Internal Revenue Service: 2001 Tax Filing Season, Systems	 
Modernization, and Security of Electronic Filing (03-APR-01,	 
GAO-01-595T).							 
								 
This testimony discusses (1) the status of the 2001 tax filing	 
season, (2) the status of the Internal Revenue Service's  (IRS)  
business systems modernization effort, and (3) the security of	 
IRS' electronic filing system. GAO found that although the 2001  
filing season appears to be running smoothly, there are some	 
matters that require further attention. For example, the IRS has 
had problems with the Personal Identification Number assigned to 
electronic filers. Also, while data indicate that taxpayers are  
having an easier time reaching IRS to ask questions, there are	 
still concerns about the productivity of its telephone assistors.
With respect to business systems modernization, GAO has long held
that IRS needs to establish fundamental modernization management 
controls before it begins to build and implement modernized	 
systems. While IRS has made some progress in this area, it is	 
still not where it needs to be. GAO is concerned that IRS is	 
allowing its system acquisition projects to get ahead of its	 
capabilities for managing them. Lastly, GAO's review of IRS'	 
electronic filing systems last year showed that IRS had 	 
ineffective controls to ensure the security of those systems and 
electronically-transmitted taxpayer data. According to IRS	 
officials, IRS moved promptly to correct those access control	 
weaknesses before this filing season began. It developed plans to
improve security over its electronic filing systems and internal 
networks and said that it had substantially implemented those	 
plans.								 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-01-595T					        
    ACCNO:   A00725						        
    TITLE:   Internal Revenue Service: 2001 Tax Filing Season, Systems
             Modernization, and Security of Electronic Filing                 
     DATE:   04/03/2001 
  SUBJECT:   ADP procurement					 
	     Computer security					 
	     Customer service					 
	     Federal agency reorganization			 
	     Information resources management			 
	     Strategic information systems planning		 
	     Systems conversions				 
	     Tax administration systems 			 
	     Taxpayers						 
	     IRS Custodial Accounting Project			 
	     IRS Customer Communication Project 		 
	     IRS Security and Technology			 
	     Infrastructure Release Project			 
								 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-01-595T

INTERNAL REVENUE SERVICE

2001 Tax Filing Season, Systems Modernization, and Security of Electronic
Filing

Statement of James R. White, Director, Tax Issues

Randolph C. Hite, Director, Information Technology Systems Issues

Robert F. Dacey, Director, Information Security Issues

United States General Accounting Office

GAO Testimony Before the Subcommittee on Oversight, Committee on Ways and
Means, House of Representatives

For Release on Delivery Expected at 2:00 p.m. EDT on Tuesday April 3, 2001

Mr. Chairman and Members of the Subcommittee:

We are pleased to participate in the Subcommittee's hearing on the Internal
Revenue Service's (IRS) 2001 tax return filing season. As requested by the
Subcommittee, our testimony deals with three related subjects: (1) the
status of the 2001 filing season, (2) the status of IRS' business systems
modernization effort, and (3) the security of IRS' electronic filing system.
It is fitting to discuss these three topics together. The only contact most
Americans have with IRS comes during the filing season, when they file their
returns, call IRS for help, or visit an IRS walk-in site for assistance. If
the promise of IRS' modernization is to be realized, that is, if taxpayers
are to receive better service in future filing seasons, IRS must succeed at
modernizing its information systems and ensuring the security of tax data.

Our statement is based on (1) the preliminary results of our review of the
2001 filing season being done at the Subcommittee's request, (2) past and
ongoing reviews of IRS' systems modernization effort, and (3) information in
our recently-issued report on the security of IRS' electronic filing
systems. 1

Our testimony makes the following points:

- Although the 2001 filing season appears to be running smoothly, there are
some matters that require further attention. First, not unexpectedly, IRS'
reorganization has had little effect on taxpayers this year, but several
challenges remain if the reorganization is to ultimately improve taxpayer
service. Second, although the percentage of returns filed electronically has
increased, the rate of increase is below expectations. Third, in an effort
to make electronic filing truly paperless, IRS now allows electronic filers
to "sign" their returns with a Personal Identification Number
(PIN). Although many taxpayers have successfully used a PIN, many others who
tried to do so had their returns rejected for reasons that are still not
clear. Fourth, data obtained from IRS indicate that taxpayers are having an
easier time reaching IRS to ask questions about the tax law, their accounts,
and their refunds; but IRS still has concerns about the productivity of its
telephone assistors. And, fifth, IRS' walk-in sites are continuing to
provide poor tax law assistance this year. Although IRS has changed the way
it is organized and staffed to provide such assistance, it has deferred
making changes to improve the quality of that assistance until fiscal year
2002.

- With respect to business systems modernization, we have long held that IRS
needs to establish fundamental modernization management controls before it
begins to build and implement modernized systems. IRS has made important
progress in developing and implementing these capabilities, but it is still
not where it needs to be. We are therefore concerned that IRS is allowing
its system acquisition projects to get ahead of its capabilities for
managing them and ensuring that modernized systems deliver promised value,
on time and within budget. While allowing acquisition and building
management controls to proceed concurrently introduces an element of risk
when systems acquisition projects are in their early, formative stages, the
risk is considerably greater when projects enter their later phases
(detailed design and development). At these later junctures in a project's
life cycle, system rework, due to not employing disciplined modernization
management controls, is much more expensive and time-consuming than it is
earlier. Given that IRS needs additional money to invest further in
modernization, both near-term and longer term, and is seeking congressional
approval of these funding needs, this is an opportune time to ensure that
IRS addresses these risks.

1 Information Security: IRS Electronic Filing Systems (GAO-01-306, Feb.
16, 2001).

- Our review of IRS' electronic filing systems last year showed that IRS had
ineffective controls to ensure the security of those systems and
electronically-transmitted taxpayer data. We demonstrated that individuals,
both inside and outside of IRS, could gain unauthorized access to IRS'
electronic filing systems and view, modify, copy, or delete taxpayer data.
Although IRS said that it had no evidence of any such intrusions, it did
not have adequate procedures to detect intrusions if they had occurred.
According to IRS officials, IRS moved promptly to correct the access control
weaknesses we identified before this filing season. It developed plans to
improve security over its electronic filing systems and internal networks
and said that it had substantially implemented those plans. Sustaining
effective computer controls in today's dynamic computing environment will
require top management attention and support, disciplined processes, and
continuing vigilance.

Preliminary Data on the 2001 Filing Season Show Mixed Results

At the Subcommittee's request, we are reviewing IRS' performance during
the 2001 filing season. Our testimony today on the 2001 filing season
focuses on four specific areas: the effect of IRS' recent reorganization on
the filing season, IRS' performance in processing returns and refunds, the
ability of taxpayers seeking help to reach IRS by telephone, and the quality
of service being provided taxpayers who visit an IRS walk-in site. Our
preliminary analysis shows mixed results; there are several positive aspects
of this filing season as well as several concerns. Specifically,

- not unexpectedly, given its newness, IRS' reorganization has had little
effect on taxpayers this year; but several challenges remain if the
reorganization is to achieve its ultimate goal of improving customer
service;

- IRS has processed income tax returns and refunds without any significant
problems and has received a growing percentage of returns electronically;
but the rate of growth in electronic filing is less than expected, and many
taxpayers encountered problems in trying to file their electronic returns
with a PIN;

- IRS has done a better job of answering the telephone when people call for
assistance, but there are continuing concerns about declines in the
productivity of telephone assistors that have prevented further improvements
in service; and

- IRS changed the structure and increased the staffing of its field
assistance program in an effort to provide better service, but remains
concerned about the quality of tax law assistance being provided by its
walk-in sites.

Our preliminary analysis is based primarily on data provided by IRS that
we did not verify. However, those data generally came from management
information systems that we have used in the past to assess IRS operations.

IRS' Reorganization Has Had Little Effect on Taxpayers This Year; Several
Challenges Remain If the Reorganization Is to Achieve Its Ultimate Goal

This year marks the first filing season since IRS reorganized into four
operating divisions based on the type of taxpayer. The responsibilities of
one of those four divisions, the Wage and Investment (W&I) Division,
include processing individual income tax returns and assisting taxpayers at
walk-in sites and over the telephone. 2 Other than some persons having to
mail their returns to different service centers than in the past, IRS'
organizational changes appear not to have altered the way individual
taxpayers are interacting with IRS this filing season. For example,
taxpayers are calling the same telephone numbers for assistance that they
called last year and are generally visiting the same walk-in sites to pick
up forms or get help preparing their returns.

We have also seen no evidence that the reorganization itself has led to
significant changes in the level of service being provided taxpayers this
filing season. That is not unexpected. The reorganization provides a focus
on taxpayer segments that IRS expects will help it better understand
taxpayers' needs and identify changes to its systems and procedures for
meeting those needs. Because the reorganization has just been completed, IRS
generally has not yet identified those changes in its systems and procedures
that may better serve taxpayers. In the long term, IRS must overcome several
challenges if it is to realize the full potential of its reorganization, in
terms of improved taxpayer service.

Identifying needed changes and determining whether new approaches to serving
taxpayers are successful and worth expanding requires real-time, reliable
program performance data. As we will be discussing later, IRS has made and
is making several changes to the measures it uses to assess its performance
in processing returns and refunds and serving taxpayers. IRS plans to have
most of these new and revised measures in place this fiscal year and collect
sufficient information to set targets or goals for the measures in fiscal
year 2002. We support IRS' efforts to improve its performance measures. The
new and revised measures could provide useful information in helping IRS
assess its performance. Because trend data on the new measures will not be
available until 2002, there will be limited ability to compare IRS
year-to-year performance.

IRS also has to do a better job of assessing the information it does
collect. As we discuss in a report on IRS' telephone assistance that we will
be issuing to the Subcommittee later this month, although IRS has undertaken
efforts to analyze its performance in providing telephone assistance and
identify ways to improve that performance, its analyses did not cover all of
the key management decisions and other key factors that affect telephone
performance. For example, in studying the productivity of its telephone
assistors, IRS considered the average time taken to handle a call but not
the time in-between calls. Without such a comprehensive analysis, IRS
management lacks information that would be useful when making decisions
about how to improve performance. We recognize that collecting and analyzing
performance data is costly. However, not having timely, reliable, and
comprehensive performance data to support management decisionmaking and aid
congressional oversight can also be costly.

2 The other three operating divisions are: (1) Small Business and Self
Employed, serving fully or partially self-employed individuals and
businesses with assets of $5 million or less; (2) Large and Mid-Size
Business, serving businesses with assets over $5 million; and (3) Tax Exempt
and Government Entities, serving pension plans, exempt organizations, and
governments.

Having real-time, reliable data to support decisionmaking also requires
that IRS successfully modernize its information systems. We will be
discussing IRS' progress in that regard later.

IRS' Processing of Returns and Refunds Appears to Be Proceeding Smoothly,
But Preliminary Data on Electronic Filing Raises Some Questions

Although there is much analysis still to do, our preliminary review has not
identified any significant problem that has adversely affected IRS' ability
to process returns and refunds. IRS has developed several new or revised
measures for assessing its processing performance this year. However,
meaningful performance data related to those measures will not be available
for analysis until later in the year, and, as discussed earlier, there will
be limited opportunities to compare IRS' performance with prior years. One
indicator of IRS' performance that has not been revised is the percentage of
individual income tax returns filed electronically. That indicator shows
that the upward trend in electronic filing is continuing although at a
slower rate of increase than expected. IRS has undertaken several
initiatives this year to enhance the processing of individual income tax
returns. Although it is too soon to assess the results of those initiatives,
there are indications that one initiative, allowing electronic filers to
"sign" their returns with a PIN, has encountered some problems.

IRS' Tax Processing Systems Appear to Be Operating Without Significant
Problems

For the first time in several years, the information systems that IRS uses
to process returns and remittances are not affected by extensive Year 2000
changes, consolidation of computer operations, or replacement of critical
equipment, prompting us to anticipate few problems this year. That appears
to be the case so far this filing season. Except for some problems
associated with IRS' effort to allow electronic filers to "sign"
their returns with a PIN, which we will discuss later, we have seen no
evidence that IRS is not processing returns or issuing refunds as quickly as
it has in the past.

Given the volume of tax returns and remittances and the programming changes
that IRS makes annually to its systems, some "glitches" are to be expected.
In that regard, IRS experienced minor programming issues during start-up
related to notices, and the programming was corrected. For example, in one
case, fewer than 8,000
payment due notices were not mailed timely, which may have resulted in
taxpayers being assessed penalties and interest due to no fault of their
own. To remedy the situation, when the notices were mailed, IRS included a
statement that said that the notice had been delayed due to technical
difficulties and that the payment due date was extended with no impact on
the amount due.

IRS Has Developed Several New or Revised Measures for Assessing Its
Processing Performance

IRS has developed several new or revised measures for gauging its
performance in processing returns, refunds, and remittances. This is part of
an agency-wide effort to develop a system of balanced measures to help IRS
achieve its mission of providing America's taxpayers with top quality
service by helping them understand and meet their tax responsibilities and
by applying the tax law with integrity and fairness to all.

The new or revised measures are described in table 1.

Table 1: New or Revised Performance Measures for Returns Processing

Measure                       Description

Letter Accuracy (new)         Percent of letters issued by the Submission
                              Processing function that are incorrect.

Notice Accuracy (revised)     Percent of notices issued by the Submission
                              Processing function that are incorrect. This
                              measure was revised to include only notices for
                              which Submission Processing is identified as the
                              owner and to include systemic errors.

Deposit Accuracy (new)        Percent of payments applied in error by, for
                              example, issuing a refund to a taxpayer who
                              overpaid when the taxpayer wanted any overpayment
                              credited to next year's tax bill.

Deposit Timeliness (new)      Interest value of money not deposited by the
                              close of business the business day after receipt,
                              per $1 billion in deposits. Measure assumes an
                              8 percent interest rate.

Refund Timeliness (revised)   Percent of refunds not issued in 40 days or less.
                              IRS changed the date it uses to start computing
                              the time it takes to issue a refund.

Refund Accuracy (revised)     Percent of returns with an IRS-caused error in
                              the entity information (e.g., name or Social
                              Security number) or refund amount. IRS revised
                              this measure to include systemic errors.

Refund Interest (new)         Amount of interest paid per $1 million in refunds
                              issued.

Productivity (new)            Weighted volume of documents processed per staff
                              year expended at the Submission Processing
                              Centers

Source: IRS data.

One performance measure that IRS revised for the 2001 filing season is
"refund timeliness". IRS' goal is to issue a refund on paper returns within
40 days. Before this year, IRS used the date the taxpayer signed the return
as the start date for determining the number of days before it issued the
refund. Under the revised measure, IRS is using the date that IRS received
the return. According to IRS, the way it previously measured timeliness was
flawed because the taxpayer could have signed the return several days before
mailing it, something that could cause IRS to miss its 40-day goal but over
which IRS had no control. IRS had originally decided to use the postmark
date as the starting date for its computation. However, IRS subsequently
determined that it would be labor intensive and costly to use the postmark
date, a date that IRS does not currently record for returns received by the
filing deadline of April 15. Instead, IRS decided to use the IRS-received
date, which is the date that the document is received at a submission
processing center's loading dock, a date that IRS already records. Because
that date could be several days later than the date the taxpayer signed the
return, IRS has, in effect, increased its chances of meeting the 40-day
goal. To maintain something of a level playing field and to better enable
IRS to compare this year's performance with prior years', it seems that, at
a minimum, IRS should have adjusted its 40-day goal downward to approximate
the number of days it "saved" by changing the computation start date.

We will continue to monitor IRS' progress in benchmarking its new or revised
performance measures and will report the status of IRS' efforts in our final
report on the 2001 filing season.

Use of Electronic Filing Continues an Upward Trend, But at a Reduced Rate of
Increase

One indicator of IRS' performance in processing returns that has not changed
is the percentage of individual income tax returns that have been filed
electronically. Pursuant to a provision in the IRS Restructuring and Reform
Act of 1998, IRS' goal is to have 80 percent of all returns filed
electronically by 2007. Electronic filing has several advantages for
taxpayers and IRS. For example, IRS acknowledges receipt of an electronic
return, electronic filers receive their refunds faster, up-front
mathematical checks and other filters in the electronic filing system help
to reduce the number of taxpayer errors that IRS has to correct after the
return is filed, and returns filed electronically bypass the error-prone
manual procedures that IRS uses to process paper returns.

As noted in our report on the 2000 filing season, the number of individual
income tax returns filed electronically increased substantially, about 20
percent, in both 1999 and 2000, bringing the total to 35 million returns. 3
IRS' projection for this year was 42 million returns, another 20-percent
increase. However, filing data as of March 15, 2001, indicate that IRS may
fall short of that projection.

3 Tax Administration: Assessment of IRS' 2000 Tax Filing Season
(GAO-01-158, Dec. 22, 2000).

As shown in table 2, about 29.3 million returns had been filed
electronically as of March 16, 2001. Although that is a 10.2-percent
increase compared to the same time last year, the rate of increase is
considerably lower than last year. The rate of increase over the last month
of the filing season would have to increase substantially for IRS to achieve
its projected growth of 20 percent for the year. Figure 1 shows how the
numbers of returns filed overall and electronically have changed over the
past 5 years. Table 2 provides more detailed information on filings for the
past 3 years.

Figure 1: Individual Income Tax Returns Received by IRS in Total and
Electronically

[Figure not reproduced. Vertical axis: individual income tax returns, 0 to
60,000,000. Periods shown: 1/1 to 3/14/97, 1/1 to 3/13/98, 1/1 to 3/19/99,
1/1 to 3/17/00, and 1/1 to 3/16/01. Series: total number received; number
received electronically.]

Source: IRS Management Information System for Top Level Executives.

Table 2: Individual Income Tax Returns Received by IRS

(Number of returns in millions)

                      1/1/99 to  1/1/00 to  Percent change:  1/1/01 to  Percent change:
Filing type           3/19/99    3/17/00    1999 to 2000     3/16/01    2000 to 2001

Paper                 34.4       32.1        -6.7            28.9       -10.0
Electronic
  Traditional a       16.8       19.6        16.7            21.7        10.7
  On-line b            1.6        3.1        93.8             4.2        35.5
  TeleFile c           4.5        4.1        -8.9             3.5       -14.6
  Subtotal            22.9       26.6        16.2            29.3        10.2
Total                 57.3       58.7         2.4            58.2        -0.9
Percentage of total
filed electronically  39.9       45.4                        50.3

Note: Subtotals, totals, and percentages may not compute due to rounding.

a Traditional electronic filing involves the transmission of returns over
communication lines through a third party, such as a tax return preparer or
electronic transmitter, to an IRS service center.

b On-line returns are prepared and transmitted by the taxpayer through an
on-line intermediary using a personal computer and commercial software.

c Under TeleFile, certain taxpayers who are eligible to file a Form 1040EZ
are allowed to file using a toll-free number on touch-tone telephones.

Source: IRS' Management Information System for Top Level Executives.

IRS Has Initiatives Underway to Improve Processing

IRS has several initiatives underway to improve the processing of individual
income tax returns. These initiatives include (1) allowing electronic filers
to "sign" their returns with a PIN, thus reducing some of the
paper processing associated with electronic filing; (2) validating spouses'
Social Security numbers (SSN), thus ensuring more accurate returns; and (3)
enabling taxpayers to authorize IRS to discuss their returns with their paid
preparers, thus expediting the resolution of certain issues that arise
during processing. Although it is too soon to assess the effect of these
initiatives, there is some information that the PIN initiative, while used
by millions of taxpayers, has encountered some problems.

Allowing Electronic Filers to Use a PIN

A major criticism of the electronic filing program over the years has been
that it is not entirely paperless. For example, all electronic filers,
except those who filed by telephone (i.e., TeleFile) had to send IRS a
signature document. According to IRS, feedback from the tax practitioner
community indicated that making electronic filing paperless would
significantly increase taxpayers' and tax practitioners' willingness to file
electronically. For the past 3 years, IRS has allowed taxpayers to pay their
taxes electronically, thus eliminating the need for taxpayers to send IRS
checks and paper vouchers. But until this year, most electronic filers still
had to send IRS a form with their signature.

For the 2001 filing season, IRS instituted the self-select PIN program that
makes it possible for taxpayers who file on-line or through a tax
practitioner to "sign" their returns electronically and thus
file a totally paperless return. The self-select PIN program, so named
because taxpayers select their own 5-digit PIN, replaces the two
alternative signature options that IRS tested last year. The major
difference between the self-select PIN program and the alternative
signature options tested last year is that virtually all taxpayers filing
through a practitioner or on-line this year can file a totally paperless
tax return. Last year only certain taxpayers could do so. Before IRS will
accept an electronic return with a PIN, the taxpayer must include in his or
her electronic submission two pre-identified pieces of information from the
previous year's tax return. This information is required to help IRS assure
that taxpayers filing with a PIN are who they say they are. If IRS
determines that the information is correct and the submission passes other
up-front checks that have been in place for several years, the electronic
submission is accepted and the return is considered filed; otherwise the
submission is rejected.

As of March 11, 2001, about 5.9 million returns had been filed
electronically using the self-select PIN. Of those 5.9 million returns,
about 3.3 million were filed through practitioners and about 2.6 million
were filed on-line. For the same time period last year, about 4.7 million
returns were filed using the two alternative signature programs.

One intriguing part of the PIN usage this filing season is that as of March
11, 2001, about 64 percent of the electronic returns filed on-line had a
PIN compared to about 16 percent of the returns filed electronically through
practitioners. IRS intends to conduct focus groups with tax practitioners
later in the year, and one of the issues to be discussed is what prevented
practitioners from using the self-select PIN. IRS officials said that they
believe large tax practitioners are not using the PIN more extensively
because many of their customers are first-time clients and neither the
customer nor the practitioner has ready access to the necessary data from
last year's return. Without that information, the practitioner may simply
file the return electronically with the paper signature document.

According to a representative of the largest tax preparation company,
returns filed electronically using self-select PINs have higher reject
rates, about twice as high as the reject rates they usually experience on
electronic submissions, causing additional burden on the taxpayer and the
practitioner. As a result, the company had been advising its clients to use
the self-select PIN with caution. Data obtained from IRS indicated that of
about 6.8 million reject conditions identified on electronically filed
returns as of March 15, about 1.5 million involved problems related to PINs.
4 A representative of the National Association of Enrolled Agents told us
that one of the problems associated with the self-select PIN program is
that many taxpayers and practitioners don't understand what information is
needed to use a PIN.

We will continue to monitor the use of PINs and the issues surrounding that
program as we proceed with our assessment of the filing season. As part of
that effort, we will attempt to determine to what extent, if at all,
PIN-related problems caused taxpayers to not file electronically.

Validating Secondary SSNs

During its processing of tax returns, IRS validates SSNs on the returns. If
IRS determines that an SSN is invalid, it can disallow the related exemption
or deny a claimed earned income credit or child tax credit. 5 That, in turn,
can change the taxpayer's tax liability and reduce or eliminate any refund
the taxpayer might be expecting. In past years, IRS has validated primary 6
and dependent SSNs. This year, IRS has expanded its SSN validation effort to
include secondary SSNs.

Because of a concern that taxpayers are treated fairly in the validation
process, the Committee on Government Reform sent a letter to the
Commissioner of Internal Revenue in January 2001 requesting information
about this initiative. In his February 2001 response, the Commissioner said
that IRS has an extensive, multi-step process to determine the
acceptability of a secondary SSN. If an individual fails to furnish a
correct secondary SSN, IRS said it would disallow the exemption but would
not alter the joint filing status claimed on the return.

Authorizing IRS to Discuss Returns with Preparers

IRS added a checkbox to
the individual income tax forms that are being filed this year that enables
taxpayers to authorize IRS to discuss their returns with their paid
preparers. By being able to contact the return preparer directly, IRS
believes that it can expedite the resolution of certain issues that arise
during processing, such as math errors and missing information on the
return, and thus reduce taxpayer burden. In testimony before the House
Government Reform Committee last year, the Commissioner of Internal Revenue
estimated that about 2.5 million notices generated from returns processing
were related to returns prepared by paid practitioners.

4 The number of reject conditions cannot be equated to the number of
electronic submissions that were rejected because one submission can have
more than one reject condition.

5 IRS considers an SSN invalid if it is missing from the return or if the
SSN and associated name on the return do not match data in the Social
Security Administration's records.

6 On a joint return, the person whose name appears first on the return is
considered the primary taxpayer. The other person is considered the
secondary taxpayer.

Level of Telephone Service Has Improved, But Declines in Assistor
Productivity and Delays in Modernization Prevent Further Improvement

Millions of taxpayers call IRS each year with questions about the tax law,
their accounts, and their refunds. One important indicator of IRS'
performance in assisting these taxpayers is "level-of-service", which is
computed by dividing the number of calls answered
by the number of call attempts. We have adjusted computation of that
indicator this year to allow a more accurate comparison with IRS'
performance in past years, although a completely accurate comparison is not
possible because data for one of IRS' phone lines does not show the extent
to which taxpayers hung up before being served. The adjusted indicator shows
that IRS has been answering a greater percentage of calls this filing season
than it did last year. However, declines in the productivity of telephone
assistors and delays in modernization have prevented even further
improvement. Further improvement is needed if IRS is to achieve its goal of
providing telephone assistance comparable to that provided by leading public
and private telephone customer service organizations. In an effort to
facilitate that kind of comparison and better gauge its performance in
assisting taxpayers, IRS is putting in place some new measures of telephone
service.

According to Data From IRS, the Accessibility of IRS' Telephone Service Has
Improved

Taxpayers calling on IRS' toll-free assistance lines can obtain needed
information by talking to an assistor or by using an automated
"interactive application." However, unlike last year, taxpayers
calling on the assistance lines in 2001 are given the option of being routed
to another telephone line, the Tele-Tax line, for an automated response to
an inquiry about their refund. 7 IRS is routing refund inquiry calls to the
Tele-Tax line in an effort to improve taxpayer service. According to IRS,
in previous years, these calls would have been answered by a similar
automated refund inquiry service on the assistance lines. Sending these
calls to Tele-Tax frees up the assistance lines for calls that require an
assistor's help, making it less likely that taxpayers calling on these lines
will get a busy signal.

Because of this change in routing, the level-of-service computation has to
be adjusted to properly compare IRS' performance this year with last year.
As computed in previous years, level of service reflected IRS' performance
on its toll-free assistance lines. Because refund inquiries were answered
by automated systems on the assistance lines in previous years, they were
included in computing level of service. Even though those inquiries are no
longer being answered on the assistance lines, they should be included in
computing level-of-service for comparability.

Although including the Tele-Tax refund inquiries in the computation of
level of service makes the measure more comparable to previous filing
seasons, it is not completely comparable because it assumes that all of the
callers who were routed to Tele-Tax were actually served. Unlike data for
the assistance phone lines, data for the Tele-Tax line does not allow IRS to
determine whether taxpayers hung up before completing an automated service,
calls that IRS refers to as "abandoned". Calls to the assistance phone lines
that are abandoned are not counted as "calls answered" in computing level
of service.

7 In addition to automated refund information, Tele-Tax provides recorded
information on about 150 tax topics.

While the adjusted level-of-service computation is not completely
comparable to previous years, it does indicate that level of service has
improved relative to 2000. Other information from IRS supports this view.
According to IRS data, for example, the level of service through March 10,
2001, for calls routed to assistors was somewhat higher than for a
comparable period last year and the number of calls receiving busy signals
on the assistance lines during the first 11 weeks of the filing season had
declined from about 5.4 million in 2000 to about 3.1 million in 2001. IRS
data also indicate that there have been virtually no busy signals on the
Tele-Tax line this filing season.

As shown in figure 2, as of March 17, 2001, IRS' level of service, including
the refund inquiries answered through the Tele-Tax line, was 76 percent,
13 percentage points above last year.

Figure 2: Toll-Free Telephone Level of Service for the First 11 Weeks of
the 2001, 2000, 1999, and 1998 Filing Seasons

[Bar chart, level of service in percent by year: 1998, 74; 1999, 48;
2000, 63; 2001, 76.]

The level-of-service computation for 2001 is not completely comparable to
the computation for the other years. See table 3 for an explanation.

Source: GAO analysis of IRS data.

Table 3 contains more detailed information behind the level of service
computations depicted in figure 2.

Table 3: Toll-Free Telephone Level of Service for the First 11 Weeks of the
2001, 2000, 1999, and 1998 Filing Seasons (in millions)

                                               Filing season
Telephone service                              2001 a   2000   1999   1998

Call attempts
  Excluding refund calls routed to Tele-Tax      18.7   28.4   41.4   29.2
  Refund calls routed to Tele-Tax in 2001        11.6
  Total call attempts                            30.2   28.4   41.4   29.2

Calls answered
  Automated                                       1.6    7.5    6.6   Not available
  Assistor                                        9.7   10.4   13.2   Not available
  Refund calls routed to Tele-Tax in 2001        11.6
  Total calls answered                           22.9   17.9   19.8   21.5

Level of service                                  76%    63%    48%    74%

Note: Totals may not compute due to rounding.

a The level-of-service computation for 2001 is not completely comparable to
the computation for the other years because the Tele-Tax data does not
account for taxpayers who may have abandoned their calls before getting an
answer.

Source: GAO analysis of IRS data.

Figure 2 and table 3 indicate that the level of service this year is higher
than in 1998. However, because available data for those years are not
comparable, we do not know if that is an accurate representation.

Assistor Productivity Decline and Modernization Delays Have Prevented
Further Phone Service Improvement

Taxpayer access to telephone assistors is less than it could be because (1)
telephone assistor productivity, measured by IRS as how quickly assistors
complete telephone calls, has declined for the third filing season in a row
and (2) implementation of a modernization project has been delayed.
Increases in assistor productivity could lead to further improvements in
telephone service by allowing assistors to answer more calls, thus reducing
the extent to which taxpayers receive busy signals or are kept on hold.
Implementation of the modernization project could lead to improved service
by freeing up assistors to handle more calls.

As we discuss in a report to be issued to the Subcommittee later this
month, the productivity of telephone assistors declined during the 1999 and
2000 filing seasons. According to IRS officials, although some of the
decline in 2000 was caused by assistors handling more of the types of calls
that take longer to answer, four policy changes that had the unintended
effect of lowering productivity in the 1999 filing season continued to
adversely affect productivity in the 2000 filing season. Specifically, in
1999, IRS (1) discontinued automatically routing another call to an assistor
immediately upon completion of a call; (2) increased restrictions on using
productivity data when evaluating assistors' performance; (3)
disproportionately diverted staff from peak demand shifts to other shifts
when it implemented 24-hour-a-day, 7-day-a-week assistance; and (4)
discontinued measuring the productivity of individual call sites.

According to IRS officials, these factors have continued to negatively
affect productivity in the 2001 filing season. The officials said that
although some of the decline can be explained by assistors answering more
complex calls, assistors clearly are not using their time efficiently. In
that regard, according to IRS, site visits it made earlier this year
indicated that assistors who were directly monitored (i.e., someone sitting
with them) spent about half as much time wrapping up a call after the
taxpayer had hung up than assistors who were remotely monitored. IRS, in
conjunction with the National Treasury Employees' Union, has taken steps
intended to improve productivity. For example, IRS has conducted a series of
training sessions at call sites designed to assist supervisors in ensuring
assistors use their time productively, particularly with respect to the time
they spend wrapping up calls. According to IRS officials, data shows that
productivity has improved during the year as a result of these efforts.

Delays in implementing a modernization project have also prevented further
improvements in telephone service. IRS' Customer Communication Project is
one of the most important first steps in improving customer service as
envisioned in IRS' modernization plans. As a key part of IRS' strategy for
improving level of service, Customer Communications enhancements are
designed to free up assistors to handle more calls by routing and answering
more calls through automation. However, one of the enhancements designed to
significantly improve level of service will not be implemented until May or
June 2001, at least 3 months later than expected and too late to provide the
expected benefits this filing season.

Under this enhancement, IRS expected to implement a telephone voice
recognition capability in February 2001. Voice recognition would allow
callers with rotary-dial telephones to interact with IRS' automated routing
and answering system in the same way as touch-tone callers do. Also, voice
recognition would require callers with a touch-tone phone to use the
automated system even if they do not respond to phone menu prompts to press
the appropriate touch-tone key. According to IRS, a significant number of
callers, whether they have rotary-dial telephones or not, do not respond to
the prompts; assistors must answer these calls to determine what the
taxpayer is calling about and then route the call to the most appropriate
source of assistance. Voice recognition would have allowed IRS to offload
some of this workload from live assistors and answer more calls.

According to the Treasury Inspector General for Tax Administration
(TIGTA), the Customer Communication Project fell behind schedule, in part,
because some key work products were not timely completed and several
identified barriers to deployment, such as an inadequate database to track
modernization project risks and the need to complete the security
certification process, had not been overcome. 8

IRS is Putting in Place New Performance Measures for Telephone Operations

According to IRS officials, its current level of service measure is not
strategically aligned with those used by world-class customer service
organizations, and does not focus efforts at enhancing the customer's
experience or clearly show how human capital and technology investments
affect performance. Therefore, IRS is planning to replace its current level
of service measure with two primary measures of service, one for measuring
IRS' success at providing taxpayers access to assistors, and another for
measuring IRS' success at serving taxpayers through automated services. Also,
IRS intends to gather data on other new measures, including measures of how
long taxpayers have to wait to speak to IRS assistors.

We support IRS' efforts to improve its performance measures, particularly
efforts to better gauge how well IRS serves taxpayers and how its
performance compares to that of leading private and public telephone
customer service organizations. However, unless IRS maintains its current
measures while transitioning to its new measures, it will not have
comparable data to monitor performance from one year to the next. We
recognize that there is a cost associated with maintaining current measures
while developing new measures, and we recognize that doing so may not always
be feasible. However, without comparable historical performance data, IRS
will be unable to assess the results of past efforts to improve performance,
such as the 1999 policy changes discussed earlier.

IRS Has Deferred Making Changes to Improve the Quality of Tax Law Assistance
Provided by Walk-in Sites Until Fiscal Year 2002

IRS changed the way it was organized and staffed to provide face-to-face
assistance for the 2001 filing season. Despite these changes, there are
continuing concerns about the quality of tax law assistance being provided.
According to IRS officials, the staffing and training challenges associated
with the restructuring made it impractical for IRS to make changes to
improve the quality of tax law assistance this fiscal year. Instead, IRS,
with the help of a contractor, is studying how the quality of face-to-face
assistance should be measured and improved, with the expectation of making
changes for the 2002 filing season.

8 Progress in Developing the Customer Communications Project Has Been Made,
But Risks to Timely Deployment in 2001 Still Exist, TIGTA, Reference No.
2001-20-055, Mar. 12, 2001.

IRS Has Changed the Way Its Taxpayer Assistance Centers Are Organized and
Staffed

Taxpayers can obtain forms, get answers to questions about the tax law and
their accounts, and get help in preparing their returns at about 400
Taxpayer Assistance Centers (TAC), which were formerly known as walk-in
sites. Before IRS' reorganization, the TACs and associated staff reported to
33 district offices. According to IRS officials, differences in the way TACs
were organized and operated within each district caused inconsistencies in
the assistance provided to taxpayers. To provide more consistency in field
assistance, the 400 TACs now report to the W&I Division's Field Assistance
unit, through a network of 7 area and 34 territory offices. As of March 17,
2001, according to IRS, the TACs had assisted about 3.4 million taxpayers,
compared to about 3.9 million taxpayers as of the same time last year.

According to IRS, it began the year with about 1,000 technical employees in
field assistance and had hired another 504 as of March 16, 2001. Of those
1,504 technical employees, 1,041 are in a new position, taxpayer resolution
representative (TRR), that IRS had established as part of its
reorganization. Persons filling these positions will be required to assume
some functions previously done by compliance staff, such as office audits,
in addition to their taxpayer assistance duties.

Although IRS is filling the TRR positions primarily from qualified staff in
related job series, additional training is required. According to officials,
IRS is surveying the new staff to assess the training gaps and prioritizing
the delivery of abbreviated training to fill the gaps. Not all of the gaps
were filled in time for the 2001 filing season. For example, about 100 staff
placed in TRR positions in January 2001, who needed the full 6 weeks of
required first-year training, received only 3 weeks of that training.

Considerable hiring and training is also required for new managers in the
Field Assistance unit. Managers of the former walk-in sites were compliance
staff who generally moved to the new Small Business and Self Employed
Division as part of IRS' reorganization. As of December 31, 2000, IRS had
filled 29 of the 34 territory manager positions and 154 of the 226 group
manager positions authorized. According to IRS officials, about one-half of
the new managers had no field assistance experience and some had no
managerial experience.

IRS and TIGTA Reviews Show That TACs Provide Poor Quality Tax Law Assistance

According to W&I field assistance officials, the quality of tax law
assistance provided to taxpayers who walk into one of IRS' TACs this year is
about as poor as the quality reflected by IRS' own reviews last year.

IRS employees posing as taxpayers conducted 272 visitations to TACs before
the 2000 filing season and another 272 during the filing season. IRS' final
report on the combined results found, among other things, that although 92
percent of the "assistors spoke to reviewers in a pleasant manner and tone
of voice,"

* 81 percent of the reviewers' questions were not answered correctly; and,

* 21 percent of the reviewers were denied service.

Officials based their characterization of the quality of this year's field
assistance on reviews of quality during late January and early February 2001
by TIGTA. According to TIGTA, its review of TAC quality involved 90 contacts
in which tax law questions were posed to IRS representatives. In 7 of those
90 contacts (8 percent), service was denied (i.e., the TIGTA reviewers were
not given an opportunity to speak with an assistor). When service was
provided, TIGTA's reviewers received inaccurate answers 48 percent of the
time. Although TIGTA's results might indicate that service quality, although
not good, has improved compared to the results of IRS' reviews last year,
such a comparison cannot be made because TIGTA used a different methodology
from the one used by IRS.

One of the recommendations resulting from IRS' quality reviews during fiscal
year 2000 was that IRS develop a comprehensive, year-round quality review
program for walk-in offices. The recommendation anticipated changes in the
scope of the reviews, the selection and training of reviewers, the review
checksheet, and the relevant database. In that regard, field assistance
officials informed us that IRS, with help from a contractor, is studying how
field assistance quality should be measured and improved. According to IRS
officials, because of that study and the staffing and training challenges
associated with the restructuring, IRS decided not to conduct its own review
of quality during the 2001 filing season and to defer making changes to
improve the quality of tax law assistance provided by TACs until fiscal year
2002, after the results of the ongoing study are known.

Despite Important Progress, IRS Has Yet to Fully Implement the Capabilities
Needed to Effectively Manage the Business Systems Modernization Program

We turn now to business systems modernization (BSM), IRS' multiyear program
to put in place the technology that will support revamped business
processes. This multibillion-dollar program, which began a little over 2
years ago and has thus far received congressional approval to obligate about
$450 million, 9 is vital to achieving IRS' new, customer-focused vision and
enabling IRS to meet performance and accountability goals. BSM consists of a
number of new systems acquisition projects that are at differing stages of
acquisition and implementation, as well as various program-level
initiatives intended to establish the capacity for IRS to effectively manage
the projects.

9 IRS requested and Congress established a multiyear systems modernization
account and funded it with about $578 million via IRS' fiscal years 1998,
1999, and 2001 appropriation acts. To date, IRS has received approval from
Congress to obligate about $450 million from the account.

We have long held, and communicated to IRS, the importance of establishing
sound management controls to guide its systems acquisition projects; to its
credit, IRS has made important progress in this area. Nevertheless, IRS is
starting to let project acquisitions get perilously ahead of controls,
proceeding in some cases with detailed systems design and development
without having the capacity in place to help ensure that projects perform as
intended and are completed on time and within budget. We remain concerned
that at these later stages in systems' life cycles, the risk of rework due
to missing modernization management controls increases, both in terms of
probability and impact. Given that IRS expects to totally exhaust
congressionally-approved BSM funding by about November 2001, and thus is
seeking additional money for fiscal year 2002, this is a good time to ensure
that the overdue modernization management controls are emphasized as a BSM
priority.

Beginning in 1995, when IRS was involved in an earlier attempt to modernize
its tax processing systems, and continuing since then, we have made
recommendations to implement fundamental modernization management
capabilities before acquiring new systems. We concluded that until these
controls were in place, IRS was not ready to invest billions of dollars in
building modernized systems. 10 Although IRS has since taken steps that have
partially addressed our set of recommendations, important ones remain
unfulfilled. In general, the areas in which we found controls to be lacking
and made recommendations to fill these voids fell into five interrelated and
interdependent information technology management categories, as shown in
figure 3: investment management, system life-cycle management, enterprise
architecture management, software acquisition management, and human capital
management.

10 Tax Systems Modernization: Management and Technical Weaknesses Must Be
Corrected If Modernization Is to Succeed (GAO/AIMD-95-156, July 26,
1995).

Figure 3: Information Technology Management Control Areas Needing
Attention

In December 1998, IRS hired a systems integration support contractor to,
among other things, help it develop and implement these program
capabilities. Subsequently, the Commissioner adopted a modernization
strategy that appropriately required, for example, (1) the use of
incremental investment decisionmaking, (2) adherence to a rigorous systems
and software life-cycle management method, and (3) development and
implementation of an enterprise architecture or modernization blueprint to
guide and constrain the content, sequencing, and integration of systems
investments. This approach, however, involved development of these kinds of
program-level management capabilities while simultaneously proceeding with
project acquisition, in anticipation that program controls would be in place
and functioning when these projects reached their later, less formative
stages. Figure 4 illustrates this approach.

[Figure 3 graphic not reproduced. Labels: Modernization Management
Capability; Investment Management; Life-Cycle Management; Enterprise
Architecture Management; Human Capital Management; Acquisition Management.]

Figure 4: Concurrent Development of Program-Level Controls and Projects

During BSM's first 18 months, progress in implementing these management
controls was slow, while at the same time project acquisitions moved
rapidly. At that time we reported to IRS' Senate and House appropriations
subcommittees that projects were getting ahead of the modernization
management capacity that needed to be in place to manage them effectively.
In response to our concerns and the subcommittees' direction, IRS
appropriately pulled back on the projects and gave priority to implementing
needed management capacity.

Despite this shaky start to implementing management controls, IRS has since
made important progress in its modernization management capacity. For
example, last year we reported that IRS (1) largely defined and implemented
its system life-cycle methodology that incorporates software acquisition
and investment management processes, (2) defined program roles and
responsibilities of IRS and its modernization contractor and began relating
with the contractor accordingly, (3) began formally managing modernization
risks in an effort to proactively head off problems, and (4) made progress
toward producing the first release of its enterprise architecture. 11

In addition, we recently reported that IRS had taken steps to address our
recommendations aimed at strengthening management of individual BSM
projects. 12 For instance, it started to manage the Custodial Accounting
Project 13 as an integral part of the modernization program. On another
project, the Security and Technology Infrastructure Release, 14 IRS assessed
security threats and vulnerabilities, analyzed the resulting risk in terms
of probable impact, and planned to reevaluate project requirements in light
of this risk analysis. Recently, IRS hired experienced technical and
managerial executives and augmented existing modernization staff with
experienced IRS information systems personnel.

11 Tax Systems Modernization: Results of Review of IRS' Third Expenditure
Plan (GAO-01-227, Jan. 22, 2001).

12 See, for example, IRS' Custodial Accounting Project (GAO-01-444R, Mar.
16, 2001) and GAO-01-227, Jan. 22, 2001.

[Figure 4 graphic not reproduced. Labels: IRS is here; Selected Key
Projects; CAP; STIR; e-Services; CADE; ELC (Acquisition and Investment
Management); Program Management Office; Program Management Capability;
Enterprise Architecture. Legend: one marker denotes beginning of detailed
design and development; another denotes issuance of key enterprise
architecture versions. Dates shown: 1/99, 1/00, 1/01, 4/01, 9/01.]

We are concerned, however, because projects are entering critical stages
without certain essential management controls in place and functioning. In
particular, in our ongoing work for IRS' appropriations subcommittees, we
found that IRS is proceeding with building systems, including detailed
design and software development work, before it has implemented two key
management controls. First, IRS has yet to develop a sufficiently defined
version of its enterprise architecture to effectively guide and constrain
acquisition of modernization projects. Second, it has not yet implemented
rigorous, disciplined configuration management practices. Both of these are
requirements of IRS's own systems life-cycle methodology and are recognized
best practices of successful public and private-sector organizations. This
increases the risk of cost, schedule, and performance shortfalls. We have
discussed these missing controls with the Commissioner and his BSM
executives; they have stated that they plan to have them in place by the end
of June 2001.

Timing is critical. While the lack of controls can be risky in projects'
early stages, it introduces considerably greater risk when these projects
enter design and development. To mitigate this added risk, IRS needs to
fully implement the remaining management controls that we have recommended.
Figure 5 illustrates the growing risk that accompanies project development
in its later stages.

13 The Custodial Accounting Project is expected to provide a single data
repository of taxpayer accounts and tax payments as well as related tax
revenue accounting and reporting capabilities. IRS also plans for this
project to, among other things, automatically reconcile accounts and
payments, post updates to IRS' general ledger, and produce revenue
accounting reports.

14 This project is the common integrated infrastructure to support and
enable modernization business systems applications. As designed, it consists
of a combination of custom and commercial off-the-shelf software, hardware,
and security solutions, integrated to form the technical foundation upon
which modernized business systems applications will operate.

Figure 5: Increased Risk Associated With Inadequate Controls at Later
Stages of Project Development

The timing of this hearing is appropriate for ensuring that IRS
implements the remaining needed modernization management controls. While
Congress has appropriated about $578 million for this program to date, it
also took steps to limit the agency's ability to obligate funds until
certain controls were in place by establishing a multiyear capital account,
the Information Technology Investments Account, to fund IRS systems
modernization initiatives. IRS has received about $450 million of this
total, and has submitted a plan to Congress to spend the remainder over the
next 7 months. In addition, IRS plans to include $396 million in funding for
BSM in its upcoming fiscal year 2002 budget request. This is, then, an
opportune time to ensure that IRS addresses these outstanding risks as a
condition of future funding.

[Figure 5 graphic not reproduced. Labels: IRS is here; Selected Key
Projects; CAP; STIR; e-Services; CADE; ELC (Acquisition and Investment
Management); Program Management Office; Program Management Capability;
Enterprise Architecture; Execution Risk. Legend: one marker denotes
beginning of detailed design and development; another denotes issuance of
key enterprise architecture versions. Dates shown: 1/99, 1/00, 1/01, 4/01,
9/01.]

IRS Had Ineffective Controls to Ensure the Security of Electronic Filing
Systems And Electronically-Transmitted Taxpayer Data

As a major steward of personal taxpayer information, IRS has a demanding
responsibility in collecting taxes, processing returns, and enforcing the
nation's tax laws. In conducting its work, IRS must obviously depend to a
great extent on interconnected computer systems. Due to the nature of its
mission, IRS collects and maintains a significant amount of personal and
financial data on each American taxpayer. These data typically include the
taxpayer's name, address, SSN, dependents, income, deductions, and expenses.
The confidentiality of this sensitive information is important because
American taxpayers could be exposed to a loss of privacy and to financial
loss and damages resulting from identity theft and financial crimes should
this information be disclosed to unauthorized individuals.

Computer security is an important consideration for any organization that
depends on information systems and computer networks to carry out its
mission or business. However, without proper safeguards, systems and
networks pose enormous risks that make it easier for individuals and groups
with malicious intent to intrude into inadequately protected systems and use
such access to obtain sensitive information, commit fraud, disrupt
operations, or launch attacks against other computer networks and systems.
And the number of individuals with the skills to accomplish this is
increasing; intrusion (or hacking) techniques are readily available and
relatively easy to use.

We recently examined the effectiveness of key computer controls designed to
ensure the security, privacy, and reliability of IRS' electronic filing
systems and electronically filed taxpayer data during last year's tax filing
season. Our recent report discusses the computer control weaknesses that we
found, along with actions that IRS says that it took to correct these
weaknesses before this year's filing season. 15 What we found to date
concerning IRS' electronic filing program can illustrate the challenges that
many organizations are facing.

In an attempt to meet the 80-percent electronic filing goal provided for in
the IRS Restructuring and Reform Act of 1998, IRS has aggressively marketed
the electronic filing program and has authorized private firms and
individuals to be electronic filing trading partners. These partners include
electronic return originators, who prepare electronic tax returns for
taxpayers, and transmitters, who transmit the electronic portion of a return
directly to IRS. Except for TeleFile taxpayers, who file their returns using
the telephone, IRS does not allow individual taxpayers to transmit
electronic tax returns directly to the agency; they must use the services of
an IRS trading partner. Figure 6 demonstrates the path that an
electronically filed tax return took from the taxpayer to IRS during the
time of our review.

15 GAO-01-306.

Figure 6: Electronic Filing Journey, 2000 Filing Season

During the 2000 filing season, IRS did not implement adequate computer
controls to ensure the security, privacy, and reliability of its electronic
filing systems and the electronically-transmitted tax return data that
those systems contained. We demonstrated that individuals, both internal and
external to IRS, could gain unauthorized access to IRS' electronic filing
systems and view, modify, copy, or delete taxpayer data. Our successful
access did not require sophisticated techniques. Last May, for example, we
were able to access a key electronic filing system using a common handheld
computer. We could gain such access because IRS at that time had not

* effectively restricted external access to computers supporting the
electronic filing program through effective perimeter defenses;

* securely configured its electronic filing operating systems, which used
several risky and unnecessary services;

* implemented adequate password management and user account practices (for
example, we successfully guessed many passwords and noted user IDs and
passwords posted conspicuously on a monitor);

* sufficiently restricted access to computer files and directories
containing tax return and other data (for example, all users had the ability
to modify numerous sensitive data and system files, and certain users with
no “need to know” had access, contrary to policy); or

* used encryption to protect tax return data on electronic filing systems
(as is required by IRS' Internal Revenue Manual).

Further, these weaknesses jeopardized the security of sensitive business,
financial, and taxpayer data on other critical IRS systems that were
connected to electronic filing computers through its servicewide network
because IRS personnel turned off (bypassed) network control devices that
were intended to provide security between electronic filing systems and
other IRS systems. Although IRS stated that it did not have
evidence that such intrusions had actually occurred or that intruders had
accessed or modified taxpayer data, it did not have adequate procedures to
detect such intrusions if they had occurred. For example, IRS did not (1)
record certain key events in system audit logs, (2) regularly review those
logs for unusual or suspicious events or patterns, or (3) deploy software to
facilitate the detection and analysis of logged events. Consequently, IRS
did not recognize or record much of the activity associated with our tests.

These serious access control weaknesses existed because IRS had not taken
adequate steps during the 2000 filing season to ensure the ongoing security
of electronically transmitted tax return data on its electronic filing
systems. For example, IRS had not followed or fully implemented several of
its own information security policies and guidelines when it developed and
implemented controls over its electronic filing systems. It decided to
implement and operate its electronic filing computers before completing all
of the security requirements for certification and accreditation. 16
Further, IRS had not fully implemented a continuing program for assessing
risk and monitoring the effectiveness of security controls over its
electronic filing systems.

According to IRS officials, IRS moved promptly to correct the access control
weaknesses we identified before the current filing season. It developed
plans to improve security over its electronic filing systems and internal
networks and said that it has substantially implemented those plans. In his
response to our report, the Commissioner said that “electronic filing
systems now satisfactorily meet critical federal
information security requirements to provide strong controls to protect
taxpayer data.” Sustaining effective computer controls in today's
dynamic computing environment will require top management attention and
support, disciplined processes, and continuing vigilance.

Application controls also need to be designed and implemented to ensure the
reliability of data processed by the systems. IRS believes that
electronically filed tax returns are more accurate than paper returns and
has implemented many application controls designed to enhance the
reliability of data processed by its electronic filing systems. However, we
identified additional opportunities to strengthen application controls for
IRS' processing of electronic tax return data. Based on IRS statistics, it
processed electronic tax returns and paid refunds of about $2.1 billion
without receiving required authenticating signatures or electronic PINs from
taxpayers. Data validation and editing controls did not detect certain
erroneous or invalid data that could occur in tax returns. In addition,
weaknesses in software development controls increased the risk that
programmers could have made unauthorized changes to software programs during
the 2000 filing season.

16 Accreditation is the formal authorization for system operation and is
usually supported by certification of the system's security safeguards,
including its management, operational, and technical controls. Certification
is a formal review and test of a system's security safeguards to determine
whether or not they meet security needs and applicable requirements.

Further, taxpayers who filed electronically may not have been aware that
transmitters, who actually send the data to IRS and may be unknown to the
taxpayers, could have viewed and modified their data and that such data are
transmitted to IRS in clear text (human readable) form. This is because IRS
decided to (1) not allow taxpayers to file most electronic returns directly
to IRS, (2) require taxpayers who elected to file electronically to use the
services of third-party transmitters, and (3) not accept electronic tax
returns in encrypted form. In addition, taxpayers may not have been aware
that IRS has no assurance of the security of its electronic filing trading
partners' systems. Other than providing guidance about protecting certain
passwords, IRS did not prescribe minimum computer security requirements for
transmitters and did not assess or require an independent assessment of the
effectiveness of computer controls within the transmitters' operating
environment.

We provided specific technical recommendations to improve access controls
over IRS' electronic filing systems and networks. We also recommended that
IRS complete the certification and accreditation of its electronic filing
systems, assess security risks and routinely monitor the effectiveness of
security controls over electronic filing systems, improve certain data
reliability and integrity controls, and notify taxpayers of the privacy
risks of filing electronically. IRS agreed with our recommendations and said
that it implemented most of the improvements, including correcting critical
vulnerabilities, before this year's filing season. IRS further said that the
actions it has taken demonstrate a systematic, risk-based approach to
correcting identified weaknesses. Such an approach will continue to be
important in ensuring that corrective actions are effective on a continuing
basis and that new risks are promptly identified and addressed.

Mr. Chairman, that concludes our statement. We would be pleased to
respond to any questions that you or other members of the Subcommittee may
have at this time.

(440039)