United States General Accounting Offke I Testimony Before the Committee on Governmental Affairs United States Senate For Releaseon Delivery Expectedat 930 a m Tuesday July 19 1994 IFS AUTOMATION Controlling Electronic Filing Fraud and Improper Access to Taxpayer Data Statement of JamesF Hinchrnan Special Assistant to the Comptroller General of the United States GAO T-AIMDIGGD-94-183 I Li uliiniisifi nviv ruiwin udulr l Etta 3 35 Mr Chairman and Members of the Committee We are pleased to be here today to discuss the Internal Revenue Service's IRS efforts to 1 control the growing instances of fraud in the electronic filing program 2 safeguard taxpayer automated files from unauthorized access and manipulation by IRS employees and 3 remove unnecessary risk from its computer These matters are critical to ensure that IRS systems environment has reasonable assurance that the issues proper refunds confidentiality and accuracy of taxpayer data are protected and has adequate computer systems security In recent years the American public has come to expect quick sector access to information and services when dealing with private enterprises and now also expects the same responsiveness with Today's automated technology has federal government transactions ability to deliver services and to access greatly increased IRS' Along with this technology has come new and information faster taxpayer data greater challenges to protect IRS' highly sensitive IRS has recognized the problems associated with electronic filing fraud browsing of taxpayer files by IRS employees and a wider IRS has taken some steps range of computer security weaknesses However and plans to take others to improve these areas additional action and sustained emphasis are necessary to improve controls over electronic filings and protect taxpayer information This is especially important considering the upward trend in fraud associated with the electronic filing program the unauthorized browsing by IRS employees of taxpayer files that IRS has identified and the overall computer as a problem in all of its regions systems Security risks IRS continues to face ELECTRONIC FILING FRAUD IS GROWING Electronic filing shows the potential benefit of a paperless tax filing system However IRS has not yet shown how such a system Electronic filing can be adequately safeguarded against fraud began as a demonstration project for Tax Systems Modernization and was offered nationwide in 1990 With this alternative to the traditional filing of paper returns taxpayers could receive refunds within 2 weeks Since 1990 the number of individual income tax returns filed electronically has increased--from 4 2 million then to 13 5 million this year IRS views electronic filing as a cornerstone of its future business vision and the goal is to receive 80 million electronically filed tax returns annually by 2001 While we support the need to modernize IRS and the movement to electronic filing we are concerned about the growing instances of electronic filing fraud We recognize that electronic filing is not the only sources of filing fraud Fraud associated with paper 1 filing is also a problem electronic filing is not tap into IRS' tax data that has grown in recent years ' Further an avenue through which individuals can We agree with the electronic filing concept but stress the need for adequate systems security and controls to protect against fraudulent electronic returns Thus far the number of electronic returns identified as fraudulent in any 1 year has been relatively small-- for example in 1993 about 26 000 electronic returns were identified as fraudulent worth over $50 million However the growth rate of such returns is high and it is unclear how much of the growth is due to an increase in fraudulent activity rather than an improvement in fraud detection Even more troubling is the uncertainty as to how much fraud might be going undetected As of July 1 1994 IRS had received 110 4 million individual income tax returns of which about 13 5 million were filed electronically-9 5 percent more than at the same time in 1993 comparison IRS reports show that 64 percent more fraudulent electronically filed returns were identified during the first 5 months of 1994 compared to the first 5 months of 1993--20 937 compared to 12 730 By If experience can predict future trends many more fraudulent electronic returns will be identified by the end of the year During the last 7 months of 1993 for example IRS identified another 13 227 fraudulent electronic returns bringing the annual total to just under 26 000 If the 64 percent growth rate during the first 5 months of 1994 remains constant during the rest of the fraudulent electronic returns could year the number of identified increase to about 43 000 by the end of the year Electronic filing has made it easier for IRS to process returns because the tax information is submitted directly to IRS' computers As a result the paper return is eliminated and the time it takes to process a return is reduced However fraud detection is compromised because of the a-week time constraint that IRS imposes on processing a return the use of manual methods to identify fraudulent returns and the lack of W-2 information to confirm wage earnings IIn 1993 IRS