oversight

IRS High-Risk Issues: Modernization of Processes and Systems Necessary to Resolve Problems

Published by the Government Accountability Office on 1997-03-04.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                         United States General Accounting Office

GAO                      Testimony
                         Before the Subcommittee on Oversight, Committee on
                         Ways and Means, House of Representatives




For Release
on Delivery
Expected at
                         IRS HIGH-RISK ISSUES
10:00 a.m. EDT
Tuesday, March 4, 1997

                         Modernization of Processes
                         and Systems Necessary to
                         Resolve Problems
                         Statement of Lynda D. Willis, Director, Tax Policy and
                         Administration Issues, General Government Division




GAO/T-GGD-97-52
           Madam Chairman and Members of the Subcommittee:

           We are pleased to be here today to assist the Subcommittee in its review of
           the Internal Revenue Service’s (IRS) efforts to improve the efficiency and
           effectiveness of its program areas that we have identified as high risk
           because of their vulnerability to waste, fraud, abuse, and mismanagement.
           A key factor in understanding IRS’ ongoing difficulties in the high-risk
           areas is the realization that its major processes and systems were
           developed and implemented decades ago and were not designed to
           address the critical needs and vulnerabilities that confront IRS in the
           1990s. In addition, the problems IRS faces in attempting to eliminate its
           high-risk vulnerabilities are compounded by the interdependency of the
           high-risk areas. For example, IRS’ success in addressing the weaknesses in
           its program areas is clearly linked to its success in modernizing its
           information systems. However, this understanding of the difficulties IRS
           faces does not mitigate our concern over IRS’ progress in developing a
           comprehensive strategy or detailed business plan to modernize its
           outdated processes and systems. Without successfully modernizing its
           processes and systems, IRS cannot hope to resolve the problems in its
           high-risk areas.


           In February 1997, we issued our third series of reports on the status of
Overview   high-risk areas across the government.1 One report in the series discussed
           the four long-standing high-risk areas at IRS: (1) tax systems
           modernization—IRS’ development of the business and management
           strategies, software acquisition and development capabilities, and
           technical infrastructure and systems architecture needed to modernize its
           systems and processes; (2) financial management—IRS’ efforts to properly
           account for its tax revenues, obligations, and disbursements; (3) accounts
           receivable—IRS’ initiatives to better understand the composition of its tax
           debt inventory and to devise effective collection strategies and reliable
           programs to prevent future delinquencies; and (4) filing fraud—IRS’ efforts
           to gather sufficient information to determine the effectiveness of its
           attempts to deter the filing of fraudulent returns.2

           Our 1997 high-risk report series also designated five new high-risk areas,
           two of which have government-wide implications and directly affect IRS’



           1
            GAO/HR-97-20SET.
           2
            GAO/HR-97-8.



           Page 1                                                       GAO/T-GGD-97-52
                       operations.3 One area is information security—IRS’ initiatives to better
                       protect the confidentiality and accuracy of taxpayer data from
                       unauthorized access and manipulation. The other area is the year 2000
                       problem—IRS’ plans to protect itself from the operational and financial
                       impacts that could affect tax processing and revenue collection systems if
                       its computer systems cannot accommodate the change of date to the year
                       2000.

                       Today, we will briefly discuss the problems IRS faces in these six high-risk
                       areas, the progress IRS has made since our last series of high-risk reports
                       in 1995, and the measures IRS must take to resolve the problems in its
                       high-risk areas. This testimony is based on our prior reports and recent
                       information obtained from IRS.


                       For years we have chronicled IRS’ struggle to modernize and manage its
IRS’ High-Risk Areas   operations, especially in the high-risk areas, and have made scores of
                       recommendations to improve IRS’ systems, processes, and procedures. It
                       is clear that in order to achieve its stated goals of reducing the volume of
                       paper tax returns, providing better customer service, and improving
                       compliance with the nation’s tax laws, IRS must successfully modernize its
                       systems and operations. To accomplish this modernization, however, IRS
                       needs to develop comprehensive business strategies to ensure that its new
                       and revised processes drive systems development and acquisition. Solving
                       the problems in the high-risk areas is not an insurmountable task, but it
                       requires sustained management commitment, accurate information
                       systems, and reliable performance measures to track IRS’ progress and
                       provide the data necessary to make informed management decisions.


