Internal Revenue Service: Progress Continues But Serious	 
Management Challenges Remain (02-APR-01, GAO-01-562T).		 
								 
This testimony discusses the management challenges that continue 
to face the Internal Revenue Service (IRS). These challenges	 
include (1) computer security, (2) financial management, (3)	 
organizational modernization and performance management, and (4) 
business systems modernization management. IRS must make progress
in all four areas to realize the modernization effort's full	 
potential to improve IRS' efficiency and to significantly improve
service to taxpayers. IRS has taken important steps in all of	 
these areas, but significant obstacles remain. In the area of	 
computer security, IRS corrected a significant number of	 
previously reported weaknesses, and is implementing a computer	 
security management program that should help it manage its risks 
in this area. However, serious weaknesses remain in this area	 
that could impair IRS' ability to perform vital functions. In	 
financial management, IRS this year was able to prepare financial
statements that received an unqualified opinion. However, this	 
achievement came through the use of substantial, costly, and	 
time-consuming processes to work around IRS' system deficiencies.
Looking at IRS' structure, IRS has reorganized into four	 
taxpayer-focused divisions and developed a performance management
approach consistent with management principles contained in the  
IRS Restructuring and Reform Act and the Government Performance  
and Results Act. However, much work remains to be done in	 
completing the foundation and in designing and implementing	 
business practice changes that noticeably improve service to	 
taxpayers and IRS' efficient administration of the tax system.	 
Finally, in terms of business systems modernization, IRS has made
important progress in developing and implementing fundamental	 
modernization management controls, but considerable work remains.
								 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-01-562T					        
    ACCNO:   A00723						        
    TITLE:   Internal Revenue Service: Progress Continues But Serious 
             Management Challenges Remain                                     
     DATE:   04/02/2001 
  SUBJECT:   Tax administration systems 			 
	     Computer security					 
	     Federal agency reorganization			 
	     Information resources management			 
	     Systems conversions				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-01-562T

INTERNAL REVENUE SERVICE

Progress Continues But Serious Management Challenges Remain Statement of
Robert F. Dacey Director, Information Security Issues

Michael Brostek Director, Tax Issues

Randolph C. Hite Director, Information Technology Systems Issues

Steven J. Sebastian Acting Director, Financial Management Issues

United States General Accounting Office

GAO Testimony Before the Subcommittee on Government Efficiency,

Financial Management, and Intergovernmental Relations, Committee on
Government Reform, House of Representatives

For Release on Delivery Expected at 2 p. m. EDT Monday, April 2, 2001

GAO- 01- 562T

Mr. Chairman and Members of the Subcommittee: We are pleased to be here this
afternoon to discuss the management challenges that continue to face the
Internal Revenue Service (IRS). At your request, our statement today will
cover four areas: (1) computer security, (2) financial management, (3)
organizational modernization and performance management, and (4) business
systems modernization management.

Although we will address each of these areas individually, IRS' efforts in
all four areas are interrelated and interdependent. IRS must make progress
in all four areas to realize the modernization effort's full potential to
improve IRS' efficiency and to significantly improve service to taxpayers.
IRS has taken important steps in all of these areas. Yet along with
improvements, significant obstacles remain. We have designated IRS financial
management and information systems modernization as high risk, along with
information security on a governmentwide level. 1

The challenges that face IRS are longstanding and systemic management
problems; they are challenges that require both short- and long-term
solutions. While long-term solutions depend heavily on successful business
systems modernization, short-term solutions can be implemented in many
areas. We have made many recommendations to address these areas. Our
statement today will make the following points:

1 High-Risk Series: An Update (GAO-01-263, January 2001), Major Management
Challenges and Program Risks: Department of the Treasury (GAO-01-254,
January 2001), and Major Management Challenges and Program Risks: A
Governmentwide Perspective (GAO-01-241, January 2001).

2 In the area of computer security, IRS corrected a significant number of
previously reported

weaknesses, and is implementing a computer security management program that
should, when fully implemented, help it manage its risks in this area.
However, significant security weaknesses continue to exist in IRS' computing
environment. These weaknesses could impair IRS' ability to perform vital
functions and increase the risk of unauthorized disclosure, modification, or
destruction of taxpayer data. To illustrate, we will today be discussing the
agency's electronic filing (e-file) program, pointing out several areas
where controls 2 necessary to ensure security and privacy of e-file systems
and data were not in place during last year's tax filing season.

In financial management, IRS this year was able to prepare financial
statements that received an unqualified opinion, meaning that they were
fairly presented. However, this achievement came through the use of
substantial, costly, and time-consuming processes to work around serious
systems and control deficiencies to produce financial statements that
present information for just a single point in time. This approach does not
provide for timely, useful, and reliable information to assist in managing
the day-to-day operations of the agency, which was the intent of the Chief
Financial Officers Act of 1990 and other important reform legislation
enacted in the last decade.

2 Internal control refers to IRS' plan of organization and all methods and
measures it uses to monitor assets, prevent fraud, minimize errors, verify
the correctness and reliability of accounting data, promote operational
efficiency, and ensure that established managerial policies are followed.
This encompasses all controls over access to computer systems and the data
they process, and IRS ' management controls over its organizational changes
and systems modernization.

3 While IRS has made some progress in addressing these issues, our audit of
its fiscal year

2000 financial statements continued to identify several material internal
control weaknesses and other reportable issues in addition to computer
security. 3 These weaknesses and issues relate to (1) management of unpaid
tax assessments; (2) identification and collection of unpaid taxes; (3)
refunds; (4) taxpayer receipts and data; (5) administrative activities,
including accountability for property and equipment and budgetary resources;
and (6) financial reporting. These financial management issues affect IRS'
ability to routinely report reliable information for decision-making and
have led to both increased taxpayer burden and lost revenue to the federal
government, thus affecting IRS' ability to effectively fulfill its
responsibilities as the nation's tax collector. IRS continues to work to
address these issues, and was able to fully resolve one longstanding
material internal control weakness in fiscal year 2000. Nonetheless,
continued efforts are needed to devise lasting solutions to IRS' financial
management challenges. Some of these solutions can be achieved in the short
term; others are longer term in nature, as they are dependent on the
successful modernization of IRS' information systems.

Looking at IRS' structure, the agency has reorganized into four
taxpayer-focused divisions and developed a performance management approach
consistent with management principles contained in the IRS Restructuring and
Reform Act and the Government Performance and Results Act of 1993 (GPRA).
IRS' progress in reorganizing around taxpayer-focused operating divisions
and developing a new performance management approach begins laying the
foundation for the next step in IRS' structural modernization-making
substantive business practice changes that could significantly improve its
efficiency and service to 3 Financial Audit: IRS' Fiscal Year 2000 Financial
Statements (GAO-01-394, March 1, 2001).