reported identifying 51 883 fraudulent paper returns The kind of fraud being perpetrated on electronically filed returns is no different than that being perpetrated on paper returns--for example the preparation of bogus W-2s claiming fraudulent wages and withholdings thus supporting a fraudulent refund claim or earned income tax credit 2 We have made several recommendations to improve IRS' controls over The recommendations which I will now electronic filing fraud ' highlight involved 1 improved screening and monitoring of persons and firms authorized to file returns electronically 2 validations and editing in the electronic filing systems that would help prevent fraudulent electronic returns from being of fraudulent returns that have accepted and 3 better detection been accepted Better Screening and Monitorinq Electronic Returns Preparers and Transmitters of One way to help prevent fraud is to ensure that only reputable To file preparers and transmitters file tax returns taxpayers can either have an IRS-approved electronically practitioner prepare and submit the return or take a return that has already been prepared to an individual or business that IRS has Because some preparers and transmitters approved as a transmitter have been involved in schemes involving fraudulent electronic returns we recommended in 1992 that IRS do more to check the backgrounds of persons applying to participate in the electronic filing program One step we recommended was that IRS obtain information from the Federal Bureau of Investigation FBI to identify preparer and IRS is transmitter applicants with prior criminal convictions working with the FBI to obtain this information IRS can also rescind the electronic filing privilege of electronic return preparer or transmitter who fails to various operating requirements stipulated by IRS The by the this rescission authority however is mitigated any servicewide procedure to prevent a barred preparer transmitter from reapplying To correct this problem designing a system that can be used to screen preparers transmitters Preventinq Fraudulent Returns any abide by effect of absence of or IRS is and From Beinq Accepted IRS does not adequately prevent fraudulent returns from being accepted The aspect of electronic filing that most attracts That speed taxpayers is the speed with which they can get refunds also makes electronic filing appealing to potential defrauders because IRS has less time to identify and stop questionable refunds once an electronic return has been accepted One way to deal with the problem is to prevent questionable returns from being accepted Y In this respect electronic filing gives' IRS an opportunity that it does not have with paper returns --the ability to verify the critical information on the return before accepting it and issuing a refund When IRS implemented the electronic filing system it did not build in adequate validity checks to help protect against fraud However as the need for such checks became more apparent IRS has Now before accepting an electronic return implemented several for example IRS verifies that the taxpayer's name and Social Security number on the electronic transmission match information in IRS' records If there is a mismatch IRS will not accept the return That validity check resulted in over 200 000 rejected returns in 1994 IRS does not know how many of the returns rejected through the various validity checks involved attempted fraud or how many were simply the result of errors by taxpayers or preparers in recording or transcribing names Social Security numbers or other data Nonetheless even with the various upfront controls and all of the rejections the number of fraudulent electronic returns getting into the system and later being identified by IRS continues to increase Another potentially effective control would involve an automated comparison of wage data on tax returns with wage data provided by employers which is not currently possible Toward this end IRS may have an opportunity to use partial-year data to at least verify that an employer employee relationship exists and that the taxpayer's reported wages appear reasonable To do this IRS has been looking into the possibility of using quarterly wage data that employers submit to states for unemployment compensation purposes In 1995 IRS plans to pilot such an effort in conjunction with the State of California If use of this information proves feasible IRS might be able to match three quarters of employer wage data against information on a taxpayer's return Detectinq Fraudulent Returns After returns are accepted IRS uses computer screening Criteria to identify questionable returns These returns are then referred to analysts for various levels of review This is a slow labor intensive process that is not automated The screening criteria are broad and generate many more questionable returns than can be reviewed by analysts creating a backlog Despite the amount of effort devoted to this nonautomated review relatively few fraudulent returns are actually identified For example of approximately 3 million potentially fraudulent returns IRS reviewed in 1993 almost 26 000 or less than 1 percent were determined to be fraudulent 4 IRS is taking steps to improve its