Tax Systems            Over the last decade, IRS has been attempting to overhaul its timeworn,
Modernization          paper-intensive approach to tax return processing. At stake is the over
                       $3 billion that IRS has spent or obligated on this modernization since 1986,
                       as well as any additional funds that IRS plans to spend on the
                       modernization.

                       In July 1995, we reported that IRS (1) did not have a comprehensive
                       business strategy to cost-effectively reduce paper tax return filings;
                       (2) had not yet fully developed and put in place the requisite management,
                       software development, and technical infrastructure necessary to
                       successfully implement its ambitious, world-class modernization; and

                       3
                        GAO/HR-97-9.



                       Page 2                                                       GAO/T-GGD-97-52
(3) lacked an overall systems architecture, or blueprint, to guide the
modernization’s development and evolution.4 At that time, we made over a
dozen recommendations to the IRS Commissioner to address these
weaknesses.

Pursuant to subsequent congressional direction, we assessed IRS’ actions
to correct its management and technical weaknesses. We reported in June
and September 1996 that IRS had initiated many activities to improve its
modernization efforts but had not yet fully implemented any of our
recommendations.5 We also suggested to Congress that it consider limiting
modernization funding exclusively to cost-effective efforts that (1) support
ongoing operations and maintenance; (2) correct IRS’ pervasive
management and technical weaknesses; (3) are small, represent low
technical risk, and can be delivered quickly; and (4) involve deploying
already developed and fully tested systems that have proven business
value and are not premature given the lack of a completed architecture.

IRS has taken steps to address our recommendations and respond to
congressional direction. For example, IRS hired a new Chief Information
Officer. It also created an investment review board to select, control, and
evaluate its information technology investments. Thus far, the board has
reevaluated and terminated several major modernization development
projects that were not found to be cost-effective. In addition, IRS provided
a report to Congress in November 1996 that set forth IRS’ strategic plan
and its schedule for shifting modernization development and deployment
to contractors.

IRS is also finalizing a comprehensive strategy to maximize electronic
filing that is currently scheduled for completion in May 1997. It is also
updating its system development life cycle methodology and is working
across various IRS organizations to define disciplined processes for
software requirements management, quality assurance, configuration
management, and project planning and tracking. Additionally, IRS is
developing a systems architecture and project sequencing plan for the
modernization and intends to provide this to Congress by May 15, 1997.




4
Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected If
Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995).
5
 Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected Management and
Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996) and Tax Systems Modernization: Actions
Underway But Management and Technical Weaknesses Not Yet Corrected (GAO/T-AIMD-95-165, Sept.
10, 1996).



Page 3                                                                     GAO/T-GGD-97-52
                       While we recognize IRS’ actions, we remain concerned because much
                       remains to be done to fully implement essential improvements. Increasing
                       the use of contractors, for example, will not automatically increase the
                       likelihood of successful modernization because IRS does not have the
                       technical capability needed to manage all of its current contractors. To be
                       successful, IRS must also continue to make a concerted, sustained effort
                       to fully implement our recommendations and respond effectively to the
                       requirements outlined by Congress. It will take both management
                       commitment and technical discipline for IRS to accomplish these tasks.


Financial Management   Our audits of IRS’ financial statements have outlined the substantial
                       improvements needed in IRS’ accounting and reporting in order to comply
                       fully with the requirements of the Chief Financial Officers Act of 1990
                       (CFO Act). The audits for fiscal years 1992 through 1995 have described
                       IRS’ difficulties in (1) properly accounting for its tax revenues, in total and
                       by reported type of tax; (2) reliably determining the amount of accounts
                       receivable owed for unpaid taxes; (3) regularly reconciling its Fund
                       Balance With Treasury accounts; and (4) either routinely providing
                       support for receipt of the goods and services it purchases or, where
                       supported, accurately recording the purchased item in the proper period.

