TIGTA Discusses IRS Efforts to Modernize IT Infrastructure

“IRS Reform: Challenges to Modernizing IT Infrastructure”

TESTIMONY
OF
DANNY VERNEUILLE
ASSISTANT INSPECTOR GENERAL FOR AUDIT
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
before the
COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON OVERSIGHT
U.S. HOUSE OF REPRESENTATIVES

October 4, 2017

Chairman Buchanan, Ranking Member Lewis, and Members of the Subcommittee, thank you for the opportunity to testify on the topic of challenges to modernizing information technology infrastructure at the Internal Revenue Service (IRS).

The Treasury Inspector General for Tax Administration (TIGTA) was created by Congress in 1998 to ensure integrity in America’s tax system. It provides independent audit and investigative services to improve the economy, efficiency, and effectiveness of IRS operations. TIGTA’s oversight activities are designed to identify high-risk systemic inefficiencies in IRS operations and to investigate exploited weaknesses in tax administration. TIGTA plays the key role of ensuring that the approximately 85,000 IRS employees¹ who collected more than $3.3 trillion in tax revenue, processed more than 244 million tax returns, and issued more than $400 billion in tax refunds during Fiscal Year (FY)² 2016,³ have done so in an effective and efficient manner while minimizing the risk of waste, fraud, and abuse.

TIGTA’s Office of Audit (OA) reviews all aspects of the Federal tax administration system and provides recommendations to: improve IRS systems and operations; ensure the fair and equitable treatment of taxpayers; and detect and prevent waste, fraud, and abuse in tax administration. The Office of Audit places an emphasis on statutory audit coverage required by the IRS Restructuring and Reform Act of 1998 (RRA 98)⁴ and other laws, as well as on areas of concern raised by Congress, the Secretary of the Treasury, the Commissioner of Internal Revenue, and other key stakeholders. The specific high-risk issues examined by the OA include identity theft, refund fraud, improper payments, information technology, security vulnerabilities, complex modernized computer systems, tax collection and revenue, and waste and abuse in IRS operations.

MODERNIZATION EFFORTS TO REPLACE LEGACY SYSTEMS

Successful modernization of IRS systems and the development and implementation of new information technology applications are critical to meeting the IRS’s evolving business needs and to enhancing services provided to taxpayers. The IRS’s reliance on legacy (i.e., older) systems, aged hardware, and its use of outdated programming languages pose significant risks to the IRS’s ability to deliver its mission. Modernizing the IRS’s computer systems has been a persistent challenge for many years and will likely remain a challenge for the foreseeable future.

One of the IRS’s top-priority information technology investments is the Customer Account Data Engine 2 (CADE 2). The IRS has been using the Individual Master File (IMF), which uses an outdated assembly language code, for more than 50 years. The IMF is the source for individual taxpayer accounts. Within the IMF, accounts are updated, taxes are assessed, and refunds are generated. Most of the IRS’s information systems and processes depend on the IMF, either directly or indirectly.

In 2009, the IRS began developing CADE 2 to address the issues regarding tax processing and to eventually replace the IMF. CADE 2 is the data-driven foundation for future state-of-the-art individual taxpayer account processing and data-centric technologies designed to improve service to taxpayers, enhance IRS tax administration, and ensure fiscal responsibility.

In September 2013, TIGTA reported that the CADE 2 database could not be used as a trusted source for downstream systems due to the 2.4 million data corrections that had to be applied to the database, and to the IRS’s inability to evaluate 431 CADE 2 database columns of data for accuracy.⁵ To address these issues, the IRS developed additional tools and implemented a new data validation testing methodology intended to ensure CADE 2’s timeliness, accuracy, integrity, validity, reasonableness, completeness, and uniqueness. The IRS requested that TIGTA evaluate the new data validation testing methodology.

In a September 2014 follow-up audit, TIGTA reported that the IRS had appropriately completed its data validation efforts.⁶ According to the IRS, the CADE 2 release plan is currently being adjusted to reflect impacts of staffing challenges and various possible budget scenarios. The loss of key IMF expertise is causing the reprioritization of CADE 2 goals to focus on IMF reengineering, the suspension of projects, and the potential deferral of planned functionality to be delivered. There are several reasons for the delays in implementing CADE 2, including other organizational priorities such as the annual filing season, other major information technology investments, contracting delays, aging architecture, lack of key subject matter experts on institutionalized processes, and outdated programming languages. There is no scheduled or planned completion date for CADE 2 development.

In FY 2018, TIGTA will be initiating an audit to assess the effect of legacy systems on the IRS’s ability to deliver modernized tax administration. TIGTA also plans to conduct an audit to determine the progress made on completing the CADE 2 project, including the IRS’s retirement strategy for the IMF and a comparison of estimated costs to actual expenditures.

