This is the accessible text file for GAO report number GAO-02-619T 
entitled 'Tax Administration: IRS Continues to Face Management 
Challenges in its Business Practices and Modernization Efforts' which 
was released on April 15, 2002. 

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the 
printed version. The portable document format (PDF) file is an exact 
electronic replica of the printed version. We welcome your feedback. 
Please E-mail your comments regarding the contents or accessibility 
features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States General Accounting Office: GAO: 

Testimony: 

Before the Subcommittee on Government Efficiency, Financial 
Management, and Intergovernmental Relations, Committee on Government 
Reform, House of Representatives: 

For Release on Delivery: 
Expected at 10 a.m., EDT: 
Monday April 15, 2002: 

Tax Administration: 

IRS Continues to Face Management Challenges in its Business Practices 
and Modernization Efforts: 

Statement of Michael Brostek, Director, Tax Issues: 
Randolph C. Hite, Director, Information Technology Systems Issues: 
Robert F. Dacey, Director, Information Security Issues: 
Steven J. Sebastian, Acting Director, Financial Management Issues: 

GAO-02-619T: 

Mr. Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss the management challenges 
that continue to face the Internal Revenue Service (IRS). At your 
request, our statement today will cover four areas: (1) financial 
management, (2) performance management, (3) computer security, and (4) 
business systems modernization. Our emphasis will be on the 
developments over the past year since we testified at your April 2001 
oversight hearing on IRS’s management challenges.[Footnote 1] 

While we will address each of these areas individually, the general 
theme that runs through each of them is that while IRS has made 
progress, it needs better management information and controls to 
assess and implement changes to its current business operations and 
modernization efforts. 

Our statement, based primarily on our recent audit work, makes the 
following points: 

* IRS was, for the second consecutive year, able to prepare financial 
statements that received an unqualified opinion, meaning that they 
were fairly presented. However, this achievement once again came 
through the use of substantial, costly, and time-consuming processes 
to compensate for serious systems and control deficiencies to produce 
financial statements that present information that is reliable for 
just a single point in time. This approach does not provide timely, 
useful, and reliable information to assist in managing the day-to-day 
operations of the agency, which was the intent of the Chief Financial 
Officers Act of 1990 and other important reform legislation enacted in 
the last decade. While IRS has made progress in addressing these 
issues, our audit of its fiscal years 2001 and 2000 financial 
statements continued to identify several material internal control 
weaknesses and other reportable issues. These financial management 
issues affect IRS’s ability to routinely report reliable information 
for decision-making and have led to both increased taxpayer burden and 
lost revenue to the federal government, thus affecting IRS’s ability 
to effectively fulfill its responsibilities as the nation’s tax 
collector. Continued efforts are needed to devise lasting solutions to 
IRS’s financial management challenges. Some of these solutions can be 
achieved in the short term; others are longer term in nature, as they 
are dependent on the successful modernization of IRS’s information 
systems. 

* IRS has continued to make progress in revamping its performance 
management system by using its strategic planning and budgeting 
process to reconcile competing priorities and initiatives with the 
realities of available resources. Also, it now has an evaluation 
system for front-line employees that is aligned to the agency’s 
strategic goals and is developing a measure of voluntary compliance. 
However, IRS needs to ensure that it has comparable performance 
measures over time and sufficient data to assess performance. It also 
needs to do more and better evaluations of its business practices so 
it can determine the factors that affect program performance and 
identify ways to more effectively use resources and improve service. 
Further, the progress IRS is making internally to better link resource 
allocations to intended results also has begun to surface in its 
budget justifications. For instance, the fiscal year 2003 budget 
justification links resources requested for telephone services to 
expected performance. However, for some compliance problems such as 
abusive tax shelters that the commissioner of Internal Revenue has 
cited as being significant, the budget justification neither 
identifies the level of resources to be devoted to the problem nor the 
results IRS expects to achieve. 

* In the area of computer security, IRS corrected or mitigated many of 
the previously reported weaknesses, including those affecting its 
electronic filing or “e-file” systems, and is implementing a computer 
security program that should, when fully implemented, help it manage 
its risks in this area. However, security weaknesses continue to exist 
in IRS’s computing environment. Weaknesses in logical access controls 
introduce the risk of unauthorized access to computing resources that 
could, in turn, lead to the unauthorized disclosure, modification, and 
use of taxpayer data. Other information system controls need 
improvement to physically protect IRS computing resources, properly 
segregate incompatible functions among computer personnel, and 
effectively ensure the continuation of computer processing service in 
case of unexpected interruption. IRS has substantially improved 
safeguards that control external access to its e-file systems, yet 
additional safeguards are needed to fully protect electronically filed 
tax return data. 

* Business Systems Modernization (BSM) is IRS’ ongoing program to 
leverage information technology to revamp how the service does 
business and is integral to IRS achieving its customer-focused vision. 
Started in 1999, BSM has received about $968 million in congressional 
funding. To date, IRS has made important progress in establishing the 
systems infrastructure, delivering system applications, and 
establishing the modernization management controls and capabilities 
needed to effectively acquire and deploy modernized systems. This 
progress, while not yet producing benefit to taxpayers and IRS 
commensurate with costs incurred, has nevertheless laid the foundation 
from which the benefits of future business applications can be 
realized. Despite the important progress, IRS is not where it 
committed to be in acquiring infrastructure and business application 
systems and is not where it needs to be in implementing management 
controls and capabilities. This is because IRS’ first priority and 
emphasis has been to get new systems up and running and thus, 
establishment of management capacity has not kept up. Proceeding 
without needed controls and capabilities increases the risk of not 
delivering promised system capabilities on time and within budget. As 
IRS moves forward, this risk is amplified because system 
interdependencies and complexity increase dramatically during the 
later phases of system projects. IRS acknowledges these risks and is 
currently balancing the pace of BSM with management capacity and has 
committed to making correction of management control weaknesses, a 
priority. 

We will now discuss each of these areas in detail. 

Financial Management: 

IRS’s financial management has long been problematic. In fiscal year 
2001, it continued to be plagued by many of the serious internal 
control and financial management issues that we have reported each 
year since we began auditing IRS’s financial statements in fiscal year 
1992.[Footnote 2] Despite these issues, IRS was, for the second 
consecutive year, able to produce financial statements covering its 
tax custodial and administrative activities in fiscal years 2001 and 
2000,[Footnote 3] that were fairly stated in all material respects. 
However, this was achieved only through extensive reliance on costly, 
time-consuming processes; statistical projections; external 
contractors; substantial adjustments; and monumental human efforts 
that extended nearly four months after the September 30, 2001, fiscal 
year-end. These costly efforts would not have been necessary if IRS’s 
systems and controls operated effectively. However, IRS still does not 
have a financial management system capable of producing the reliable 
and timely information its managers need to make day-to-day decisions 
on an ongoing basis, which is a goal of the CFO Act. Additionally, IRS’
s current approach to developing its financial statements does not 
address the underlying financial management and operational issues 
that adversely affect IRS’s ability to effectively fulfill its 
responsibilities as the nation’s tax collector. 

Strong commitment and hard work by both IRS’s senior leadership and 
staff continued to be the key to its ability to overcome its 
fundamental systems and internal control deficiencies and achieve its 
goal of receiving an unqualified audit opinion on its fiscal years 
2001 and 2000 financial statements. However, IRS found it extremely 
difficult to prepare its financial records for audit examination and 
issue its financial statements within the reporting timeline required 
by the Office of Management and Budget (OMB) for fiscal year 2001. OMB 
has announced the executive branch’s intention to significantly 
accelerate this timeline for future years and by fiscal year 2004, IRS 
will be required to issue its financial statements by November 15, or 
6 weeks after fiscal year end. Also, the Department of the Treasury 
has established a goal of completing its fiscal year 2002 audit, 
including those of its component entities, and issuing its department 
wide accountability report by November 15, 2002. Without significant 
and systemic changes in how IRS processes transactions, maintains its 
records, and reports its financial results to accompany its extensive 
compensating processes, IRS’s ability to meet this accelerated 
reporting deadline while sustaining an unqualified opinion on its 
financial statements is questionable. 

We would now like to summarize the major financial management 
challenges confronting IRS. 

