United States General Accounting Office
GAO Testimony
Before the Subcommittee on Oversight, Committee on Ways and Means, House of Representatives

For Release on Delivery
Expected at 10:00 a.m. EDT
Tuesday, March 4, 1997

IRS HIGH-RISK ISSUES
Modernization of Processes and Systems Necessary to Resolve Problems

Statement of Lynda D. Willis, Director, Tax Policy and Administration Issues, General Government Division

GAO/T-GGD-97-52

Madam Chairman and Members of the Subcommittee:

We are pleased to be here today to assist the Subcommittee in its review of the Internal Revenue Service’s (IRS) efforts to improve the efficiency and effectiveness of its program areas that we have identified as high risk because of their vulnerability to waste, fraud, abuse, and mismanagement. A key factor in understanding IRS’ ongoing difficulties in the high-risk areas is the realization that its major processes and systems were developed and implemented decades ago and were not designed to address the critical needs and vulnerabilities that confront IRS in the 1990s. In addition, the problems IRS faces in attempting to eliminate its high-risk vulnerabilities are compounded by the interdependency of the high-risk areas. For example, IRS’ success in addressing the weaknesses in its program areas is clearly linked to its success in modernizing its information systems. However, this understanding of the difficulties IRS faces does not mitigate our concern over IRS’ progress in developing a comprehensive strategy or detailed business plan to modernize its outdated processes and systems. Without successfully modernizing its processes and systems, IRS cannot hope to resolve the problems in its high-risk areas.
Overview

In February 1997, we issued our third series of reports on the status of high-risk areas across the government.[1] One report in the series discussed the four long-standing high-risk areas at IRS: (1) tax systems modernization—IRS’ development of the business and management strategies, software acquisition and development capabilities, and technical infrastructure and systems architecture needed to modernize its systems and processes; (2) financial management—IRS’ efforts to properly account for its tax revenues, obligations, and disbursements; (3) accounts receivable—IRS’ initiatives to better understand the composition of its tax debt inventory and to devise effective collection strategies and reliable programs to prevent future delinquencies; and (4) filing fraud—IRS’ efforts to gather sufficient information to determine the effectiveness of its attempts to deter the filing of fraudulent returns.[2] Our 1997 high-risk report series also designated five new high-risk areas, two of which have government-wide implications and directly affect IRS’ operations.[3] One area is information security—IRS’ initiatives to better protect the confidentiality and accuracy of taxpayer data from unauthorized access and manipulation. The other area is the year 2000 problem—IRS’ plans to protect itself from the operational and financial impacts that could affect tax processing and revenue collection systems if its computer systems cannot accommodate the change of date to the year 2000. Today, we will briefly discuss the problems IRS faces in these six high-risk areas, the progress IRS has made since our last series of high-risk reports in 1995, and the measures IRS must take to resolve the problems in its high-risk areas. This testimony is based on our prior reports and recent information obtained from IRS.

[1] GAO/HR-97-20SET.
[2] GAO/HR-97-8.
[3] GAO/HR-97-9.

IRS’ High-Risk Areas

For years we have chronicled IRS’ struggle to modernize and manage its operations, especially in the high-risk areas, and have made scores of recommendations to improve IRS’ systems, processes, and procedures. It is clear that in order to achieve its stated goals of reducing the volume of paper tax returns, providing better customer service, and improving compliance with the nation’s tax laws, IRS must successfully modernize its systems and operations. To accomplish this modernization, however, IRS needs to develop comprehensive business strategies to ensure that its new and revised processes drive systems development and acquisition. Solving the problems in the high-risk areas is not an insurmountable task, but it requires sustained management commitment, accurate information systems, and reliable performance measures to track IRS’ progress and provide the data necessary to make informed management decisions.