In addition to CADE 2, the IRS replaced its Electronic Fraud Detection System (EFDS) with the Return Review Program (RRP), which enhanced its capabilities to prevent, detect, and resolve criminal and civil non-compliance. The RRP is an important development in the IRS’s efforts to keep pace with increasing levels of fraud and in serving the organization’s evolving compliance needs.

In a September 2017 report, TIGTA reviewed the RRP to determine if the system could identify all fraud currently identified by other existing fraud detection systems, and assessed the EFDS retirement plans.⁷ TIGTA concluded that the RRP better meets the IRS business objectives of delivering greater fraud detection at a lower false detection rate than the EFDS.

Results from recent tax filing seasons support the IRS’s decision to retire the EFDS models. TIGTA believes that the RRP is better positioned than the EFDS to address the changing nature of identity theft. Specifically, the EFDS uses models to generate one fraud score for each return. In contrast, RRP models generate a set of predictive scores for every return. This enables the RRP to individually assess tax returns. In addition, the RRP fraud detection models provide greater flexibility in adjusting to new emerging fraud trends than the EFDS.

The IRS retired the EFDS identity theft models for the 2016 Filing Season. The EFDS identified tax returns involving identity theft totaling $60 million (1.5 percent of the total $3.92 billion in returns involving identity theft) that were not identified by any other fraud detection system. In contrast, the RRP identified tax returns involving identity theft totaling $1.88 billion (47.8 percent of the $3.92 billion in returns involving identity theft) that were not selected by any other fraud detection system.

In addition, when the IRS ran the EFDS and the RRP non-identity theft models in parallel for the 2016 Filing Season, the RRP selected 41,710 fraudulent tax returns not selected by the EFDS, representing $328 million in revenue protection. By comparison, the EFDS selected 6,824 fraudulent tax returns not selected by the RRP, representing $17 million in revenue protected. TIGTA does not believe the relatively small amount of non-identity theft tax returns selected by the EFDS warranted delaying the retirement of the EFDS non-identity theft models after the 2016 Filing Season.

In September 2015,⁸ TIGTA recommended that the IRS develop a system retirement plan for the EFDS and retire the system after validating that the RRP effectively identifies, at a minimum, all issues currently identified in the EFDS. The IRS agreed with the recommendation, and in December 2015, the IRS Executive Steering Committee unanimously approved the EFDS Retirement Strategy. However, our review of the EFDS Retirement Strategy showed that the IRS cannot shut down EFDS until all 19 system components have been decommissioned. Eleven of the 19 components are related to the Enterprise Case Management project and have retirement dates as late as December 2018. With the Enterprise Case Management project starting over with software selection, the IRS will likely miss the December 2018 target date for retiring the remaining 11 EFDS components. As a result, the IRS will continue to incur annual costs to operate and maintain the EFDS system in each filing season for which it remains in operation beyond the 2018 Filing Season. The IRS estimated that the annual operating and maintenance cost for the EFDS for the 2018 Filing Season is $13.9 million.

INFORMATION TECHNOLOGY INITIATIVES TO MODERNIZE OPERATIONS, APPLICATIONS, AND THE E-MAIL SYSTEM

In addition to modernization efforts to replace legacy systems, the IRS is developing and implementing new information technology to modernize its operations, applications, and e-mail system to provide more sophisticated tools to taxpayers and IRS employees. TIGTA has identified several areas where the IRS can improve its efforts to upgrade or enhance its information technology systems.

TIGTA conducted an audit to review the implementation and use of cloud technologies and services.⁹ In July 2016, the IRS created an Integrated Planning Team with an overall goal of developing an enterprise-wide cloud strategy for implementation within the IRS. The Integrated Planning Team’s mission is to help the IRS define a “cloud” and to provide some specific guidance to assist in the selection and deployment of cloud services within the IRS. However, TIGTA reported that the IRS does not have an enterprise-wide cloud strategy and also that the IRS did not follow Federal and agency cloud service guidelines for the Form 990 Cloud Project.¹⁰ The IRS stated that there is no current timetable for adoption and implementation of the enterprise-wide cloud strategy. Not having a documented enterprise-wide cloud strategy creates a significant risk that organizations outside of the IRS Chief Information Officer and Information Technology (IT) organization may deploy systems and potentially expose Federal tax information with no reasonable assurance that the systems meet applicable Federal security guidelines. The IRS may also miss the opportunity to deliver value by increasing operational efficiency and responding more quickly to stakeholder needs.

The Tax Exempt and Government Entities Division entered into an agreement to utilize a public cloud service with limited involvement from the IRS IT organization. In October 2015, the Tax Exempt and Government Entities Division had discussions with the Associate Chief Information Officer for Enterprise Services regarding the Form 990 Cloud Project. However, the Tax Exempt and Government Entities Division was not instructed to appoint an authorizing official, generate an agency Authority to Operate letter, or ensure that the cloud service complied with Federal Risk and Authorization Management Program requirements.