Financial Reporting Weaknesses Hinder Availability of Reliable and 
Timely Information to Support Decision-Making: 

IRS did not have internal controls over its financial reporting 
process adequate to enable it to timely, routinely, and reliably 
generate and report the information needed to prepare financial 
statements and manage operations on an ongoing basis. Information 
produced by IRS’s financial management systems is neither current nor 
accurate, and must be supplemented by extensive, costly, time 
consuming manual procedures that take months to complete and typically 
result in billions of dollars in adjustments. The resulting financial 
statement balances are not available until months later and are only 
reliable at a single point in time. During fiscal year 2001, IRS 
continued to lack (1) an adequate general ledger system for financial 
reporting and management purposes, (2) adequate internal controls over 
material balances maintained in its general ledger system and 
recording of financial transactions, (3) a cost accounting system 
capable of providing timely and reliable cost information related to IRS
’s activities and programs to assist management in making resource 
allocation decisions, and (4) the ability to separately report several 
of the federal government’s largest types of revenue collections. 

IRS’s pervasive financial reporting weaknesses prevented it from 
preparing timely and reliable financial statements or other financial 
information that Congress and senior IRS management could rely on to 
oversee and assist in managing operations during fiscal year 2001. 
Consequently, IRS was compelled to make certain business decisions 
affecting the disposition of tens of billions of dollars without 
current and reliable underlying financial information. For example, in 
each of the following cases involving taxpayer compliance issues, IRS 
indicated that resource limitations affected its ability to perform 
necessary follow-up. 

* From 1996 to 1999, IRS only followed-up on 21 percent of the over 53 
million underreported individual income tax cases it identified, which 
accounted for about 41 percent of the over $65 billion in 
underreported taxes IRS estimated on these cases; and; 

* As of September 30, 2001, IRS had either not started collection 
action or had stopped collection action in progress on unpaid tax 
assessment cases with outstanding balances totaling about $12 billion. 
In deciding the amount of resources to devote to follow-up on these 
cases, IRS should consider factors such as the effects on fairness to 
taxpayers and efforts to deter filing fraud. The relative costs and 
benefits involved in following up on questionable cases should also be 
an integral part of such decisions. However, in each of these 
circumstances, IRS could not readily determine or justify whether it 
would be cost-beneficial to devote additional resources for such 
follow-up because it was not able to readily determine (1) the cost of 
following up on cases or (2) how much it collected on those cases for 
which it did follow-up. Without this information, IRS cannot perform 
cost-benefit analysis to assist it in determining or justifying 
whether the amount of resources it has devoted to each of these 
programs is appropriate relative to costs and potential benefits 
involved.[Footnote 4] Consequently, IRS is hindered in its ability to 
justify its resource utilization decisions or provide justification 
for resource increases, which could result in potentially billions of 
dollars of revenue going uncollected, lead to further erosion in 
taxpayers’ confidence in the equity of the tax system, and adversely 
affect future compliance. 

Management of Unpaid Tax Assessments Hindered by Lack of Subsidiary 
Ledger and Record Keeping Deficiencies: 

Ongoing serious internal control deficiencies continued to render IRS 
unable to properly manage unpaid assessments and has led to increased 
taxpayer burden.[Footnote 5] IRS still lacks a subsidiary ledger that 
tracks and accumulates unpaid tax assessments on an ongoing basis. As 
a consequence, it must rely on specialized computer programs to 
extract unpaid tax assessment information from its master files—its 
only detailed databases of taxpayer account information—and then 
subject this information to statistical sampling procedures in order 
to prepare its financial statements. This process takes months to 
complete and typically requires tens of billions of dollars in 
adjustments to correct misclassifications and eliminate duplications 
in order to produce a reliable balance at a single point in time. 
Consequently, this information is not useful for ongoing management 
decisions. In addition, the lack of a subsidiary ledger renders IRS 
unable to timely develop reliable financial and management reports and 
promptly identify and focus collection efforts on accounts most likely 
to prove collectible. 

IRS’s management of unpaid assessments also continued to be hindered 
by significant errors and delays in recording taxpayer information and 
payments. As in prior years, the most prevalent errors we found 
involved IRS’s failure to record payments to all related taxpayers 
associated with unpaid payroll taxes.[Footnote 6] IRS’s current 
systems cannot automatically link each of the multiple assessments 
made for the one tax liability. Consequently, if the business or an 
officer pays some or all of the outstanding taxes, IRS’s systems are 
unable to automatically reflect the payment as a reduction in the 
related account or accounts. 

IRS also continued to experience problems in promptly releasing liens 
filed against the property of taxpayers who at one time owed the 
federal government for taxes but who had subsequently paid or 
otherwise satisfied these taxes. In one case we identified, IRS did 
not formally release a lien against a taxpayer’s property until 302 
days after the tax liability had been fully paid. Based on the results 
of our work, we estimated that for over 8 percent of unpaid tax 
assessment cases where IRS had filed a tax lien that was resolved in 
fiscal year 2001, IRS did not release the lien within the 30 day 
period required under section 6325 of the Internal Revenue Code. 
[Footnote 7] 

The serious internal control issues IRS continues to experience with 
its unpaid assessments can lead, and have led, both to undue taxpayer 
burden and lost revenue to the government. These conditions can also 
further erode the confidence of the nation’s taxpayers in the 
integrity and fairness of the tax collection process. 

Controls Over Tax Revenue and Refunds Are Not Fully Effective: 

During fiscal year 2001, we found that IRS’s controls were not fully 
effective in maximizing the government’s ability to collect what is 
owed and in minimizing the risk of payment of improper refunds. 
Inherent in the voluntary nature of the nation’s tax collection system 
is the concept that IRS must, to a large degree, rely on taxpayers to 
report their tax liabilities. When taxpayers either intentionally or 
unintentionally fail to report to IRS the full amount of taxes they 
owe the federal government, IRS’s ability to independently identify 
the taxpayers and determine the amount they owe is inherently limited. 
IRS does not always follow up on potential unpaid taxes it is aware 
of, and does not always pursue collection of those taxes it determines 
are owed. In addition, IRS often does not initiate follow-up of those 
unpaid taxes it does pursue until months after the related tax return 
has been filed and any related refund has been paid. This delay 
significantly affects IRS’s prospects of collecting amounts due on 
these cases. The options available to IRS in its efforts to identify 
and pursue the correct amount of taxes owed and to ensure that only 
valid refunds are disbursed are currently limited. Additionally, while 
it processes hundreds of millions of tax returns each filing season, 
IRS must issue refunds within statutory time constraints or be subject 
to interest charges.[Footnote 8] 

Nonetheless, IRS does have some preventive controls that, if 
effectively implemented, could help to reduce the risks associated 
with not identifying underreported taxes owed or issuing improper 
refunds. For example, IRS’s Examination Branch is responsible for 
performing examinations on tax returns with potentially invalid EITC 
claims[Footnote 9] to determine the validity of the claim. When 
performed before refunds are disbursed, these examinations are an 
important control to prevent disbursement of improper refunds. 
However, these examinations are often performed after any related 
refunds are disbursed. Consequently, they are not an effective 
preventive control overall. According to IRS’s report on its analysis 
of EITC compliance rates on tax year 1999 returns filed in 2000, (1) 
about one-half of the 18.8 million returns on which taxpayers claimed 
the EITC involved overclaims and (2) of the estimated $31.3 billion in 
EITC claims made by taxpayers who filed returns in 2000, between $8.5 
billion and $9.9 billion was invalid. Based on an average refund rate 
of about 84 percent of all EITC claims in tax year 1999, we estimate 
that at least $7 billion in improper refunds were disbursed on these 
invalid claims. 

IRS’s decisions concerning its ability to follow-up on unpaid taxes 
and to forgo follow-up examinations on invalid EITC claims and 
potentially underreported taxes were based in part on perceived 
resource constraints. However, as discussed previously, IRS’s 
financial management systems do not currently provide the timely, 
reliable information management needs to perform cost-benefit analyses 
to assist in determining the appropriate level of resources to devote 
to these compliance programs. As a result of these problems, billions 
of dollars of underreported taxes could remain uncollected and 
improper refunds could be disbursed. This, in turn, could further 
erode taxpayer confidence in the equity of the tax system and reduce 
compliance with the tax laws. 