Tax Systems Modernization

Over the last decade, IRS has been attempting to overhaul its timeworn, paper-intensive approach to tax return processing. At stake is the over $3 billion that IRS has spent or obligated on this modernization since 1986, as well as any additional funds that IRS plans to spend on the modernization. In July 1995, we reported that IRS (1) did not have a comprehensive business strategy to cost-effectively reduce paper tax return filings; (2) had not yet fully developed and put in place the requisite management, software development, and technical infrastructure necessary to successfully implement its ambitious, world-class modernization; and (3) lacked an overall systems architecture, or blueprint, to guide the modernization’s development and evolution.[4] At that time, we made over a dozen recommendations to the IRS Commissioner to address these weaknesses. Pursuant to subsequent congressional direction, we assessed IRS’ actions to correct its management and technical weaknesses.
We reported in June and September 1996 that IRS had initiated many activities to improve its modernization efforts but had not yet fully implemented any of our recommendations.[5] We also suggested to Congress that it consider limiting modernization funding exclusively to cost-effective efforts that (1) support ongoing operations and maintenance; (2) correct IRS’ pervasive management and technical weaknesses; (3) are small, represent low technical risk, and can be delivered quickly; and (4) involve deploying already developed and fully tested systems that have proven business value and are not premature given the lack of a completed architecture. IRS has taken steps to address our recommendations and respond to congressional direction. For example, IRS hired a new Chief Information Officer. It also created an investment review board to select, control, and evaluate its information technology investments. Thus far, the board has reevaluated and terminated several major modernization development projects that were not found to be cost-effective. In addition, IRS provided a report to Congress in November 1996 that set forth IRS’ strategic plan and its schedule for shifting modernization development and deployment to contractors. IRS is also finalizing a comprehensive strategy to maximize electronic filing that is currently scheduled for completion in May 1997. It is also updating its system development life cycle methodology and is working across various IRS organizations to define disciplined processes for software requirements management, quality assurance, configuration management, and project planning and tracking. Additionally, IRS is developing a systems architecture and project sequencing plan for the modernization and intends to provide this to Congress by May 15, 1997.

[4] Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995).
[5] Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996) and Tax Systems Modernization: Actions Underway But Management and Technical Weaknesses Not Yet Corrected (GAO/T-AIMD-95-165, Sept. 10, 1996).

While we recognize IRS’ actions, we remain concerned because much remains to be done to fully implement essential improvements. Increasing the use of contractors, for example, will not automatically increase the likelihood of successful modernization because IRS does not have the technical capability needed to manage all of its current contractors. To be successful, IRS must also continue to make a concerted, sustained effort to fully implement our recommendations and respond effectively to the requirements outlined by Congress. It will take both management commitment and technical discipline for IRS to accomplish these tasks.

Financial Management

Our audits of IRS’ financial statements have outlined the substantial improvements needed in IRS’ accounting and reporting in order to comply fully with the requirements of the Chief Financial Officers Act of 1990 (CFO Act). The audits for fiscal years 1992 through 1995 have described IRS’ difficulties in (1) properly accounting for its tax revenues, in total and by reported type of tax; (2) reliably determining the amount of accounts receivable owed for unpaid taxes; (3) regularly reconciling its Fund Balance With Treasury accounts; and (4) either routinely providing support for receipt of the goods and services it purchases or, where supported, accurately recording the purchased item in the proper period. IRS has made progress in addressing problems in these areas and has developed an action plan, with specific timetables and deliverables, to address the issues our financial statement audits have identified.
In the administrative accounting area, for example, IRS reported that it has identified substantially all of the reconciling items for its Fund Balance With Treasury accounts, except for certain amounts IRS has deemed not to be cost-beneficial to research further. It also has successfully transferred its payroll processing to the Department of Agriculture’s National Finance Center and has begun designing both a short-term and a long-term strategy to fix the problems that contribute to its nonpayroll expenses being unsupported or reported in the wrong period. In the revenue accounting area, IRS’ problems are especially affected and complicated by automated data processing systems that were implemented many years ago and thus not designed to support the new financial reporting requirements imposed by the CFO Act. Therefore, IRS has designed an interim solution to capture the detailed support for revenue and accounts receivable until longer-term solutions can be identified and implemented. Some of the longer-term actions include (1) implementing software, hardware, and procedural changes needed to create reliable subsidiary accounts receivable and revenue records that are fully integrated with the general ledger; and (2) implementing software changes that allow the detailed taxes reported to be maintained separately from the results of compliance efforts that would not be valid financial reporting transactions in the masterfile, other related revenue accounting feeder systems, and the general ledger. Over the past 4 years, we have made numerous recommendations to improve IRS’ financial management systems and reporting, and IRS has been working to position itself to have more reliable financial statements for fiscal year 1997 and thereafter.
To accomplish this, especially in accounting for revenue and the related accounts receivables, IRS will need to institute long-term solutions involving reprogramming software for IRS’ antiquated systems and developing new systems as required. Follow-through to complete necessary corrective measures is essential if IRS is to ensure that its corrective actions are carried out and effectively solve its financial management problems. Solving these problems is fundamental to providing reliable financial information and ensuring taxpayers that the government can properly account for their federal tax dollars. The accuracy of IRS’ financial statements is vital to both IRS and Congress for (1) ensuring adequate accountability for IRS programs; (2) assessing the impact of tax policies; and (3) measuring IRS’ performance and cost effectiveness in carrying out its numerous tax enforcement, customer service, and collection activities.

