Internal Revenue Service: Progress Continues But Serious Management Challenges Remain (02-APR-01, GAO-01-562T). This testimony discusses the management challenges that continue to face the Internal Revenue Service (IRS). These challenges include (1) computer security, (2) financial management, (3) organizational modernization and performance management, and (4) business systems modernization management. IRS must make progress in all four areas to realize the modernization effort's full potential to improve IRS' efficiency and to significantly improve service to taxpayers. IRS has taken important steps in all of these areas, but significant obstacles remain. In the area of computer security, IRS corrected a significant number of previously reported weaknesses, and is implementing a computer security management program that should help it manage its risks in this area. However, serious weaknesses remain in this area that could impair IRS' ability to perform vital functions. In financial management, IRS this year was able to prepare financial statements that received an unqualified opinion. However, this achievement came through the use of substantial, costly, and time-consuming processes to work around IRS' system deficiencies. Looking at IRS' structure, IRS has reorganized into four taxpayer-focused divisions and developed a performance management approach consistent with management principles contained in the IRS Restructuring and Reform Act and the Government Performance and Results Act. However, much work remains to be done in completing the foundation and in designing and implementing business practice changes that noticeably improve service to taxpayers and IRS' efficient administration of the tax system. Finally, in terms of business systems modernization, IRS has made important progress in developing and implementing fundamental modernization management controls, but considerable work remains. 
Indexing Terms
REPORTNUM: GAO-01-562T
ACCNO: A00723
TITLE: Internal Revenue Service: Progress Continues But Serious Management Challenges Remain
DATE: 04/02/2001
SUBJECT: Tax administration systems; Computer security; Federal agency reorganization; Information resources management; Systems conversions
GAO-01-562T
INTERNAL REVENUE SERVICE: Progress Continues But Serious Management Challenges Remain
Statement of Robert F. Dacey, Director, Information Security Issues; Michael Brostek, Director, Tax Issues; Randolph C. Hite, Director, Information Technology Systems Issues; Steven J. Sebastian, Acting Director, Financial Management Issues
United States General Accounting Office
Testimony Before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform, House of Representatives
For Release on Delivery Expected at 2 p.m. EDT Monday, April 2, 2001
Mr. Chairman and Members of the Subcommittee: We are pleased to be here this afternoon to discuss the management challenges that continue to face the Internal Revenue Service (IRS). At your request, our statement today will cover four areas: (1) computer security, (2) financial management, (3) organizational modernization and performance management, and (4) business systems modernization management.
Although we will address each of these areas individually, IRS' efforts in all four areas are interrelated and interdependent. IRS must make progress in all four areas to realize the modernization effort's full potential to improve IRS' efficiency and to significantly improve service to taxpayers. IRS has taken important steps in all of these areas. Yet along with improvements, significant obstacles remain. We have designated IRS financial management and information systems modernization as high risk, along with information security on a governmentwide level. [1] The challenges that face IRS are longstanding and systemic management problems; they are challenges that require both short- and long-term solutions. While long-term solutions depend heavily on successful business systems modernization, short-term solutions can be implemented in many areas. We have made many recommendations to address these areas. Our statement today will make the following points:
[1] High-Risk Series: An Update (GAO-01-263, January 2001), Major Management Challenges and Program Risks: Department of the Treasury (GAO-01-254, January 2001), and Major Management Challenges and Program Risks: A Governmentwide Perspective (GAO-01-241, January 2001).
In the area of computer security, IRS corrected a significant number of previously reported weaknesses, and is implementing a computer security management program that should, when fully implemented, help it manage its risks in this area. However, significant security weaknesses continue to exist in IRS' computing environment. These weaknesses could impair IRS' ability to perform vital functions and increase the risk of unauthorized disclosure, modification, or destruction of taxpayer data. To illustrate, we will today be discussing the agency's electronic filing (e-file) program, pointing out several areas where controls [2] necessary to ensure security and privacy of e-file systems and data were not in place during last year's tax filing season.
In financial management, IRS this year was able to prepare financial statements that received an unqualified opinion, meaning that they were fairly presented. However, this achievement came through the use of substantial, costly, and time-consuming processes to work around serious systems and control deficiencies to produce financial statements that present information for just a single point in time. This approach does not provide for timely, useful, and reliable information to assist in managing the day-to-day operations of the agency, which was the intent of the Chief Financial Officers Act of 1990 and other important reform legislation enacted in the last decade.
[2] Internal control refers to IRS' plan of organization and all methods and measures it uses to monitor assets, prevent fraud, minimize errors, verify the correctness and reliability of accounting data, promote operational efficiency, and ensure that established managerial policies are followed. This encompasses all controls over access to computer systems and the data they process, and IRS' management controls over its organizational changes and systems modernization.
While IRS has made some progress in addressing these issues, our audit of its fiscal year 2000 financial statements continued to identify several material internal control weaknesses and other reportable issues in addition to computer security. [3] These weaknesses and issues relate to (1) management of unpaid tax assessments; (2) identification and collection of unpaid taxes; (3) refunds; (4) taxpayer receipts and data; (5) administrative activities, including accountability for property and equipment and budgetary resources; and (6) financial reporting.
These financial management issues affect IRS' ability to routinely report reliable information for decision-making and have led to both increased taxpayer burden and lost revenue to the federal government, thus affecting IRS' ability to effectively fulfill its responsibilities as the nation's tax collector. IRS continues to work to address these issues, and was able to fully resolve one longstanding material internal control weakness in fiscal year 2000. Nonetheless, continued efforts are needed to devise lasting solutions to IRS' financial management challenges. Some of these solutions can be achieved in the short term; others are longer term in nature, as they are dependent on the successful modernization of IRS' information systems.
Looking at IRS' structure, the agency has reorganized into four taxpayer-focused divisions and developed a performance management approach consistent with management principles contained in the IRS Restructuring and Reform Act and the Government Performance and Results Act of 1993 (GPRA). IRS' progress in reorganizing around taxpayer-focused operating divisions and developing a new performance management approach begins laying the foundation for the next step in IRS' structural modernization: making substantive business practice changes that could significantly improve its efficiency and service to taxpayers. However, much work remains to be done in completing the foundation and in designing and implementing business practice changes that noticeably improve service to taxpayers and IRS' efficient administration of the tax system. Further, although the role of managers in translating IRS' goals and objectives into actions that make a difference is vital, managers do not appear to have consistently revised their programmatic decisionmaking in line with performance management principles.
[3] Financial Audit: IRS' Fiscal Year 2000 Financial Statements (GAO-01-394, March 1, 2001).
Finally, in terms of business systems modernization, we have long held that IRS needs to establish fundamental modernization management controls before it begins to build and implement modernized systems, and we have made recommendations to this end dating back to 1995. IRS has made important progress in developing and implementing these capabilities, but it is still not where it needs to be. We are therefore concerned that IRS is allowing its system acquisition projects to get ahead of its capabilities for managing them and ensuring that modernized systems deliver promised value, on time and within budget. While allowing acquisition and building management controls to proceed concurrently introduces an element of risk when systems acquisition projects are in their early, formative stages, the risk is considerably greater when these projects enter their later phases (detailed design and development). At these later junctures in the projects' life cycles, system rework, due to not employing disciplined modernization management controls, is much more expensive and time-consuming than it is earlier. Given that IRS needs additional money to invest further in the modernization, both near-term and longer term, and is seeking congressional approval of these funding needs, this is an opportune time to ensure that IRS addresses these risks.
We will now discuss each of these areas in greater detail.
COMPUTER SECURITY
As a major steward of personal taxpayer information, IRS has a demanding responsibility in collecting taxes, processing returns, and enforcing the nation's tax laws. In conducting its work, IRS must obviously depend to a great extent on interconnected computer systems. Due to the nature of its mission, IRS collects and maintains a significant amount of personal and financial data on each American taxpayer. These data typically include the taxpayer's name, address, social security number, dependents, income, deductions, and expenses.