Certain Internal Controls Over Tax Receipts and Taxpayer Data Are Not 
Adequate: 

Despite continued improvement during fiscal year 2001, IRS’s internal 
controls over cash, checks, and related taxpayer data did not 
adequately protect the federal government and taxpayers from 
vulnerability to loss from theft and inappropriate disclosure of 
proprietary taxpayer information. IRS has significantly reduced the 
average amount of time it takes to obtain the results of employee 
applicant fingerprint checks; further, it now requires the use of two 
bonded or insured couriers to transport tax receipts to depository 
institutions, and has limited courier access within service center 
premises. However, significant but readily correctable weaknesses 
continued to exist. For example, at IRS locations we visited as part 
of our fiscal year 2001 financial audit, checks were left in open, 
unlocked containers, and personal belongings of IRS’s employees were 
allowed into restricted areas where taxpayer receipts were being 
processed. We also found that IRS had not ensured that the couriers it 
entrusted with transporting taxpayer receipts and data met the 
necessary insurance coverage requirements and had completed their 
fingerprint checks before beginning work. These weaknesses increase 
the risk that taxpayer data could be inappropriately disclosed or 
receipts stolen. 

In April 2000, IRS issued a policy prohibiting new employees from 
working at IRS facilities until IRS had received and reviewed the 
results of their fingerprint checks. This was in direct response to a 
security issue we had reported for several years concerning new 
employees being allowed to handle tax receipts and sensitive taxpayer 
data before IRS received and evaluated the results of their 
fingerprint checks. IRS made significant progress on this issue during 
fiscal year 2001. However, we continued to identify instances where 
IRS’s policy was not being followed. 

A related vulnerability is that this IRS policy does not apply to 
individuals employed at ten commercial banks that process tax receipts 
for the agency. The Department of the Treasury’s Financial Management 
Service contracts with these banks to process manual tax receipts, but 
the banks were not prohibited from hiring new employees before the 
results of their fingerprint checks were received and reviewed. 
Consequently, at the two banks we visited during our fiscal year 2001 
audit, fingerprint checks were not always required or performed for 
either temporary or permanent employees. 

These weaknesses subject IRS to unnecessary risk of theft or loss of 
tax receipts, and expose taxpayers to increased risk of losses from 
financial crimes committed by individuals who inappropriately gain 
access to confidential information entrusted to IRS. 

Controls Over Administrative Accounts and Budgetary Resources 
Are Not Adequate: 

During fiscal year 2001, IRS continued efforts to correct longstanding 
weaknesses in accountability over its administrative accounts and 
budgetary resources,[Footnote 10] and is working aggressively to 
address issues we have raised regarding controls over its property and 
equipment and budgetary activity. However, it continued to experience 
significant internal control deficiencies in these areas during fiscal 
year 2001. 

Significant deficiencies in accountability for property and equipment 
have been reported by IRS every year since 1983. IRS lacks an 
integrated property management system to appropriately record, track, 
and account for property and equipment additions, disposals, and 
existing inventory on an ongoing basis. While IRS has made progress in 
improving the timeliness and accuracy of recording such activity in 
its inventory records, we continued to find significant errors in 
these records. For example, IRS was unable to locate 25 of 210 items 
we selected from its inventory records; these items included 
computers, monitors, and printers. In addition, because of the lack of 
an integrated property management system that includes reliable cost 
information on each item, IRS continued to need the assistance of a 
contractor to develop and implement a process to enable it to report 
reliable property and equipment-related balances in its financial 
statements. These weaknesses seriously impair IRS’s ability to ensure 
that property and equipment are properly safeguarded and utilized only 
in accordance with laws, regulations, and management policy, and 
preclude IRS from having reliable information on its balance of these 
assets throughout the fiscal year. 

With respect to controls over its budgetary activity, IRS has 
developed additional compensating procedures to address weaknesses we 
previously reported. For example, IRS developed procedures to identify 
and eliminate from the applicable general ledger accounts transactions 
that were incorrectly recorded as adjustments to prior years’ 
obligations.[Footnote 11] However, IRS only employed these procedures 
as a one-time corrective action at fiscal year-end, rather than as a 
routine operating procedure throughout the fiscal year. In addition, 
we continued to identify instances in which IRS did not timely record 
obligations or expenditures. As a result, IRS’s internal controls did 
not ensure that its budgetary resources were routinely accounted for, 
reported, and controlled. Without adequate budgetary controls, IRS 
cannot ensure the reliability of key budgetary information it needs on 
an ongoing basis to manage its operations and ensure that its 
obligations do not exceed budgetary authority. 

Continued Efforts Needed To Address Financial Management Challenges: 

IRS acknowledges the issues raised in our financial audits, and the 
Commissioner and Deputy Commissioner of Operations continue to pledge 
their commitment to addressing these long-standing issues. We have 
assisted IRS in formulating corrective actions to address its serious 
internal control and financial management issues by providing 
recommendations over the years, and we will continue to work with the 
agency on these matters. 

The challenge for IRS will be to build on the goals reached in fiscal 
year 2001: to not only improve its compensating processes but, more 
importantly, to develop and implement the fundamental long-term 
solutions that are needed to address the management challenges we have 
identified. Some of these solutions can be addressed in the near term 
through the continued efforts and commitment of senior IRS managers 
and staff. Others, such as those involving modernizing IRS’s financial 
and operational systems, will take years to fully achieve. Until IRS’s 
systems and processes are overhauled and internal controls 
strengthened, heroic efforts will have to be sustained for IRS to 
continue to produce reliable financial statements. Additionally, 
without significant and systemic changes in how IRS processes 
transactions, maintains its records, and reports its financial 
results, IRS’s ability to meet OMB’s accelerated reporting deadline or 
to achieve Treasury’s even more ambitious reporting goals for fiscal 
year 2002, while sustaining an unqualified opinion on its financial 
statements is questionable. 

Performance Management System: 

IRS has continued to make progress in revamping its performance 
management system-a system designed to measure, assess, and improve 
organizational and employee performance. It has begun to implement a 
new employee evaluation system; develop a measure of voluntary tax 
reporting compliance; and use its strategic planning, budgeting, and 
performance management process to assess the allocation of resources 
in its fiscal year 2003 budget and to oversee use of resources during 
fiscal year 2002. While this progress is notable, our work over the 
past year has shown that IRS could do a better job of designing and 
implementing performance measures and evaluation practices that 
support its on-going business operations, modernization efforts, and 
budget requests. Further, IRS could make additional progress in 
linking its budget request to intended results so that Congress can 
make more informed budget decisions and better assess IRS’s use of 
resources. 

Key Accomplishments Over the Past Year: 

The key accomplishments over the year include the following: 

* In October 2001, IRS rolled out its new employee evaluation system 
for front-line employees. This system, like that implemented earlier 
for executives and managers, was developed to structurally align 
performance expectations for employees with IRS’s three strategic 
goals to encourage behaviors and actions that support and advance 
those goals. IRS recognizes that it may take a while before the new 
front-line employee evaluation system achieves the intended results. 
For example, front-line enforcement employees are asked to balance 
expectations that may appear to conflict, such as providing quality 
customer service while still enforcing the tax laws. These 
expectations mean enforcement employees should use appropriate 
enforcement actions while at the same time listening to and 
considering the taxpayer’s point of view. Employees may need time to 
better understand what the new performance expectations mean in terms 
of their daily work and which behaviors they should change in order to 
put IRS’s new operational environment into practice. 

* IRS has made progress in developing a way to measure the voluntary 
compliance of individual taxpayers without placing an undue burden on 
them. Each year billions of dollars in taxes are not voluntarily 
reported and paid. To understand the overall extent of noncompliance, 
IRS plans to begin conducting its study of tax reporting compliance 
later this fall. study should provide IRS with data to update the 
criteria it uses to select tax returns for audit and thereby reduce 
the number of compliant taxpayers selected. Also, the study is 
intended to provide detailed information about compliance, such as why 
taxpayers fail to comply with a specific tax law provision. Having 
such information should enable IRS to make operational changes such as 
modifying tax forms and instructions or to recommend tax law changes 
that could improve compliance. As we have reported, the importance of 
this study cannot be understated because the most current data IRS has 
on compliance levels is over 10 years old.[Footnote 12] Furthermore, 
measures of voluntary compliance are vital to understanding the 
ultimate impact of IRS’s taxpayer service and compliance programs. 
Their absence from IRS’s array of organizational performance measures 
compromises the effectiveness of the performance management system. 