4 taxpayers. However, much work remains to be done in completing the
foundation and in

designing and implementing business practice changes that noticeably improve
service to taxpayers and IRS' efficient administration of the tax system.
Further, although the role of managers in translating IRS' goals and
objectives into actions that make a difference is vital, managers do not
appear to have consistently revised their programmatic decisionmaking in
line with performance management principles.

Finally, in terms of business systems modernization, we have long held that
IRS needs to establish fundamental modernization management controls before
it begins to build and implement modernized systems, and we have made
recommendations to this end dating back to 1995. IRS has made important
progress in developing and implementing these capabilities, but it is still
not where it needs to be. We are therefore concerned that IRS is allowing
its system acquisition projects to get ahead of its capabilities for
managing them and ensuring that modernized systems deliver promised value,
on time and within budget. While allowing acquisition and building
management controls to proceed concurrently introduces an element of risk
when systems acquisition projects are in their early, formative stages, the
risk is considerably greater when these projects enter their later phases
(detailed design and development). At these later junctures in the projects'
life cycles, system rework, due to not employing disciplined modernization
management controls, is much more expensive and time-consuming than it is
earlier. Given that IRS needs additional money to invest further in the
modernization, both near-term and longer term, and is seeking congressional
approval of these funding needs, this is an opportune time to ensure that
IRS addresses these risks.

We will now discuss each of these areas in greater detail.

5 COMPUTER SECURITY

As a major steward of personal taxpayer information, IRS has a demanding
responsibility in collecting taxes, processing returns, and enforcing the
nation's tax laws. In conducting its work, IRS must obviously depend to a
great extent on interconnected computer systems. Due to the nature of its
mission, IRS collects and maintains a significant amount of personal and
financial data on each American taxpayer. These data typically include the
taxpayer's name, address, social security number, dependents, income,
deductions, and expenses. The confidentiality of this sensitive information
is important because, should this information be disclosed to unauthorized
individuals, American taxpayers could be exposed to a loss of privacy and to
financial loss and damages resulting from identity theft and financial
crimes.

Computer security is an important consideration for any organization that
depends on information systems and computer networks to carry out its
mission or business. However, without proper safeguards, systems and
networks pose enormous risks that make it easier for individuals and groups
with malicious intent to intrude into inadequately protected systems and use
such access to obtain sensitive information, commit fraud, disrupt
operations, or launch attacks against other computer networks and systems.
And the number of individuals with the skills to accomplish this is
increasing; intrusion-or hacking-techniques are readily available and
relatively easy to use.

6 During fiscal year 2000 we continued to find serious weaknesses with
general controls designed

to protect IRS' computing resources from unauthorized use, modification,
loss, and disclosure. IRS did not have adequate controls to

prevent or detect unauthorized access to data processing facilities,
computer networks, and systems; segregate systems administration and
security administration responsibilities; optimally configure software to
guarantee security and integrity of programs, files, and data; sufficiently
plan and test actions necessary to restore critical business systems
following unexpected occurrences; and monitor key networks and systems to
identify unauthorized activities.

In addition, internal controls over key computer applications used by IRS
personnel do not provide adequate assurance that access to taxpayer data is
granted only to those authorized to have it. Such weaknesses increase the
risk that data processed by IRS' computer systems are not reliable and
remain vulnerable to unauthorized disclosure.

Although IRS corrected a significant number of computer security weaknesses
cited in our previous reports, and is implementing a computer security
management program that should, when fully implemented, help it better
manage its risks in this area, we again reported computer security as a
material weakness 4 in our review of IRS' fiscal year 2000 financial
statements. 5

4 A material weakness is a condition that precludes an entity's internal
control from providing reasonable assurance that material misstatements in
its financial statements would be prevented or detected on a timely basis. 5
GAO-01-394, March 4, 2001.

7 We recently examined the effectiveness of key computer controls designed
to ensure the

security, privacy, and reliability of IRS' electronic filing systems and
electronically filed taxpayer data during last year's tax filing season. Our
recent report discusses the computer control weaknesses that we found, along
with actions that IRS states that it took to correct these weaknesses prior
to this year's tax filing season. 6 What we have found to date concerning
IRS'

e-file program can illustrate the challenges that many organizations are
facing. IRS' E-file Program Electronic filing of income tax returns offers
benefits to both taxpayers and IRS. IRS reports that taxpayers receive
refunds faster and believes that electronic filing improves accuracy,
decreases processing costs, and ensures the security and privacy of taxpayer
data. We found, however, that during last year's tax filing season, IRS did
not effectively implement computer controls to ensure the security and
privacy of its electronic filing systems and electronically transmitted
taxpayer data.

E-file is a major IRS initiative, and the number of individuals filing
returns electronically is increasing. IRS reported that during 2000, over 35
million individual taxpayers filed their returns electronically-about 20
percent more than the previous year. In total, the number of e- file
individual returns represented about 28 percent of all individual returns
filed during 2000. The IRS Restructuring and Reform Act of 1998 established
a goal that 80 percent of all tax and information returns-business as well
as individual-be filed electronically by 2007.

6 Information Security: IRS Electronic Filing Systems (GAO-01-306, February
16, 2001).

8 In an attempt to meet this goal, IRS has aggressively marketed the e-file
program and has

authorized private firms and individuals to be e-file trading partners.
These partners include (1) electronic return originators, who prepare
electronic tax returns for taxpayers; (2) intermediate service providers,
who assist in processing tax returns; and (3) transmitters, who transmit the
electronic portion of a return directly to IRS. Except for telefile
taxpayers who file their returns using telephones, IRS does not allow
individual taxpayers to transmit electronic tax returns directly to the
agency; they must use the services of an IRS trading partner. Figure 1
demonstrates the path that an electronically filed tax return takes from the
taxpayer to IRS.

Figure 1: E-file: 2000 Tax Filing Season. During last year's tax filing
season, IRS did not implement adequate computer controls to ensure the
security, privacy, and reliability of its electronic filing systems and the
electronically

9 transmitted tax return data that those systems contained. We demonstrated
that individuals, both

internal and external to IRS, could gain unauthorized access to IRS'
electronic filing systems and view, modify, copy, or delete taxpayer data.
Our successful access did not require sophisticated techniques. Last May,
for example, we were able to access a key electronic filing system using a
common handheld computer. We could gain such access because IRS at that time
had not

effectively restricted external access to computers supporting the e-file
program through effective perimeter defenses; securely configured its e-file
operating systems, which used several risky and unnecessary services;
implemented adequate password management and user account practices (for
example, we successfully guessed many passwords and noted user IDs and
passwords posted conspicuously on a monitor); sufficiently restricted access
to computer files and directories containing tax return and other data (for
example, all users had the ability to modify numerous sensitive data and
system files, and certain users with no “need to know” had
access, contrary to IRS policy); or used encryption to protect tax return
data on e-file systems (as is required by IRS' Internal Revenue Manual).