                       IRS has made progress in addressing problems in these areas and has
                       developed an action plan, with specific timetables and deliverables, to
                       address the issues our financial statement audits have identified. In the
                       administrative accounting area, for example, IRS reported that it has
                       identified substantially all of the reconciling items for its Fund Balance
                       With Treasury accounts, except for certain amounts IRS has deemed not
                       to be cost-beneficial to research further. It also has successfully
                       transferred its payroll processing to the Department of Agriculture’s
                       National Finance Center and has begun designing both a short-term and a
                       long-term strategy to fix the problems that contribute to its nonpayroll
                       expenses being unsupported or reported in the wrong period.

                       In the revenue accounting area, IRS’ problems are especially affected and
                       complicated by automated data processing systems that were
                       implemented many years ago and thus not designed to support the new
                       financial reporting requirements imposed by the CFO Act. Therefore, IRS
                       has designed an interim solution to capture the detailed support for
                       revenue and accounts receivable until longer-term solutions can be
                       identified and implemented. Some of the longer-term actions include
                       (1) implementing software, hardware, and procedural changes needed to



                       Page 4                                                         GAO/T-GGD-97-52
                      create reliable subsidiary accounts receivable and revenue records that
                      are fully integrated with the general ledger; and (2) implementing software
                      changes that allow the detailed taxes reported to be maintained separately
                      from the results of compliance efforts that would not be valid financial
                      reporting transactions in the masterfile, other related revenue accounting
                      feeder systems, and the general ledger.

                      Over the past 4 years, we have made numerous recommendations to
                      improve IRS’ financial management systems and reporting, and IRS has
                      been working to position itself to have more reliable financial statements
                      for fiscal year 1997 and thereafter. To accomplish this, especially in
                      accounting for revenue and the related accounts receivables, IRS will need
                      to institute long-term solutions involving reprogramming software for IRS’
                      antiquated systems and developing new systems as required.

                      Follow-through to complete necessary corrective measures is essential if
                      IRS is to ensure that its corrective actions are carried out and effectively
                      solve its financial management problems. Solving these problems is
                      fundamental to providing reliable financial information and ensuring
                      taxpayers that the government can properly account for their federal tax
                      dollars. The accuracy of IRS’ financial statements is vital to both IRS and
                      Congress for (1) ensuring adequate accountability for IRS programs;
                      (2) assessing the impact of tax policies; and (3) measuring IRS’
                      performance and cost effectiveness in carrying out its numerous tax
                      enforcement, customer service, and collection activities.


Accounts Receivable   IRS routinely collects over a trillion dollars annually in taxes, but many
                      taxpayers are unable or unwilling to pay their taxes when due. As a result,
                      IRS estimates that its accounts receivable amounts to tens of billions of
                      dollars. Unfortunately, IRS’ ability to effectively address its accounts
                      receivable problems is seriously hampered by its outdated equipment and
                      processes, incomplete information needed to better target collection
                      efforts, and the absence of a comprehensive strategy and detailed plan to
                      address the systemic nature of the underlying problems.

                      IRS’ collection efforts have also been hampered by the age of the
                      delinquent tax accounts. Because of the outdated equipment and
                      processes used to match tax returns and related information documents, it
                      can take IRS several years to identify potential delinquencies and then
                      initiate collection actions. In addition, according to IRS, the 10-year
                      statutory collection period generally precludes it from writing off



                      Page 5                                                        GAO/T-GGD-97-52
               uncollectible receivables until that period has expired. As a result, the
               receivables inventory includes many relatively old accounts that will never
               be collected because the taxpayers are deceased or the companies
               defunct.

               This is not to say, however, that IRS has not been trying to overcome its
               deficiencies. In the last 2 years, IRS has undertaken initiatives to correct
               errors in its masterfile records of tax receivables, develop profiles of
               delinquent taxpayers, and study the effectiveness of various collection
               techniques. It has also streamlined its collection process, placed additional
               emphasis on contacting repeat delinquents, made its collection notices
               more readable, and targeted compliance-generated delinquencies for
               earlier intervention.

               IRS reported that, as a result of taking these actions, its collection
               employees took in more money than they classified as “currently not
               collectible” and that the amount of money collected immediately following
               the revision of its collection notices increased by almost 25 percent over a
               comparable period in 1995. In addition, IRS reported collecting more in
               delinquent taxes in fiscal year 1996 than it ever has, almost $30 billion.