* In part through use of its strategic planning, budgeting, and 
performance management process, IRS identified various expected 
efficiency improvements, technological enhancements, labor-saving 
initiatives, and workload decreases that it projects will enable it to 
redirect $157.5 million in its base fiscal year 2003 budget to higher 
priority areas. Examples include (1) saving over $67 million from re-
engineering and quality improvement efforts, such as consolidating 
form printing and distribution operations and updating an antiquated 
workload selection system to reduce or eliminate the substantial 
number of tax returns that are ordered but never audited, and (2) 
reducing the resources used for the innocent spouse program by $13.8 
million due to an expected decrease in caseload. While these actions 
are commendable, the likelihood that the savings from these 
improvements will be realized is unclear because IRS did not provide 
details on how specific savings were computed. Also, any shortfall in 
estimated labor and nonlabor savings will only be exacerbated if IRS 
has to absorb unanticipated cost increases such as those that could 
occur if civilian pay increases for fiscal year 2003 are higher than 
currently proposed. 

Better Performance Measures and Program Evaluation Practices Needed: 

A key part of any performance management system is performance 
evaluation, which is the collection of data on performance and the 
analysis of those data to determine the factors that explain 
performance. Over the past year we reported on certain aspects of the 
2001 filing season where IRS lacked comparable measures or had 
insufficient data to assess performance. We also reported on various 
compliance and taxpayer service programs where IRS managers did not 
consistently evaluate the performance of their program to make 
decisions about how to improve performance. Additionally, we recently 
reported on how IRS’s congressional justification for its fiscal year 
2003 budget was not always well linked to its performance goals. 

Lack of Comparable Performance Measures and Data Hindered the 
Assessment of Certain Aspects of the 2001 Filing Season: 

Our assessment of the tax year 2001 filing season found that IRS 
lacked or had insufficient performance measures and data to evaluate 
refund processing, face-to face taxpayer assistance, returns 
processing initiatives, and electronic filing impediments. [Footnote 
13] 

* In past years, our assessment of IRS’s performance in processing 
paper tax returns and refunds included a comparison of various 
performance measures against IRS’s goals and prior year performance. 
We were unable to make such a comparison for measures for 2001 because 
in some instances IRS revised measures that it had been using to 
assess processing performance. For example, IRS revised the start date 
for determining the way it measures the timeliness of issuing refund 
checks. Before 2001, IRS used the date the taxpayer signed the return 
as the start date for computing refund timeliness and had set a goal 
of processing a certain percentage of those refunds within 40 days of 
that date. For the 2001 filing season IRS used the IRS-received date 
as the start date for computing timeliness because it had control over 
its own operations but not over when taxpayers signed their returns. 
While we support IRS’s efforts to develop and refine its performance 
measures to help assure that they are valid and balanced, frequent or 
extensive changes deprive the various programs of stability and 
comparability, thus hampering the ability to set or achieve goals. 

* Measures of timeliness and quality, which IRS defines as the 
accuracy of the answers to tax law questions, are important for 
gauging how well IRS responds to taxpayers’ inquiries. IRS did a good 
job of measuring the daily average wait time of taxpayers who visited 
a Taxpayer Assistance Center for face-to-face assistance during the 
2001 filing season. However, unlike the 2000-filing season when IRS 
employees posed as taxpayers to obtain data to measure tax law 
accuracy, IRS did not measure the quality of the assistance in 2001 
because of staffing and training challenges associated with IRS’s 
reorganization. Instead the Treasury Inspector General for Tax 
Administration (TIGTA) reviewers, posing as taxpayers, asked tax law 
questions of IRS representatives. This year IRS is using a 
contractor’s employees to pose as taxpayers in order get a measure of 
tax law accuracy. In each of the three filing seasons a different 
measurement methodology was used to measure tax law accuracy and each 
came up with a different result. The accuracy rate reported by IRS in 
2000 was 24 percent, by TIGTA in 2001 was 51 percent, and by IRS 
contract employees in 2002 was 84 percent. Although the results in 
each of the 3 years were based on visits to the assistance centers by 
persons posing as taxpayers, there were differences in such things as 
the questions the persons asked, the number of weeks covered by the 
reviews, and the number of sites visited and how they were selected. 
Given the use of different methodologies, IRS may not know if it 
realized improvements in quality until the 2003 filing season or 
later, after it has had time to analyze results using comparable 
methodologies. 

* IRS implemented several processing initiatives for 2001 that were 
intended to either improve processing operations or enhance 
compliance. However, IRS’s evaluations of such initiatives were 
limited. IRS officials generally drew conclusions about the 
effectiveness of initiatives based on broad numbers and trends. One 
such example deals with the evaluation of the checkbox that IRS added 
to the individual tax form through which taxpayers could authorize IRS 
to discuss tax return problems with their tax practitioner. The check 
box could be used instead of submitting a separate authorization form. 
IRS estimated that the checkbox initiative would save taxpayers about 
2 million hours by not having to prepare the separate authorization 
form. IRS assumed that because about 28 million taxpayers checked the 
third-party authorization box that this directly equated to a 
reduction in the number of separate authorization forms it would 
receive from these taxpayers. However, IRS did not have sufficient 
data to do a detailed analysis that would support this assumption. 

* While IRS experienced an increase of 13.7 percent in all individual 
income tax returns filed electronically in 2001 compared to 2000, that 
rate of increase was below IRS’s goal of 20 percent and was the lowest 
percentage increase since 1996. This declining growth rate reduces the 
likelihood that IRS will achieve its long-range goal of having 80 
percent of individual income tax returns filed electronically by 2007. 
Although IRS has taken steps to identify impediments to electronic 
filing, it does not have sufficient information to determine actions 
it could take to remove some impediments. For example, it lacked 
information on why about 40 million individual income tax returns were 
prepared on computer but filed on paper in 2001. We recommended that 
IRS directly survey tax professionals and taxpayers that file computer-
prepared returns on paper to get more specific information on why they 
are not filing electronically. We have been told that IRS will be 
undertaking such a survey in the near future. 

Once IRS has comparable performance measures and data on the several 
filing season issues discussed, it should be able to better evaluate 
the issues and take corrective actions. 

Insufficient Program Evaluation Efforts for Some IRS Programs: 

As discussed below, IRS’s efforts to improve the efficiency of its 
Offer in Compromise program, telephone assistance accessibility and 
accuracy, and employment tax compliance were hindered by insufficient 
program evaluation efforts. 

* In our report on IRS’s Offer in Compromise program, which allows 
taxpayers to settle their tax liability for less than the full amount, 
[Footnote 14] we pointed out that IRS lacked program evaluation plans 
for various initiatives it undertook to try to reduce the offer 
inventory and processing time. In addition, IRS lacked performance and 
cost data needed to monitor program performance and had not set goals 
for offer processing time that were based on taxpayer needs, other 
benefits, and costs. Such information would give program managers, who 
are likely to face divergences between actual and projected results, a 
better understanding of the factors affecting the initiatives’ 
performance and options for improving their performance. We 
recommended that IRS develop plans for evaluating offer initiatives, 
determine which program performance and cost data should be collected, 
and set goals for offer processing time. 

* Our report on IRS telephone assistance[Footnote 15] showed that IRS 
missed some opportunities to analyze data to better understand the 
factors affecting telephone performance, including the actions it took 
to improve performance. IRS collected and analyzed a variety of data 
about the key factors affecting telephone access and accuracy. 
However, IRS officials sometimes reached conclusions about these key 
factors without conducting analyses to test their conclusions. For 
example, most field directors at IRS call sites we reviewed cited 
higher-than-usual attrition rates among telephone assistors and 
problems with computer-based research tools that assistors used to 
answer taxpayers questions as reasons for the limited progress IRS 
made toward providing world-class telephone service during the 2001 
filing season. Yet, in most cases field directors had not conducted 
any analysis to support these conclusions. IRS officials also missed 
opportunities to plan evaluations to determine the effectiveness of 
the actions IRS took to improve access and accuracy. 

