The Examination Function Developed Many Necessary Controls for Its Electronic Classification System

September 2001

Reference Number: 2001-30-176

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

September 20, 2001

MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION

FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner

Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Examination Function Developed Many Necessary Controls for Its Electronic Classification System

This report presents the results of our review of the Internal Revenue Service’s (IRS) Alternative DIF Delivery System (ADDS). The overall objectives of this review were to determine whether the Small Business/Self-Employed (SB/SE) Division developed effective plans and procedures to use the ADDS as a method to identify and select tax returns for examination, and established adequate controls to protect sensitive taxpayer data available on the system.

Summary

The Examination function developed the ADDS as an optional method for reviewing (classifying) tax returns for examination potential without retrieving the original documents from storage files. This saves resources and expedites the examination process. The selection of returns for examination is a highly sensitive area that has been the subject of scrutiny from the Congress, the Treasury Inspector General for Tax Administration (TIGTA), and the media. Effective controls are necessary to help ensure objectivity in the selection process, protect taxpayers from unwarranted examinations, and protect the Internal Revenue Service (IRS) when questions arise about how tax returns were selected for examination.

Many effective controls were designed into the electronic classification system. The system is currently being redesigned with changes that should make it both easier to use, and more effective to identify tax returns for examination and deliver the work to field groups. Access to the system is subject to commonly used login and password controls. Controls also help prevent an employee from browsing or viewing tax information for personal reasons.

The ADDS is a sub-system of the Midwest Automated Compliance system (MACS). Two audits conducted by the TIGTA in recent years identified concerns with controls over the MACS system, specifically, the fact that there were no audit trail reviews. While we determined that audit trail review guidelines have now been established and security officers have received audit trail review training, none of the five field offices that we reviewed were completely following procedures that require monthly reviews of MACS audit trail files. Though our limited testing in two of the offices did not identify any inappropriate access to the ADDS, browsing and inappropriate access or attempted access to taxpayer information can go undetected when audit trail reviews are not performed.

In addition, procedures for the ADDS do not require that a control be established on Examination’s case control system for tax returns unless the case is identified for examination. As a result, information that electronically classified tax returns have been classified and accepted as filed is not captured. This could result in unnecessary work by IRS employees, and incorrect information provided to taxpayers when they ask about their accounts.

We recommend that the Commissioner, SB/SE Division, ensure that security officers are SB/SE Division employees and receive the proper audit trail instructions. In addition, the Commissioner should continue efforts to identify a reasonable and timely solution to capture information that tax returns have been accepted as filed.

Management's response was due on September 14, 2001. As of September 17, 2001, management had not responded to the draft report.

Copies of this report are also being sent to IRS officials who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs), at (202) 622-3837.

Table of Contents

Background

Many Controls Were Designed Into the Electronic Classification System

Additional Follow-up Is Necessary to Ensure that Audit Trail Reviews Are Performed

Recommendations 1 through 3

Information that Tax Returns Have Been Classified and Accepted as Filed Should Be Captured on the Masterfile

Recommendation 4

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Background

The Internal Revenue Service’s (IRS) Examination function examines tax returns to ascertain whether taxpayers have correctly determined their tax liability. The Examination function’s Planning and Special Programs (PSP) office is responsible for maintaining an inventory of tax returns available for assignment to field groups.

Since it is not possible to examine all tax returns filed, the Examination function relies on a scoring technique, the Discriminant Index Function (DIF), to identify the examination potential of tax returns. The premise of this system is that the higher the score, the greater the potential for a tax adjustment. Before an examination is initiated, Examination function employees review the tax returns with the highest DIF scores. This review, called classification, is to determine whether the tax returns actually warrant examination.

Traditionally, the classification process involves pulling original tax returns from storage files and sending field employees to a central location to review the original tax returns. The lead-time to obtain the original returns and prepare them for classification can be four to six months.

The Examination function developed the Alternative DIF Delivery System (ADDS) as an option for classifying tax returns without retrieving the original documents from storage files. In addition to saving travel and staff resources used in the traditional classification process, electronic classification enables the examination process to start closer to the date the taxpayer filed the return. This should reduce the amount of penalty and interest charged to the taxpayer when the examination results in additional tax owed, and help resolve the Congress’ concern that the IRS was not timely notifying taxpayers about tax deficiencies. Also, this process helps the IRS meet its Tax Administration Vision and Strategy goal of completing examinations quicker.

The ADDS is a sub-system of the Midwest Automated Compliance system (MACS). Tax return information available on both the MACS and the ADDS is based on information that is captured as original tax returns are being processed to the Masterfile.

Currently, the MACS Development Center (MDC) is redesigning the ADDS to improve the usability and effectiveness of the system. The redesigned system will be called the Automated DIF Delivery and Planning Tool (ADDAPT).