Further, these weaknesses jeopardized the security of sensitive business,
financial, and taxpayer data on other critical IRS systems that were
connected to e-file computers through its servicewide network because IRS
personnel turned off (bypassed) network control devices that were intended
to provide security between e-file and other IRS systems. While IRS stated
that it

10 did not have evidence that such intrusions had actually occurred or that
intruders had accessed or

modified taxpayer data, the agency did not have adequate procedures to
detect such intrusions if they had occurred. For example, it did not (1)
record certain key events in system audit logs, (2) regularly review those
logs for unusual or suspicious events or patterns, or (3) deploy software to
facilitate the detection and analysis of logged events. Consequently, IRS
did not recognize or record much of the activity associated with our tests.

These serious access control weaknesses existed because IRS had not taken
adequate steps during the 2000 tax filing season to ensure the ongoing
security of electronically transmitted tax return data on its e-file
systems. For example, IRS had not followed or fully implemented several of
its own information security policies and guidelines when it developed and
implemented controls over its electronic filing systems. It decided to
implement and operate its

e-file computers before completing all of the security requirements for
certification and accreditation. 7 Further, IRS had not fully implemented a
continuing program for assessing risk and monitoring the effectiveness of
security controls over its electronic filing systems.

According to IRS officials, the agency moved promptly to correct the access
control weaknesses we identified prior to the current tax filing season. It
developed plans to improve security over its electronic filing systems and
internal networks, and said that it has substantially implemented those
plans. In his response to our report, the Commissioner said that
“electronic filing systems now satisfactorily meet critical federal
information security requirements to provide strong

7 Accreditation is the formal authorization for system operation and is
usually supported by certification of the system's security safeguards,
including its management, operational, and technical controls. Certification
is a formal review and test of a system's security safeguards to determine
whether or not they meet security needs and applicable requirements.

11 controls to protect taxpayer data.” Sustaining effective computer
controls in today's dynamic

computing environment will require top management attention and support,
disciplined processes, and continuing vigilance. We will assess the
effectiveness of IRS' corrective actions as part of our normal follow-up
review.

Application controls also need to be designed and implemented to ensure the
reliability of data processed by the systems. IRS believes that
electronically filed tax returns are more accurate than paper returns, and
has implemented many application controls designed to enhance the
reliability of data processed by its electronic filing systems. However, we
identified additional opportunities to strengthen application controls for
IRS' processing of electronic tax return data. Based on agency statistics,
IRS processed electronic tax returns and paid refunds of about $2.1 billion
without receiving required authenticating signatures or electronic personal
identification numbers (PINs) from taxpayers. Data validation and editing
controls did not detect certain erroneous or invalid data that could occur
in tax returns. In addition, weaknesses in software development controls
increased the risk that programmers could have made unauthorized changes to
software programs during the 2000 tax filing season.

Further, taxpayers who filed electronically may not have been aware that
transmitters, who actually send the data to IRS and may be unknown to the
taxpayer, could have viewed and modified their data and that such data are
transmitted to IRS in clear text-human readable form. This is because IRS
decided (1) not to allow taxpayers to file most electronic returns directly
to IRS, (2) to require taxpayers who elected to file electronically to use
the services of third-party transmitters, and (3) not to accept electronic
tax returns in encrypted form. In addition, taxpayers

12 may not have been aware that IRS has no assurance of the security of its
e-file trading partner

systems. Other than providing guidance about protecting certain passwords,
IRS did not prescribe minimum computer security requirements for
transmitters and did not assess or require an independent assessment of the
effectiveness of computer controls within the transmitters' operating
environment.

We provided specific technical recommendations to improve access controls
over IRS electronic filing systems and networks. We also recommended that
IRS complete the certification and accreditation of its electronic filing
systems, assess security risks and routinely monitor the effectiveness of
security controls over electronic filing systems, improve certain data
reliability and integrity controls, and notify taxpayers of the privacy
risks of filing electronically. IRS agreed with our recommendations and
stated that it implemented most of the improvements, including correcting
critical vulnerabilities, before this year's tax filing season; it further
stated that the actions it has taken demonstrate a systematic, risk-based
approach to correcting identified weaknesses. Such an approach will continue
to be important in ensuring that corrective actions are effective on a
continuing basis and that new risks are promptly identified and addressed.

13 FINANCIAL MANAGEMENT

IRS' financial management has long been problematic. In fiscal year 2000, it
continued to be plagued by many of the serious internal control and
financial management issues we have been reporting each year since 1992. 8
Despite these issues, as we recently reported, 9 IRS was able to produce, in
fiscal year 2000, combined financial statements encompassing both its tax
custodial and administrative activities that were, for the first time,
fairly stated in all material respects. 10 This achievement was the
culmination of 2 years of extraordinary work on the part of IRS to develop
compensating processes to work around its serious systems and control
weaknesses to derive reliable year-end financial statement balances.

IRS' approach entailed costly, time-consuming processes, statistical
projections, external contractors, substantial adjustments, and monumental
human efforts that were not completed until over 4 months after the end of
the fiscal year. Although this approach resulted in IRS' being able to
report reliable fiscal year 2000 balances in its financial statements, it
cannot achieve the central objective of the Chief Financial Officers' Act of
1990, which is to provide managers with the current, reliable information
they need for day-to-day decisionmaking. In addition, this approach does not
address the underlying financial management and operational

8 Internal Revenue Service: Recommendations to Improve Financial and
Operational Management (GAO-01-42, November 17, 2000). 9 GAO-01-394, March
1, 2001. 10 In fiscal year 1997, IRS received-for the first time-unqualified
audit opinions on separate financial statements,

covering its tax custodial activities (by us) and its administrative
activities (by the Department of the Treasury's Office of Inspector
General). In fiscal year 1998, IRS combined its tax custodial and
administrative activities in one set of financial statements. We were able
to determine in fiscal years 1998 and 1999 that the taxes receivable balance
reported on the balance sheet and the tax revenue and refunds reported in
the Statement of Custodial Activity were fairly stated.

