May 20 Oversight Hearing on the Internal Revenue Service--Questions for the Record
Gao ID: GAO-03-962R June 27, 2003
GAO reviewed the Internal Revenue Service's (IRS) accomplishments in the 5 years since the IRS Restructuring and Reform Act of 1998 was past. Specifically, GAO determined (1) how much money IRS has spent on upgrading its security, (2) whether the challenges associated with ensuring information security are technological or managerial, and (3) if IRS is taking sufficient steps to eliminate overpayments to the Earned Income Credit (EIC).
According to IRS officials, spending for security in fiscal year 2003 is about $132 million,including about $39 million dedicated to information technology security improvements. For fiscal year 2004, IRS officials state that they have requested about $136 million for information security, with about $40 million dedicated to improvements. The challenges facing IRS in ensuring information security are largely managerial. Ensuring that known weaknesses affecting IRS's computing resources are promptly mitigated and that computer controls effectively protect its systems and data requires support and leadership from senior management of IRS's information technology and operating divisions, disciplined processes, and consistent oversight. We have reported that an underlying cause for the hundreds of information security weaknesses identified during our reviews of IRS's computer controls was that IRS has not fully implemented its agencywide information security program. Implementing such a program requires that IRS take a comprehensive approach that includes assessing risks and evaluating needs, establishing and implementing appropriate policies and controls, enhancing awareness and technical skills, and monitoring the effectiveness of controls on an ongoing basis. Further, a successful program will need the active and accountable involvement of both (1) operating division executives and managers who understand which aspects of their missions and information systems are the most critical and sensitive and (2) technical experts who know the agency's systems and understand the technical aspects of implementing security controls. Because IRS's latest compliance study uses tax year 1999 data and its new initiatives are in the early planning stages, it is too early to determine whether IRS's steps to reduce EIC overpayments will be sufficient. IRS has plans to evaluate the success of its initiatives, but data will not be available for some time. IRS has and continues to take steps aimed at reducing EIC overpayments. IRS received about $875 million in special appropriations for EIC compliance initiatives between 1998 and 2003. The most recent data available, for tax year 1999, showed that overpayments for the EIC are estimated to be between about 27 and 32 percent of dollars claimed or between $8.5 billion and $9.9 billion. For fiscal year 2004, IRS has asked for a total of $251 million. This included $100 million to enhance its EIC compliance initiatives--about $45 million for technology improvements and about $55 million for direct casework. The direct casework involves three new initiatives, each of which would be tested over the next year and, depending on the results, expanded in future years. The initiatives cover (1) qualifying child verification, (2) income misreporting, and (3) filing status.
GAO-03-962R, May 20 Oversight Hearing on the Internal Revenue Service--Questions for the Record
This is the accessible text file for GAO report number GAO-03-962R
entitled 'May 20 Oversight Hearing on the Internal Revenue Service--
Questions for the Record' which was released on June 27, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
June 27, 2003:
The Honorable William M. Thomas:
Chairman:
Joint Committee On Taxation:
Subject: May 20 Oversight Hearing on the Internal Revenue Service -
Questions for the Record:
It was a pleasure to appear before the Joint Committee on Taxation on
May 20, 2003, to discuss the Internal Revenue Service's (IRS)
accomplishments in the 5 years since the IRS Restructuring and Reform
Act of 1998 was passed. Enclosed are our answers to questions from the
Honorable Marsha Blackburn, dated June 3, 2003, which required a
written response. I hope this information is helpful.
Sincerely yours,
James R. White:
Director, Strategic Issues:
Signed by James R. White:
Enclosure:
(1) How much money has IRS spent on upgrading its security? Are the
challenges associated with ensuring information security technological
or managerial?
According to IRS officials, spending for security in fiscal year 2003
is about $132 million, including about $39 million dedicated to
information technology security improvements. For fiscal year 2004, IRS
officials state that they have requested about $136 million for
information technology security, with about $40 million dedicated to
improvements.
