IRS High-Risk Issues: Modernization of Processes and Systems Necessary to
Resolve Problems (Testimony, 03/04/97, GAO/T-GGD-97-52).

GAO discussed the Internal Revenue Service's (IRS) efforts to improve
the efficiency and effectiveness of its program areas that GAO has
designated as high risk because of their vulnerability to waste, fraud,
abuse, and mismanagement.

GAO noted that: (1) for years GAO has chronicled IRS' struggle to
modernize and manage its operations, especially in the high-risk areas,
and has made scores of recommendations to improve IRS' systems,
processes, and procedures; (2) it is clear that in order to achieve its
stated goals of reducing the volume of paper tax returns, providing
better customer service, and improving compliance with the nation's tax
laws, IRS must successfully modernize its systems and operations; (3) to
accomplish this modernization, however, IRS needs to develop
comprehensive business strategies to ensure that its new and revised
processes drive systems development and acquisition; (4) solving the
problems in the high-risk areas is not an insurmountable task, but it
requires sustained management commitment, accurate information systems,
and reliable performance measures to track IRS' progress and provide the
data necessary to make informed management decisions; and (5) at a
minimum, IRS needs an implementation strategy that includes both
performing cost-benefit analyses and developing reasonable estimates of
the extent, time frames, and resources required to correct its high-risk
vulnerabilities.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-GGD-97-52
     TITLE:  IRS High-Risk Issues: Modernization of Processes and 
             Systems Necessary to Resolve Problems
      DATE:  03/04/97
   SUBJECT:  Risk management
             Tax administration systems
             Systems conversions
             Financial management
             Accounts receivable
             Systems design
             Strategic information systems planning
             Fraud
             Delinquent taxes
             Computer security
IDENTIFIER:  IRS Tax System Modernization Program
             TSM
             IRS Electronic Fraud Detection System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Oversight, Committee on Ways and Means,
House of Representatives

For Release
on Delivery
Expected at
10:00 a.m.  EDT
Tuesday, March 4, 1997

IRS HIGH-RISK ISSUES -
MODERNIZATION OF PROCESSES AND
SYSTEMS NECESSARY TO RESOLVE
PROBLEMS

Statement of Lynda D.  Willis, Director, Tax Policy and
Administration Issues, General Government Division

GAO/T-GGD-97-52

GAO/GGD-97-52T


(268786)


Abbreviations
=============================================================== ABBREV


============================================================ Chapter 0

Madam Chairman and Members of the Subcommittee: 

We are pleased to be here today to assist the Subcommittee in its
review of the Internal Revenue Service's (IRS) efforts to improve the
efficiency and effectiveness of its program areas that we have
identified as high risk because of their vulnerability to waste,
fraud, abuse, and mismanagement.  A key factor in understanding IRS'
ongoing difficulties in the high-risk areas is the realization that
its major processes and systems were developed and implemented
decades ago and were not designed to address the critical needs and
vulnerabilities that confront IRS in the 1990s.  In addition, the
problems IRS faces in attempting to eliminate its high-risk
vulnerabilities are compounded by the interdependency of the
high-risk areas.  For example, IRS' success in addressing the
weaknesses in its program areas is clearly linked to its success in
modernizing its information systems.  However, this understanding of
the difficulties IRS faces does not mitigate our concern over IRS'
progress in developing a comprehensive strategy or detailed business
plan to modernize its outdated processes and systems.  Without
successfully modernizing its processes and systems, IRS cannot hope
to resolve the problems in its high-risk areas. 


   OVERVIEW
---------------------------------------------------------- Chapter 0:1

In February 1997, we issued our third series of reports on the status
of high-risk areas across the government.\1 One report in the series
discussed the four long-standing high-risk areas at IRS:  (1) tax
systems modernization--IRS' development of the business and
management strategies, software acquisition and development
capabilities, and technical infrastructure and systems architecture
needed to modernize its systems and processes; (2) financial
management--IRS' efforts to properly account for its tax revenues,
obligations, and disbursements; (3) accounts receivable--IRS'
initiatives to better understand the composition of its tax debt
inventory and to devise effective collection strategies and reliable
programs to prevent future delinquencies; and (4) filing fraud--IRS'
efforts to gather sufficient information to determine the
effectiveness of its attempts to deter the filing of fraudulent
returns.\2

Our 1997 high-risk report series also designated five new high-risk
areas, two of which have government-wide implications and directly
affect IRS' operations.\3 One area is information security--IRS'
initiatives to better protect the confidentiality and accuracy of
taxpayer data from unauthorized access and manipulation.  The other
area is the year 2000 problem--IRS' plans to protect itself from the
operational and financial impacts that could affect tax processing
and revenue collection systems if its computer systems cannot
accommodate the change of date to the year 2000. 