14 issues that adversely affect IRS' ability to effectively fulfill its
responsibilities as the nation's tax

collector. The tremendous commitment on the part of both IRS senior
management and staff was key to IRS' ability to achieve its goal of
receiving an unqualified audit opinion on its financial statements for
fiscal year 2000. However, these costly and time-consuming efforts would not
be necessary if IRS' systems and controls operated effectively. IRS' current
financial management systems do not comply with federal financial management
systems requirements, federal accounting standards, or the U.S. Government
Standard General Ledger at the transaction level. Consequently, they do not
substantially comply with the Federal Financial Management Improvement Act
of 1996. Until IRS implements financial management systems that meet this
standard and otherwise strengthens its internal controls, it will continue
to be dependent on its workaround processes and heroic efforts to enable it
to sustain an unqualified opinion on its financial statements.

IRS has laid the groundwork for sustainable improvement in several critical
areas, and is taking action to address several of the management issues we
have raised. However, it continues to have major financial management and
operational problems, many of which will require a sustained, long-term
commitment of resources, proactive involvement by senior management,
and-ultimately-the successful modernizing of its financial and operational
systems.

We would now like to summarize the major financial management challenges
confronting IRS.

15 Management of Unpaid Tax Assessments

IRS continues to have serious internal control deficiencies that affect its
management of unpaid tax assessments. 11 IRS still lacks a subsidiary ledger
that tracks and accumulates unpaid tax assessments on an ongoing basis. As a
consequence, it must rely on specialized computer programs to extract unpaid
tax assessment information from its master files-its only detailed databases
of taxpayer account information-and then subject this information to
statistical sampling procedures in order to prepare its financial
statements. However, this process takes months to complete and requires tens
of billions of dollars in adjustments to correct misclassifications and
eliminate duplications in order to produce a reliable balance at a single
point in time. Additionally, IRS' automated records used in this process
continued to contain errors. Finally, significant delays were encountered in
recording activity in taxpayer accounts. These conditions continued to
result in unnecessary taxpayer burden and lost opportunities to collect
outstanding taxes owed during fiscal year 2000. For example:

IRS continued to lack the ability to effectively link related taxpayer
accounts so that payments made by one taxpayer are properly applied to
reduce the tax liability of a related taxpayer. In 29 of the 68 unpaid
payroll tax cases we reviewed (43 percent), payments were not accurately
recorded to reduce the tax liabilities of all related taxpayers. In some

11 Unpaid tax assessments consist of (1) taxes due from taxpayers for which
IRS can support the existence of a receivable through taxpayer agreement or
a favorable court ruling (federal taxes receivable); (2) compliance
assessments where neither the taxpayer nor the court has affirmed that the
amounts are owed; and (3) write-offs, which represent unpaid assessments for
which IRS does not expect further collections due to factors such as the
taxpayer's death, bankruptcy, or insolvency. Of these three classifications,
only the first is reported on the principal financial statements. As of
September 30, 2000, IRS reported $22 billion (net of an allowance for
doubtful accounts of $59 billion), $30 billion, and $129 billion in these
three categories, respectively.

16 instances, we identified delays of up to 12 years in recording payments
to all related taxpayer

accounts, and in other instances payments were still not properly reflected,
despite the fact that the payments were made in the late 1980s. IRS
continued to experience significant delays and errors in recording other
information in taxpayer accounts. In one case, it erroneously recorded a $68
million payment to the wrong taxpayer's account, resulting in the taxpayer
who made the payment waiting nearly 2 years to receive a $7 million refund
to which the taxpayer was entitled. In two other cases, IRS' failure to
update information in taxpayer accounts resulted in refunds being paid to
individuals who should not have been paid because they had other outstanding
tax liabilities. IRS continued to experience problems in promptly releasing
liens filed against the property of taxpayers who at one time owed the
federal government for taxes but who had subsequently paid these taxes. In
one case, a taxpayer paid off his outstanding tax liability in August 1998,
yet it took IRS until March 2000-19 months later-to release the tax lien. By
law, tax liens are required to be released within 30 days of the date the
taxpayer satisfies the outstanding tax liability.

The serious internal control issues IRS continues to experience with its
unpaid assessments can lead, and have led, both to undue taxpayer burden and
lost revenue to the government. These conditions can also further erode the
confidence of the nation's taxpayers in the integrity and fairness of the
tax collection process.

17 Identification and Collection of Unpaid Taxes

Unpaid taxes includes taxes due the federal government that (1) taxpayers
have reported to IRS or that taxpayers have not reported and IRS has
identified through other means 12 and has recorded in its accounting
records, (2) taxpayers have not reported but that IRS has identified through
other means and has estimated the amount due, and (3) taxpayers have not
reported and which IRS has not identified through other means. Inherent in
the voluntary nature of the nation's tax collection system is the concept
that IRS must, to a large degree, rely on taxpayers to report their tax
liabilities. When taxpayers either intentionally or unintentionally fail to
report to IRS the full amount of taxes they owe the federal government, IRS'
ability to independently identify the taxpayers and determine the amount
they owe is inherently limited. However, IRS does not always follow up on
potential unpaid taxes it is aware of, and does not always pursue collection
of those taxes it determines are owed. For example:

Between fiscal years 1996 and 1998, IRS identified over 39 million potential
cases in which taxpayers may have understated the amount of taxes they owed
the government. Potential underreported taxes related to these cases were
estimated by IRS at over $49 billion. However, IRS investigated fewer than 9
million of these cases, with total estimated underreported taxes totaling
about $19 billion, leaving $29 billion in potential taxes uninvestigated and
thus not pursued.

12 IRS' other means of identifying unpaid taxes include its automated
matching programs, nonfiler program, and examinations.

18 As of September 30, 2000, IRS had recorded $240 billion 13 in unpaid
taxes, penalties, and

interest in its accounting records. During our audit of IRS' fiscal year
2000 financial statements, we continued to identify unpaid tax cases with
some potential for collection that were not being actively worked on by IRS.
In one case, a taxpayer with an annual income of over $110,000 owed $23,000
in unpaid taxes, but IRS was not pursuing collection.

As with any large agency, IRS is confronted with the ongoing management
challenge of allocating its limited resources among competing management
priorities. Its challenge is to determine the appropriate level of resources
needed to fulfill its mission and the most appropriate utilization of its
existing resources. However, IRS does not have the management data necessary
to prepare reliable cost-benefit analyses to assess whether its resource
allocation decisions are appropriate. Consequently, IRS is hindered in its
ability to determine if it is devoting the appropriate level of resources to
identifying and pursuing collection of unpaid taxes relative to the costs
and potential benefits involved. This lack of such data also renders IRS
unable to determine if it needs additional resources or to justify requests
for resource increases to the Congress. This increases the risk of billions
of dollars in amounts owed to the federal government going uncollected, and
the further erosion of public confidence in the tax collection system.

13 Of this amount, $129 billion represents write-offs, which are unpaid tax
assessments for which IRS does not expect further collections due to factors
such as the taxpayer's bankruptcy, insolvency, or death.

19 Controls Over Refunds

Weaknesses in IRS' controls over income tax refunds have potentially allowed
billions of dollars in improper refunds to be disbursed. Time constraints,
14 high volume, and reliance on information supplied by taxpayers affect the
options available to IRS to prevent improper refunds from being disbursed,
and the preventive controls it employs are not always effective.
Consequently, IRS relies extensively on detective controls, such as
examinations of tax returns that its screening programs have identified as
most likely to be invalid. However, these controls are often performed
months after refunds are disbursed, requiring the government to incur the
costs associated with attempting to recover these improper payments, often
unsuccessfully. For example:

Between fiscal years 1998 and 2000, IRS examiners identified invalid earned
income tax credit (EITC) claims totaling $1.9 billion that may have resulted
in the disbursement of $1.6 billion in improper refunds. In September 2000,
IRS estimated that about $9.3 billion in invalid EITC claims were filed in
tax year 1997. Based on an average refund rate of 78 percent that year, this
may have resulted in the disbursement of about $7.3 billion in improper
refunds related to EITC claims, about $6.1 billion of which (84 percent) may
never be recovered.

These weaknesses result in losses to the government potentially totaling
billions of dollars annually. They could also contribute to further erosion
of confidence by the nation's taxpayers in the integrity of the tax
collection system. 14 By statute, IRS must pay interest on refunds not paid
within 45 days of receipt or due date, whichever is later.

20 Controls Over Hard Copy Taxpayer Receipts and Data

Despite improvements during fiscal year 2000, IRS' internal controls over
cash, checks, and related taxpayer data do not adequately protect the
federal government and taxpayers from vulnerability to loss from theft and
inappropriate disclosure of proprietary taxpayer information. IRS has
significantly reduced the average amount of time it takes to obtain the
results of employee applicant fingerprint checks; further, it now requires
the use of two bonded or insured couriers to transport tax receipts to
depository institutions, and has limited courier access within service
center premises. However, significant but readily correctable weaknesses
continued to exist. For example, at IRS locations we visited as part of our
fiscal year 2000 financial audit, checks were left in open, unlocked
containers, and personal belongings of IRS' employees were allowed into
restricted areas where taxpayer receipts were being processed. These
weaknesses increase the risk that taxpayer data could be inappropriately
disclosed or receipts stolen.

New employees also continued to be allowed to handle tax receipts and
sensitive taxpayer data before IRS received and evaluated the results of
their fingerprint checks-despite a new IRS policy issued in April 2000
directly prohibiting it. Specifically, of about 19,500 employees hired
during fiscal year 2000, about a quarter-some 4,900-began working before
their fingerprint results were in. Of these 4,900 employees, 145 were hired
after the April 2000 policy memo was issued, and 776 (16 percent) were
subsequently found to have prior criminal arrests or convictions or other
potentially unsuitable backgrounds that required further review.

A related vulnerability is that this IRS policy does not apply to
individuals employed at ten commercial banks that process tax receipts for
the agency. The Department of the Treasury's

21 Financial Management Service contracts with these banks to process manual
tax receipts, but the

banks are not required to fingerprint their employees. At the two banks we
visited during our fiscal year 2000 audit, both obtained fingerprint checks
for their permanent employees, but not until after they began to work
processing tax receipts, and neither bank required fingerprint checks for
temporary employees.

As a result of these weaknesses, IRS unknowingly hired new employees with
unsuitable backgrounds and allowed them to begin working before it could
ascertain whether they were suitable for their positions. These weaknesses
subject IRS to unnecessary risk of theft or loss of tax receipts, and expose
taxpayers to increased risk of losses from financial crimes committed by
individuals who inappropriately gain access to confidential information
entrusted to IRS.

Accountability Over Administrative Accounts and Budgetary Resources During
fiscal year 2000, IRS made significant strides in correcting the weaknesses
in accountability over its administrative accounts and budgetary resources
that we reported for fiscal year 1999. 15 For example, IRS made major
improvements in its policies and procedures over its fund balance with
Treasury and amounts held in suspense. It is also working aggressively to
address issues we have raised regarding its controls over its property and
equipment and budgetary activity, but it continues to experience significant
internal control deficiencies in these areas.

15 GAO/AIMD-00-76, February 28, 2000.

22 Severe deficiencies in accountability for property and equipment have
been reported by IRS

every year since 1983. IRS lacks an integrated property management system to
appropriately record, track, and account for property and equipment
additions, disposals, and existing inventory on an ongoing basis. While IRS
has made progress in improving the timeliness and accuracy of recording such
activity in its inventory records, we continued to find significant errors
in these records. For example, IRS was unable to locate 35 of 220 items we
selected from its inventory records; these items included computers,
monitors, printers, and computer software. In addition, because of the lack
of an integrated property management system that includes reliable cost
information on each item, IRS continued to need the assistance of a
contractor to develop and implement a process to enable it to report
reliable property and equipment-related balances in its financial
statements. These weaknesses seriously impair IRS' ability to ensure that
property and equipment are properly safeguarded and utilized only in
accordance with laws, regulations, and management policy, and preclude IRS
from having information on its balance of these assets throughout the fiscal
year.

With respect to controls over IRS' budgetary activity, while we noted
substantial progress, we continued to identify deficiencies. For example,
amounts obligated when goods and services were ordered were often not
updated in a timely way to reflect their receipt. This significantly reduces
the reliability of key budgetary information IRS needs on an ongoing basis
to effectively manage its operations and ensure that its resources do not
exceed budgetary authority.

23 Financial Reporting

As noted, IRS cannot produce timely, reliable financial information for its
managers to use in making decisions. Information produced by IRS' financial
management systems is not current or accurate, and must be supplemented by
extensive, costly manual procedures that take months to complete and require
billions of dollars in corrections to derive financial statement balances
that are not available until months later and are reliable only at a single
point in time. As of September 30, 2000, fiscal year 2000 transactions
totaling over $3.7 billion were either not yet recorded in IRS' general
ledger or were recorded in the wrong account. All of these transactions had
to be either recorded or re-recorded by IRS in subsequent months in order
for it to prepare reliable financial statements. However, other information
produced by IRS based on the data provided by its financial management
system but not supplemented by these workaround procedures and material
corrections may be unreliable, and could lead to inappropriate management or
budgetary decisions stemming from incomplete, outdated, or otherwise
erroneous information.

Another problem is that IRS does not track the cost accounting information
needed to prepare cost-based performance information consistent with the
Government Performance and Results Act of 1993. IRS relies on an internal
coding structure to capture costs at a project and subproject level. Yet
during fiscal year 2000, IRS staff were not required to use these codes for
time charged to either of IRS' two largest appropriations, 16 which
collectively accounted for 74 percent of all IRS budgetary resources.
Consequently, managers did not have the basic

16 IRS' two largest appropriations are Processing Assistance and Management
and Tax Law Enforcement.

24 information they needed to prepare reliable cost-benefit data for
internal decisionmaking and for

budget justifications. Remaining Financial Management Issues While IRS'
achievement of an unqualified opinion on its fiscal year 2000 financial
statements is an important milestone, IRS continues to be challenged by
serious internal control and systems deficiencies that hinder its ability to
make this happen without heroic effort, and thereby achieve lasting
financial management improvement. IRS decisionmakers need reliable, useful,
and timely financial and performance information on an ongoing basis; this
is the goal of the Chief Financial Officers Act. IRS' achievement this year
likewise does not address the underlying financial management and
operational issues that impair its ability to effectively fulfill its
responsibilities as the nation's tax collector, nor does it provide the
public with confidence that it is performing its job fairly and
consistently.

The challenge for IRS will be to build on the goals reached in fiscal year
2000: to not only improve its compensating processes but, more importantly,
to develop and implement the fundamental long-term solutions that are needed
to address the management challenges we have identified. Some of these
solutions can be addressed in the near term through the continued efforts
and commitment of senior IRS managers and staff. Others, such as those
involving modernizing IRS' financial and operational systems, will take
years to fully achieve. Until IRS' systems and processes are overhauled and
internal controls strengthened, heroic efforts will have to be sustained for
IRS to continue to produce reliable financial statements.

25 IRS acknowledges the issues raised in our financial audits, and the
Commissioner and Deputy

Commissioner of Operations continue to pledge their commitment to addressing
these long- standing issues. We have assisted IRS in formulating corrective
actions to address its serious internal control and financial management
issues by providing recommendations over the years, and we will continue to
work with the agency on these matters.

We recognize that IRS' financial management systems were not designed to
meet current systems and financial reporting standards; we also recognize
that IRS' problems did not develop overnight. Successful implementation of
IRS' longer term efforts and resolution of the serious problems that
continue to be identified will also require substantial management
commitment, resources, and expertise. This high level of involvement by IRS
senior management has contributed greatly to IRS' successes to date. Such
commitment and involvement must continue for IRS to address the fundamental
problems it faces.

MODERNIZATION OF IRS' ORGANIZATIONAL STRUCTURE AND PERFORMANCE MANAGEMENT
SYSTEM

Just as with its computer security and financial management, IRS has made
progress in modernizing its organizational structure and its performance
management system-a system designed to assess and improve organizational and
employee performance in keeping with organizational goals. However, much
additional work needs to be done, particularly in ensuring that IRS
progresses toward its goal of incorporating performance management
principles into

26 day-to-day management. These principles include establishing performance
goals, which are

broad statements of desired outcomes; objectives, which are targets that
describe the end results to be accomplished in a given period of time; and
performance measures, which are used to gauge progress. Further, IRS expects
its managers and their work groups to routinely analyze data to determine
whether they are progressing as expected toward achieving the desired
results.

Key Accomplishments Over the Past Year IRS' key accomplishments over the
last year include the following:

In October 2000, IRS largely completed its transition to a new
organizational structure centered on four customer-focused operating
divisions. 17 In a process that the Commissioner likened to putting together
a giant jigsaw puzzle with literally thousands of pieces, IRS put the new
organization in place without significant effect on its processing of
millions of returns this filing season. In January 2001, IRS published a
strategic plan for fiscal years 2000 to 2005. In laying out the IRS mission,
strategic goals, and objectives, the plan is consistent with the management
principles contained in the IRS Restructuring and Reform Act and GPRA. The
plan also documents IRS' intent to achieve the balance between service and
compliance that Congress

17 The operating divisions are (1) Wage and Investment, for individual
taxpayers, headquartered in Atlanta; (2) Small Business/Self-Employed, for
fully or partially self-employed taxpayers and small businesses with assets
of less than $5 million, headquartered in New Carrollton, MD; (3) Large and
Mid-Size Business, serving corporations and partnerships with at least $5
million in assets, headquartered in Washington, DC; and (4) Tax-
Exempt/Government Entities, serving government entities, exempt
organizations, and employee plans, headquartered in Washington, DC.

27 sought in the restructuring Act through a balanced set of goals,
associated objectives, and

measures. We believe that they represent progress, especially at the
organization-wide level, in the challenging task of revamping IRS'
performance management system. 18 Critically, IRS has not approached this
strategic planning process as a mere paperwork exercise. Instead, the
Commissioner and senior staff have been very much involved in the strategic
planning process and intend that the strategic plan be a guide to
transforming IRS. Recognizing that the entire institution must understand
and adhere to organizational goals, IRS is continuing to move forward in
driving a standard performance management system throughout the agency. For
example, IRS implemented a strategic-level planning and budgeting process
designed to reconcile its many critical and competing priorities and
initiatives with the realities of its available resources. In addition, IRS
has substantially developed a set of organizational performance measures for
the goals and objectives in its strategic plan. Last year, IRS also made
progress by aligning its performance evaluation system for managers with its
balanced measurement system, to clearly link their work to the mission and
goals of the agency. Further, IRS is beginning this year to hold managers
accountable with a performance-based pay system.

Improved Taxpayer Services and Compliance Activities Hinge on Completion of
Management Improvements

The progress IRS has made in reorganizing into taxpayer-focused divisions
and in instituting its performance management system, while notable, is
incomplete. IRS must follow through by

18 IRS Modernization: IRS Should Enhance Its Performance Management System
(GAO-01-234, February 23, 2001).

28 completing the framework it has established and designing and
implementing business practice

changes that result in improvements that taxpayers can see. Examples of the
continuing challenges facing IRS in instituting its new performance
management system include the following:

The performance management system is most fully developed at the
organization-wide level, is less well developed at the division level, and
is weakest at the front-line level, where interactions with taxpayers occur.
IRS' performance management plan calls for each operating division to have
complementary goals, objectives, and measures, and for front-line managers
to develop plans identifying the actions they need to take to support
operational objectives. While, at the division level, we found that most
goals were clearly stated, 19 most operating objectives were not specific,
measurable, or outcome- or output-oriented. Further, a large number of
operating measures and indicators were not directly linked to objectives.
The action items in the plans developed by front-line managers were clearly
stated and consistent with IRS' mission, but 91 percent of the items we
reviewed were not specific, measurable, and outcome- or output-oriented.
While IRS has revamped its evaluation system for managers, it still needs to
similarly align its evaluation system for front-line employees. This will
require tailoring the performance standards for employee groups to what is
appropriate and measurable in their units, and to align those performance
standards to encourage behavior that contributes to the three strategic
goals. IRS intends to have this evaluation system implemented by October 1,
2001.

19 Goals should (1) clearly articulate the divisions' future direction, (2)
indicate the expected impact of achieving the goal, and (3) provide a clear
basis for establishing objectives.

29 Although IRS has recognized the need for information to assess whether
its various methods

of encouraging voluntary compliance with our tax system are achieving
results, it has not yet developed a plan for obtaining that information. IRS
has experienced a significant decline in the use of tax collection tools,
such as liens or levies. Similarly, the audit rate for individual taxpayers
has declined precipitously over the past several years. These declines raise
concerns that taxpayers' confidence will be shaken in the voluntary
compliance foundation of our tax system, which could adversely affect
overall compliance. For instance, voluntary compliance could suffer if
taxpayers come to believe that others are not paying their fair share of
taxes. On the other hand, IRS continues to use other techniques to review
tax returns for the accurate and complete reporting of income and tax
liabilities. It also has increased emphasis on providing better service so
taxpayers can understand their tax responsibilities and more readily comply.
However, because IRS does not have a current measure of voluntary
compliance, it is unable to assess the net effect of these factors on the
level of voluntary compliance and how best to improve compliance levels. In
part because IRS lacks these fundamental data on compliance levels, we
consider unpaid taxes of which IRS is or is not aware to be a high-risk
area. 20 Reorganization has provided a focus on taxpayer segments with the
expectation that this will enable IRS to better understand taxpayers' needs
and to modify its systems and procedures for interacting with taxpayers.
Because the reorganization has just been completed, IRS generally has not
yet identified those changes in its systems and procedures that may better
serve taxpayers.

20 GAO-01-254, January 2001.

30 Managers Would Benefit From Use of Performance Management Principles

in Making Programmatic Decisions Although managers are vital to translating
IRS' goals and objectives into actions that make a difference, they have not
consistently revised their programmatic decisionmaking in line with
performance management principles. The following examples illustrate our
concern that managers often do not adhere to these principles:

As mentioned, front-line managers' action plans developed to support
operational goals were the weakest link in the overall performance
management system. The lack of guidance to managers about how to develop
this initial round of action items may partly explain the problems.
Nevertheless, unfocused and unmeasurable plans could be a significant
impediment to IRS' intent to align managers' and core employees' performance
expectations with organizational goals and objectives and to hold them more
explicitly accountable for helping IRS achieve them. The very high portion
of action items that were not specific, measurable, or outcome- or
output-oriented also raises concerns about whether managers are yet adhering
to IRS' performance management system. In the telephone service area, IRS
lacked long-term goals for the level of telephone service to be provided to
taxpayers, as well as annual goals designed to make progress toward
achieving long-term improvement. 21 Such goals are essential for guiding the
development of strategies and the identification of resources needed to
achieve substantive performance improvements. Further, IRS has made several
changes to the performance measures that it

21 IRS Telephone Assistance: Opportunities to Improve Human Capital
Management (GAO-01-144, January 30, 2001).

31 uses for its telephone service operations and, while each may have merit,
the lack of

continuity in performance measures may undermine IRS' ability to identify
performance trends and factors that may be influencing those trends.
Finally, as mentioned, IRS' financial management systems fail to provide the
real-time cost data that managers need in order to make informed decisions
about the efficiency of their programs and appropriate staffing levels.

BUSINESS SYSTEMS MODERNIZATION We turn now to business systems modernization
(BSM)-IRS' multiyear program to put in place the technology that will
support revamped business processes. This multi-billion-dollar program,
which began a little over 2 years ago and has thus far received
congressional approval to obligate about $450 million, 22 is vital to
achieving IRS' new, customer-focused vision and enabling it to meet
performance and accountability goals. BSM consists of a number of new
systems acquisition projects that are at differing stages of being acquired
and implemented, as well as various program-level initiatives intended to
establish the capacity for IRS to effectively manage the projects.

22 IRS requested and the Congress established a multiyear systems
modernization account and funded it with approximately $578 million via IRS'
fiscal year 1998, 1999, and 2001 appropriations acts. To date, IRS has
received approval from the Congress to obligate about $450 million from the
account.

32 We have long held-and communicated to IRS-the importance of establishing
sound

management controls to guide its systems acquisition projects; to its
credit, IRS has made important progress in this area. Nevertheless, IRS is
starting to let project acquisitions get perilously ahead of
controls-proceeding in some cases with detailed systems design and
development without having the capacity in place to help ensure that
projects perform as intended and are completed on time and within budget. We
remain concerned that at these later stages in systems' life cycles, the
risk of rework due to missing modernization management controls increases,
both in terms of probability and impact. Given that IRS expects to totally
exhaust most of the congressionally-approved BSM funding by mid-November
2001, and thus is seeking additional money for fiscal year 2002, this is a
good time to ensure that the overdue modernization management controls are
emphasized as a BSM priority.

Beginning in 1995, when IRS was involved in an earlier attempt to modernize
its tax processing systems, and continuing since then, we have made
recommendations to implement fundamental modernization management
capabilities before acquiring new systems; we concluded that until these
controls were in place, IRS was not ready to invest billions of dollars in
building modernized systems. 23 While IRS has since taken steps that have
partially addressed our set of recommendations, important ones remain
unfulfilled to this day. In general, the areas in which we found controls to
be lacking and made recommendations to fill these voids fell into five
interrelated and interdependent IT management categories, as shown in figure
2-investment management, system life-cycle management, enterprise
architecture management, software acquisition management, and human capital
management.

23 Tax Systems Modernization: Management and Technical Weaknesses Must Be
Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26, 1995).