The challenges facing IRS in ensuring information security are largely
managerial. Ensuring that known weaknesses affecting IRS's computing
resources are promptly mitigated and that computer controls effectively
protect its systems and data requires support and leadership from
senior management of IRS's information technology and operating
divisions, disciplined processes, and consistent oversight. We have
reported that an underlying cause for the hundreds of information
security weaknesses identified during our reviews of IRS's computer
controls was that IRS has not fully implemented its agencywide
information security program.[Footnote 1] Implementing such a program
requires that IRS take a comprehensive approach that includes assessing
risks and evaluating needs, establishing and implementing appropriate
policies and controls, enhancing awareness and technical skills, and
monitoring the effectiveness of controls on an ongoing basis. Further,
a successful program will need the active and accountable involvement
of both (1) operating division executives and managers who understand
which aspects of their missions and information systems are the most
critical and sensitive and (2) technical experts who know the agency's
systems and understand the technical aspects of implementing security
controls. At the same time, technology is certainly part of the answer.
While there are no silver bullets, there are many tools today that are
very helpful in implementing information security and could assist IRS
in its efforts to strengthen security. Until IRS effectively and fully
implements its agencywide information security program, assurance will
remain limited that IRS's financial information and taxpayers' personal
information are adequately safeguarded against unauthorized use,
disclosure, and modification, and its exposure to these risks will
remain unnecessarily high.
Is IRS taking sufficient steps to eliminate overpayments to the Earned
Income Credit?
Because IRS's latest compliance study uses tax year 1999 data and its
new initiatives are in the early planning stages, it is too early to
determine whether IRS's steps to reduce Earned Income Credit (EIC)
overpayments will be sufficient. IRS has plans to evaluate the success
of its initiatives, but data will not be available for some time. We
are preparing a report on the precertification initiative, due in late
July, which discusses, among other things, IRS's evaluation efforts for
that program.
IRS has and continues to take steps aimed at reducing EIC overpayments.
IRS received about $875 million in special appropriations for EIC
compliance initiatives between 1998 and 2003. The most recent data
available, for tax year 1999, showed that overpayments for the EIC are
estimated to be between about 27 and 32 percent of dollars claimed or
between $8.5 billion and $9.9 billion.
For fiscal year 2004, IRS has asked for a total of $251 million. This
included $100 million to enhance its EIC compliance initiatives--about
$45 million for technology improvements and about $55 million for
direct casework. The direct casework involves three new initiatives,
each of which would be tested over the next year and, depending on the
results, expanded in future years. The initiatives cover (1) qualifying
child verification, (2) income misreporting, and (3) filing status.
Qualifying Child Verification Initiative: Filers that improperly claim
qualified children represent the single largest area of EIC overclaims.
Under this proposed initiative, IRS would notify taxpayers of their
need to provide certain documentation to prove EIC eligibility and
taxpayers would send in the required documentation prior to receiving
the EIC portion of their refund, thus providing an opportunity for
examiners to either accept or deny the claim. IRS plans to test this
proposal beginning in late summer 2003 by mailing 45,000 notices to
taxpayers considered to be high risk because IRS could not verify
eligibility for EIC through any available means.
Income Misreporting Initiative: Income misreporting is another common
problem with EIC claims. IRS plans to use document matching to identify
EIC filers who have a history of misreporting income in order to
increase (or receive) the EIC. Based on that history, 175,000
taxpayers' returns would be flagged when their 2003 EIC claims are
filed in the spring of 2004. Any EIC refund would then be frozen until
IRS could verify the taxpayer's income through document matching or
audit procedures in the fall of 2004.
Filing status Initiative: Another common problem associated with EIC
claims is improper filing status. IRS plans to verify the filing status
for 5,000 cases, but the criteria for selecting the cases have not yet
been determined.
We are sending copies of this letter to the Commissioner, Internal
Revenue, and interested congressional committees. We will also make
copies available to others upon request. In addition, this report will
be available at no charge on the GAO Web site at http://www.gao.gov.
If you have any questions about this letter or need additional
information, please call me on 202-512-9110 or Joanna Stamatiades,
Assistant Director, on 404-679-1984. Key contributors to this letter
included Libby Mixon and Greg Wilshusen.
FOOTNOTES
[1] U.S. General Accounting Office, Information Security: Progress
Made, but Weaknesses at the Internal Revenue Service Continue to Pose
Risks, GAO-03-44 (Washington, D.C.: May 30, 2003).