* In our report on IRS’s efforts to improve the compliance of small 
businesses with requirements that they report and pay employment 
taxes,[Footnote 16] we found that IRS had not successfully followed 
through on its plans to evaluate new early intervention programs. IRS 
had developed three new programs designed to prevent or reduce 
employment tax delinquencies by speeding up or enhancing the 
notification to certain groups of businesses. To evaluate the 
program’s effectiveness and to support informed judgments about 
whether to adopt new programs, IRS planned to compare compliance rates 
of test and control groups and to use customer surveys and focus 
groups. However, IRS efforts to evaluate these programs were adversely 
affected by, among other things, delays in obtaining reliable data. We 
recommended that IRS evaluate whether the benefits derived from 
expansion of the programs justify the programs’ cost. IRS indicated 
that it would develop and execute a plan for evaluating the 
effectiveness of the employment tax early intervention programs. 

As IRS moves forward with modernization, the capacity to conduct sound 
performance evaluations on its current and planned operations will be 
one building block for success. The Government Performance and Results 
Act of 1993, IRS’s guidance, and our prior work all stress the need 
for analyses of program performance to determine the factors affecting 
performance and to identify opportunities for improvement.[Footnote 
17] We recognize that some analysis can be costly and thus the costs 
need to be balanced against the benefits. Considering that IRS devotes 
considerable resources to many of its programs, the benefits of 
analysis-—identifying ways to more effectively use resources and 
improve service-—could be substantial. 

Budget Justification Not Always Linked to Performance Goals: 

The Government Performance and Results Act of 1993 requires agencies 
to establish linkages between resources and results so that the 
Congress and the American public can gain a better understanding of 
what is being achieved in relation to what is being spent. As we 
reported last week,[Footnote 18] IRS has made progress in linking some 
of its budget justification to performance goals, but in other 
instances the budget justification lacked performance goals or 
contained inconsistencies between the budget request and performance 
goals. For example: 

* IRS’s congressional justification has several good links between the 
resources being requested and IRS’s performance goals. For example, IRS’
s budget includes an increase of 213 FTEs and $14.1 million to improve 
its telephone level of service, and its performance measures show an 
expected increase in toll-free telephone level of service from 71.5 
percent in fiscal year 2002 to 76.3 percent in fiscal year 2003. 

* In some instances IRS’s congressional justification contained no 
performance goals against which the Congress can hold IRS accountable. 
For example, the budget request includes increased resources for 
systematic noncompliance problems identified by the commissioner of 
Internal Revenue, such as for abusive corporate tax shelters and 
failure to pay large accumulations of employment taxes, yet it is 
unclear from IRS’s budget justification how many resources IRS intends 
to devote to each of these problems. And, for none of these areas does 
the budget justification include performance measures and goals that 
Congress can use to assess IRS’s progress in addressing these major 
compliance problems. 

* The budget justification seems to contain some inconsistencies 
between the amount of resources being requested and the expected 
change in performance or work. For example, the budget request 
indicates that field examination units will have about the same number 
of staff years as the year before and will receive a budget increase 
of less than 3 percent. However, IRS’s performance measures show that 
the units are expected to examine 33 percent more individual returns 
and almost 35 percent more business returns. It is not clear from the 
budget justification how IRS expects to do so much more work with just 
a small increase in resources. 

A major purpose of the Government Performance and Results Act and IRS’
s strategic planning, budgeting, and performance management system is 
to support better-informed decisions on allocating scarce resources by 
focusing on the results likely to be achieved and then supporting 
subsequent oversight and accountability by establishing transparent 
measures to assess performance. IRS’s new planning process and the 
linkages in its budget justification between some of its resource 
requests and expected results are commendable steps to implement this 
management approach. Improved linkages in IRS’s budget justifications 
would better enable Congress to make difficult resource allocations 
decisions and to hold IRS accountable for achieving results with the 
resources it is provided. 

Computer Security: 

Computer security is an important consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. It is especially important for government 
agencies, where the public’s trust is essential. The dramatic 
expansion in computer interconnectivity and the rapid increase in the 
use of the Internet are changing the way in which our government, the 
nation, and much of the world communicate and conduct business. 
Without proper safeguards, however, these developments pose enormous 
risks because it is easier for individuals and groups with malicious 
intent to intrude into inadequately protected systems and use such 
access to obtain sensitive information, disrupt operations, commit 
fraud, or launch attacks against other computer systems and networks. 

IRS relies extensively on interconnected computer systems to collect 
and store taxpayer data, process tax returns, calculate interest and 
penalties, generate refunds, and provide customer service, in so doing 
collecting and maintaining a significant amount of personal and 
financial data on every American taxpayer. The confidentiality of this 
sensitive information is important because without it, taxpayers could 
be exposed to loss of privacy and financial loss and damages resulting 
from identity theft and financial crimes. 

Although Computer Security Improvements Made, Taxpayer Data Still at 
Risk: 

IRS has corrected or mitigated many of the computer security 
weaknesses cited in our previous reports, and is implementing a 
computer security program that should, when fully implemented, help it 
better manage its risks in this area. Actions IRS has taken include 
strengthening certain controls over its networks and mainframe 
systems, updating security standards, and implementing an intrusion 
detection capability. However, we also continued to find weaknesses 
with general controls designed to protect IRS’s computing resources 
from unauthorized disclosure, modification, and use. Although the 
agency has established many policies, procedures, and controls to 
protect computing resources, they were not always effectively 
implemented to ensure the confidentiality, integrity, and availability 
of the computer-processed data. Weaknesses over logical access to IRS’
s computing resources place data at risk of unauthorized access. 
Further, weaknesses in other information system controls, including 
physical security, segregation of duties, and service continuity, 
further increase risk to IRS’s computing environment. Because of these 
weaknesses, we again reported computer security as a material 
weakness[Footnote 19] in our audit of IRS’s fiscal year 2001 and 2000 
financial statements.[Footnote 20] 

Weaknesses in Logical Access Controls Introduce Risk: 

A basic management objective of any organization is the protection of 
its information systems and critical data from unauthorized access. 
Organizations accomplish this objective by establishing logical access 
controls that are designed to prevent, limit, and detect user access 
to computing resources. These controls include user accounts and 
passwords, access rights and permissions, network services and 
security, and audit and monitoring. Inadequate logical access controls 
diminish the reliability of computerized data and increase the risk of 
unauthorized disclosure, modification, or use. 

IRS’s logical access controls to prevent, limit, and detect access to 
its computing resources were sometimes implemented ineffectively. IRS 
did not adequately control user accounts and passwords to ensure that 
only authorized individuals were granted access to its servers. For 
example, the agency did not always securely configure password 
parameters, and users sometimes employed easily guessed passwords on 
computers, routers, and switches. IRS also did not adequately restrict 
user rights and allowed excessive access permissions to sensitive 
directories and files on its computers. Such weaknesses could 
compromise the integrity of the operating system and the privacy of 
data that reside there. 

In addition, IRS did not securely control network services on its 
computers, routers, and switches in that it enabled unnecessary, 
outdated, and/or misconfigured network services. For example, 
intruders could have readily obtained useful system and user 
information on certain computers that could have facilitated an 
intrusion attempt. Running insecure network services increase the 
risks for system compromise, such as unauthorized access to and 
manipulation of sensitive system data, disruption of services, and 
denial of service. 

Moreover, IRS did not effectively audit and monitor system activity on 
some of its computers. In some cases, its computers did not record key 
security-related events and security specialists did not routinely or 
fully examine audit logs for unauthorized activity. As a result, 
greater risk exists that unauthorized system activity will not be 
promptly detected. 

Other Information System Controls Need Improvement: 

In addition to logical access, controls over other important areas 
should be in place to ensure the confidentiality, integrity, and 
availability of an organization’s data. These information system 
controls include policies, procedures, and techniques that physically 
secure data processing facilities and resources, properly segregate 
incompatible duties among computer personnel, and effectively ensure 
the continuation of computer processing service in case of unexpected 
interruption. 