The confidentiality of this sensitive information is important because, should this information be disclosed to unauthorized individuals, American taxpayers could be exposed to a loss of privacy and to financial loss and damages resulting from identity theft and financial crimes. Computer security is an important consideration for any organization that depends on information systems and computer networks to carry out its mission or business. However, without proper safeguards, systems and networks pose enormous risks that make it easier for individuals and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer networks and systems. And the number of individuals with the skills to accomplish this is increasing; intrusion (or hacking) techniques are readily available and relatively easy to use.
During fiscal year 2000 we continued to find serious weaknesses with general controls designed to protect IRS' computing resources from unauthorized use, modification, loss, and disclosure. IRS did not have adequate controls to prevent or detect unauthorized access to data processing facilities, computer networks, and systems; segregate systems administration and security administration responsibilities; optimally configure software to guarantee security and integrity of programs, files, and data; sufficiently plan and test actions necessary to restore critical business systems following unexpected occurrences; and monitor key networks and systems to identify unauthorized activities. In addition, internal controls over key computer applications used by IRS personnel do not provide adequate assurance that access to taxpayer data is granted only to those authorized to have it. Such weaknesses increase the risk that data processed by IRS' computer systems are not reliable and remain vulnerable to unauthorized disclosure.
Although IRS corrected a significant number of computer security weaknesses cited in our previous reports, and is implementing a computer security management program that should, when fully implemented, help it better manage its risks in this area, we again reported computer security as a material weakness [4] in our review of IRS' fiscal year 2000 financial statements. [5]
[4] A material weakness is a condition that precludes an entity's internal control from providing reasonable assurance that material misstatements in its financial statements would be prevented or detected on a timely basis.
[5] GAO-01-394, March 4, 2001.
We recently examined the effectiveness of key computer controls designed to ensure the security, privacy, and reliability of IRS' electronic filing systems and electronically filed taxpayer data during last year's tax filing season. Our recent report discusses the computer control weaknesses that we found, along with actions that IRS states that it took to correct these weaknesses prior to this year's tax filing season. [6] What we have found to date concerning IRS' e-file program can illustrate the challenges that many organizations are facing.
IRS' E-file Program
Electronic filing of income tax returns offers benefits to both taxpayers and IRS. IRS reports that taxpayers receive refunds faster and believes that electronic filing improves accuracy, decreases processing costs, and ensures the security and privacy of taxpayer data. We found, however, that during last year's tax filing season, IRS did not effectively implement computer controls to ensure the security and privacy of its electronic filing systems and electronically transmitted taxpayer data.
E-file is a major IRS initiative, and the number of individuals filing returns electronically is increasing. IRS reported that during 2000, over 35 million individual taxpayers filed their returns electronically, about 20 percent more than the previous year.
In total, the number of e-file individual returns represented about 28 percent of all individual returns filed during 2000. The IRS Restructuring and Reform Act of 1998 established a goal that 80 percent of all tax and information returns (business as well as individual) be filed electronically by 2007.
[6] Information Security: IRS Electronic Filing Systems (GAO-01-306, February 16, 2001).
In an attempt to meet this goal, IRS has aggressively marketed the e-file program and has authorized private firms and individuals to be e-file trading partners. These partners include (1) electronic return originators, who prepare electronic tax returns for taxpayers; (2) intermediate service providers, who assist in processing tax returns; and (3) transmitters, who transmit the electronic portion of a return directly to IRS. Except for telefile taxpayers who file their returns using telephones, IRS does not allow individual taxpayers to transmit electronic tax returns directly to the agency; they must use the services of an IRS trading partner. Figure 1 demonstrates the path that an electronically filed tax return takes from the taxpayer to IRS.
Figure 1: E-file: 2000 Tax Filing Season.
During last year's tax filing season, IRS did not implement adequate computer controls to ensure the security, privacy, and reliability of its electronic filing systems and the electronically transmitted tax return data that those systems contained. We demonstrated that individuals, both internal and external to IRS, could gain unauthorized access to IRS' electronic filing systems and view, modify, copy, or delete taxpayer data. Our successful access did not require sophisticated techniques. Last May, for example, we were able to access a key electronic filing system using a common handheld computer.
We could gain such access because IRS at that time had not effectively restricted external access to computers supporting the e-file program through effective perimeter defenses; securely configured its e-file operating systems, which used several risky and unnecessary services; implemented adequate password management and user account practices (for example, we successfully guessed many passwords and noted user IDs and passwords posted conspicuously on a monitor); sufficiently restricted access to computer files and directories containing tax return and other data (for example, all users had the ability to modify numerous sensitive data and system files, and certain users with no “need to know” had access, contrary to IRS policy); or used encryption to protect tax return data on e-file systems (as is required by IRS' Internal Revenue Manual).
Further, these weaknesses jeopardized the security of sensitive business, financial, and taxpayer data on other critical IRS systems that were connected to e-file computers through its servicewide network because IRS personnel turned off (bypassed) network control devices that were intended to provide security between e-file and other IRS systems. While IRS stated that it did not have evidence that such intrusions had actually occurred or that intruders had accessed or modified taxpayer data, the agency did not have adequate procedures to detect such intrusions if they had occurred. For example, it did not (1) record certain key events in system audit logs, (2) regularly review those logs for unusual or suspicious events or patterns, or (3) deploy software to facilitate the detection and analysis of logged events. Consequently, IRS did not recognize or record much of the activity associated with our tests.
These serious access control weaknesses existed because IRS had not taken adequate steps during the 2000 tax filing season to ensure the ongoing security of electronically transmitted tax return data on its e-file systems. For example, IRS had not followed or fully implemented several of its own information security policies and guidelines when it developed and implemented controls over its electronic filing systems. It decided to implement and operate its e-file computers before completing all of the security requirements for certification and accreditation. [7] Further, IRS had not fully implemented a continuing program for assessing risk and monitoring the effectiveness of security controls over its electronic filing systems.
According to IRS officials, the agency moved promptly to correct the access control weaknesses we identified prior to the current tax filing season. It developed plans to improve security over its electronic filing systems and internal networks, and said that it has substantially implemented those plans. In his response to our report, the Commissioner said that “electronic filing systems now satisfactorily meet critical federal information security requirements to provide strong controls to protect taxpayer data.” Sustaining effective computer controls in today's dynamic computing environment will require top management attention and support, disciplined processes, and continuing vigilance. We will assess the effectiveness of IRS' corrective actions as part of our normal follow-up review.
[7] Accreditation is the formal authorization for system operation and is usually supported by certification of the system's security safeguards, including its management, operational, and technical controls. Certification is a formal review and test of a system's security safeguards to determine whether or not they meet security needs and applicable requirements.
Application controls also need to be designed and implemented to ensure the reliability of data processed by the systems. IRS believes that electronically filed tax returns are more accurate than paper returns, and has implemented many application controls designed to enhance the reliability of data processed by its electronic filing systems. However, we identified additional opportunities to strengthen application controls for IRS' processing of electronic tax return data. Based on agency statistics, IRS processed electronic tax returns and paid refunds of about $2.1 billion without receiving required authenticating signatures or electronic personal identification numbers (PINs) from taxpayers. Data validation and editing controls did not detect certain erroneous or invalid data that could occur in tax returns. In addition, weaknesses in software development controls increased the risk that programmers could have made unauthorized changes to software programs during the 2000 tax filing season.