               Despite these positive results, IRS needs to continue the development of
               information databases and performance measures to afford its managers
               the data needed to determine which actions or improvements generate the
               desired changes in IRS’ programs and operations. And, this should not be
               looked upon as a short-term commitment. It will still take a number of
               years to identify the root causes of delinquencies and to develop, test, and
               implement courses of action to deal with the causes. Furthermore, once
               the analyses and planning are completed, it will still be some time before
               full results of the new initiatives are realized.

               Therefore, IRS must take deliberate action to ensure that its
               problem-solving efforts are on the right track. Specifically, it needs to
               implement a comprehensive strategy that involves all aspects of IRS’
               operations and that sets priorities; accelerates the modernization of
               outdated equipment and processes; and establishes realistic goals, specific
               timetables, and a system to measure progress.


Filing Fraud   When we first identified filing fraud as a high-risk area in February 1995,
               the amount of filing fraud being detected by IRS was on an upward spiral.
               Since then, IRS has introduced new controls and expanded existing



               Page 6                                                       GAO/T-GGD-97-52
controls in an attempt to reduce its exposure to filing fraud. Those
controls are directed toward either (1) preventing the filing of fraudulent
returns or (2) identifying questionable returns after they have been filed.

To deter the filing of fraudulent returns, IRS (1) expanded the number of
up-front filters in the electronic filing system designed to screen electronic
submissions for selected problems in order to prevent returns with those
problems from being filed electronically and (2) strengthened the process
for checking the suitability of persons applying to participate in the
electronic filing program as return preparers or transmitters by requiring
fingerprint and credit checks.

To better identify fraudulent returns once they have been filed, IRS placed
an increased emphasis in 1995 on validating social security numbers (SSN)
on filed paper returns and delayed any related refunds to allow time to do
those validations and to check for possible fraud. IRS also revised the
computerized formulas it used to score all tax returns as to their fraud
potential and upgraded the research capabilities of its fraud detection
staff.

IRS’ efforts produced some positive results. For example, the number of
SSN problems identified by the electronic filing filters quadrupled between
1994 and 1995, and about 350 persons who applied to participate in the
electronic filing program for 1995 were rejected because they failed the
new fingerprint and credit checks. IRS’ efforts to validate SSNs on paper
returns produced over $800 million in reduced refunds or additional taxes.
Unfortunately, IRS identified many more SSN problems than it was able to
deal with and released about 2 million refunds without resolving the
problems.

IRS was less successful in identifying fraudulent returns, identifying over
65 percent fewer fraudulent returns in 1996 than during a comparable
period in 1995. IRS believes this decrease is attributable to a 31-percent
reduction in its fraud detection staff and the resulting underutilization of
its Electronic Fraud Detection System, which enhances the identification
of fraudulent returns and lessens the probability of improperly deleting
accurate refunds. However, IRS does not have the information it needs to
verify that the decline was the result of staff reductions or to determine
the extent to which the downward trend may have been affected by
changes in the program’s operating and reporting procedures or by a
general decline in the incidence of fraud.




Page 7                                                        GAO/T-GGD-97-52
                       Given the decrease in fraud detection staff, it is critically important for IRS
                       to (1) optimize the electronic controls that are intended to prevent the
                       filing of fraudulent returns and (2) maximize the effectiveness of available
                       staff. Modernization is the key to achieving these objectives, and
                       electronic filing is the cornerstone of that modernization. One solution,
                       then, is to increase the percentage of returns filed electronically. To
                       achieve this goal, IRS must first identify those groups of taxpayers who
                       offer the greatest opportunity to reduce IRS’ paper-processing workload
                       and operating costs if they were to file electronically. IRS must then
                       develop strategies that focus its resources on eliminating or lessening
                       impediments that inhibit those groups from participating in the program.


Information Security   Malicious attacks on computer systems are an increasing threat to our
                       national welfare. The federal government now relies heavily on
                       interconnected systems to control critical functions which, if
                       compromised, place billions of dollars worth of assets at risk of loss and
                       vast amounts of sensitive data at risk of unauthorized disclosure.
                       Increasing reliance on networked systems and electronic records has
                       elevated our concerns about the possibility of serious disruption to critical
                       federal operations.