Although IRS implemented several physical security controls, certain 
weaknesses reduced their effectiveness in controlling physical access 
to its data processing facilities. Likewise, IRS did not segregate 
incompatible duties associated with certain system functions, thereby 
providing certain individuals with the opportunity to add fictitious 
users with elevated system access privileges and perform unauthorized 
activities without detection. In addition, because IRS has not 
developed or tested disaster recovery plans for certain systems, it 
lacks sufficient assurance that it will be able to recover essential 
information systems and critical business processes should an 
unexpected interruption occur. 

In addition, internal controls over key computer applications used by 
IRS personnel do not provide adequate assurance that access to 
taxpayer data is granted only to those authorized to have it. Such 
weaknesses increase the vulnerability of the data processed. 

IRS Has Improved Security Over Its e-file Systems, But Vulnerabilities 
Remain: 

Last year, we reported[Footnote 21] and testified[Footnote 22] before 
this subcommittee about the effectiveness of key computer controls 
designed to ensure the security, privacy, and reliability of IRS’s 
electronic filing (“e-file”) systems and electronically filed taxpayer 
data during the 2000 tax-filing season. At that time, IRS had not 
adequately secured access to its electronic filing systems or to the 
electronically transmitted tax return data those systems contained. We 
demonstrated that unauthorized individuals, both internal and external 
to IRS, could have gained access to IRS’s electronic filing systems 
and viewed and modified taxpayer data contained in those systems 
during the 2000 tax-filing season. We were able to gain such access 
because IRS at that time had not (1) effectively restricted external 
access to computers supporting the e-file program, (2) securely 
configured the operating systems of its electronic filing systems, (3) 
implemented adequate password management and user account practices, 
(4) sufficiently restricted access to computer files and directories 
containing tax return and other system data, or (5) used encryption to 
protect tax return data on e-file systems. We also reported that these 
weaknesses jeopardized the security of sensitive business, financial, 
and taxpayer data on other critical IRS systems that were connected to 
e-file computers through its wide area network. We provided specific 
technical recommendations to IRS to improve access controls over its 
electronic filing systems and networks. 

Today, we are pleased to report that IRS has substantially improved 
safeguards that control external access to its electronic filing 
systems and to the electronically transmitted tax return data those 
systems contain. IRS has taken steps to improve perimeter defenses and 
prevent individuals from gaining unauthorized access to e-file systems 
and electronically transmitted data through e-file’s external 
connections with its trading partners.[Footnote 23] To illustrate, IRS 
has redesigned the e-file system architecture, strengthened modem 
controls, and recently installed network control devices that 
collectively are configured to filter inbound and outbound computer 
network traffic to e-file computers and allow only authorized traffic 
through its filters. Although the filters on these devices can be 
strengthened to deny certain unnecessary network services, they 
reasonably limit external access to e-file computers from the trading 
partners’ typical connections. IRS also strengthened user access, 
password, and operating system controls on network control devices. 
For example, the agency implemented access rules restricting the use 
of a certain service, encrypted passwords, and disabled certain risky 
and unnecessary computer network services on these devices. Moreover, 
IRS’s redesigned e-file architecture provides additional safeguards 
against unauthorized external access to unencrypted tax return data 
stored on e-file computers and includes a network-based intrusion 
detection capability. 

While IRS has substantially improved security over external access to 
its e-file computers, additional improvements are needed to fully 
protect the electronically transmitted data on those computers from 
unauthorized access attempts by users on IRS’s internal network. The 
removal of one network control device and the configuration of several 
others do not sufficiently limit network traffic to e-file computers 
from the IRS wide-area network. The agency also has not fully resolved 
some of the previously reported control weaknesses affecting e-file 
computers. For example, weak password control practices continue to 
allow easily guessed passwords, access permissions for certain 
computer files and directories remain excessive, risky and unnecessary 
services continue to be available on e-file computers, and a host-
based intrusion detection capability is not present. IRS believed it 
had corrected some of these weaknesses and has longer term actions 
planned to correct some of the others. Until these weaknesses are 
corrected or mitigated, e-file computers and the data they contain 
will continue to be vulnerable to unauthorized access attempts from 
the IRS wide-area network. 

Despite the continued existence of certain weaknesses affecting its e-
file systems, IRS’s actions indicate that it has taken a systematic, 
risk-based approach to correcting identified weaknesses. Such an 
approach will continue to be important in ensuring that corrective 
actions are effective on a continuing basis and that new risks are 
promptly identified and addressed. 

Also, we previously reported[Footnote 24] that taxpayers who file 
their returns electronically may not have been fully aware of the 
risks of filing electronically. For example, IRS did not prescribe 
minimum computer security requirements for transmitters and did not 
assess or require an assessment of the effectiveness of computer 
controls within the transmitters’ operating environment. In response, 
IRS changed their web site to recommend that taxpayers read and 
understand the privacy and security policies and procedures of the IRS 
and of any industry partner that will handle tax return information. 
Such cautionary language helps to clarify that the security of filing 
electronically is dependent upon the security of trading partner 
systems, for which IRS provides no assurance. Similarly, IRS should 
consider including such cautionary language or referring to such 
language on its web site in its radio advertisements and printed 
materials that state e-file is secure. 

Business Systems Modernization: 

We now turn to the business systems modernization (BSM)—IRS’s ongoing, 
multiyear, multibillion-dollar program intended to leverage the power 
of information technology (IT) to revamp how the service does 
business. Since its start in late 1999, the program has received about 
$968 million in congressional funding. Going forward, IRS expects to 
need about a half billion dollars annually in funding over the next 5 
years. As of today, BSM consists of 20 ongoing system acquisition 
projects at different life-cycle stages, along with various program-
level initiatives that are to provide IRS the means by which to manage 
these projects. 

Over the past 3-plus years, IRS has made important progress in 
establishing the infrastructure systems that are to provide the 
platforms, if you will, upon which future business applications will 
run. Establishing this systems infrastructure is a necessary 
prerequisite to introducing the business applications that are in turn 
intended to provide benefits to taxpayers and IRS. During this time, 
IRS has also made important progress in delivering two systems 
applications—-Customer Communications 2001 and Customer Relationship 
Management Exam—-that are producing benefits as of today. For example, 
Customer Communications 2001, which is software improvements to IRS’s 
customer service telephone system, was implemented last summer and is 
now routing routine taxpayer inquiries to automated menu driven 
information services, thereby freeing IRS customer service 
representatives to answer complex or less common inquiries. Progress 
has also been made over this period in establishing the modernization 
management controls needed to effectively acquire and implement BSM 
systems. For example, IRS recently issued an updated version of its 
enterprise architecture (modernization blueprint) for how it wants to 
transition its business systems environment, thus giving a high-level 
roadmap to guide and constrain business and technological change. 

This progress, however, needs to be put into proper perspective with 
the long-term picture of planned BSM delivery of measurable mission 
value. In particular, the nature of progress thus far should not be 
viewed solely in the context of what taxpayer service and IRS 
efficiency benefits are being realized today. Rather, this progress 
should also be viewed in terms of laying the necessary foundation from 
which the benefits of future applications can be realized. As a matter 
of fact, at this point in time, the level of tangible mission-related 
benefits that have been realized from modernization investments are 
not yet commensurate with costs incurred. In our view, this is not 
unreasonable because, as depicted in figure 1, expected return on 
these and future investments are to materialize later when new 
business applications are brought on line. 

Figure 1: National BSM Benefits Versus Costs: 

[Refer to PDF for image: line graph] 

Vertical matrix: Cost and Benefit Amounts; 
Horizontal matrix: Time. 
Cost and benefits are indicated by lines. 

Source: GAO. 