Further, taxpayers who filed electronically may not have been aware that transmitters, who actually send the data to IRS and may be unknown to the taxpayer, could have viewed and modified their data and that such data are transmitted to IRS in clear text (human readable form). This is because IRS decided (1) not to allow taxpayers to file most electronic returns directly to IRS, (2) to require taxpayers who elected to file electronically to use the services of third-party transmitters, and (3) not to accept electronic tax returns in encrypted form. In addition, taxpayers may not have been aware that IRS has no assurance of the security of its e-file trading partner systems. Other than providing guidance about protecting certain passwords, IRS did not prescribe minimum computer security requirements for transmitters and did not assess or require an independent assessment of the effectiveness of computer controls within the transmitters' operating environment.
We provided specific technical recommendations to improve access controls over IRS electronic filing systems and networks. We also recommended that IRS complete the certification and accreditation of its electronic filing systems, assess security risks and routinely monitor the effectiveness of security controls over electronic filing systems, improve certain data reliability and integrity controls, and notify taxpayers of the privacy risks of filing electronically. IRS agreed with our recommendations and stated that it implemented most of the improvements, including correcting critical vulnerabilities, before this year's tax filing season; it further stated that the actions it has taken demonstrate a systematic, risk-based approach to correcting identified weaknesses. Such an approach will continue to be important in ensuring that corrective actions are effective on a continuing basis and that new risks are promptly identified and addressed.
FINANCIAL MANAGEMENT
IRS' financial management has long been problematic. In fiscal year 2000, it continued to be plagued by many of the serious internal control and financial management issues we have been reporting each year since 1992. [8] Despite these issues, as we recently reported, [9] IRS was able to produce, in fiscal year 2000, combined financial statements encompassing both its tax custodial and administrative activities that were, for the first time, fairly stated in all material respects. [10] This achievement was the culmination of 2 years of extraordinary work on the part of IRS to develop compensating processes to work around its serious systems and control weaknesses to derive reliable year-end financial statement balances. IRS' approach entailed costly, time-consuming processes, statistical projections, external contractors, substantial adjustments, and monumental human efforts that were not completed until over 4 months after the end of the fiscal year.
Although this approach resulted in IRS' being able to report reliable fiscal year 2000 balances in its financial statements, it cannot achieve the central objective of the Chief Financial Officers' Act of 1990, which is to provide managers with the current, reliable information they need for day-to-day decisionmaking. In addition, this approach does not address the underlying financial management and operational issues that adversely affect IRS' ability to effectively fulfill its responsibilities as the nation's tax collector.
[8] Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, November 17, 2000).
[9] GAO-01-394, March 1, 2001.
[10] In fiscal year 1997, IRS received, for the first time, unqualified audit opinions on separate financial statements, covering its tax custodial activities (by us) and its administrative activities (by the Department of the Treasury's Office of Inspector General). In fiscal year 1998, IRS combined its tax custodial and administrative activities in one set of financial statements. We were able to determine in fiscal years 1998 and 1999 that the taxes receivable balance reported on the balance sheet and the tax revenue and refunds reported in the Statement of Custodial Activity were fairly stated.
The tremendous commitment on the part of both IRS senior management and staff was key to IRS' ability to achieve its goal of receiving an unqualified audit opinion on its financial statements for fiscal year 2000. However, these costly and time-consuming efforts would not be necessary if IRS' systems and controls operated effectively. IRS' current financial management systems do not comply with federal financial management systems requirements, federal accounting standards, or the U.S. Government Standard General Ledger at the transaction level. Consequently, they do not substantially comply with the Federal Financial Management Improvement Act of 1996.
Until IRS implements financial management systems that meet this standard and otherwise strengthens its internal controls, it will continue to be dependent on its workaround processes and heroic efforts to enable it to sustain an unqualified opinion on its financial statements. IRS has laid the groundwork for sustainable improvement in several critical areas, and is taking action to address several of the management issues we have raised. However, it continues to have major financial management and operational problems, many of which will require a sustained, long-term commitment of resources, proactive involvement by senior management, and, ultimately, the successful modernizing of its financial and operational systems.
We would now like to summarize the major financial management challenges confronting IRS.
Management of Unpaid Tax Assessments
IRS continues to have serious internal control deficiencies that affect its management of unpaid tax assessments. [11] IRS still lacks a subsidiary ledger that tracks and accumulates unpaid tax assessments on an ongoing basis. As a consequence, it must rely on specialized computer programs to extract unpaid tax assessment information from its master files (its only detailed databases of taxpayer account information) and then subject this information to statistical sampling procedures in order to prepare its financial statements. However, this process takes months to complete and requires tens of billions of dollars in adjustments to correct misclassifications and eliminate duplications in order to produce a reliable balance at a single point in time. Additionally, IRS' automated records used in this process continued to contain errors. Finally, significant delays were encountered in recording activity in taxpayer accounts. These conditions continued to result in unnecessary taxpayer burden and lost opportunities to collect outstanding taxes owed during fiscal year 2000.
For example:
IRS continued to lack the ability to effectively link related taxpayer accounts so that payments made by one taxpayer are properly applied to reduce the tax liability of a related taxpayer. In 29 of the 68 unpaid payroll tax cases we reviewed (43 percent), payments were not accurately recorded to reduce the tax liabilities of all related taxpayers. In some instances, we identified delays of up to 12 years in recording payments to all related taxpayer accounts, and in other instances payments were still not properly reflected, despite the fact that the payments were made in the late 1980s.
[11] Unpaid tax assessments consist of (1) taxes due from taxpayers for which IRS can support the existence of a receivable through taxpayer agreement or a favorable court ruling (federal taxes receivable); (2) compliance assessments where neither the taxpayer nor the court has affirmed that the amounts are owed; and (3) write-offs, which represent unpaid assessments for which IRS does not expect further collections due to factors such as the taxpayer's death, bankruptcy, or insolvency. Of these three classifications, only the first is reported on the principal financial statements. As of September 30, 2000, IRS reported $22 billion (net of an allowance for doubtful accounts of $59 billion), $30 billion, and $129 billion in these three categories, respectively.
IRS continued to experience significant delays and errors in recording other information in taxpayer accounts. In one case, it erroneously recorded a $68 million payment to the wrong taxpayer's account, resulting in the taxpayer who made the payment waiting nearly 2 years to receive a $7 million refund to which the taxpayer was entitled. In two other cases, IRS' failure to update information in taxpayer accounts resulted in refunds being paid to individuals who should not have been paid because they had other outstanding tax liabilities.
IRS continued to experience problems in promptly releasing liens filed against the property of taxpayers who at one time owed the federal government for taxes but who had subsequently paid these taxes. In one case, a taxpayer paid off his outstanding tax liability in August 1998, yet it took IRS until March 2000, 19 months later, to release the tax lien. By law, tax liens are required to be released within 30 days of the date the taxpayer satisfies the outstanding tax liability.
The serious internal control issues IRS continues to experience with its unpaid assessments can lead, and have led, both to undue taxpayer burden and lost revenue to the government. These conditions can also further erode the confidence of the nation's taxpayers in the integrity and fairness of the tax collection process.
Identification and Collection of Unpaid Taxes
Unpaid taxes include taxes due the federal government that (1) taxpayers have reported to IRS or that taxpayers have not reported and IRS has identified through other means [12] and has recorded in its accounting records, (2) taxpayers have not reported but that IRS has identified through other means and has estimated the amount due, and (3) taxpayers have not reported and which IRS has not identified through other means. Inherent in the voluntary nature of the nation's tax collection system is the concept that IRS must, to a large degree, rely on taxpayers to report their tax liabilities. When taxpayers either intentionally or unintentionally fail to report to IRS the full amount of taxes they owe the federal government, IRS' ability to independently identify the taxpayers and determine the amount they owe is inherently limited. However, IRS does not always follow up on potential unpaid taxes it is aware of, and does not always pursue collection of those taxes it determines are owed.
For example:

Between fiscal years 1996 and 1998, IRS identified over 39 million potential cases in which taxpayers may have understated the amount of taxes they owed the government. Potential underreported taxes related to these cases were estimated by IRS at over $49 billion. However, IRS investigated fewer than 9 million of these cases, with total estimated underreported taxes totaling about $19 billion, leaving $29 billion in potential taxes uninvestigated and thus not pursued.

12 IRS' other means of identifying unpaid taxes include its automated matching programs, nonfiler program, and examinations.

As of September 30, 2000, IRS had recorded $240 billion 13 in unpaid taxes, penalties, and interest in its accounting records. During our audit of IRS' fiscal year 2000 financial statements, we continued to identify unpaid tax cases with some potential for collection that were not being actively worked on by IRS. In one case, a taxpayer with an annual income of over $110,000 owed $23,000 in unpaid taxes, but IRS was not pursuing collection.

As with any large agency, IRS is confronted with the ongoing management challenge of allocating its limited resources among competing management priorities. Its challenge is to determine the appropriate level of resources needed to fulfill its mission and the most appropriate utilization of its existing resources. However, IRS does not have the management data necessary to prepare reliable cost-benefit analyses to assess whether its resource allocation decisions are appropriate. Consequently, IRS is hindered in its ability to determine if it is devoting the appropriate level of resources to identifying and pursuing collection of unpaid taxes relative to the costs and potential benefits involved. The lack of such data also renders IRS unable to determine if it needs additional resources or to justify requests for resource increases to the Congress.
This increases the risk of billions of dollars in amounts owed to the federal government going uncollected, and the further erosion of public confidence in the tax collection system.