A primary focus for the IRS over the past two decades has been to migrate taxpayers to electronic filing. Outside of filing activities, taxpayers also use the Internet to download forms, view content, and check the status of their refund. These types of online activities will increase as the IRS implements its Future State Initiative. ¹¹¹²

TIGTA conducted an audit to review the development and implementation of the online Web Applications (Web Apps)¹³ designed to deliver an online account for individual taxpayers along with the abilities to see a balance due, see payment status/history, make a payment, and view/download tax transcripts. The audit, released in September, found that the development and deployment of Release 1.0 of the Web Apps system has been significantly delayed. The Web Apps Program Management Office was initially tasked with delivering its four original functionalities for Release 1.0 of the Web Apps system by September 30, 2015. A lack of funding caused a delay in the Web Applications Program Management Office obtaining the necessary staffing resources. Similarly, the IRS’s inconsistent governance process contributed to project delays. These delays prevented taxpayers from being able to use any of Release 1.0 of the Web Apps system’s planned functionalities for the 2016 Filing Season.

In addition, further delays resulted in taxpayers being unable to use the Web Apps system to see payment status and history or view and download transcripts at the start of the 2017 Filing Season. To acquire this information, taxpayers had to use the separate Get Transcript Online Service or IRS2GO mobile phone app, or had to call, mail, fax, or visit an IRS taxpayer assistance center, which does not achieve the IRS’s goals to modernize and increase the efficiency of the taxpayer experience. These requests could have been provided in a timelier and more direct manner by Release 1.0 of the Web Apps system if it had been deployed on schedule.

TIGTA has also evaluated the IRS’s efforts to establish information technology capabilities to manage temporary and permanent e-mail records. TIGTA determined that the IRS purchased subscriptions for an enterprise e-mail system it could not use.¹⁴ The purchase was made without first determining project infrastructure needs, integration requirements, business requirements, security and portal bandwidth, and whether the subscriptions were technologically feasible on the IRS Enterprise. IRS executives made a management decision to consider the enterprise e-mail project an upgrade to existing software instead of a new development project or program. As a result, the IRS did not follow its Enterprise Life Cycle guidance. The IRS authorized the $12 million purchase of subscriptions over a two-year period; however, the software to be used via the purchased subscriptions was never deployed. The IRS violated Federal Acquisition Regulation requirements by not using full and open competition to purchase the subscriptions.

In an audit requested by the Chairman of the House Committee on Ways and Means and the Chairman of the Senate Committee on Finance, TIGTA determined that IRS policies are not in compliance with Federal electronic records requirements and regulations.¹⁵ The IRS’s current e-mail system and record retention policies do not ensure that e-mail records are automatically archived for all employees and can be searched and retrieved for as long as needed. The current e-mail system requires users to take manual actions to archive e-mail and results in e-mail records that can be stored in multiple locations, such as a mailbox folder, exchange server, network shared drive, hard drive, or on removable media or backup tape.

According to the IRS, its Future State e-mail system is being developed to potentially allow records to be available and searchable while automatically applying a retention policy. However, until a solution is effectively implemented, these e-mails remain difficult, if not impossible, to retain and search.

TIGTA has also evaluated the readiness of the IRS to establish an upgraded e-mail solution with the information technology capabilities to manage e-mail records in compliance with the directive of the Office of Management and Budget and the National Archives and Records Administration, which requires that agencies eliminate paper records and use electronic recordkeeping to the fullest extent possible.¹⁶ TIGTA found that more effort is needed by the IRS to meet the National Archives and Records Administration e-mail management success criteria prior to the deployment of the enterprise e-mail solution. Specifically, TIGTA determined that as of January 31, 2017, 13 of the 32 (41 percent) requirements related to the e-mail management success criteria remained under development. The requirements need to be fully developed and implemented before the IRS can successfully deploy its enterprise e-mail solution. Due to delays in developing and deploying the enterprise e-mail solution, the IRS will most likely not begin receiving any of the expected benefits of Federal records reform until the end of Calendar Year 2017, nearly a year after the initially mandated deployment date.

HARDWARE MODERNIZATION

The IRS has a large and increasing amount of aged hardware, some of which is three to four times older than industry standards. In its FY 2016 President’s Budget Request, the IRS noted that its information technology infrastructure poses significant risk of failures, although it is unknown when these failures will occur, how severe they will be, or whether they will have material impacts on tax administration during the filing season.