[End of figure] 

Despite important progress, IRS is not where it committed to be in 
acquiring both infrastructure and application systems and not where it 
needs to be in implementing modernization management controls. This is 
because IRS’s first priority and emphasis has been to get the newer, 
more modern systems—with their anticipated benefits to taxpayers—up 
and running. In so doing, however, the establishment of management 
capacity to ensure that these systems are introduced successfully has 
not been given equal attention and thus has not kept up. As shown in 
figure 2, this emphasis on new systems progress adds significant cost, 
schedule, and performance risk that escalates as the program advances. 
Simply stated, proceeding without these controls increases the risk of 
not delivering promised systems capabilities on time and within 
budget. Moreover, these risks are amplified as IRS moves forward 
because interdependencies among current ongoing projects and the 
complexity of associated work activities to be performed, have and 
will continue to increase dramatically as more system projects move 
into the latter stages of their life-cycles and are deployed. More 
recently, IRS has acknowledged this risk and initiated efforts to 
better balance controls with project pace and workload. 

Figure 2: Increasing Risk with Growing Project Workload: 

[Refer to PDF for image: line graph] 

Management Capability matrixed against Project Workload. 

Lines indicate Desired and Actual. 

The gap between these lines indicates Risk. 

Source: GAO. 

[End of figure] 

Testimony before this subcommittee last spring outlined the same 
general concern that we are stating today.[Footnote 25] At that time, 
we feared that systems workload and pace were getting too far ahead of 
the agency’s ability to deal with them effectively, i.e., having 
proper management controls and capacity in place. Since then, IRS has 
continued to move forward with its ongoing infrastructure and business 
application projects while simultaneously taking steps to implement 
missing management controls and capabilities. During this time, 
however, the imbalance in project workload and needed management 
capacity has remained a concern. More recently, our report of this 
past February[Footnote 26] recommended that the commissioner of 
internal revenue reconsider the scope and pace of the program to 
better strike a balance with the agency’s capacity to handle the 
workload. The commissioner agreed, promising action in these areas. In 
particular, the commissioner agreed to align the pace of the program 
with the maturity of IRS’s controls and management capacity, including 
reassessing the portfolio of projects that it planned to proceed with 
during the remainder of fiscal year 2002. BSM officials plan to 
complete this reassessment and present it to the commissioner and BSM 
executive steering committee for approval in the next month or two. 
The commissioner also made correcting remaining management control 
weaknesses a priority. 

For the past 7 years we have discussed with and communicated to IRS 
the importance of establishing sound management controls to guide its 
systems acquisition projects. Beginning in 1995, when IRS was involved 
in an earlier attempt to modernize its tax processing systems, and 
continuing since then, we have made recommendations to implement 
fundamental modernization management capabilities before acquiring new 
systems; we concluded then that until such controls were in place, IRS 
was not ready to invest billions of dollars in building modernized 
systems.[Footnote 27] We are not unmindful of IRS’s competing 
pressures: to implement these controls and to also field new systems. 
However, to the extent that essential controls are still lacking, risk 
is unavoidably increased. The areas in which we have reported in the 
past that controls are lacking and have made recommendations for 
improvement fall into five interrelated and interdependent IT 
management categories, as shown in figure 3: investment management, 
system life-cycle management, enterprise architecture management, 
software acquisition management, and human capital management. 

Figure 3: Categories of Management Controls Needed for Full 
Modernization Capability: 

[Refer to PDF for image: illustration] 

Modernization Management Capability: 
* Investment Management; 
* Life-Cycle Management; 
* Enterprise Architecture Management; 
* Human Capital Management; 
* Acquisition Management. 

Source: GAO. 

[End of figure] 

In December 1998 IRS hired a systems integration support contractor to 
help it develop and implement these capabilities. In 1999, the 
commissioner adopted a modernization strategy that required, for 
example, (1) the use of incremental investment decisionmaking, (2) 
adherence to a rigorous systems and software life-cycle management 
method, and (3) development and implementation of an enterprise 
architecture or modernization blueprint to guide and constrain the 
content, sequencing, and integration of systems investments. This 
laudable approach, however, included simultaneously proceeding with 
project acquisition, in anticipation that program controls would be in 
place and functioning when the projects reached their later, less 
formative stages. Figure 4 illustrates this approach. 

Figure 4: Concurrent Development of Program-Level Controls and 
Projects: 

[Refer to PDF for image: time line illustrations] 

The following are depicted: 

Program Management Capability: 

Program management office: 
Selected management capabilities (e.g., Configuration Management, 
Quality Assurance, Risk Management): 
Enterprise Architecture: 

Selected Key Projects: 

STIR: 
IRFoF (Release 1): 
CADE (Releases 1,2): 
e-Services: 
Other projects (15): 

Icons denote the following: 
Milestone 3 - beginning of detailed design and development; 
Milestone 4 - completion of detailed design and development/beginning 
of deployment 
Management capability fully established. 

Source: GAO. 

[End of figure] 

During the modernization’s first 18 months, progress in implementing 
these management controls was slow, while at the same time project 
acquisitions moved rapidly. At that time we reported to IRS’s Senate 
and House appropriations subcommittees that projects were getting 
ahead of the modernization management capacity that needed to be in 
place to manage them effectively.[Footnote 28] In response to our 
concerns and the subcommittees’ direction, IRS scaled back on its 
projects, giving priority to implementing needed management capacity. 

As previously noted, IRS has since made important progress in its 
modernization management capacity. Most recently, we reported[Footnote 
29] that IRS (1) reviewed the contractor’s quality-assurance function, 
concluding that it was not always effective and that it required a 
higher level of IRS–contractor oversight, and listing specific 
corrective actions that could reduce the probability of deliverables 
not meeting expectations; (2) defined risk management policies and 
procedures for its enterprise life-cycle approach; (3) issued version 
2.0 of its enterprise architecture and implemented steps to ensure 
project alignment with the architecture and integration with other 
modernization projects; and (4) plans an independent assessment of 
selected projects against the Software Engineering Institute’s SA-CMM 
[Footnote 30] level 2 requirements by December 31, 2002. 

In addition, IRS recently hired technical and managerial executives 
with substantial private-sector experience for its reorganized BSM 
program office. 

We remain concerned, however, because projects are entering critical 
stages, and not all essential management controls are in place and 
functioning. In particular, in our ongoing work for IRS’s 
appropriations subcommittees, we found that it is proceeding with 
building systems— including detailed design and software development 
work—before it has for example (1) fully implemented mature software 
acquisition management processes, (2) developed and deployed a human 
capital management strategy, and (3) established effective cost and 
schedule estimating practices. 

Weaknesses in any one of these modernization management controls 
introduces an unnecessary element of risk to the BSM program, but the 
combination of these weaknesses introduces a level of risk that 
increases exponentially over time. IRS has reported that BSM projects 
have already encountered cost, schedule, and/or performance 
shortfalls. Our analysis has showed that weak management controls 
contributed directly to these problems, or were the basis for prudent, 
proactive IRS decisionmaking not to start or continue projects. Given 
that IRS’s fiscal year 2002 BSM spending plan supports progress 
towards the later phases of key projects and continued development of 
other projects, it is likely that BSM projects will encounter 
additional cost, schedule, and performance shortfalls. Figure 5 
depicts this combination of circumstances. 

Figure 5: Current Time Line Depicting Escalating Program Execution 
Risk: 

[Refer to PDF for image: illustration] 

Information from Figure 4 is presented with an arrow indicating 
Execution Risk rapidly escalating over time. 

Source: GAO. 

[End of figure] 

IRS acknowledges these risks. According to its chief information 
officer, until the weaknesses are fully addressed, IRS is (1) relying 
on existing immature processes; (2) leveraging the knowledge, skills, 
and abilities of experienced senior executives to ensure that issues 
are proactively managed; and (3) hiring additional experienced 
executives. In our view, based on past experience, relying on such 
measures is not enough given the size and complexity of the BSM 
program. Past government and industry experience shows that the 
probability of repeated successes on projects proceeding in this 
manner is low, and the incidence and cost of rework is high. Again, we 
believe the answer lies in a more modest scope and pace of systems 
projects until management capacity is brought up to the level needed. 

Timing is critical. While the lack of controls can be risky in a 
projects early stages, it is essential that such controls be in place 
when projects enter system design, development, and implementation. To 
mitigate this added risk, IRS needs to fully implement the remaining 
management controls that we have recommended. 