Today, we will briefly discuss the problems IRS faces in these six
high-risk areas, the progress IRS has made since our last series of
high-risk reports in 1995, and the measures IRS must take to resolve
the problems in its high-risk areas.  This testimony is based on our
prior reports and recent information obtained from IRS. 


--------------------
\1 GAO/HR-97-20SET. 

\2 GAO/HR-97-8. 

\3 GAO/HR-97-9. 


   IRS' HIGH-RISK AREAS
---------------------------------------------------------- Chapter 0:2

For years we have chronicled IRS' struggle to modernize and manage
its operations, especially in the high-risk areas, and have made
scores of recommendations to improve IRS' systems, processes, and
procedures.  It is clear that in order to achieve its stated goals of
reducing the volume of paper tax returns, providing better customer
service, and improving compliance with the nation's tax laws, IRS
must successfully modernize its systems and operations.  To
accomplish this modernization, however, IRS needs to develop
comprehensive business strategies to ensure that its new and revised
processes drive systems development and acquisition.  Solving the
problems in the high-risk areas is not an insurmountable task, but it
requires sustained management commitment, accurate information
systems, and reliable performance measures to track IRS' progress and
provide the data necessary to make informed management decisions. 


      TAX SYSTEMS MODERNIZATION
-------------------------------------------------------- Chapter 0:2.1

Over the last decade, IRS has been attempting to overhaul its
timeworn, paper-intensive approach to tax return processing.  At
stake is the over $3 billion that IRS has spent or obligated on this
modernization since 1986, as well as any additional funds that IRS
plans to spend on the modernization. 

In July 1995, we reported that IRS (1) did not have a comprehensive
business strategy to cost-effectively reduce paper tax return
filings; (2) had not yet fully developed and put in place the
requisite management, software development, and technical
infrastructure necessary to successfully implement its ambitious,
world-class modernization; and (3) lacked an overall systems
architecture, or blueprint, to guide the modernization's development
and evolution.\4 At that time, we made over a dozen recommendations
to the IRS Commissioner to address these weaknesses. 

Pursuant to subsequent congressional direction, we assessed IRS'
actions to correct its management and technical weaknesses.  We
reported in June and September 1996 that IRS had initiated many
activities to improve its modernization efforts but had not yet fully
implemented any of our recommendations.\5 We also suggested to
Congress that it consider limiting modernization funding exclusively
to cost-effective efforts that (1) support ongoing operations and
maintenance; (2) correct IRS' pervasive management and technical
weaknesses; (3) are small, represent low technical risk, and can be
delivered quickly; and (4) involve deploying already developed and
fully tested systems that have proven business value and are not
premature given the lack of a completed architecture. 

IRS has taken steps to address our recommendations and respond to
congressional direction.  For example, IRS hired a new Chief
Information Officer.  It also created an investment review board to
select, control, and evaluate its information technology investments. 
Thus far, the board has reevaluated and terminated several major
modernization development projects that were not found to be
cost-effective.  In addition, IRS provided a report to Congress in
November 1996 that set forth IRS' strategic plan and its schedule for
shifting modernization development and deployment to contractors. 

IRS is also finalizing a comprehensive strategy to maximize
electronic filing that is currently scheduled for completion in May
1997.  It is also updating its system development life cycle
methodology and is working across various IRS organizations to define
disciplined processes for software requirements management, quality
assurance, configuration management, and project planning and
tracking.  Additionally, IRS is developing a systems architecture and
project sequencing plan for the modernization and intends to provide
this to Congress by May 15, 1997. 

While we recognize IRS' actions, we remain concerned because much
remains to be done to fully implement essential improvements. 
Increasing the use of contractors, for example, will not
automatically increase the likelihood of successful modernization
because IRS does not have the technical capability needed to manage
all of its current contractors.  To be successful, IRS must also
continue to make a concerted, sustained effort to fully implement our
recommendations and respond effectively to the requirements outlined
by Congress.  It will take both management commitment and technical
discipline for IRS to accomplish these tasks. 