screening review process--steps that may produce more exacting criteria that better identify potentially fraudulent returns and help analysts do better in reviewing those returns The major effort in this regard is a 4-year four-phase initiative involving IRS and the Los Alamo8 in the National Laboratory In the first phase which was piloted IRS Cincinnati Service Center in 1994 and is to be implemented nationwide in 1995 IRS automated existing processes to among provide for on-line review of questionable returns other things and provide an interface to on-line databases to verify information on the return The other three phases are expected to result in more sophisticated methods of detecting fraud and refining criteria for screening fraudulent returns for review THE RISK OF IMPROPERACCESS TO TAXPAYERDATA CONTINUES In August 1993 we testified before this Committee that IRS did not adequately control access authority given to computer support personnel or adequately monitor employee access to taxpayer information 3 For example in 1992 IRS' internal audit found that some employees had used their access 1 to monitor their own fraudulent returns 2 to issue fraudulent refunds and 3 to inappropriately browse through taxpayer accounts We also reported on this matter as part of our audits of IRS' financial statements Officers for fiscal years 1992 and 1993 under the Chief Financial Act Public Law lOl-576 ' In its examinations of all of its regional offices IRS found similar problems IRS also reevaluated the disposition of the Southeast Region's suspected browsing cases Of the 328 cases analyzed the IRS Office of Ethics agreed with the disciplinary actions in 213 cases and disagreed in 83 cases For the remaining 32 cases the IRS Office of Ethics was unable to determine the appropriateness of the disciplinary action because of inadequate information Overall the Office of Ethics concluded and IRS management agreed that the disciplinary actions in 51 of the 328 cases reviewed or about 16 percent were too lenient Moreover the Office of Ethics found cases of inconsistent punishment for similar offenses 'Financial Revealed Manaqement First Financial Audits of IRS and Customs Serious Problems GAO T-AIMD-93-3 August 4 1993 4Financial Audit Examination of IRS' Fiscal Year 1992 Financial Statements GAO AIMD-93-2 June 30 1993 IRS Information Systems Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information GAO AIMD-93-34 September 22 1993 and Fiscal Year 1993 Financia 1994 5 including office minimum privacy managers disparate treatment between offices and within the same IRS revised penalty guidelines to set In this regard and maximum penalties for violating computer security and The guidance provides important assistance to laws to encourage fair and consistent application of penalties An internal systems security study commissioned by IRS in 1993 pointed out that one of the greatest risks to SeCUrity is from a December 1993 review by IRS' internal Nevertheless employees auditors found that there were virtually no controls programmed into the Integrated Data Retrieval System IDRS to limit what employees can do once they are authorized IDRS access and The review indicated that authorized to input account adjustments IRS' internal security program had identified instances of employee attempts to embezzle funds using IDRS IRS has planned corrective actions to limit the adjustments to an account record details of each account transaction and report unusual and high risk account adjustment activity IRS officials told us that some employees were confused and uncertain about whether IDRS security rules applied in certain circumstances and were unclear as to what actions constituted an IRS has taken steps to improper access or unauthorized conduct better inform and educate employees on their responsibilities These steps have concerning IDRS security and privacy issues included distributing articles and newsletters showing videos and of which emphasize forwarding a message from the Commissioner --all We endorse these IRS' policy regarding proper use of tax data actions and in addition believe that IRS needs to consistently apply appropriate penalties and publicize all disciplinary actions to heighten employees' awareness of security rules With the technology available today unauthorized access to taxpayer accounts can be restricted with systems controls IRS' August 1993 action plan to address security weaknesses in IDRS is attempting to move IRS in this direction For example IRS reports that it can now use system controls to detect and intervene if employees attempt to access their own accounts or those of their spouses Similar restrictions are not yet implemented to control employee access to the accounts of others such as neighbors relatives or celebrities IRS needs effective systems controls to not only restrict access to necessary taxpayer accounts but to record audit trails of virtually everything that goes on with taxpayers' accounts Managers have the responsibility to monitor the use of the system to make sure it is secure Since their time is limited it is important that exception reports provide managers only the information needed to investigate potential problems Such reports are planned as