TIGTA conducted an audit to determine and measure the impact of inefficiencies of the IRS’s aged information technology hardware. Specifically, TIGTA analyzed all FY 2016 incident tickets¹⁷ from the Knowledge Incident/Problem Service Asset Management system¹⁸ categorized as either “critical” or “high” for all aged information technology hardware (e.g., desktop and laptop computers, servers, and telephone call routers). The aggregate length of time to resolve these incident tickets was 4,541 hours. Aged information technology hardware still in use could result in excessive system downtime due to hardware failures. As information technology hardware ages, it becomes more difficult to obtain adequate support. Aged hardware failures have a negative impact on IRS employee productivity, security of taxpayer information, and customer service.

Additionally, TIGTA reported that the IRS has not yet achieved its stated objective of reducing the percentage of its aged information technology hardware to an acceptable level of 20 to 25 percent. In fact, the IRS’s percentage of aged information technology hardware has steadily increased from 40 percent at the beginning of FY 2013 to 64 percent at the beginning of FY 2017.¹⁹ Aged information technology hardware, when combined with the fact that components of the infrastructure and systems are interrelated and interdependent, make outages and failures unpredictable and may also introduce security risks to critical taxpayer data that IRS systems must protect.

To provide further perspective on the negative effects that these aged hardware failures may have had on IRS employee productivity, the security of taxpayer information, and customer service, here are some examples of incidents that the IRS reported as having affected its ability to conduct daily operations.

• The existing Contact Recording²⁰ infrastructure is extremely aged and averages one outage per day, affecting the quality control feedback for more than 200 IRS toll-free call center employees interacting with taxpayers and their representatives.

• The IRS “Web Farm” houses over 500 internal websites, including many internal filing season-specific websites in use by all IRS business units. On October 31, 2016, the Taxpayer Advocate’s web page went off-line affecting more than 1,700 employees.

• More than 30 percent of the IRS’s installed network equipment had no end of software support* and required replacement in order to support deployment of Direct Model Personal Identity Verification. Until the hardware is replaced, no software support means no computer bug fixes, no maintenance releases, and no security patches. This significantly increased the security risk vulnerability of the at risk equipment. According to the IRS, hardware equipment for the proposed permanent solution was scheduled to be installed in August 2017.

TIGTA recommended that the Chief Information Officer conduct additional coordination with the Chief Financial Officer and other business unit executives to identify the availability of additional transfers, reprogramming, and possible carryover funds earlier in the process to maximize their use and develop plans to expeditiously spend any potential surplus funds that might become available to aid in reducing its aged information technology hardware infrastructure.

TIGTA believes the IRS needs to improve its project planning prior to starting development activities. This should include more clearly defined requirements and scope, a well-designed architecture, and comprehensive assessments of commercial off-the-shelf products to be used. The IRS also needs to ensure that it maintains its discipline in following established methodologies to guide project development. In addition, the IRS has more information technology demands than can be addressed with the properly skilled resources it has available. The IRS should focus on fewer projects and provide sufficient resources to ensure the completion of its highest priority projects before beginning new projects.

Finally, we have seen the IRS has success when appropriations are designated for specific programs, such as when additional FY 2016 funding was provided for cybersecurity enhancements and identity theft prevention. While the IRS needs to retain information technology funding flexibility to address legislative requirements and priorities, any additional funding should be designated for specific modernization projects with appropriate oversight to ensure timely delivery of the projects. In addition, we agree with the IRS’s request in the FY 2018 President’s Budget submission for additional Operations Support account funds to be available for two years due to the length of the information technology lifecycle process and because it provides the IRS with an opportunity to utilize appropriated funds before they expire.

We at TIGTA take seriously our mandate to provide independent oversight of the IRS in its administration of our Nation’s tax system. As such, we plan to provide continuing audit coverage of the IRS’s efforts to operate efficiently and effectively and to investigate any instances of IRS employee misconduct or other threats to tax administration.

Chairman Buchanan, Ranking Member Lewis, and Members of the Subcommittee, thank you for the opportunity to share my views.

---

Danny Verneuille
Assistant Inspector General for Audit
Treasury Inspector General for Tax Administration

Mr. Verneuille has served as an Auditor in the Treasury Inspector General for Tax Administration and the Internal Revenue Service Inspection Service, TIGTA’s predecessor organization, for over 30 years. In July 2017, Mr. Verneuille became a member of the Senior Executive Service and was promoted to the position of Assistant Inspector General for Audit (Security and Information Technology Services). He is responsible for providing guidance and direction to audits of the IRS’s information technology that evaluate systems security, systems development, and systems operations.

Prior to his current role, Mr. Verneuille was the Director, Systems Development, for TIGTA where he was responsible for reviews of the IRS’s modernization and systems development efforts. He also worked as the Director, Systems Operations, where he was responsible for reviews to assess the effectiveness of IRS’s information technology operations.

Mr. Verneuille has a Bachelor of Science Degree in Accounting from the University of New Orleans and is a Certified Internal Auditor.