We performed audit work in or obtained information from the Chicago, IL; Denver, CO; Philadelphia, PA; Phoenix, AZ; and Springfield, NJ, PSP offices, the MDC offices, and the Small Business/Self-Employed (SB/SE) Division Headquarters Office between February and May 2001. The audit was conducted in accordance with Government Auditing Standards.

In reviewing the SB/SE Division’s plans and procedures for using the ADDS as a method to identify and select tax returns for examination, we learned that the ADDS has not been used extensively and the ADDAPT is still being designed. Therefore, we were not able to review the results of examinations identified through the systems. Further, some of the audit tests were designed to follow-up on corrective actions taken regarding portions of prior audit reports. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Many Controls Were Designed Into the Electronic Classification System

The selection of returns for examination is a highly sensitive area that has been the subject of scrutiny from the Congress, the Treasury Inspector General for Tax Administration (TIGTA), and the media. Effective controls are necessary to help ensure objectivity in the selection process, protect taxpayers from unwarranted examinations, and protect the IRS when questions arise about selecting tax returns for examination.

As mentioned above, the MDC is in the process of redesigning the ADDS, and the redesigned system will be called the ADDAPT. In addition to redesigning the classification portion of the system, separate management information is being developed as a tool for managers to use to identify returns that are classified and available for delivery to groups, and for ordering those returns. These changes should make the system easier to use and more effective to identify tax returns for examination and deliver the work to field groups.

Both the ADDS and ADDAPT have similar controls that help prevent an employee from browsing or viewing tax return information for personal reasons. Tax returns can only be viewed in descending DIF score order, and a decision is required on each tax return before the next can be viewed. The decision can be to accept the tax return as filed or select it for examination. The ADDAPT also allows a temporary pass of the tax return if the classifier believes it should be viewed by another classifier with expertise in a specific industry. The system is programmed to automatically show that the tax return was accepted as filed if the other classifier does not review it and make a decision about examination potential within 60 days.

Access to the systems is subject to commonly used login and password controls. In addition, viewing tax returns on the systems requires entering a control number. This control number is obtained by completing a research request form that requires approval by the Chief, PSP. The control number is captured for each access on the audit trail.

The ADDAPT is being programmed to facilitate quality reviews of the classifier’s work. The system will capture the quality reviewer’s identification and require that this be an employee other than the classifier.

As previously mentioned, data for the systems comes from information captured when tax returns are being processed. The MDC loads the data to discs and ships the discs to each area office so the data can be loaded to their MACS computers. In a previous audit report dated April 1999 the TIGTA reported that the discs were not adequately secured to prevent unauthorized access to taxpayer data. To address the issue, the MDC established a procedure that requires the discs to be timely returned to the MDC for destruction. In addition, the MDC has identified an encryption program that will work with the volume of data on the discs. They plan to implement an encryption process by the end of 2001.

In the April 1999 audit report, the TIGTA also reported that accesses to taxpayer information could not always be traced to a business case or tax examination. In response, the MACS was modified to allow users to capture the Taxpayer Identification Number of the primary case when accessing related tax return information. This is captured on the audit trail. In addition, the MACS audit trail has been enhanced to add additional indicators so audit trail reviewers can determine whether information has been viewed and/or printed.

Additional Follow-up Is Necessary to Ensure that Audit Trail Reviews Are Performed

In the April 1999 audit report mentioned above and in an audit report dated April 2000, the TIGTA reported that audit trails were not being reviewed. In response, the MDC developed a comprehensive Audit Trail Review Guide and provided training to MACS Security Officers based on the Guide. The MDC also included a section on audit trail review requirements in the MACS site authorizations sent to PSP Chiefs in early 2001. The PSP Chiefs were to sign the site authorizations, thereby accepting responsibility for ensuring that the MACS site operates in accordance with requirements described in the document.

Despite these efforts, none of the five field offices that we reviewed were completely following procedures requiring monthly reviews of MACS audit trail and event viewer files. The MACS audit trail captures actions such as viewing and printing tax return information. The event viewer files capture system actions such as unauthorized users attempting to access the system and the addition or deletion of users to the system. Responsibility to review the event viewer files started in early 2000 when the MACS was converted to a new operating system. The event viewer files replaced two audit trail files that existed under the previous operating system.

In three offices the audit trail file, but not the event viewer files, was being routinely (but not always monthly) reviewed. In the two other offices, neither the audit trail nor the event viewer files were being reviewed.

The MACS computers contain a significant amount of tax return information. The computers in the five offices contain information for 25.5 million tax returns filed during 2000 by taxpayers located in the geographic areas covered by the offices.

Our limited testing of audit trail files for two of the offices did not identify any inappropriate access to the ADDS. However, browsing and inappropriate access or attempted access to taxpayer information can go undetected when audit trail and event viewer files are not reviewed.

