to detect all instances of browsing. While EARL monitors


[2] IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious
Weaknesses (GAO/AIMD-97-49, April 8, 1997) and IRS Systems Security and Funding:
Employee Browsing Not Being Addressed Effectively and Budget Requests for New
Systems Development Not Justified (GAO/T-AIMD-97-82, April 15, 1997).



those employees using the Integrated Data Retrieval System, it does not monitor the
activities of IRS employees using other systems which are also used to create, access, or
modify taxpayer data, such as the Distributed Input System, the Integrated Collection
System, and the Totally Integrated Examination System. IRS is evaluating options for
developing a newer version of EARL with the ability to distinguish between legitimate
activity and browsing. We encourage IRS to move forward with this effort, but caution
that until employee activity is effectively monitored on all systems used to access
taxpayer data, IRS has no effective means to monitor employee browsing.
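The two monitoring gaps described above, as an added example that is not part of the original report and is not IRS's EARL: the first GAO response notes that IRS did not record how many taxpayer accounts an employee touched or how many times each account was accessed, and this one notes that monitoring covered only one of the systems able to reach taxpayer data. The script below pulls access records from several systems into one stream, computes those per-employee figures, flags accesses to accounts outside an employee's assigned caseload as a first-cut heuristic for separating legitimate work from browsing, and reports which systems in the log fall outside the monitored set. The log format, the system labels (IDRS, ICS, DIS, TIES are used only as names), the employee and account identifiers, and the caseload table are all constructed for illustration; the caseload rule is an assumption for the example, not a procedure the report prescribes.

```python
"""Added example (not IRS code): cross-system access-log aggregation.

Log lines, system labels, employee IDs, account IDs and the caseload table
are constructed for illustration. The caseload rule is an assumed heuristic.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Access(NamedTuple):
    ts: str
    system: str
    employee: str
    action: str
    account: str


# One line per access event, whatever system produced it (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+emp=(?P<emp>\S+)"
    r"\s+action=(?P<action>\S+)\s+acct=(?P<acct>\S+)$"
)

# Constructed sample: two employees, four systems, one shared audit stream.
SAMPLE_LOG = """\
1997-04-10T09:12:01 IDRS emp=E100 action=VIEW   acct=TIN-0001
1997-04-10T09:13:45 IDRS emp=E100 action=VIEW   acct=TIN-0002
1997-04-10T09:15:02 ICS  emp=E100 action=VIEW   acct=TIN-0002
1997-04-10T10:01:11 TIES emp=E200 action=MODIFY acct=TIN-0009
1997-04-10T10:05:00 DIS  emp=E200 action=VIEW   acct=TIN-0042
1997-04-10T10:05:30 DIS  emp=E200 action=VIEW   acct=TIN-0042
1997-04-10T10:06:10 DIS  emp=E200 action=VIEW   acct=TIN-0043
"""

# Constructed caseload table: the accounts each employee is assigned to work.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "E100": {"TIN-0001", "TIN-0002"},
    "E200": {"TIN-0009"},
}


def parse_log(text: str) -> List[Access]:
    """Parse the constructed log format. A line that does not match is an
    error, not something to drop silently: gaps in the audit trail are
    exactly what a browsing-detection program cannot afford."""
    records: List[Access] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        records.append(Access(m["ts"], m["system"], m["emp"], m["action"], m["acct"]))
    return records


def summarize(records: Iterable[Access], assignments: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per employee: accesses per account, systems used, and accesses to
    accounts outside the employee's assigned caseload (the assumed heuristic)."""
    per_emp: Dict[str, dict] = defaultdict(
        lambda: {"accounts": Counter(), "systems": set(), "unassigned": Counter()}
    )
    for r in records:
        entry = per_emp[r.employee]
        entry["accounts"][r.account] += 1
        entry["systems"].add(r.system)
        if r.account not in assignments.get(r.employee, set()):
            entry["unassigned"][r.account] += 1
    return {
        emp: {
            "accounts": dict(e["accounts"]),
            "systems": set(e["systems"]),
            "unassigned": dict(e["unassigned"]),
        }
        for emp, e in per_emp.items()
    }


def unmonitored_systems(records: Iterable[Access], monitored: Iterable[str]) -> Set[str]:
    """Systems that appear in the log but are outside the monitored set."""
    return {r.system for r in records} - set(monitored)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for emp, e in sorted(summarize(recs, ASSIGNMENTS).items()):
        print(emp, "distinct accounts:", len(e["accounts"]),
              "systems:", sorted(e["systems"]),
              "outside caseload:", e["unassigned"])
    print("in log but not monitored:", sorted(unmonitored_systems(recs, {"IDRS"})))
```

With only IDRS in the monitored set, the coverage check reports ICS, DIS and TIES as unmonitored even though they carry the same kind of access events, which is the point the response makes about EARL; the per-employee counts are what an investigator would need before discussing a case with the employee, and the caseload rule is only a starting heuristic, since legitimate work (reassignments, phone inquiries) will also produce out-of-caseload accesses.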

Question: In your estimation, is it currently possible for the IRS to monitor employees
well enough to avoid a case of mistaken identity of an employee who is browsing?

GAO Response: While our work did not specifically focus on whether IRS has the
capability to avoid this type of situation, we did review agency processes for investigating
browsing incidents. These processes include discussing matters under investigation with
involved employees. Having these discussions allows employees an opportunity to
explain instances of mistaken identity and IRS to consider this as a possible explanation
for accessing taxpayer information.

Question: Can GAO please provide the subcommittee with a recommendation as to
which procedures should be put in place by IRS to discourage future incidents of
browsing and how it can ensure the consistent implementation of punishments?

GAO Response: As we recommended in our April 1997 report and testimony,[3] the IRS
Commissioner should ensure that IRS completely and consistently monitors, records, and
reports the full extent of electronic browsing for all systems that can be used to access
taxpayer data and reports the associated disciplinary actions taken against employees
caught browsing. In doing this, IRS will need to enhance its capability to detect instances
of browsing and ensure that its policies and procedures on disciplining employees caught
browsing are applied consistently agencywide.




[3] GAO/AIMD-97-49, April 8, 1997, and GAO/T-AIMD-97-82, April 15, 1997.


ENCLOSURE II
                      QUESTIONS SUBMITTED BY SENATOR KOHL

Question: The GAO’s office has been very thorough in its review of the IRS and of its
Tax Systems Modernization efforts. Numerous reports have been issued and numerous
recommendations have been made. I am concerned about the fundamental management
problems within the IRS. Can you please tell us what progress you have seen the IRS
make over the past five years as it relates to its management problems?

GAO Response: IRS is taking some steps to address fundamental management problems,
but the Service has been slow in implementing our recommendations aimed at correcting
these problems. As a result, many management problems remain.

For example, the one factor that has most contributed to IRS' problems is the absence of
the kind of data (operational and financial) needed to effectively manage such a large
organization. We have commented many times, for example, on the impact of incomplete
information on IRS' efforts to efficiently and effectively collect delinquent taxes. Good
data are also needed if IRS is to bring to fruition its efforts to develop and track the kind
of performance measures (such as return on investment) that are needed to effectively
manage the agency and make critical resource allocation decisions. IRS has made some
strides in accumulating more useful data, but much more needs to be done. It is this
need, more than anything, that makes systems modernization so critically important.

In another instance, we briefed IRS management in early 1995 and later issued a report[1]
in July 1995 detailing pervasive management and technical weaknesses with IRS' Tax
Systems Modernization (TSM) program. At that time, we made over a dozen
recommendations to the IRS Commissioner to address these weaknesses.

Collectively, the recommendations called for IRS to (1) formulate a comprehensive
business strategy for maximizing electronic filings, (2) improve IRS' strategic information
management by implementing a process for selecting, prioritizing, controlling, and
evaluating the progress and performance of all major information systems and
investments, (3) implement disciplined, consistent procedures for software requirements
management, quality assurance, configuration management, and project planning and
tracking, and (4) complete and enforce an integrated systems architecture and security
and data architectures. IRS concurred with our findings and conclusions and agreed to
implement our recommendations.



[1] Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected
If Modernization Is To Succeed (GAO/AIMD-95-156, July 26, 1995).


Pursuant to congressional direction, we assessed IRS' actions, as delineated in Treasury's
report on tax systems modernization, to correct its management and technical
weaknesses. Specifically, we reported in June and September 1996[2] that while IRS had
initiated many activities to improve its modernization efforts, it had not yet fully
implemented any of our recommendations. Consequently, in order to minimize the risk
attached to continued investment in systems modernization, we suggested to the Congress
that it consider limiting modernization funding to only cost-effective efforts that (1)
support ongoing operations and maintenance, (2) correct IRS’ pervasive management and
technical weaknesses, (3) are small, represent low technical risk, and can be delivered
quickly, and (4) involve deploying already developed and fully tested systems that have
proven business value and are not premature given the lack of a completed architecture.

To help improve IRS' modernization and correct persisting management and technical
weaknesses, the Congress in the fiscal year 1997 Omnibus Consolidated Appropriations
Act, directed IRS to (1) submit by December 1, 1996, a schedule for transferring a
majority of its modernization development and deployment to contractors by July 31,
1997, and (2) establish a schedule by February 1, 1997, for implementing GAO’s
recommendations by October 1, 1997. In its conference report on the act, the Congress
directed the Secretary of the Treasury to (1) provide quarterly reports on the status of
IRS' corrective actions and modernization spending[3] and (2) submit, by May 15, 1997, a
technical architecture for the modernization that has been approved by Treasury’s
Modernization Management Board. Also, the Board was directed to prepare a request for
proposals by July 31, 1997, to acquire a prime contractor to manage modernization
deployment and implementation or face suspension of funding for TSM operational
systems.

IRS has continued to take steps to address our recommendations and respond to
congressional direction. For example, IRS hired from outside the agency, a new Chief
Information Officer and a Director of the Service’s newly created Government Program
Management Office (GPMO). It also created an investment review board to select,
control, and evaluate its information technology investments. Thus far, the board has

[2] Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected
Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996) and Tax
Systems Modernization: Actions Underway But Management and Technical Weaknesses
Not Yet Corrected (GAO/T-AIMD-96-165, September 10, 1996).
[3] H.R. Report No. 863, 104th Cong., 2d Session (1996). The Congress also included the
requirement that Treasury provide a milestone schedule for developing and implementing
all modernization projects in Treasury's fiscal year 1996 appropriations act (Public Law
104-52, 109 Stat. 474, November 19, 1995).


reevaluated and terminated selected major TSM development projects, such as the
Document Processing System. In addition, IRS provided a November 26, 1996, report to
the Congress that set forth IRS' strategic plan and schedule for shifting modernization
development and deployment to contractors.

IRS has other actions underway to strengthen TSM management. For example, it is
developing a comprehensive strategy to maximize electronic filing. It is also updating its
system development life cycle methodology and is working across various IRS
organizations to define disciplined processes for software requirements management,
quality assurance, configuration management, and project planning and tracking. In
addition, on May 15, 1997, IRS issued for comment a technical architecture for the
modernization. Further, IRS has prepared a schedule for implementing our
recommendations and has provided it to the Congress.

While we are encouraged by IRS' and Treasury's actions, we remain concerned that
continued progress is necessary to fully implement essential improvements. First,
increasing the use of contractors will not automatically increase the likelihood of
successful modernization because IRS does not have the disciplined acquisition processes
needed to manage all of its current contractors. As a case in point, IRS' Cyberfile, a
system development effort led by contractors to enable taxpayers to personally prepare
and file their tax returns electronically, exhibited many undisciplined software acquisition
practices as well as inadequate financial and management controls. Eventually, IRS
canceled the Cyberfile project after spending over $17 million and without fielding any of
the system's promised capabilities. Therefore, if IRS is to use additional contractors
effectively, it will have to first strengthen and improve its ability to manage those
contractors.

In addition, IRS needs to continue to make concerted, sustained efforts to fully implement
our recommendations and respond effectively to the requirements outlined by the
Congress. It will take both management commitment and technical discipline for IRS to
do this effectively. Accordingly, we plan to continue assessing IRS' progress in its critical
endeavor to modernize.

Question: Doctor Stillman, what should we do about the TSM project? Should we
continue to provide funding? What would happen to the nation’s collection systems if we
were to call a halt to the modernization efforts?




GAO Response: As we noted in our recent high-risk reports addressing TSM,[4] IRS needs
to continue to make concerted, sustained efforts to fully implement our recommendations
and respond to the requirements outlined by the Congress. These efforts should include
(1) limiting information system projects, both in house and contracted out, to small, low
risk, near-term projects that IRS has the ability to successfully develop or acquire,
(2) improving IRS’ system development and acquisition capabilities, (3) finalizing the
architecture and ensuring that all IRS system projects conform to it, (4) instituting
disciplined investment processes to ensure that all information technology investment
decisions (e.g., project selection, control, and evaluation) are based on reliable, objective,
and, whenever possible, quantitative data including cost and risk adjusted return on
investment, (5) reengineering IRS business processes, focusing on electronic filing, and
using these improved processes to determine those information technology investments
needed to support the new processes, and (6) ensuring that all future IRS information
systems budgets take into account IRS' performance as specified in the Clinger-Cohen
Act.

These efforts will take management commitment, follow-through, and technical
discipline by IRS in partnership with the Treasury Department, OMB, and the Congress.
Once these essential improvements are made, IRS should have an effective
implementation strategy for achieving its business vision, the capacity to make sound
investments in information technology, and the necessary technical foundation for
effectively modernizing its processes and systems.

However, until these essential improvements are made and adequate justifications for
system investments provided, the Congress, as we suggested in June and September
1996,[5] could continue to limit modernization funding to only cost-effective efforts that (1)
support ongoing operations and maintenance, (2) correct IRS' pervasive management and
technical weaknesses, (3) are small, represent low technical risk, and can be delivered
quickly, and (4) involve deploying already developed systems, only if these systems have
been fully tested, are not premature given the lack of a completed architecture, and
produce a proven, verifiable business value. As the Congress gains confidence in IRS’
ability to successfully develop these smaller, cheaper, quicker projects, it could consider
approving larger, more complex, more expensive projects in future years.

[4] High-Risk Series: IRS Management (GAO/HR-97-8, February 1997) and High-Risk Series:
Information Management and Technology (GAO/HR-97-9, February 1997).
[5] Tax Systems Modernization: Actions Underway But Management and Technical
Weaknesses Not Yet Corrected (GAO/T-AIMD-96-165, September 10, 1996) and
Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected
Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996).


Should the Congress completely halt and abandon modernization and IRS continue to
maintain its current operational systems and procedures, the Service would continue to
collect the vast majority of taxes as it does now through federal tax withholding and
deposit processes. IRS’ performance in collecting delinquent taxes would probably also
remain the same. However, IRS' performance in collecting delinquent taxes, as we have
reported,[6] has generally been poor due to IRS' inefficient collection processes and
systems.

Question: It has been almost ten years since the 1988 amendments to the Inspector
General Act of 1978 placed IRS oversight responsibilities with the Inspector General
Office of Treasury and internal audits and inspections with the Office of the Chief
Inspector. Do you have any recommendations for improving this level of IRS oversight?

GAO Response: We have not reviewed the responsibilities of Treasury's Office of the
Inspector General (OIG), the OIG’s role in overseeing IRS, or the roles and responsibilities
of IRS’ Chief Inspector, and therefore, are not in a position to offer recommendations
regarding this level of IRS oversight.

However, our work has addressed the need for Treasury oversight of IRS’ modernization
activities and identified opportunities for improving this level of oversight. Specifically,
since our July 1995 report on the Tax Systems Modernization,[7] Treasury has become more
active in overseeing IRS’ modernization efforts. In May 1996, Treasury reported to the
House and Senate Appropriations Committees on steps under way and planned to exert
greater management oversight of IRS' modernization efforts.[8] For example, the
department established a Modernization Management Board (MMB), chaired by the
Deputy Secretary of the Treasury, to be the primary review and decision-making body for
modernization and TSM policy and strategic direction. In addition, Treasury scaled back
the overall size of the modernization by approximately $2 billion and is working with IRS
to obtain additional contractor help to accomplish the modernization. More recently, the
MMB and IRS have reevaluated and terminated selected major modernization
development projects, such as the Document Processing System.




[6] GAO/HR-97-8, February 1997.
[7] GAO/AIMD-95-156, July 26, 1995.
[8] Report to the House and Senate Appropriations Committees: Progress Report on IRS's
Management and Implementation of Tax Systems Modernization, Department of the
Treasury, May 6, 1996.


While we recognize Treasury’s actions to address IRS problems, much remains to be done
to fully implement essential IRS improvements. The department’s continued focus on
monitoring IRS' corrective actions will be a key factor in ensuring progress.




(511543)


Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are also accepted.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov

United States
General Accounting Office
Washington, D.C. 20548-0001


Official Business
Penalty for Private Use $300

Address Correction Requested