                       As a result of our recent work at IRS, we believe that the vulnerabilities of
                       IRS’ computer systems may affect the confidentiality and accuracy of
                       taxpayer data and may allow unauthorized access, modification, or
                       destruction of taxpayer information. The overriding problem at IRS is that
                       information security issues are addressed on a reactive basis. IRS does not
                       have a proactive, independent information security group that
                       systematically reviews the adequacy and consistency of security over IRS’
                       computer operations. In addition, computer security management has not
                       completed a formal risk assessment of its systems to determine system
                       sensitivity and vulnerability. As a result, IRS cannot effectively prevent or
                       detect unauthorized browsing of taxpayer information and cannot ensure
                       that taxpayer data is not being improperly manipulated for personal gain.

                       IRS needs to address its information security weaknesses on a continuing
                       basis. More specifically, IRS needs to impress upon its senior managers
                       the need to conduct regular systematic security reviews and risk
                       assessments of IRS’ computer systems and operations. The weaknesses
                       identified by these reviews and assessments then need to be corrected
                       expeditiously by personnel who have the technical expertise to effectively




                       Page 8                                                         GAO/T-GGD-97-52
                        implement, manage, and monitor the necessary security controls and
                        measures.


The Year 2000 Problem   For the past several decades, computer systems have used two digits to
                        represent the year, such as “97” for 1997, in order to conserve electronic
                        data storage and reduce operating costs. In this format, however, the year
                        2000 is indistinguishable from the year 1900 because both are represented
                        as “00.” As a result, if not modified, computer systems and applications
                        that use dates or perform date- or time-sensitive calculations may generate
                        incorrect results beyond 1999.

                        For IRS, such a disruption of functions and services could jeopardize all of
                        its tax processing systems and administration. It could effectively halt the
                        processing of tax return and return-related information, the maintenance
                        of taxpayer account information, the assessment and collection of taxes,
                        the recording of obligations and expenditures, and the disbursement of
                        refunds. At the very least, IRS’ core business functions and mission-critical
                        processes are at risk of failure, as is numerous other administrative and
                        management processes.

                        To avoid the crippling effects of a multitude of computer systems
                        simultaneously producing inaccurate and unreliable information, IRS must
                        assign management and oversight responsibility within its senior executive
                        corps, define the potential impact of such a systems failure, and develop
                        appropriate renovation strategies and contingency plans for its critical
                        systems. Modifying IRS’ critical computer systems is a massive
                        undertaking whose success or failure will, in large part, be determined by
                        the quality of IRS’ executive leadership and program management.


                        For years, IRS has struggled to collect the nation’s tax revenue using
Summary Outlook         outdated processes and technology. The result has often been inefficient
                        and ineffective programs and operations that are vulnerable to waste,
                        fraud, abuse, and mismanagement. Of particular concern to us have been
                        IRS’ efforts to modernize its tax systems, manage its administrative and
                        revenue accounting systems, identify and collect taxes owed the
                        government, detect and prevent the filing of fraudulent tax returns, protect
                        the confidentiality of taxpayer information, and prevent the future
                        disruption of tax services due to computer malfunctions.




                        Page 9                                                        GAO/T-GGD-97-52
           These areas of concern share common characteristics that IRS must
           address in the very near future. At a minimum, IRS needs an
           implementation strategy that includes both performing cost-benefit
           analyses and developing reasonable estimates of the extent, time frames,
           and resources required to correct its high-risk vulnerabilities. IRS also
           needs to (1) better define, prioritize, implement, and manage new
           information systems; (2) ensure that its administrative and revenue
           accounting systems fully comply with government accounting standards;
           (3) design and implement both administrative and electronic controls to
           protect taxpayer data from unauthorized access; and (4) develop
           performance measures that will allow its managers, Congress, and us to
           track its progress. And, above all, IRS management needs to sustain an
           agencywide commitment to solving the agency’s high-risk problems.


           Madam Chairman, this concludes my prepared statement. We will be glad
           to answer any questions that you or the Members of the Subcommittee
           may have.




(268786)   Page 10                                                     GAO/T-GGD-97-52
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested