May 20 Oversight Hearing on the Internal Revenue		 
Service--Questions for the Record (27-JUN-03, GAO-03-962R).	 
                                                                 
GAO reviewed the Internal Revenue Service's (IRS) accomplishments
in the 5 years since the IRS Restructuring and Reform Act of 1998
was past. Specifically, GAO determined (1) how much money IRS has
spent on upgrading its security, (2) whether the challenges	 
associated with ensuring information security are technological  
or managerial, and (3) if IRS is taking sufficient steps to	 
eliminate overpayments to the Earned Income Credit (EIC).	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-962R					        
    ACCNO:   A07419						        
  TITLE:     May 20 Oversight Hearing on the Internal Revenue	      
Service--Questions for the Record				 
     DATE:   06/27/2003 
  SUBJECT:   Computer security					 
	     Erroneous payments 				 
	     Information systems				 
	     Information technology				 
	     Internal controls					 
	     Overpayments					 
	     Strategic planning 				 
	     IRS Earned Income Credit Program			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-962R

GAO- 03- 962R IRS Oversight

United States General Accounting Office Washington, DC 20548

June 27, 2003 The Honorable William M. Thomas Chairman Joint Committee On
Taxation

Subject: May 20 Oversight Hearing on the Internal Revenue Service *
Questions for the Record It was a pleasure to appear before the Joint
Committee on Taxation on May 20, 2003,

to discuss the Internal Revenue Service*s (IRS) accomplishments in the 5
years since the IRS Restructuring and Reform Act of 1998 was passed.
Enclosed are our answers to questions from the Honorable Marsha Blackburn,
dated June 3, 2003, which required a written response. I hope this
information is helpful.

Sincerely yours, James R. White Director, Strategic Issues

Enclosure

Page 2 GAO- 03- 962R IRS Oversight

(1) How much money has IRS spent on upgrading its security? Are the
challenges associated with ensuring information security technological or
managerial?

According to IRS officials, spending for security in fiscal year 2003 is
about $132 million, including about $39 million dedicated to information
technology security improvements. For fiscal year 2004, IRS officials
state that they have requested about $136 million for information
technology security, with about $40 million dedicated to improvements.

The challenges facing IRS in ensuring information security are largely
managerial. Ensuring that known weaknesses affecting IRS*s computing
resources are promptly mitigated and that computer controls effectively
protect its systems and data requires support and leadership from senior
management of IRS*s information technology and operating divisions,
disciplined processes, and consistent oversight. We have reported that an
underlying cause for the hundreds of information security weaknesses
identified during our reviews of IRS*s computer controls was that IRS has
not fully implemented its agencywide information security program. 1
Implementing such a program requires that IRS take a comprehensive
approach that

includes assessing risks and evaluating needs, establishing and
implementing appropriate policies and controls, enhancing awareness and
technical skills, and monitoring the effectiveness of controls on an
ongoing basis. Further, a successful program will need the active and
accountable involvement of both (1) operating division executives and
managers who understand which aspects of their missions and information
systems are the most critical and sensitive and (2) technical experts who
know the agency*s systems and understand the technical aspects of
implementing security controls. At the same time, technology is certainly
part of the answer.

While there are no silver bullets, there are many tools today that are
very helpful in implementing information security and could assist IRS in
its efforts to strengthen security. Until IRS effectively and fully
implements its agencywide information security program, assurance will
remain limited that IRS*s financial information and taxpayers* personal
information are adequately safeguarded against unauthorized use,
disclosure, and modification, and its exposure to these risks will remain
unnecessarily high.

(2) Is IRS taking sufficient steps to eliminate overpayments to the Earned
Income Credit?

Because IRS*s latest compliance study uses tax year 1999 data and its new
initiatives are in the early planning stages, it is too early to determine
whether IRS*s steps to reduce Earned Income Credit (EIC) overpayments will
be sufficient. IRS has plans to evaluate the success of its initiatives,
but data will not be available for some time. We

1 U. S. General Accounting Office, Information Security: Progress Made,
but Weaknesses at the Internal Revenue Service Continue to Pose Risks,
GAO- 03- 44 (Washington, D. C.: May 30, 2003).

Page 3 GAO- 03- 962R IRS Oversight are preparing a report on the
precertification initiative, due in late July, which

discusses, among other things, IRS*s evaluation efforts for that program.
IRS has and continues to take steps aimed at reducing EIC overpayments.
IRS received about $875 million in special appropriations for EIC
compliance initiatives between 1998 and 2003. The most recent data
available, for tax year 1999, showed that overpayments for the EIC are
estimated to be between about 27 and 32 percent of dollars claimed or
between $8.5 billion and $9.9 billion.

For fiscal year 2004, IRS has asked for a total of $251 million. This
included $100 million to enhance its EIC compliance initiatives* about $45
million for technology improvements and about $55 million for direct
casework. The direct casework involves three new initiatives, each of
which would be tested over the next year and, depending on the results,
expanded in future years. The initiatives cover (1) qualifying child
verification, (2) income misreporting, and (3) filing status.

Qualifying Child Verification Initiative: Filers that improperly claim
qualified children represent the single largest area of EIC overclaims.
Under this proposed initiative, IRS would notify taxpayers of their need
to provide certain documentation to prove EIC eligibility and taxpayers
would send in the required documentation prior to receiving the EIC
portion of their refund, thus providing an opportunity for examiners to
either accept or deny the claim. IRS plans to test this proposal beginning
in late summer 2003 by mailing 45,000 notices to taxpayers considered to
be high risk because IRS could not verify eligibility for EIC through any
available means.

Income Misreporting Initiative: Income misreporting is another common
problem with EIC claims. IRS plans to use document matching to identify
EIC filers who have a history of misreporting income in order to increase
(or receive) the EIC. Based on that history, 175,000 taxpayers* returns
would be flagged when their 2003 EIC claims are filed in the spring of
2004. Any EIC refund would then be frozen until IRS could verify the
taxpayer*s income through document matching or audit procedures in the
fall of 2004.

Filing status Initiative: Another common problem associated with EIC
claims is improper filing status. IRS plans to verify the filing status
for 5,000 cases, but the criteria for selecting the cases have not yet
been determined.

- - - - - We are sending copies of this letter to the Commissioner,
Internal Revenue, and interested congressional committees. We will also
make copies available to others upon request. In addition, this report
will be available at no charge on the GAO Web site at http:// www. gao.
gov.

If you have any questions about this letter or need additional
information, please call me on 202- 512- 9110 or Joanna Stamatiades,
Assistant Director, on 404- 679- 1984. Key contributors to this letter
included Libby Mixon and Greg Wilshusen.
*** End of document. ***