part Of IRS' new Electronic Audit Research Log system 6 IMPROVING IRS' OVERALL CORPUTERSYSTEMSSECURITY Following the August 1993 hearing we not only reviewed IRS' planned actions to correct IDRS' security problems but also made an assessment of the Service's overall computer systems security IRS' overall computer controls do not adequately ensure that taxpayer data are adequately protected from unauthorized access change and disclosure or loss of operations due to disaster Serious risks are not limited to the use of IDRS but apply to other IRS systems which also provide access to taxpayer data We found the following to be the primary weaknesses -- Inadequate control over access to computer systems IRS' systems do not adequately prevent unauthorized access which leaves taxpayer data at risk of illegal disclosure or alteration -- Limited monitoring of taxpayer account transactions Access to tax accounts may not be recorded or if recorded provide insufficient information to investigate possible unauthorized access -- Poor contingency This could leave services preparation IRS unable for recovery after a disaster to provide basic tax processing -- Improper management of software changes This creates a risky systems environment where the systems could be sabotaged The details surrounding these problems and our recommendations for corrective action are being reported to the Committee separately and will be limited to official use only None of our overall computer systems security findings were new to IRS In its 1993 Federal Managers' Financial Integrity Act report IRS added security over taxpayer data as a material weakness Over the last several years IRS has commissioned a number of studies which have revealed these and other serious systems security problems IRS is moving closer to resolving some of its longstanding computer security problems but until the solutions are actually in place serious risks remain Given the extent of the automated systems weaknesses we advised IRS to conduct a comprehensive systems risk analysis that would identify the security vulnerabilities in its mission-critical operations and include the computer systems and the networks that connect them We believe such an analysis is needed to ensure that all the major risks have been identified Also the analysis would enable IRS to determine whether the planned actions are sufficient to bring its computer security under adequate control 7 IRS has demonstrated a strong commitment to improve control over Much of what IRS considers as its access to its taxpayer records solution to its computer security problems is imbedded in the Tax which is 6 or more years away from Systems Modernization effort completion Today's risks however cannot be left for a future system to resolve and there are actions that can be taken today to secure Implementing better automated systems IRS' computer systems controls through some of the technology options now available will but require resources Thus IRS' managers face difficult such as deciding how many resources to devote important decisions to systems security in the current environment given the commitment to Tax Systems Modernization Mr Chairman IRS is at a critical juncture--automating tax services is the essence of Tax Systems Modernization and IRS' ability to carry out its mission This creates an entirely new set fraud and access to of challenges in managing IRS --controlling taxpayer data in an electronic age where technology is rapidly expanding IRS is working to better control electronic filings and the great risk of unauthorized access to taxpayer account data and to improve overall computer systems security IRS understands many of its underlying computer security weaknesses but at the present time serious and long-standing weaknesses remain Adequately reducing the risk in these areas will depend on the prompt and effective implementation of significant computer systems security improvements The continued oversight and support by this Committee in tackling this difficult challenge will also be most important This concludes my statement We would be pleased to respond to any questions you or members of the Committee may have at this time 8 Ordering Information The first copy of each GAO report and testimony is free Additional copies are $2 each Orders should be sent to the following address accompanied by a check or money order made out to the Superintendent of Documents when necessary Orders for 190 or more copies to be mailed to a single address are discounted 25 percent I c Orders by mail U S General Accounting Of e P-0 Box 6015 Gaithersburg MD 20884-6015 1 or visit Room 1100 700 4th St NW corner of 4th and G Sts NW U S General Accounting Office Washington DC Orders may also be placed by calling 202 or by using fax number 301 258-4066 512-6000 Each day GAO issues a list of newly available reports and testimony To receive facsimile copies of the daily List or any list from the past 30 days please call 301 258-4097 using a touchtone phone A recorded menu will provide information on how to obtain these lists T- PRINTED ON “y RECYCLED PAPER United States General Accounting Office Washington D C 20548-0001 Official Business Penaky for Private Use $300 Address Correction Requested