13 Of this amount, $129 billion represents write-offs, which are unpaid tax assessments for which IRS does not expect further collections due to factors such as the taxpayer's bankruptcy, insolvency, or death.

Controls Over Refunds

Weaknesses in IRS' controls over income tax refunds have potentially allowed billions of dollars in improper refunds to be disbursed. Time constraints, 14 high volume, and reliance on information supplied by taxpayers affect the options available to IRS to prevent improper refunds from being disbursed, and the preventive controls it employs are not always effective. Consequently, IRS relies extensively on detective controls, such as examinations of tax returns that its screening programs have identified as most likely to be invalid. However, these controls are often performed months after refunds are disbursed, requiring the government to incur the costs associated with attempting to recover these improper payments, often unsuccessfully. For example:

Between fiscal years 1998 and 2000, IRS examiners identified invalid earned income tax credit (EITC) claims totaling $1.9 billion that may have resulted in the disbursement of $1.6 billion in improper refunds.

In September 2000, IRS estimated that about $9.3 billion in invalid EITC claims were filed in tax year 1997. Based on an average refund rate of 78 percent that year, this may have resulted in the disbursement of about $7.3 billion in improper refunds related to EITC claims, about $6.1 billion of which (84 percent) may never be recovered.

These weaknesses result in losses to the government potentially totaling billions of dollars annually. They could also contribute to further erosion of confidence by the nation's taxpayers in the integrity of the tax collection system.
14 By statute, IRS must pay interest on refunds not paid within 45 days of receipt or due date, whichever is later.

Controls Over Hard Copy Taxpayer Receipts and Data

Despite improvements during fiscal year 2000, IRS' internal controls over cash, checks, and related taxpayer data do not adequately protect the federal government and taxpayers from vulnerability to loss from theft and inappropriate disclosure of proprietary taxpayer information. IRS has significantly reduced the average amount of time it takes to obtain the results of employee applicant fingerprint checks; further, it now requires the use of two bonded or insured couriers to transport tax receipts to depository institutions, and has limited courier access within service center premises. However, significant but readily correctable weaknesses continued to exist. For example, at IRS locations we visited as part of our fiscal year 2000 financial audit, checks were left in open, unlocked containers, and personal belongings of IRS' employees were allowed into restricted areas where taxpayer receipts were being processed. These weaknesses increase the risk that taxpayer data could be inappropriately disclosed or receipts stolen.

New employees also continued to be allowed to handle tax receipts and sensitive taxpayer data before IRS received and evaluated the results of their fingerprint checks, despite a new IRS policy issued in April 2000 directly prohibiting it. Specifically, of about 19,500 employees hired during fiscal year 2000, about a quarter, some 4,900, began working before their fingerprint results were in. Of these 4,900 employees, 145 were hired after the April 2000 policy memo was issued, and 776 (16 percent) were subsequently found to have prior criminal arrests or convictions or other potentially unsuitable backgrounds that required further review.
A related vulnerability is that this IRS policy does not apply to individuals employed at ten commercial banks that process tax receipts for the agency. The Department of the Treasury's Financial Management Service contracts with these banks to process manual tax receipts, but the banks are not required to fingerprint their employees. At the two banks we visited during our fiscal year 2000 audit, both obtained fingerprint checks for their permanent employees, but not until after they began to work processing tax receipts, and neither bank required fingerprint checks for temporary employees.

As a result of these weaknesses, IRS unknowingly hired new employees with unsuitable backgrounds and allowed them to begin working before it could ascertain whether they were suitable for their positions. These weaknesses subject IRS to unnecessary risk of theft or loss of tax receipts, and expose taxpayers to increased risk of losses from financial crimes committed by individuals who inappropriately gain access to confidential information entrusted to IRS.

Accountability Over Administrative Accounts and Budgetary Resources

During fiscal year 2000, IRS made significant strides in correcting the weaknesses in accountability over its administrative accounts and budgetary resources that we reported for fiscal year 1999. 15 For example, IRS made major improvements in its policies and procedures over its fund balance with Treasury and amounts held in suspense. It is also working aggressively to address issues we have raised regarding its controls over its property and equipment and budgetary activity, but it continues to experience significant internal control deficiencies in these areas.

15 GAO/AIMD-00-76, February 28, 2000.

Severe deficiencies in accountability for property and equipment have been reported by IRS every year since 1983.
IRS lacks an integrated property management system to appropriately record, track, and account for property and equipment additions, disposals, and existing inventory on an ongoing basis. While IRS has made progress in improving the timeliness and accuracy of recording such activity in its inventory records, we continued to find significant errors in these records. For example, IRS was unable to locate 35 of 220 items we selected from its inventory records; these items included computers, monitors, printers, and computer software. In addition, because of the lack of an integrated property management system that includes reliable cost information on each item, IRS continued to need the assistance of a contractor to develop and implement a process to enable it to report reliable property and equipment-related balances in its financial statements. These weaknesses seriously impair IRS' ability to ensure that property and equipment are properly safeguarded and utilized only in accordance with laws, regulations, and management policy, and preclude IRS from having information on its balance of these assets throughout the fiscal year.

With respect to controls over IRS' budgetary activity, while we noted substantial progress, we continued to identify deficiencies. For example, amounts obligated when goods and services were ordered were often not updated in a timely way to reflect their receipt. This significantly reduces the reliability of key budgetary information IRS needs on an ongoing basis to effectively manage its operations and ensure that its resources do not exceed budgetary authority.

Financial Reporting

As noted, IRS cannot produce timely, reliable financial information for its managers to use in making decisions.
Information produced by IRS' financial management systems is not current or accurate, and must be supplemented by extensive, costly manual procedures that take months to complete and require billions of dollars in corrections to derive financial statement balances that are not available until months later and are reliable only at a single point in time. As of September 30, 2000, fiscal year 2000 transactions totaling over $3.7 billion were either not yet recorded in IRS' general ledger or were recorded in the wrong account. All of these transactions had to be either recorded or re-recorded by IRS in subsequent months in order for it to prepare reliable financial statements. However, other information produced by IRS based on the data provided by its financial management system but not supplemented by these workaround procedures and material corrections may be unreliable, and could lead to inappropriate management or budgetary decisions stemming from incomplete, outdated, or otherwise erroneous information.