33 Figure 2: Categories of Management Controls Needed for Modernization
Capability.

In December 1998, IRS hired a systems integration support contractor to,
among other things, help it develop and implement these program
capabilities. Subsequently, the Commissioner adopted a modernization
strategy that appropriately required, for example, (1) the use of
incremental investment decisionmaking, (2) adherence to a rigorous systems
and software life- cycle management method, and (3) development and
implementation of an enterprise architecture or modernization blueprint to
guide and constrain the content, sequencing, and integration of systems
investments. This approach, however, included the simultaneous development
of these kinds of program-level management capabilities while also
proceeding

Investment Management Life-Cycle Management Enterprise Architecture
Management

Modernization Management

Capability

Human Capital Management

Acquisition Management

34 with project acquisition, in anticipation that program controls would be
in place and functioning

when these projects reached their later, less formative stages. Figure 3
illustrates this approach. Figure 3: Concurrent Development of Program-Level
Controls and Projects.

During BSM's first 18 months, progress in implementing these management
controls was slow, while at the same time project acquisitions moved
rapidly. At that time we reported to IRS' Senate and House appropriations
subcommittees that projects were getting ahead of the modernization
management capacity that needed to be in place to manage them
effectively-the cart was getting ahead of the horse. In response to our
concerns and the subcommittees' direction, IRS appropriately pulled back on
the projects and gave priority to implementing needed management capacity.

IRS is here

Selecte d Key Projects

CAP STIR

e-Services CADE ELC (Acquisition and Investment Management)

Program Management Office

Program Ma nagement C

ap ability

Enterpri se Archi tecture Denotes beginning of detailed design and
development Denotes issuance of key enterprise architecture versions 1/99
1/00 4/01 1/01 9/01

35 Despite this shaky start to the modernization, IRS has since made
important progress in its

modernization management capacity. For example, last year we reported that
IRS (1) largely defined and implemented its system life-cycle methodology
that incorporates software acquisition and investment management processes,
(2) defined program roles and responsibilities of IRS and its modernization
contractor and began relating with the contractor accordingly, (3) began
formally managing modernization risks in an effort to proactively head off
problems, and (4) made progress toward producing the first release of its
enterprise architecture. 24

In addition, we recently reported that IRS had taken steps to address our
recommendations aimed at strengthening management of individual BSM
projects. 25 For instance, it started to manage the Custodial Accounting
Project 26 as an integral part of the modernization program. On another
project, the Security and Technology Infrastructure Release, 27 IRS assessed
security threats and vulnerabilities, analyzed the resulting risk in terms
of probable impact, and planned to reevaluate project requirements in light
of this risk analysis. Recently, IRS hired experienced technical and

24 Tax Systems Modernization: Results of Review of IRS' Third Expenditure
Plan (GAO-01-227, January 22, 2001). 25 See, for example, IRS' Custodial
Accounting Project (GAO-01-444R, March 16, 2001) and GAO-01-227, January 22,
2001. 26 CAP is expected to provide a single data repository of taxpayer
accounts and tax payments as well as related tax revenue accounting and
reporting capabilities. IRS also plans for CAP to, among other things,
automatically reconcile accounts and payments, post updates to IRS' general
ledger, and produce revenue accounting reports. 27 This project is the
common integrated infrastructure to support and enable modernization
business systems

applications. As designed, it consists of a combination of custom and
commercial off-the-shelf software, hardware, and security solutions,
integrated to form the technical foundation upon which modernized business
systems applications will operate.

36 managerial executives, and augmented existing modernization staff with
experienced IRS

information systems personnel. We are concerned, however, because projects
are entering critical stages without certain essential management controls
in place and functioning. In particular, in our ongoing work for IRS'
appropriations subcommittees, we found that IRS is proceeding with building
systems- including detailed design and software development work-before it
has implemented two key management controls. First, IRS has yet to develop a
sufficiently defined version of its enterprise architecture to effectively
guide and constrain acquisition of modernization projects. Second, it has
not yet implemented rigorous, disciplined configuration management
practices. Both of these are requirements of IRS's own systems life-cycle
methodology and are recognized best practices of successful public and
private-sector organizations. This increases the risk of cost, schedule, and
performance shortfalls. We have discussed these missing controls with the
Commissioner and his BSM executives; they have stated that they plan to have
them in place by the end of this June.

Timing is critical. While the lack of controls can be risky in projects'
early stages, it introduces considerably greater risk when these projects
enter design and development. To mitigate this added risk, IRS needs to
fully implement the remaining management controls that we have recommended.
Figure 4 illustrates the growing risk that accompanies project development
in its later stages.

37 Figure 4: Increasing Risk Associated With Inadequate Controls at Later
Stages of Project

Development. The timing of this hearing is appropriate for ensuring that IRS
implements the remaining needed modernization management controls. While the
Congress has appropriated about $578 million for the program to date, it
also took steps to limit the agency's ability to obligate funds until
certain controls were in place by establishing a multiyear capital
account-the IT Investments Account-to fund IRS systems modernization
initiatives. IRS has received about $450 million of this total, and has
submitted a plan to the Congress to spend the remainder over the next 7
months. In addition, IRS plans to include $396 million in funding for BSM in
its upcoming fiscal year 2002 budget request. This is, then, an opportune
time to ensure that the agency addresses these outstanding risks as a
condition of future funding.

IRS is here

Selec ted K

ey Projects

CAP STIR

e-Services CADE ELC (Acquisition and Investment Management)

Program Management Office

Pr ogram Management Cap

abil ity

Enterprise Architecture Denotes beginning of detailed design and development
Denotes issuance of key enterprise architecture versions 1/99 1/00 4/01 1/01
9/01

Execution Risk

38 CONCLUSION

Change is never smooth, easy, or quick. We understand that the four areas
that we have discussed are part of IRS' decade-long effort to transform
itself into a more reliable, accountable, customer-focused organization. It
has clearly made important progress toward that end. We have made many
recommendations over the years to assist the agency in this goal, and
several have been implemented. We have worked closely with IRS officials,
and will continue to do so.

As IRS moves forward from building the foundations for change to
implementing new processes and systems that directly improve service to
taxpayers, the potential rewards grow, but so does the risk of failing to
realize the transformation everyone desires. Our theme today is simple. Make
sure the foundation is strong so the structure will endure. Yet while
building the new, don't neglect to maintain and make prudent near-term
improvements to existing systems and processes.

- - - - - Mr. Chairman, that concludes our statement. We would be pleased to
respond to any questions that you or other members of the Subcommittee may
have at this time.

(310117)

Orders by Internet

For information on how to access GAO reports on the Internet, send an e-
mail message with “info” in the body to

info@ www. gao. gov or visit GAO's World Wide Web home page at http:// www.
gao. gov

To Report Fraud, Waste, and Abuse in Federal Programs

Web site: http:// www. gao. gov/ fraudnet/ fraudnet. htm E- mail: fraudnet@
gao. gov Automated answering system: 1- 800- 424- 5454
*** End of document ***