--------------------
\4 Tax Systems Modernization:  Management and Technical Weaknesses
Must Be Corrected If Modernization Is to Succeed (GAO/AIMD-95-156,
July 26, 1995). 

\5 Tax Systems Modernization:  Actions Underway But IRS Has Not Yet
Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June
7, 1996) and Tax Systems Modernization:  Actions Underway But
Management and Technical Weaknesses Not Yet Corrected
(GAO/T-AIMD-95-165, Sept.  10, 1996). 


      FINANCIAL MANAGEMENT
-------------------------------------------------------- Chapter 0:2.2

Our audits of IRS' financial statements have outlined the substantial
improvements needed in IRS' accounting and reporting in order to
comply fully with the requirements of the Chief Financial Officers
Act of 1990 (CFO Act).  The audits for fiscal years 1992 through 1995
have described IRS' difficulties in (1) properly accounting for its
tax revenues, in total and by reported type of tax; (2) reliably
determining the amount of accounts receivable owed for unpaid taxes;
(3) regularly reconciling its Fund Balance With Treasury accounts;
and (4) either routinely providing support for receipt of the goods
and services it purchases or, where supported, accurately recording
the purchased item in the proper period. 

IRS has made progress in addressing problems in these areas and has
developed an action plan, with specific timetables and deliverables,
to address the issues our financial statement audits have identified. 
In the administrative accounting area, for example, IRS reported that
it has identified substantially all of the reconciling items for its
Fund Balance With Treasury accounts, except for certain amounts IRS
has deemed not to be cost-beneficial to research further.  It also
has successfully transferred its payroll processing to the Department
of Agriculture's National Finance Center and has begun designing both
a short-term and a long-term strategy to fix the problems that
contribute to its nonpayroll expenses being unsupported or reported
in the wrong period. 

In the revenue accounting area, IRS' problems are especially affected
and complicated by automated data processing systems that were
implemented many years ago and thus not designed to support the new
financial reporting requirements imposed by the CFO Act.  Therefore,
IRS has designed an interim solution to capture the detailed support
for revenue and accounts receivable until longer-term solutions can
be identified and implemented.  Some of the longer-term actions
include (1) implementing software, hardware, and procedural changes
needed to create reliable subsidiary accounts receivable and revenue
records that are fully integrated with the general ledger; and (2)
implementing software changes that allow the detailed taxes reported
to be maintained separately from the results of compliance efforts
that would not be valid financial reporting transactions in the
masterfile, other related revenue accounting feeder systems, and the
general ledger. 

Over the past 4 years, we have made numerous recommendations to
improve IRS' financial management systems and reporting, and IRS has
been working to position itself to have more reliable financial
statements for fiscal year 1997 and thereafter.  To accomplish this,
especially in accounting for revenue and the related accounts
receivables, IRS will need to institute long-term solutions involving
reprogramming software for IRS' antiquated systems and developing new
systems as required. 

Follow-through to complete necessary corrective measures is essential
if IRS is to ensure that its corrective actions are carried out and
effectively solve its financial management problems.  Solving these
problems is fundamental to providing reliable financial information
and ensuring taxpayers that the government can properly account for
their federal tax dollars.  The accuracy of IRS' financial statements
is vital to both IRS and Congress for (1) ensuring adequate
accountability for IRS programs; (2) assessing the impact of tax
policies; and (3) measuring IRS' performance and cost effectiveness
in carrying out its numerous tax enforcement, customer service, and
collection activities. 


      ACCOUNTS RECEIVABLE
-------------------------------------------------------- Chapter 0:2.3

IRS routinely collects over a trillion dollars annually in taxes, but
many taxpayers are unable or unwilling to pay their taxes when due. 
As a result, IRS estimates that its accounts receivable amounts to
tens of billions of dollars.  Unfortunately, IRS' ability to
effectively address its accounts receivable problems is seriously
hampered by its outdated equipment and processes, incomplete
information needed to better target collection efforts, and the
absence of a comprehensive strategy and detailed plan to address the
systemic nature of the underlying problems. 

IRS' collection efforts have also been hampered by the age of the
delinquent tax accounts.  Because of the outdated equipment and
processes used to match tax returns and related information
documents, it can take IRS several years to identify potential
delinquencies and then initiate collection actions.  In addition,
according to IRS, the 10-year statutory collection period generally
precludes it from writing off uncollectible receivables until that
period has expired.  As a result, the receivables inventory includes
many relatively old accounts that will never be collected because the
taxpayers are deceased or the companies defunct. 