Another problem is that IRS does not track the cost accounting information needed to prepare cost-based performance information consistent with the Government Performance and Results Act of 1993. IRS relies on an internal coding structure to capture costs at a project and subproject level. Yet during fiscal year 2000, IRS staff were not required to use these codes for time charged to either of IRS' two largest appropriations, 16 which collectively accounted for 74 percent of all IRS budgetary resources. Consequently, managers did not have the basic information they needed to prepare reliable cost-benefit data for internal decisionmaking and for budget justifications.

16 IRS' two largest appropriations are Processing Assistance and Management and Tax Law Enforcement.
Remaining Financial Management Issues

While IRS' achievement of an unqualified opinion on its fiscal year 2000 financial statements is an important milestone, IRS continues to be challenged by serious internal control and systems deficiencies that hinder its ability to make this happen without heroic effort, and thereby achieve lasting financial management improvement. IRS decisionmakers need reliable, useful, and timely financial and performance information on an ongoing basis; this is the goal of the Chief Financial Officers Act. IRS' achievement this year likewise does not address the underlying financial management and operational issues that impair its ability to effectively fulfill its responsibilities as the nation's tax collector, nor does it provide the public with confidence that it is performing its job fairly and consistently.

The challenge for IRS will be to build on the goals reached in fiscal year 2000: to not only improve its compensating processes but, more importantly, to develop and implement the fundamental long-term solutions that are needed to address the management challenges we have identified. Some of these solutions can be addressed in the near term through the continued efforts and commitment of senior IRS managers and staff. Others, such as those involving modernizing IRS' financial and operational systems, will take years to fully achieve. Until IRS' systems and processes are overhauled and internal controls strengthened, heroic efforts will have to be sustained for IRS to continue to produce reliable financial statements.

IRS acknowledges the issues raised in our financial audits, and the Commissioner and Deputy Commissioner of Operations continue to pledge their commitment to addressing these long-standing issues.
We have assisted IRS in formulating corrective actions to address its serious internal control and financial management issues by providing recommendations over the years, and we will continue to work with the agency on these matters. We recognize that IRS' financial management systems were not designed to meet current systems and financial reporting standards; we also recognize that IRS' problems did not develop overnight. Successful implementation of IRS' longer term efforts and resolution of the serious problems that continue to be identified will also require substantial management commitment, resources, and expertise. This high level of involvement by IRS senior management has contributed greatly to IRS' successes to date. Such commitment and involvement must continue for IRS to address the fundamental problems it faces.

MODERNIZATION OF IRS' ORGANIZATIONAL STRUCTURE AND PERFORMANCE MANAGEMENT SYSTEM

Just as with its computer security and financial management, IRS has made progress in modernizing its organizational structure and its performance management system, a system designed to assess and improve organizational and employee performance in keeping with organizational goals. However, much additional work needs to be done, particularly in ensuring that IRS progresses toward its goal of incorporating performance management principles into day-to-day management. These principles include establishing performance goals, which are broad statements of desired outcomes; objectives, which are targets that describe the end results to be accomplished in a given period of time; and performance measures, which are used to gauge progress. Further, IRS expects its managers and their work groups to routinely analyze data to determine whether they are progressing as expected toward achieving the desired results.
Key Accomplishments Over the Past Year

IRS' key accomplishments over the last year include the following:

In October 2000, IRS largely completed its transition to a new organizational structure centered on four customer-focused operating divisions. 17 In a process that the Commissioner likened to putting together a giant jigsaw puzzle with literally thousands of pieces, IRS put the new organization in place without significant effect on its processing of millions of returns this filing season.

In January 2001, IRS published a strategic plan for fiscal years 2000 to 2005. In laying out the IRS mission, strategic goals, and objectives, the plan is consistent with the management principles contained in the IRS Restructuring and Reform Act and GPRA. The plan also documents IRS' intent to achieve the balance between service and compliance that Congress sought in the restructuring Act through a balanced set of goals, associated objectives, and measures. We believe that they represent progress, especially at the organization-wide level, in the challenging task of revamping IRS' performance management system. 18 Critically, IRS has not approached this strategic planning process as a mere paperwork exercise. Instead, the Commissioner and senior staff have been very much involved in the strategic planning process and intend that the strategic plan be a guide to transforming IRS.

17 The operating divisions are (1) Wage and Investment, for individual taxpayers, headquartered in Atlanta; (2) Small Business/Self-Employed, for fully or partially self-employed taxpayers and small businesses with assets of less than $5 million, headquartered in New Carrollton, MD; (3) Large and Mid-Size Business, serving corporations and partnerships with at least $5 million in assets, headquartered in Washington, DC; and (4) Tax-Exempt/Government Entities, serving government entities, exempt organizations, and employee plans, headquartered in Washington, DC.
Recognizing that the entire institution must understand and adhere to organizational goals, IRS is continuing to move forward in driving a standard performance management system throughout the agency. For example, IRS implemented a strategic-level planning and budgeting process designed to reconcile its many critical and competing priorities and initiatives with the realities of its available resources. In addition, IRS has substantially developed a set of organizational performance measures for the goals and objectives in its strategic plan. Last year, IRS also made progress by aligning its performance evaluation system for managers with its balanced measurement system, to clearly link their work to the mission and goals of the agency. Further, IRS is beginning this year to hold managers accountable with a performance-based pay system.

18 IRS Modernization: IRS Should Enhance Its Performance Management System (GAO-01-234, February 23, 2001).

Improved Taxpayer Services and Compliance Activities Hinge on Completion of Management Improvements

The progress IRS has made in reorganizing into taxpayer-focused divisions and in instituting its performance management system, while notable, is incomplete. IRS must follow through by completing the framework it has established and designing and implementing business practice changes that result in improvements that taxpayers can see. Examples of the continuing challenges facing IRS in instituting its new performance management system include the following:

The performance management system is most fully developed at the organization-wide level, is less well developed at the division level, and is weakest at the front-line level, where interactions with taxpayers occur. IRS' performance management plan calls for each operating division to have complementary goals, objectives, and measures, and for front-line managers to develop plans identifying the actions they need to take to support operational objectives.
While, at the division level, we found that most goals were clearly stated, 19 most operating objectives were not specific, measurable, or outcome- or output-oriented. Further, a large number of operating measures and indicators were not directly linked to objectives. The action items in the plans developed by front-line managers were clearly stated and consistent with IRS' mission, but 91 percent of the items we reviewed were not specific, measurable, and outcome- or output-oriented.