Accounts Receivable

IRS routinely collects over a trillion dollars annually in taxes, but many taxpayers are unable or unwilling to pay their taxes when due. As a result, IRS estimates that its accounts receivable amounts to tens of billions of dollars. Unfortunately, IRS’ ability to effectively address its accounts receivable problems is seriously hampered by its outdated equipment and processes, incomplete information needed to better target collection efforts, and the absence of a comprehensive strategy and detailed plan to address the systemic nature of the underlying problems. IRS’ collection efforts have also been hampered by the age of the delinquent tax accounts. Because of the outdated equipment and processes used to match tax returns and related information documents, it can take IRS several years to identify potential delinquencies and then initiate collection actions.
In addition, according to IRS, the 10-year statutory collection period generally precludes it from writing off uncollectible receivables until that period has expired. As a result, the receivables inventory includes many relatively old accounts that will never be collected because the taxpayers are deceased or the companies defunct. This is not to say, however, that IRS has not been trying to overcome its deficiencies. In the last 2 years, IRS has undertaken initiatives to correct errors in its masterfile records of tax receivables, develop profiles of delinquent taxpayers, and study the effectiveness of various collection techniques. It has also streamlined its collection process, placed additional emphasis on contacting repeat delinquents, made its collection notices more readable, and targeted compliance-generated delinquencies for earlier intervention. IRS reported that, as a result of taking these actions, its collection employees took in more money than they classified as “currently not collectible” and that the amount of money collected immediately following the revision of its collection notices increased by almost 25 percent over a comparable period in 1995. In addition, IRS reported collecting more in delinquent taxes in fiscal year 1996 than it ever has, almost $30 billion. Despite these positive results, IRS needs to continue the development of information databases and performance measures to afford its managers the data needed to determine which actions or improvements generate the desired changes in IRS’ programs and operations. And, this should not be looked upon as a short-term commitment. It will still take a number of years to identify the root causes of delinquencies and to develop, test, and implement courses of action to deal with the causes. Furthermore, once the analyses and planning are completed, it will still be some time before full results of the new initiatives are realized.
Therefore, IRS must take deliberate action to ensure that its problem-solving efforts are on the right track. Specifically, it needs to implement a comprehensive strategy that involves all aspects of IRS’ operations and that sets priorities; accelerates the modernization of outdated equipment and processes; and establishes realistic goals, specific timetables, and a system to measure progress.

Filing Fraud

When we first identified filing fraud as a high-risk area in February 1995, the amount of filing fraud being detected by IRS was on an upward spiral. Since then, IRS has introduced new controls and expanded existing controls in an attempt to reduce its exposure to filing fraud. Those controls are directed toward either (1) preventing the filing of fraudulent returns or (2) identifying questionable returns after they have been filed. To deter the filing of fraudulent returns, IRS (1) expanded the number of up-front filters in the electronic filing system designed to screen electronic submissions for selected problems in order to prevent returns with those problems from being filed electronically and (2) strengthened the process for checking the suitability of persons applying to participate in the electronic filing program as return preparers or transmitters by requiring fingerprint and credit checks. To better identify fraudulent returns once they have been filed, IRS placed an increased emphasis in 1995 on validating social security numbers (SSN) on filed paper returns and delayed any related refunds to allow time to do those validations and to check for possible fraud. IRS also revised the computerized formulas it used to score all tax returns as to their fraud potential and upgraded the research capabilities of its fraud detection staff. IRS’ efforts produced some positive results.
For example, the number of SSN problems identified by the electronic filing filters quadrupled between 1994 and 1995, and about 350 persons who applied to participate in the electronic filing program for 1995 were rejected because they failed the new fingerprint and credit checks. IRS’ efforts to validate SSNs on paper returns produced over $800 million in reduced refunds or additional taxes. Unfortunately, IRS identified many more SSN problems than it was able to deal with and released about 2 million refunds without resolving the problems. IRS was less successful in identifying fraudulent returns, identifying over 65 percent fewer fraudulent returns in 1996 than during a comparable period in 1995. IRS believes this decrease is attributable to a 31-percent reduction in its fraud detection staff and the resulting underutilization of its Electronic Fraud Detection System, which enhances the identification of fraudulent returns and lessens the probability of improperly deleting accurate refunds. However, IRS does not have the information it needs to verify that the decline was the result of staff reductions or to determine the extent to which the downward trend may have been affected by changes in the program’s operating and reporting procedures or by a general decline in the incidence of fraud. Given the decrease in fraud detection staff, it is critically important for IRS to (1) optimize the electronic controls that are intended to prevent the filing of fraudulent returns and (2) maximize the effectiveness of available staff. Modernization is the key to achieving these objectives, and electronic filing is the cornerstone of that modernization. One solution, then, is to increase the percentage of returns filed electronically. To achieve this goal, IRS must first identify those groups of taxpayers who offer the greatest opportunity to reduce IRS’ paper-processing workload and operating costs if they were to file electronically.
IRS must then develop strategies that focus its resources on eliminating or lessening impediments that inhibit those groups from participating in the program.