One reason given for not performing the reviews was that the security officers have difficulty finding time to do these collateral duties. The IRS’ reorganization in late Calendar Year 2000 also played a part. The SB/SE Division has no authority over two security officers that have taken jobs outside of the SB/SE Division. These security officers believed that the duties would be transferred to SB/SE Division employees. In addition, three security officers indicated they had not received instructions about how to use the audit trail and event viewer files under the new operating system. These instructions were e-mailed to PSP Chiefs when many of the existing Chiefs were transitioning to different positions. They may not have forwarded the message to the security officers.

Recommendations

The Commissioner, SB/SE Division, should:

  1. Establish a policy that only SB/SE Division employees can be designated as MACS security officers.
  2. Ensure that all MACS security officers have the current instructions for reviewing both the audit trail and event viewer files.
  3. Establish a formal policy for spot checks of offices to ensure that audit trail reviews are being performed as required.
Management’s Response: Management’s response was due on September 14, 2001. As of September 17, 2001, management had not responded to the draft report.

Information that Tax Returns Have Been Classified and Accepted as Filed Should Be Captured on the Masterfile

Current procedures for electronic classification of tax returns do not require that a case control be established on the Audit Information Management System (AIMS) unless the case is identified for examination. As a result, information that electronically classified tax returns have been classified and accepted as filed is not captured on the Masterfile. Capturing classification results in a retrievable fashion, such as on the Masterfile, is important for proper functioning of the Examination workload selection process and for responding to taxpayer requests for information about their accounts.

While SB/SE Division management is aware of this situation, they have not yet identified an efficient method to capture the information on the Masterfile. Existing systems do not allow for both establishing a case control on a tax return considered for examination and closing the case control in the same action. The SB/SE Division is continuing to study the issue to determine how the information can be captured.

When information that a tax return is accepted as filed is captured on the Masterfile, the tax return is no longer available for DIF classification. However, because information that a tax return is accepted as filed for electronic DIF classification is not captured on the Masterfile, these taxpayers’ tax returns could be subject to an additional scrutiny through the traditional manual DIF classification process. Obtaining the original tax returns for this manual DIF process and the re-classification would also be an unnecessary use of limited IRS staffing.

In addition, disclosure staffs would have no means of knowing that these tax returns were classified and accepted as filed since this information is not captured on the Masterfile and it is not researchable in any other way. As a result, their responses may be incorrect or incomplete to taxpayers who request information about their accounts.

Recommendation

  4. The Commissioner, SB/SE Division, should continue efforts to identify a reasonable and timely solution to capture information on the Masterfile that a tax return is accepted as filed. In the interim, SB/SE Division management should develop procedures to control these cases on the AIMS so the information can flow through to the Masterfile.

Appendix I

Detailed Objectives, Scope, and Methodology

The overall objectives of this review were to determine whether the Small Business/Self-Employed (SB/SE) Division developed effective plans and procedures to use the Alternative DIF Delivery System (ADDS) as a method to identify and select tax returns for examination, and established adequate controls to protect sensitive taxpayer data available on the system. Since the ADDS has not been used extensively and the ADDAPT is still being designed, we were not able to review the results of examinations identified through the systems.

To accomplish our objectives, we conducted audit tests or obtained information from the Denver, CO, and Springfield, NJ, Planning and Special Programs (PSP) offices, the Midwest Automated Compliance system (MACS) Development Center offices, and the SB/SE Division Headquarters Office between February and May 2001. We also conducted limited testing regarding the reviews of audit trails (Step II. E. 3.) in the Chicago, IL; Philadelphia, PA; and Phoenix, AZ, PSP offices.

We conducted the following tests to accomplish our objective.

