IRS Systems Security and Funding: Employee Browsing Not Being Addressed
Effectively and Budget Requests for New Systems Development Not Justified
(Testimony, 04/15/97, GAO/T-AIMD-97-82).

GAO discussed: (1) Internal Revenue Service (IRS) employees' electronic
browsing of taxpayer files; and (2) IRS' fiscal years (FYs) 1998 and
1999 budget requests for tax systems modernization (TSM) development.

GAO noted that: (1) on April 8, 1997, GAO issued a report disclosing
many serious computer security weaknesses at IRS; (2) these weaknesses
make IRS computer resources and taxpayer data unnecessarily vulnerable
to external threats, such as natural disasters and people with malicious
intentions; (3) they also expose taxpayer data to internal threats, such
as employees accessing taxpayer files for purposes unrelated to their
jobs (for example, reading the files of celebrities or neighbors) or
making unauthorized changes to taxpayer data, either inadvertently or
deliberately for personal gain (for example, to initiate unauthorized
refunds or abatements of tax); (4) such unauthorized and improper
browsing of taxpayer records has been the focus of considerable
attention in recent years; (5) nevertheless, GAO's report shows that IRS
is not effectively addressing the problem; (6) IRS still does not
effectively monitor employee activity, accurately record browsing
violations, consistently punish offenders, or widely publicize reports
of incidents detected and penalties imposed; (7) compounding IRS'
serious and persistent computer security and employee browsing problems
are equally serious and persistent TSM management and technical problems
that must be corrected if IRS is to effectively invest in TSM; (8) IRS
is requesting $1.131 billion in FYs 1998 and 1999 for TSM development
and deployment; (9) however, IRS does not know how it will spend this
$1.131 billion and has not yet corrected the management and technical
problems that IRS has acknowledged have resulted in hundreds of millions
of dollars being wasted thus far on TSM; and (10) this is inconsistent
with the Government Performance and Results Act of 1993 and the
Clinger-Cohen Act of 1996, which require that information technology
investments be supported by convincing business case analyses and
disciplined management and technical processes.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-82
     TITLE:  IRS Systems Security and Funding: Employee Browsing Not 
             Being Addressed Effectively and Budget Requests for
             New Systems Development Not Justified
      DATE:  04/15/97
   SUBJECT:  Computer security
             Tax administration systems
             Federal employees
             Tax information confidentiality
             Electronic forms
             Personnel management
             Presidential budgets
             Systems conversions
             Information resources management
             ADP procurement
IDENTIFIER:  IRS Tax System Modernization Program
             TSM
             IRS Electronic Audit Research Log System
             IRS Integrated Data Retrieval System
             IRS Distributed Input System
             IRS Integrated Collection System
             IRS Totally Integrated Examination System
             


Cover
================================================================ COVER


Before the Subcommittee on Treasury and General Government, Committee
on Appropriations, United States Senate

For Release on Delivery
Expected at
9:30 a.m.
Tuesday,
April 15, 1997

IRS SYSTEMS SECURITY AND FUNDING -
EMPLOYEE BROWSING NOT BEING
ADDRESSED EFFECTIVELY AND BUDGET
REQUESTS FOR NEW SYSTEMS
DEVELOPMENT NOT JUSTIFIED

Statement of Dr. Rona B. Stillman
Chief Scientist, Computers and Telecommunications
Accounting and Information Management Division

GAO/T-AIMD-97-82

GAO/AIMD-97-82T


(511539)


Abbreviations
=============================================================== ABBREV

  EARL - Electronic Audit Research Log
  GPRA - Government Performance and Results Act
  IDRS - Integrated Data Retrieval System
  IRS - Internal Revenue Service
  OMB - Office of Management and Budget
  TSM - tax systems modernization

============================================================ Chapter 0

Mr. Chairman and Members of the Subcommittee: 

We appreciate the opportunity to testify on Internal Revenue Service
(IRS) employees' electronic browsing of taxpayer files, as well as
IRS' fiscal years 1998 and 1999 budget requests for tax systems
modernization (TSM) development currently before this Subcommittee. 

On April 8, 1997, we issued a report disclosing many serious computer
security weaknesses at IRS.\1 These weaknesses make IRS computer
resources and taxpayer data unnecessarily vulnerable to external
threats, such as natural disasters and people with malicious
intentions.  They also expose taxpayer data to internal threats, such
as employees accessing taxpayer files for purposes unrelated to their
jobs (for example, reading the files of celebrities or neighbors) or
making unauthorized changes to taxpayer data, either inadvertently or
deliberately for personal gain (for example, to initiate unauthorized
refunds or abatements of tax).  Such unauthorized and improper
browsing of taxpayer records has been the focus of considerable
attention in recent years.  Nevertheless, our report shows that IRS
is not effectively addressing the problem.  IRS still does not
effectively monitor employee activity, accurately record browsing
violations, consistently punish offenders, or widely publicize
reports of incidents detected and penalties imposed. 

Compounding IRS' serious and persistent computer security and
employee browsing problems are equally serious and persistent TSM
management and technical problems that must be corrected if IRS is to
effectively invest in TSM.  IRS is requesting $1.131 billion in
fiscal years 1998 and 1999 for TSM development and deployment. 
However, IRS does not know how it will spend this $1.131 billion and
has not yet corrected the management and technical problems that IRS
has acknowledged have resulted in hundreds of millions of dollars
being wasted thus far on TSM.  This is inconsistent with the
Government Performance and Results Act (GPRA) of 1993 and the
Clinger-Cohen Act of 1996, which require that information technology
investments be supported by convincing business case analyses and
disciplined management and technical processes. 


--------------------
\1 IRS Systems Security:  Tax Processing Operations and Data Still at
Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997). 


   IRS IS NOT EFFECTIVELY
   ADDRESSING ELECTRONIC BROWSING
---------------------------------------------------------- Chapter 0:1

Employee electronic browsing of taxpayer records is a long-standing
problem at IRS.  We reported in September 1993 that IRS did not
adequately (1) restrict access by computer support staff to computer
programs and data files or (2) monitor the use of these resources by
computer support staff and users.\2 As a result, personnel who did
not need access to taxpayer data could read and possibly use this
information for fraudulent purposes.  Also, unauthorized changes
could be made to taxpayer data, either inadvertently or deliberately
for personal gain (for example, to initiate unauthorized refunds or
abatements of tax).  In August 1995, we reported that the Service
still lacked sufficient safeguards to prevent or detect unauthorized
browsing of taxpayer information.\3

To address employee browsing, IRS developed the Electronic Audit
Research Log (EARL), an automated tool to monitor and detect browsing
on the Integrated Data Retrieval System (IDRS).\4 IRS has also taken
legal and disciplinary actions against employees caught browsing. 
However, as our April 1997 report points out, EARL has shortcomings
that limit its ability to detect browsing.  In addition, IRS does not
have reliable, objective measures for determining whether or not the
Service is making progress in reducing browsing.  Further, IRS
facilities inconsistently (1) review and refer incidents of employee
browsing, (2) apply penalties for browsing violations, and (3)
publicize the outcomes of browsing cases to deter other employees
from browsing. 


--------------------
\2 IRS Information Systems:  Weaknesses Increase Risk of Fraud and
Impair Reliability of Management Information (GAO/AIMD-93-34,
September 22, 1993). 

\3 Financial Audit:  Examination of IRS' Fiscal Year 1994 Financial
Statements (GAO/AIMD-95-141, August 4, 1995). 

\4 IDRS is the primary computer system IRS employees use to access
and adjust taxpayer accounts. 


      EARL'S ABILITY TO DETECT
      BROWSING IS LIMITED
-------------------------------------------------------- Chapter 0:1.1

EARL cannot detect all instances of browsing because it only monitors
employees using IDRS.  EARL does not monitor the activities of IRS
employees using other systems, such as the Distributed Input System,
the Integrated Collection System, and the Totally Integrated
Examination System, which are also used to create, access, or modify
taxpayer data.  In addition, information systems personnel
responsible for systems development and testing can browse taxpayer
information on magnetic tapes, cartridges, and other files using
system utility programs, such as the Spool Display and Search
Facility,\5 which also are not monitored by EARL. 

Further, EARL has some weaknesses that limit its ability to identify
browsing by IDRS users.  For example, because EARL is not effective
in distinguishing between browsing activity and legitimate work
activity, it identifies so many potential browsing incidents that a
subsequent manual review to find incidents of actual browsing is
time-consuming and difficult.  IRS is evaluating options for
developing a newer version of EARL that may better distinguish
between legitimate activity and browsing. 


--------------------
\5 This utility enables a programmer to view a system's output, which
may contain investigative or taxpayer information. 


      IRS PROGRESS IN REDUCING AND
      DISCIPLINING BROWSING CASES
      IS UNCLEAR
-------------------------------------------------------- Chapter 0:1.2

IRS' management information systems do not provide sufficient
information to describe known browsing incidents precisely or to
evaluate their severity consistently.  IRS personnel refer potential
browsing cases to either the Labor Relations or Internal Security
units, each of which records information on these potential cases in
its own case tracking system.  However, neither system captures
sufficient information to report on the total number of unauthorized
accesses.  For example, neither system contains enough information on
each case to determine how many taxpayer accounts were
inappropriately accessed or how many times each account was accessed. 
Without such information, IRS cannot measure whether it is making
progress from year to year in reducing browsing. 
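Two of the shortcomings described above, EARL flagging so many candidate incidents that manual review is impractical, and the case tracking systems not recording how many accounts were touched or how often, are problems of detection design and record keeping that a small worked example makes concrete. The following Python script is an added illustration, not EARL, IDRS or any other IRS code. The access-record format, the employee and account identifiers, the caseload table used as authorization context, and the abbreviations DIS, ICS and SDSF for the Distributed Input System, the Integrated Collection System and the Spool Display and Search Facility are all constructed for the example. It contrasts a context-free rule (flag every lookup that no adjustment followed) with a rule that consults the employee's assigned caseload and self-access, and it builds case records that carry the per-account counts the text says are missing.

```python
"""Separating likely browsing from legitimate work by correlating account
accesses with an authorization context, and recording per-case counts so
progress can be measured year to year. Added example; not IRS/EARL code.
All log lines, identifiers and the caseload table are constructed."""

from collections import Counter
from dataclasses import dataclass, field

# Constructed audit feed. Each line: system employee employee_tin account_tin action.
# Several systems are listed deliberately: a detector that ingests only one
# system's trail (as the text says EARL monitors only IDRS) misses the rest.
ACCESS_LOG = [
    "IDRS e101 111-11-1111 500-00-0001 VIEW",
    "IDRS e101 111-11-1111 500-00-0002 VIEW",
    "IDRS e101 111-11-1111 111-11-1111 VIEW",  # employee looks up own account
    "DIS  e102 222-22-2222 500-00-0009 VIEW",
    "ICS  e102 222-22-2222 500-00-0009 ADJUST",
    "IDRS e103 333-33-3333 500-00-0003 VIEW",
    "IDRS e103 333-33-3333 500-00-0004 VIEW",
    "IDRS e103 333-33-3333 500-00-0004 VIEW",
    "SDSF e104 444-44-4444 500-00-0007 VIEW",  # utility program, no case context
]

# Constructed caseload: accounts each employee is assigned to work (the
# authorization context that a context-free rule lacks).
CASELOAD = {
    "e101": {"500-00-0001", "500-00-0002"},
    "e102": {"500-00-0009"},
    "e103": {"500-00-0003"},
    "e104": set(),
}


@dataclass
class AccessRecord:
    system: str
    employee: str
    employee_tin: str
    account_tin: str
    action: str


@dataclass
class Case:
    """One potential browsing case, keeping the counts the text says the
    tracking systems do not capture: distinct accounts and hits per account."""
    employee: str
    reasons: set = field(default_factory=set)
    hits: Counter = field(default_factory=Counter)  # account_tin -> accesses

    @property
    def accounts(self) -> int:
        return len(self.hits)

    @property
    def accesses(self) -> int:
        return sum(self.hits.values())


def parse_log(lines):
    return [AccessRecord(*line.split()) for line in lines]


def naive_candidates(records):
    """Context-free rule: flag every lookup with no later adjustment on the
    same account by the same employee. Research and browsing look identical
    under this rule, so almost every lookup becomes a candidate."""
    adjusted = {(r.employee, r.account_tin) for r in records if r.action == "ADJUST"}
    return [r for r in records
            if r.action == "VIEW" and (r.employee, r.account_tin) not in adjusted]


def suspicious_reason(rec, caseload):
    """Contextual rule: self-access and access outside the assigned caseload
    are the accesses that need a human look; everything else is presumed work."""
    if rec.account_tin == rec.employee_tin:
        return "own account"
    if rec.account_tin not in caseload.get(rec.employee, set()):
        return "account not in assigned caseload"
    return None


def build_cases(records, caseload):
    cases = {}
    for rec in records:
        reason = suspicious_reason(rec, caseload)
        if reason is None:
            continue
        case = cases.setdefault(rec.employee, Case(rec.employee))
        case.reasons.add(reason)
        case.hits[rec.account_tin] += 1
    return cases


def summarize(cases):
    """Totals a facility could report consistently from year to year."""
    return {
        "cases": len(cases),
        "accounts": sum(c.accounts for c in cases.values()),
        "accesses": sum(c.accesses for c in cases.values()),
    }


def coverage(records):
    """Which systems the feed actually covers; a gap here is a blind spot."""
    return sorted({r.system for r in records})


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    print("systems covered:", coverage(recs))
    print("context-free candidates:", len(naive_candidates(recs)))
    cases = build_cases(recs, CASELOAD)
    for emp, c in sorted(cases.items()):
        print(f"{emp}: {c.accounts} account(s), {c.accesses} access(es), {sorted(c.reasons)}")
    print("summary:", summarize(cases))
```

On the constructed feed the context-free rule produces seven candidates for a reviewer to sift, while the caseload-aware rule produces three cases covering four accesses, each carrying the account and access counts that make a year-over-year comparison possible. The caseload table is the assumption doing the work: without an authoritative record of what each employee is supposed to be working, no rule can tell a legitimate lookup from a curious one.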

A recent report by the IRS EARL Executive Steering Committee\6 shows
that the number of browsing cases closed has fluctuated from a low of
521 in fiscal year 1991 to a high of 869 in fiscal year 1995.\7
However, the report concluded that the Service does not consistently
count the number of browsing cases and that "it is difficult to
assess what the detection programs are producing .  .  .  or our
overall effectiveness in identifying IDRS browsing."

Further, the committee reported that "the percentages of cases
resulting in discipline has remained constant from year to year in
spite of the Commissioner's 'zero tolerance' policy." IRS browsing
data for fiscal years 1991 to 1995 show that the percentage of
browsing cases resulting in IRS' three most severe categories of
penalties (i.e., disciplinary action, separation, and
resignation/retirement) has ranged between 23 and 34 percent, with an
average of 29 percent.\8


--------------------
\6 Electronic Audit Research Log (EARL) Executive Steering Committee
Report (September 30, 1996). 

\7 We did not verify the accuracy and reliability of these data. 

\8 The mix among these three categories has remained relatively
constant each year with disciplinary action accounting for the vast
majority of penalties. 


      BROWSING INCIDENTS ARE
      REVIEWED, REFERRED,
      DISCIPLINED, AND PUBLICIZED
      INCONSISTENTLY
-------------------------------------------------------- Chapter 0:1.3

IRS processing facilities do not consistently review and refer
potential browsing cases.  The processing facilities responsible for
monitoring browsing had different policies and procedures for
identifying potential violations and referring them to the
appropriate unit within IRS for investigation and action.  For
example, at one facility, the analysts who identify potential
violations referred all of them to Internal Security, while staff at
another facility sent some to Internal Security and the remainder to
Labor Relations. 

IRS has taken steps to improve the consistency of its review and
referral process.  In June 1996, it developed specific criteria for
analysts to use when making referral decisions.  A recent report by
the EARL Executive Steering Committee stated that IRS had implemented
these criteria nationwide.  Because IRS was in the process of
implementing these criteria during our work, we could not validate
their implementation or effectiveness. 

IRS facilities are not consistently disciplining employees caught
browsing.  After several IRS directors raised concerns that field
offices were inconsistent in the types of discipline imposed in
similar cases, IRS' Western Region analyzed fiscal year 1995 browsing
cases for all its offices and found inconsistent treatment for
similar types of offenses.  For example, one employee who attempted
to access his own account was given a written warning, while other
employees in similar situations, from the same division, not only did
not receive a written warning but were not counseled at all. 

The EARL Executive Steering Committee reported widespread
inconsistencies in the penalties imposed in browsing cases.  For
example, the committee's report showed that for fiscal year 1995, the
percentage of browsing cases resulting in employee counseling ranged
from a low of 0 percent at one facility to 77 percent at another. 
Similarly, the report showed that the percentage of cases resulting
in removal ranged from 0 percent at one facility to 7 percent at
another.  For punishments other than counseling or removal (e.g.,
suspension), the range was between 10 percent and 86 percent. 

IRS facilities did not consistently publicize the penalties assessed
in browsing cases to deter such behavior.  For example, we found that
one facility never reported disciplinary actions.  However, another
facility reported the disciplinary outcomes of browsing cases in its
monthly newsletter.  By inconsistently and incompletely reporting on
penalties assessed for employee browsing, IRS is missing an
opportunity to more effectively deter such activity. 

In summary, although IRS has taken some action to detect and deter
browsing, it is still not effectively addressing this area of
continuing concern because (1) it does not know the full extent of
browsing and (2) it is addressing cases of browsing inconsistently. 
Because of this, our April report recommends that the IRS
Commissioner (1) ensure that IRS completely and consistently
monitors, records, and reports the full extent of electronic browsing
and (2) report IRS' progress in eliminating browsing in its annual
budget submission.  IRS has concurred with these recommendations and
stated that it will implement them.  We plan to monitor its progress
in doing so. 


   FISCAL YEARS 1998 AND 1999 TSM
   BUDGET REQUESTS NOT JUSTIFIED
---------------------------------------------------------- Chapter 0:2

Recent legislation, such as GPRA and the Clinger-Cohen Act, requires
that information technology investments be supported by accurate cost
data and convincing cost-benefit analyses.  However, IRS' fiscal
years 1998 and 1999 TSM budget requests, which combined total $1.131
billion, do not include credible, verifiable justifications. 
Exacerbating this problem is the fact that the systems modernization
continues to be at risk due to uncorrected management and technical
weaknesses\9 that we first reported in July 1995.\10 Such an approach
to modernization spending is exactly the cause of IRS' past
modernization failures, and giving IRS more money under these
circumstances not only undermines the objectives of GPRA and the
Clinger-Cohen Act, but also increases the risk of more money being
wasted. 


--------------------
\9 GAO High Risk Series, IRS Management (GAO/HR-97-8, February 1997);
Tax Systems Modernization:  Actions Underway But Management and
Technical Weaknesses Not Yet Corrected (GAO/T-AIMD-96-165, September
10, 1996); Tax Systems Modernization:  Actions Underway But IRS Has
Not Yet Corrected Management and Technical Weaknesses
(GAO/AIMD-96-106, June 7, 1996); Tax Systems Modernization: 
Management and Technical Weaknesses Must Be Overcome To Achieve
Success (GAO/T-AIMD-96-75, March 26, 1996); and Tax Systems
Modernization:  Management and Technical Weaknesses Must Be Corrected
If Modernization Is to Succeed (GAO/AIMD-95-156, July 25, 1995). 

\10 Tax Systems Modernization:  Management and Technical Weaknesses
Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156,
July 25, 1995). 


      BUDGET REQUEST FOR FISCAL
      YEAR 1998 SYSTEMS
      DEVELOPMENT NOT JUSTIFIED
-------------------------------------------------------- Chapter 0:2.1

The Clinger-Cohen Act, GPRA, and OMB Circular No.  A-11 and
supporting memoranda require that information technology investments
be supported by accurate cost data and convincing cost-benefit
analyses.  However, IRS has not prepared such analyses to support its
fiscal year 1998 request of $131 million for system development.  The
budget request states that IRS does not know how it plans to spend
these funds because its modernization systems architecture and system
deployment plan have not yet been finalized.  These efforts are
scheduled for completion in May 1997 and are intended to guide future
systems development.  According to IRS budget officials, $131 million
was requested for fiscal year 1998 because it was approximately the
same amount IRS received in fiscal year 1997 for system development. 


      NO JUSTIFICATION TO SUPPORT
      INFORMATION TECHNOLOGY
      INVESTMENTS ACCOUNT REQUESTS
      FOR FISCAL YEARS 1998 AND
      1999
-------------------------------------------------------- Chapter 0:2.2

The administration, on IRS' behalf, is proposing to establish an
Information Technology Investments Account to fund future
modernization investments at IRS.  It is seeking $1 billion--$500
million in each of fiscal years 1998 and 1999--for
"yet-to-be-specified" development efforts.  According to IRS'
request, the funds are to support acquisition of new information
systems, any expenditures from the account will be reviewed and
approved by the Department of the Treasury's Modernization Management
Board, and no funds will be obligated before July 1, 1998. 

The Clinger-Cohen Act, GPRA, and OMB Circular No.  A-11 and
supporting memoranda require that, prior to requesting multiyear
funding for capital asset acquisitions, agencies develop accurate,
complete cost data and perform thorough analyses to justify the
business need for the investment.  For example, agencies need to show
that needed investments (1) support a critical agency mission, (2)
are justified by a life-cycle-based cost-benefit analysis, and (3)
have cost, schedule, and performance goals. 

IRS has not prepared such analyses for its fiscal years 1998 and 1999
investment account request.  Instead, IRS and Treasury officials
stated that during executive-level discussions, they estimated that
they would need about $2 billion over the next 5 years.  This
estimate was not based on analytical data or derived using formal
cost estimating techniques.  According to Office of Management and
Budget (OMB) officials responsible for IRS' budget submission, the
request was reduced to $1 billion over 2 years because they perceived
the lesser amount as being more palatable to the Congress.  These
officials also told us that they were not concerned about the
precision of the estimate because their first priority is to "earmark
funds" in the fiscal years 1998 and 1999 budgets so that funds will
be available when IRS eventually determines how it wants to modernize
its systems. 

In 1995 we made over a dozen recommendations to the Commissioner of
Internal Revenue to address systems modernization management and
technical weaknesses.  We reported in 1996 that IRS had initiated
many activities to improve its modernization efforts, but had not yet
fully implemented our recommendations.\11 Since that time, IRS has
continued to take steps to address our recommendations and respond to
congressional direction.  While we recognize these actions as well as
actions taken by Treasury to address these problems, we remain
concerned.  Much remains to be done to implement essential
improvements in IRS' modernization efforts.  IRS is still in the
process of putting in place disciplined processes for designing and
developing new systems, has not yet completed its systems
architecture, and has no justification for the funding it has
requested. 

Given IRS' poor track record delivering cost beneficial TSM systems,
persisting weaknesses in both software development and acquisition
capabilities, and the lack of justification and analyses for over $1
billion in proposed system expenditures, we believe that the Congress
should not fund these requests until the management and technical
weaknesses in IRS' modernization program are resolved and the
required justifications are completed. 


--------------------
\11 Tax Systems Modernization:  Actions Underway But IRS Has Not Yet
Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June
7, 1996). 


-------------------------------------------------------- Chapter 0:2.3

Mr. Chairman, this concludes my statement.  Lynda Willis, Director,
Tax Policy and Administration Issues, and I will be happy to respond
to any questions you or Members of the Subcommittee might have at
this time. 


*** End of document. ***