Information Security

Malicious attacks on computer systems are an increasing threat to our national welfare. The federal government now relies heavily on interconnected systems to control critical functions which, if compromised, place billions of dollars worth of assets at risk of loss and vast amounts of sensitive data at risk of unauthorized disclosure. Increasing reliance on networked systems and electronic records has elevated our concerns about the possibility of serious disruption to critical federal operations. As a result of our recent work at IRS, we believe that the vulnerabilities of IRS’ computer systems may affect the confidentiality and accuracy of taxpayer data and may allow unauthorized access, modification, or destruction of taxpayer information. The overriding problem at IRS is that information security issues are addressed on a reactive basis. IRS does not have a proactive, independent information security group that systematically reviews the adequacy and consistency of security over IRS’ computer operations. In addition, computer security management has not completed a formal risk assessment of its systems to determine system sensitivity and vulnerability. As a result, IRS cannot effectively prevent or detect unauthorized browsing of taxpayer information and cannot ensure that taxpayer data is not being improperly manipulated for personal gain. IRS needs to address its information security weaknesses on a continuing basis. More specifically, IRS needs to impress upon its senior managers the need to conduct regular systematic security reviews and risk assessments of IRS’ computer systems and operations.
The weaknesses identified by these reviews and assessments then need to be corrected expeditiously by personnel who have the technical expertise to effectively implement, manage, and monitor the necessary security controls and measures.

The Year 2000 Problem

For the past several decades, computer systems have used two digits to represent the year, such as “97” for 1997, in order to conserve electronic data storage and reduce operating costs. In this format, however, the year 2000 is indistinguishable from the year 1900 because both are represented as “00.” As a result, if not modified, computer systems and applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999. For IRS, such a disruption of functions and services could jeopardize all of its tax processing systems and administration. It could effectively halt the processing of tax return and return-related information, the maintenance of taxpayer account information, the assessment and collection of taxes, the recording of obligations and expenditures, and the disbursement of refunds. At the very least, IRS’ core business functions and mission-critical processes are at risk of failure, as are numerous other administrative and management processes. To avoid the crippling effects of a multitude of computer systems simultaneously producing inaccurate and unreliable information, IRS must assign management and oversight responsibility within its senior executive corps, define the potential impact of such a systems failure, and develop appropriate renovation strategies and contingency plans for its critical systems. Modifying IRS’ critical computer systems is a massive undertaking whose success or failure will, in large part, be determined by the quality of IRS’ executive leadership and program management.

Summary Outlook

For years, IRS has struggled to collect the nation’s tax revenue using outdated processes and technology.
The result has often been inefficient and ineffective programs and operations that are vulnerable to waste, fraud, abuse, and mismanagement. Of particular concern to us have been IRS’ efforts to modernize its tax systems, manage its administrative and revenue accounting systems, identify and collect taxes owed the government, detect and prevent the filing of fraudulent tax returns, protect the confidentiality of taxpayer information, and prevent the future disruption of tax services due to computer malfunctions. These areas of concern share common characteristics that IRS must address in the very near future. At a minimum, IRS needs an implementation strategy that includes both performing cost-benefit analyses and developing reasonable estimates of the extent, time frames, and resources required to correct its high-risk vulnerabilities. IRS also needs to (1) better define, prioritize, implement, and manage new information systems; (2) ensure that its administrative and revenue accounting systems fully comply with government accounting standards; (3) design and implement both administrative and electronic controls to protect taxpayer data from unauthorized access; and (4) develop performance measures that will allow its managers, Congress, and us to track its progress. And, above all, IRS management needs to sustain an agencywide commitment to solving the agency’s high-risk problems.

Madam Chairman, this concludes my prepared statement. We will be glad to answer any questions that you or the Members of the Subcommittee may have.

(268786)
IRS High-Risk Issues: Modernization of Processes and Systems Necessary to Resolve Problems
Published by the Government Accountability Office on 1997-03-04.