Conclusion: 

IRS has clearly made progress toward transforming itself into a more 
reliable, accountable, and customer-focused organization. We recognize 
that this transformation is not easy and will take time. We have made 
recommendations over the years to assist the agency in achieving its 
goals, and some have been implemented. We will continue to work 
closely with IRS officials as they strive to develop and implement new 
operating systems and business practices that are key to achieving 
IRS’s goals of improving service to taxpayers and compliance with the 
tax laws. 

Mr. Chairman, that concludes our statement. We would be pleased to 
respond to any questions that you or other members of the Subcommittee 
may have at this time. 

[End of section] 

Footnotes: 

1. U.S. General Accounting Office, Internal Revenue Service: Progress 
Continues But Serious Management Challenges Remain, [hyperlink, 
http://www.gao.gov/products/GAO-01-562T] (Washington, D.C.: Apr. 2, 
2001). 

2. U.S. General Accounting Office, Financial Audit: Examination of IRS’
s Fiscal Year 1992 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-93-2] (Washington, D.C.: June 30, 
1993). 

3. U.S. General Accounting Office, Financial Audit: IRS’s Fiscal Years 
2001 and 2000 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO-02-414] (Washington, D.C.: Feb. 27, 
2002). 

4. A cost-benefit analysis would consider the costs and expected 
benefits, both direct and indirect, in increasing resources to pursue 
collections of outstanding taxes or recovery of improper refund 
payments. These benefits could include not only increased collections 
of outstanding taxes and recoveries of improper refund payments, but 
also benefits to taxpayers through earlier IRS action that might 
prevent a build up of the outstanding tax liabilities. Improved 
compliance by taxpayers with the nation’s tax laws could also be a 
benefit. 

5. Unpaid tax assessments consist of (1) taxes due from taxpayers for 
which IRS can support the existence of a receivable through taxpayer 
agreement or a favorable court ruling (federal taxes receivable); (2) 
compliance assessments where neither the taxpayer nor the court has 
affirmed that the amounts are owed; and (3) write-offs, which 
represent unpaid assessments for which IRS does not expect further 
collections due to factors such as the taxpayer’s death, bankruptcy, 
or insolvency. Of these three classifications, only the first is 
reported on the principal financial statements. As of September 30, 
2001, IRS reported $20 billion (net of an allowance for doubtful 
accounts of $60 billion), $22 billion, and $137 billion in these three 
categories, respectively. 

6. When a company does not pay the taxes it withholds from employees’ 
wages, such as Social Security or individual income tax withholdings, 
IRS has the authority to assess all responsible officers individually 
for the taxes withheld from employees. Although assessed to multiple 
parties, the liability need only be paid once. Thus, IRS may record 
assessments against each of several individuals for the employee-
withholding component of the payroll tax liability of a given business 
in an effort to collect the total tax liability of the business. The 
assessments made against business officers are known as trust fund 
recovery penalties. 

7. We are 95 percent confident that the confidence interval around 
this estimate ranges from 3 percent to 19 percent. 

8. By statute, IRS must pay interest on refunds not paid within 45 
days of receipt or due date, whichever is later (26 U.S.C. §6611). 

9. Because it is a tax credit, an EITC claim always results in a 
reduction of the taxpayer’s calculated tax liability. However, 
depending on the taxpayer’s amount of taxes withheld, it may or may 
not result in a refund for a particular tax year. 

10. [hyperlink, http://www.gao.gov/products/GAO-02-414]. 

11. An adjustment to a prior year’s obligation is recorded when the 
dollar amount previously recorded is affected by a subsequent event, 
such as a change in the price of goods or services. 

12. See U.S. General Accounting Office, Tax Administration: Status of 
IRS’s Efforts to Develop Measures of Voluntary Compliance, [hyperlink, 
http://www.gao.gov/products/GAO-01-535] (Washington, D.C. June18, 
2001) and U.S. General Accounting Office, Department of the Treasury: 
Major Management Challenges and Program Risks, [hyperlink, 
http://www.gao.gov/products/GAO-01-254] (Washington, D.C. Jan. 2001). 

13. U.S. General Accounting Office, Tax Administration: Assessment of 
IRS’s 2001 Tax Filing Season, [hyperlink, 
http://www.gao.gov/products/GAO-02-144] (Washington, D.C.: Dec. 21, 
2001). 

14. U.S. General Accounting Office, Tax Administration: IRS Should 
Evaluate the Changes to its Offer in Compromise Program, [hyperlink, 
http://www.gao.gov/products/GAO-02-311] (Washington, D.C.: Mar.15, 
2002). 

15. U.S General Accounting Office, IRS Telephone Assistance: Limited 
Progress and Missed Opportunities to Analyze Performance in the 2001 
Filing Season, [hyperlink, http://www.gao.gov/products/GAO-02-212] 
(Washington D.C.: Dec. 7, 2001). 

16. U.S. General Accounting Office, Tax Administration: IRS’s Efforts 
to Improve Compliance With Employment Tax Requirements Should Be 
Evaluated, [hyperlink, http://www.gao.gov/products/GAO-02-92] 
(Washington, D.C.: Jan. 15, 2002). 

17. U.S. General Accounting Office, Managing for Results: Challenges 
Agencies Face in Producing Credible Performance Information, 
[hyperlink, http://www.gao.gov/products/GAO/GGD-00-52] (Washington, 
D.C.: Feb. 4, 2000). 

18. U.S. General Accounting Office, Internal Revenue Service: 
Assessment of Budget Request for Fiscal Year 2003 and Interim Results 
of 2002 Tax Filing Season, [hyperlink, 
http://www.gao.gov/products/GAO-02-580T] (Washington, D.C.: Apr. 9, 
2002). 

19. A material weakness is a condition that precludes an entity’s 
internal control from providing reasonable assurance that material 
misstatements in its financial statements would be prevented or 
detected on a timely basis. 

20. [hyperlink, http://www.gao.gov/products/GAO-02-414]. 

21. U.S. General Accounting Office, Information Security: IRS 
Electronic Filing Systems, [hyperlink, 
http://www.gao.gov/products/GAO-01-306] (Washington, D.C.: Feb. 16, 
2001). 

22. U.S. General Accounting Office, Internal Revenue Service: Progress 
Continues But Serious Management Challenges Remain, [hyperlink, 
http://www.gao.gov/products/GAO-01-562T (Washington, D.C.: Apr. 2, 
2001). 

23. IRS trading partners are commercial firms and individuals that IRS 
has authorized to participate in the electronic filing program. These 
partners include electronic return originators, who prepare electronic 
returns for taxpayers, and transmitters, who transmit the electronic 
portion of a return directly to IRS. 

24. [hyperlink, http://www.gao.gov/products/GAO-01-306]. 

25. U.S. General Accounting Office, Internal Revenue Service: Progress 
Continues, but Serious Management Challenges Remain, [hyperlink, 
http://www.gao.gov/products/GAO-01-562T] (Washington, D.C.: April 2, 
2001). 

26. U.S. General Accounting Office, Business Systems Modernization: 
IRS Needs to Better Balance Management Capacity with Systems 
Acquisition Workload, [hyperlink, 
http://www.gao.gov/products/GAO-02-356] (Washington, D.C.: February 
28, 2002). 

27. U.S. General Accounting Office, Tax Systems Modernization: 
Management and Technical Weaknesses Must Be Corrected If Modernization 
Is to Succeed, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-95-156] (Washington, D.C.: July 
26, 1995). 

28. See, for example, Tax Systems Modernization: Results of Review of 
IRS’ August 2000 Interim Spending Plan, [hyperlink, 
http://www.gao.gov/products/GAO-01-91] (Washington D.C.: November 8, 
2000). 

29. U.S. General Accounting Office, Business Systems Modernization: 
Results of Review of IRS’s March 2001 Expenditure Plan, [hyperlink, 
http://www.gao.gov/products/GAO-01-716] (Washington D.C.: June 29, 
2001), and [hyperlink, http://www.gao.gov/products/GAO-02-356]. 

30. Carnegie Mellon University’s Software Engineering Institute has 
developed criteria, known as the Software Acquisition Capability 
Maturity Model (SA-CMM), for determining organizations’ software 
acquisition management effectiveness or maturity. Capability Maturity 
Model and CMM are registered in the U.S. Patent and Trademark Office. 

[End of document]