This is not to say, however, that IRS has not been trying to overcome
its deficiencies.  In the last 2 years, IRS has undertaken
initiatives to correct errors in its masterfile records of tax
receivables, develop profiles of delinquent taxpayers, and study the
effectiveness of various collection techniques.  It has also
streamlined its collection process, placed additional emphasis on
contacting repeat delinquents, made its collection notices more
readable, and targeted compliance-generated delinquencies for earlier
intervention. 

IRS reported that, as a result of taking these actions, its
collection employees took in more money than they classified as
"currently not collectible" and that the amount of money collected
immediately following the revision of its collection notices
increased by almost 25 percent over a comparable period in 1995.  In
addition, IRS reported collecting more in delinquent taxes in fiscal
year 1996 than it ever has, almost $30 billion. 

Despite these positive results, IRS needs to continue the development
of information databases and performance measures to afford its
managers the data needed to determine which actions or improvements
generate the desired changes in IRS' programs and operations.  And,
this should not be looked upon as a short-term commitment.  It will
still take a number of years to identify the root causes of
delinquencies and to develop, test, and implement courses of action
to deal with the causes.  Furthermore, once the analyses and planning
are completed, it will still be some time before full results of the
new initiatives are realized. 

Therefore, IRS must take deliberate action to ensure that its
problem-solving efforts are on the right track.  Specifically, it
needs to implement a comprehensive strategy that involves all aspects
of IRS' operations and that sets priorities; accelerates the
modernization of outdated equipment and processes; and establishes
realistic goals, specific timetables, and a system to measure
progress. 


      FILING FRAUD
-------------------------------------------------------- Chapter 0:2.4

When we first identified filing fraud as a high-risk area in February
1995, the amount of filing fraud being detected by IRS was on an
upward spiral.  Since then, IRS has introduced new controls and
expanded existing controls in an attempt to reduce its exposure to
filing fraud.  Those controls are directed toward either (1)
preventing the filing of fraudulent returns or (2) identifying
questionable returns after they have been filed. 

To deter the filing of fraudulent returns, IRS (1) expanded the
number of up-front filters in the electronic filing system designed
to screen electronic submissions for selected problems in order to
prevent returns with those problems from being filed electronically
and (2) strengthened the process for checking the suitability of
persons applying to participate in the electronic filing program as
return preparers or transmitters by requiring fingerprint and credit
checks. 

To better identify fraudulent returns once they have been filed, IRS
placed an increased emphasis in 1995 on validating social security
numbers (SSN) on filed paper returns and delayed any related refunds
to allow time to do those validations and to check for possible
fraud.  IRS also revised the computerized formulas it used to score
all tax returns as to their fraud potential and upgraded the research
capabilities of its fraud detection staff. 

IRS' efforts produced some positive results.  For example, the number
of SSN problems identified by the electronic filing filters
quadrupled between 1994 and 1995, and about 350 persons who applied
to participate in the electronic filing program for 1995 were
rejected because they failed the new fingerprint and credit checks. 
IRS' efforts to validate SSNs on paper returns produced over $800
million in reduced refunds or additional taxes.  Unfortunately, IRS
identified many more SSN problems than it was able to deal with and
released about 2 million refunds without resolving the problems. 

IRS was less successful in identifying fraudulent returns,
identifying over 65 percent fewer fraudulent returns in 1996 than
during a comparable period in 1995.  IRS believes this decrease is
attributable to a 31-percent reduction in its fraud detection staff
and the resulting underutilization of its Electronic Fraud Detection
System, which enhances the identification of fraudulent returns and
lessens the probability of improperly deleting accurate refunds. 
However, IRS does not have the information it needs to verify that
the decline was the result of staff reductions or to determine the
extent to which the downward trend may have been affected by changes
in the program's operating and reporting procedures or by a general
decline in the incidence of fraud. 

Given the decrease in fraud detection staff, it is critically
important for IRS to (1) optimize the electronic controls that are
intended to prevent the filing of fraudulent returns and (2) maximize
the effectiveness of available staff.  Modernization is the key to
achieving these objectives, and electronic filing is the cornerstone
of that modernization.  One solution, then, is to increase the
percentage of returns filed electronically.  To achieve this goal,
IRS must first identify those groups of taxpayers who offer the
greatest opportunity to reduce IRS' paper-processing workload and
operating costs if they were to file electronically.  IRS must then
develop strategies that focus its resources on eliminating or
lessening impediments that inhibit those groups from participating in
the program. 