19 Goals should (1) clearly articulate the divisions' future direction, (2) indicate the expected impact of achieving the goal, and (3) provide a clear basis for establishing objectives.

While IRS has revamped its evaluation system for managers, it still needs to similarly align its evaluation system for front-line employees. This will require tailoring the performance standards for employee groups to what is appropriate and measurable in their units, and to align those performance standards to encourage behavior that contributes to the three strategic goals. IRS intends to have this evaluation system implemented by October 1, 2001.

Although IRS has recognized the need for information to assess whether its various methods of encouraging voluntary compliance with our tax system are achieving results, it has not yet developed a plan for obtaining that information. IRS has experienced a significant decline in the use of tax collection tools, such as liens or levies. Similarly, the audit rate for individual taxpayers has declined precipitously over the past several years. These declines raise concerns that taxpayers' confidence will be shaken in the voluntary compliance foundation of our tax system, which could adversely affect overall compliance. For instance, voluntary compliance could suffer if taxpayers come to believe that others are not paying their fair share of taxes.
On the other hand, IRS continues to use other techniques to review tax returns for the accurate and complete reporting of income and tax liabilities. It also has increased emphasis on providing better service so taxpayers can understand their tax responsibilities and more readily comply. However, because IRS does not have a current measure of voluntary compliance, it is unable to assess the net effect of these factors on the level of voluntary compliance and how best to improve compliance levels. In part because IRS lacks these fundamental data on compliance levels, we consider unpaid taxes of which IRS is or is not aware to be a high-risk area. 20

Reorganization has provided a focus on taxpayer segments with the expectation that this will enable IRS to better understand taxpayers' needs and to modify its systems and procedures for interacting with taxpayers. Because the reorganization has just been completed, IRS generally has not yet identified those changes in its systems and procedures that may better serve taxpayers.

20 GAO-01-254, January 2001.

Managers Would Benefit From Use of Performance Management Principles in Making Programmatic Decisions

Although managers are vital to translating IRS' goals and objectives into actions that make a difference, they have not consistently revised their programmatic decisionmaking in line with performance management principles. The following examples illustrate our concern that managers often do not adhere to these principles:

As mentioned, front-line managers' action plans developed to support operational goals were the weakest link in the overall performance management system. The lack of guidance to managers about how to develop this initial round of action items may partly explain the problems.
Nevertheless, unfocused and unmeasurable plans could be a significant impediment to IRS' intent to align managers' and core employees' performance expectations with organizational goals and objectives and to hold them more explicitly accountable for helping IRS achieve them. The very high portion of action items that were not specific, measurable, or outcome- or output-oriented also raises concerns about whether managers are yet adhering to IRS' performance management system.

In the telephone service area, IRS lacked long-term goals for the level of telephone service to be provided to taxpayers, as well as annual goals designed to make progress toward achieving long-term improvement. 21 Such goals are essential for guiding the development of strategies and the identification of resources needed to achieve substantive performance improvements. Further, IRS has made several changes to the performance measures that it uses for its telephone service operations and, while each may have merit, the lack of continuity in performance measures may undermine IRS' ability to identify performance trends and factors that may be influencing those trends.

21 IRS Telephone Assistance: Opportunities to Improve Human Capital Management (GAO-01-144, January 30, 2001).

Finally, as mentioned, IRS' financial management systems fail to provide the real-time cost data that managers need in order to make informed decisions about the efficiency of their programs and appropriate staffing levels.

BUSINESS SYSTEMS MODERNIZATION

We turn now to business systems modernization (BSM), IRS' multiyear program to put in place the technology that will support revamped business processes. This multi-billion-dollar program, which began a little over 2 years ago and has thus far received congressional approval to obligate about $450 million, 22 is vital to achieving IRS' new, customer-focused vision and enabling it to meet performance and accountability goals.
BSM consists of a number of new systems acquisition projects that are at differing stages of being acquired and implemented, as well as various program-level initiatives intended to establish the capacity for IRS to effectively manage the projects.

22 IRS requested and the Congress established a multiyear systems modernization account and funded it with approximately $578 million via IRS' fiscal year 1998, 1999, and 2001 appropriations acts. To date, IRS has received approval from the Congress to obligate about $450 million from the account.

We have long held, and communicated to IRS, the importance of establishing sound management controls to guide its systems acquisition projects; to its credit, IRS has made important progress in this area. Nevertheless, IRS is starting to let project acquisitions get perilously ahead of controls, proceeding in some cases with detailed systems design and development without having the capacity in place to help ensure that projects perform as intended and are completed on time and within budget. We remain concerned that at these later stages in systems' life cycles, the risk of rework due to missing modernization management controls increases, both in terms of probability and impact. Given that IRS expects to totally exhaust most of the congressionally-approved BSM funding by mid-November 2001, and thus is seeking additional money for fiscal year 2002, this is a good time to ensure that the overdue modernization management controls are emphasized as a BSM priority.

Beginning in 1995, when IRS was involved in an earlier attempt to modernize its tax processing systems, and continuing since then, we have made recommendations to implement fundamental modernization management capabilities before acquiring new systems; we concluded that until these controls were in place, IRS was not ready to invest billions of dollars in building modernized systems. 23 While IRS has since taken steps that have partially addressed our set of recommendations, important ones remain unfulfilled to this day. In general, the areas in which we found controls to be lacking and made recommendations to fill these voids fell into five interrelated and interdependent IT management categories, as shown in figure 2: investment management, system life-cycle management, enterprise architecture management, software acquisition management, and human capital management.

23 Tax Systems Modernization: Management and Technical Weaknesses Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995).

Figure 2: Categories of Management Controls Needed for Modernization Capability.

[Figure 2 labels: Investment Management; Life-Cycle Management; Enterprise Architecture Management; Human Capital Management; Acquisition Management; Modernization Management Capability.]