      INFORMATION SECURITY
-------------------------------------------------------- Chapter 0:2.5

Malicious attacks on computer systems are an increasing threat to our
national welfare.  The federal government now relies heavily on
interconnected systems to control critical functions which, if
compromised, place billions of dollars worth of assets at risk of
loss and vast amounts of sensitive data at risk of unauthorized
disclosure.  Increasing reliance on networked systems and electronic
records has elevated our concerns about the possibility of serious
disruption to critical federal operations. 

As a result of our recent work at IRS, we believe that the
vulnerabilities of IRS' computer systems may affect the
confidentiality and accuracy of taxpayer data and may allow
unauthorized access, modification, or destruction of taxpayer
information.  The overriding problem at IRS is that information
security issues are addressed on a reactive basis.  IRS does not have
a proactive, independent information security group that
systematically reviews the adequacy and consistency of security over
IRS' computer operations.  In addition, computer security management
has not completed a formal risk assessment of its systems to
determine system sensitivity and vulnerability.  As a result, IRS
cannot effectively prevent or detect unauthorized browsing of
taxpayer information and cannot ensure that taxpayer data is not
being improperly manipulated for personal gain. 

IRS needs to address its information security weaknesses on a
continuing basis.  More specifically, IRS needs to impress upon its
senior managers the need to conduct regular systematic security
reviews and risk assessments of IRS' computer systems and operations. 
The weaknesses identified by these reviews and assessments then need
to be corrected expeditiously by personnel who have the technical
expertise to effectively implement, manage, and monitor the necessary
security controls and measures. 


      THE YEAR 2000 PROBLEM
-------------------------------------------------------- Chapter 0:2.6

For the past several decades, computer systems have used two digits
to represent the year, such as "97" for 1997, in order to conserve
electronic data storage and reduce operating costs.  In this format,
however, the year 2000 is indistinguishable from the year 1900
because both are represented as "00." As a result, if not modified,
computer systems and applications that use dates or perform date- or
time-sensitive calculations may generate incorrect results beyond
1999. 

For IRS, such a disruption of functions and services could jeopardize
all of its tax processing systems and administration.  It could
effectively halt the processing of tax return and return-related
information, the maintenance of taxpayer account information, the
assessment and collection of taxes, the recording of obligations and
expenditures, and the disbursement of refunds.  At the very least,
IRS' core business functions and mission-critical processes are at
risk of failure, as is numerous other administrative and management
processes. 

To avoid the crippling effects of a multitude of computer systems
simultaneously producing inaccurate and unreliable information, IRS
must assign management and oversight responsibility within its senior
executive corps, define the potential impact of such a systems
failure, and develop appropriate renovation strategies and
contingency plans for its critical systems.  Modifying IRS' critical
computer systems is a massive undertaking whose success or failure
will, in large part, be determined by the quality of IRS' executive
leadership and program management. 


   SUMMARY OUTLOOK
---------------------------------------------------------- Chapter 0:3

For years, IRS has struggled to collect the nation's tax revenue
using outdated processes and technology.  The result has often been
inefficient and ineffective programs and operations that are
vulnerable to waste, fraud, abuse, and mismanagement.  Of particular
concern to us have been IRS' efforts to modernize its tax systems,
manage its administrative and revenue accounting systems, identify
and collect taxes owed the government, detect and prevent the filing
of fraudulent tax returns, protect the confidentiality of taxpayer
information, and prevent the future disruption of tax services due to
computer malfunctions. 

These areas of concern share common characteristics that IRS must
address in the very near future.  At a minimum, IRS needs an
implementation strategy that includes both performing cost-benefit
analyses and developing reasonable estimates of the extent, time
frames, and resources required to correct its high-risk
vulnerabilities.  IRS also needs to (1) better define, prioritize,
implement, and manage new information systems; (2) ensure that its
administrative and revenue accounting systems fully comply with
government accounting standards; (3) design and implement both
administrative and electronic controls to protect taxpayer data from
unauthorized access; and (4) develop performance measures that will
allow its managers, Congress, and us to track its progress.  And,
above all, IRS management needs to sustain an agencywide commitment
to solving the agency's high-risk problems. 


-------------------------------------------------------- Chapter 0:3.1

Madam Chairman, this concludes my prepared statement.  We will be
glad to answer any questions that you or the Members of the
Subcommittee may have. 

*** End of document. ***