In December 1998, IRS hired a systems integration support contractor to, among other things, help it develop and implement these program capabilities. Subsequently, the Commissioner adopted a modernization strategy that appropriately required, for example, (1) the use of incremental investment decisionmaking, (2) adherence to a rigorous systems and software life-cycle management method, and (3) development and implementation of an enterprise architecture or modernization blueprint to guide and constrain the content, sequencing, and integration of systems investments. This approach, however, included the simultaneous development of these kinds of program-level management capabilities while also proceeding with project acquisition, in anticipation that program controls would be in place and functioning when these projects reached their later, less formative stages. Figure 3 illustrates this approach.

Figure 3: Concurrent Development of Program-Level Controls and Projects.
[Figure 3 labels: Selected Key Projects (CAP, STIR, e-Services, CADE); Program Management Capability (ELC (Acquisition and Investment Management), Program Management Office, Enterprise Architecture); timeline marks 1/99, 1/00, 1/01, 4/01, 9/01, with an "IRS is here" marker; legend: denotes beginning of detailed design and development; denotes issuance of key enterprise architecture versions.]

During BSM's first 18 months, progress in implementing these management controls was slow, while at the same time project acquisitions moved rapidly. At that time we reported to IRS' Senate and House appropriations subcommittees that projects were getting ahead of the modernization management capacity that needed to be in place to manage them effectively; the cart was getting ahead of the horse. In response to our concerns and the subcommittees' direction, IRS appropriately pulled back on the projects and gave priority to implementing needed management capacity.

Despite this shaky start to the modernization, IRS has since made important progress in its modernization management capacity. For example, last year we reported that IRS (1) largely defined and implemented its system life-cycle methodology that incorporates software acquisition and investment management processes, (2) defined program roles and responsibilities of IRS and its modernization contractor and began relating with the contractor accordingly, (3) began formally managing modernization risks in an effort to proactively head off problems, and (4) made progress toward producing the first release of its enterprise architecture. 24 In addition, we recently reported that IRS had taken steps to address our recommendations aimed at strengthening management of individual BSM projects. 25 For instance, it started to manage the Custodial Accounting Project 26 as an integral part of the modernization program.
On another project, the Security and Technology Infrastructure Release, 27 IRS assessed security threats and vulnerabilities, analyzed the resulting risk in terms of probable impact, and planned to reevaluate project requirements in light of this risk analysis. Recently, IRS hired experienced technical and managerial executives, and augmented existing modernization staff with experienced IRS information systems personnel.

24 Tax Systems Modernization: Results of Review of IRS' Third Expenditure Plan (GAO-01-227, January 22, 2001).

25 See, for example, IRS' Custodial Accounting Project (GAO-01-444R, March 16, 2001) and GAO-01-227, January 22, 2001.

26 CAP is expected to provide a single data repository of taxpayer accounts and tax payments as well as related tax revenue accounting and reporting capabilities. IRS also plans for CAP to, among other things, automatically reconcile accounts and payments, post updates to IRS' general ledger, and produce revenue accounting reports.

27 This project is the common integrated infrastructure to support and enable modernization business systems applications. As designed, it consists of a combination of custom and commercial off-the-shelf software, hardware, and security solutions, integrated to form the technical foundation upon which modernized business systems applications will operate.

We are concerned, however, because projects are entering critical stages without certain essential management controls in place and functioning. In particular, in our ongoing work for IRS' appropriations subcommittees, we found that IRS is proceeding with building systems, including detailed design and software development work, before it has implemented two key management controls. First, IRS has yet to develop a sufficiently defined version of its enterprise architecture to effectively guide and constrain acquisition of modernization projects. Second, it has not yet implemented rigorous, disciplined configuration management practices.
Both of these are requirements of IRS' own systems life-cycle methodology and are recognized best practices of successful public and private-sector organizations. This increases the risk of cost, schedule, and performance shortfalls. We have discussed these missing controls with the Commissioner and his BSM executives; they have stated that they plan to have them in place by the end of this June.

Timing is critical. While the lack of controls can be risky in projects' early stages, it introduces considerably greater risk when these projects enter design and development. To mitigate this added risk, IRS needs to fully implement the remaining management controls that we have recommended. Figure 4 illustrates the growing risk that accompanies project development in its later stages.

Figure 4: Increasing Risk Associated With Inadequate Controls at Later Stages of Project Development.

The timing of this hearing is appropriate for ensuring that IRS implements the remaining needed modernization management controls. While the Congress has appropriated about $578 million for the program to date, it also took steps to limit the agency's ability to obligate funds until certain controls were in place by establishing a multiyear capital account, the IT Investments Account, to fund IRS systems modernization initiatives. IRS has received about $450 million of this total, and has submitted a plan to the Congress to spend the remainder over the next 7 months. In addition, IRS plans to include $396 million in funding for BSM in its upcoming fiscal year 2002 budget request. This is, then, an opportune time to ensure that the agency addresses these outstanding risks as a condition of future funding.
[Figure 4 labels: Selected Key Projects (CAP, STIR, e-Services, CADE); Program Management Capability (ELC (Acquisition and Investment Management), Program Management Office, Enterprise Architecture); timeline marks 1/99, 1/00, 1/01, 4/01, 9/01, with an "IRS is here" marker; Execution Risk; legend: denotes beginning of detailed design and development; denotes issuance of key enterprise architecture versions.]

CONCLUSION

Change is never smooth, easy, or quick. We understand that the four areas that we have discussed are part of IRS' decade-long effort to transform itself into a more reliable, accountable, customer-focused organization. It has clearly made important progress toward that end. We have made many recommendations over the years to assist the agency in this goal, and several have been implemented. We have worked closely with IRS officials, and will continue to do so. As IRS moves forward from building the foundations for change to implementing new processes and systems that directly improve service to taxpayers, the potential rewards grow, but so does the risk of failing to realize the transformation everyone desires.

Our theme today is simple. Make sure the foundation is strong so the structure will endure. Yet while building the new, don't neglect to maintain and make prudent near-term improvements to existing systems and processes.

- - - - -

Mr. Chairman, that concludes our statement. We would be pleased to respond to any questions that you or other members of the Subcommittee may have at this time.