  I. Determined whether procedures developed to provide for classifying and selecting returns for examination through the ADDS were effective.
    A. Reviewed national and local procedures for selection of returns for examination through the ADDS.
    B. Determined if procedures provide for adequate separation of duties between employees responsible for identifying, selecting, and examining tax returns obtained through the ADDS.
      1. Reviewed the management control information added to the PSP Handbook to determine adequacy of separation of duty instructions.
      2. Identified employees that were authorized to access the ADDS and determined where they were permanently assigned and what their job duties entailed to determine if potential separation of duties issues existed.
      3. Identified the ADDS users that had access to the Examination Returns Control System (ERCS) and the Integrated Data Retrieval System (IDRS) and analyzed system profiles for those systems for potential separation of duties issues.
      4. Discussed how the PSP managers ensured adequate separation of duties within the process.
      5. Discussed separation of duties enhancements provided by the ADDS/MACS with the National MACS Analyst.
    C. Determined if data updates to the ADDS allowed for the selection of returns for examination in selected area offices that was "ratable" during the year (all returns with similar DIF scores had an equal chance of being submitted for classification).
      1. Determined the frequency of data updates to the ADDS. Determined what data validation was done after the update was completed to ensure that there were no errors in loading the data.
      2. Determined what measures were used to ensure that data for all district office/area office taxpayers were included in the system.
      3. Discussed procedures for selecting returns for examination through the ADDS taking into consideration when the data was updated to the ADDS/MACS throughout the year and when returns were posted for the file year.
    D. Determined how the SB/SE Division plans to evaluate the effectiveness of selecting returns through the ADDS.
  II. Determined whether controls were in place to protect taxpayer data on the ADDS and ensure that the data was used only for official purposes.
    A. Assessed physical security controls over access to the ADDS/MACS computers.
    B. Reviewed controls over MACS data discs.
      1. Determined how the MACS data discs were controlled during shipment between offices and once the data was loaded/updated to MACS.
      2. Determined the status/results of studying the costs versus benefits of encrypting the data.
    C. Reviewed the audit trail logs of accesses to the ADDS during December 2000 for Denver, CO, and August and September 2000 for Springfield, NJ. Compared names of employees that accessed the ADDS to the list of authorized employees prepared in Step I. B.2. above.
    D. Determined how approval and the business reason were documented for accessing accounts via the ADDS.
    E. Determined the effectiveness of the ADDS/MACS audit trail and whether it was effectively utilized.
      1. Determined whether necessary information was captured on the audit trail.
        a. Determined if and how user identification was captured.
        b. Determined if an indicator was added to MACS to show when returns were printed.
        c. Determined if MACS was enhanced to associate the Taxpayer Identification Number of the primary case with other related returns and if the feature was being used.
      2. Determined whether tax return accounts identified and printed through the ADDS (those shown on the audit trail logs obtained in step C. above) were controlled on the ERCS/Audit Information Management System (AIMS).
      3. Determined who reviews audit trail logs, how often, how it was documented, and whether they received any training on reviewing audit trails.
      4. Determined who received results of audit trail reviews and how results were used.
      5. Determined whether reviewers tested to ensure that data was only used for official purposes.
      6. Analyzed audit trail review results to determine if deficiencies were identified and how they were resolved.
    F. Analyzed the system for updating the ERCS/AIMS with returns selected for examination from the ADDS.
      1. Determined if the process provided for an effective audit trail on the ERCS/AIMS.
      2. Analyzed physical security over transferring the data.
      3. Determined if the diskettes used for the transfer were adequately secured or the data was deleted once the transfer was complete.
    G. Interviewed the MACS Development Center personnel and:
      1. Determined what enhancements/revisions were planned for the ADDS and the status of the changes.
      2. Identified systemic security features.
  III. Determined the potential effectiveness of selecting returns for examination through the ADDS.
    A. Interviewed PSP employees (ADDS classifiers) in selected area offices and determined:
      1. If they believed information on lines from tax returns that were not transcribed (not available on the ADDS) would be necessary or useful in classification.
      2. If they believed that adjustment issues were missed when returns were selected through the ADDS.
      3. Their perspective (pros and cons) about using the ADDS, especially compared to classification with physical returns.
    B. Interviewed employees that have received returns identified through the ADDS by the Springfield, NJ, PSP office (returns identified by the Denver, CO, PSP office had not been sent to field groups at the time of our visit) to determine:
      1. If they believed returns selected through the ADDS had at least as great of an examination potential as those identified through physical classification.
      2. If they used the ADDS/MACS prints to conduct the examination or if they requested the physical return.
      3. If they believed that adjustment issues were not considered because not all line items were available on the ADDS/MACS for classification.
      4. Their perspective (pros and cons) with using the ADDS compared to examinations identified through physical return classification.

Appendix II

Major Contributors to This Report

Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs)

Parker F. Pearson, Director

Amy L. Coleman, Audit Manager

Joseph P. Snyder, Senior Auditor

Donald Evans, Auditor

Ahmed Tobaa, Auditor

Appendix III

Report Distribution List

Commissioner N:C

Deputy Commissioner N:DC

Deputy Commissioner, Small Business/Self-Employed Division S

Director, Compliance, Small Business/Self-Employed Division S:C

Deputy Director, Compliance, Small Business/Self-Employed Division S:C

Deputy Director, Compliance Policy, Small Business/Self-Employed Division S:C:CP

Chief, Centralized Workload Selection & Delivery, Small Business/Self-Employed Division S:C:CP:CW

Program Manager, Examination Return Selection, Small Business/Self-Employed Division S:C:CP:CW:ERS

Territory Manager, PSP Support, East, Small Business/Self-Employed Division S:C:CP:CW:P:E

Territory Manager, PSP Support, West, Small Business/Self-Employed Division S:C:CP:CW:P:W

Director of Communications, Small Business/Self-Employed Division S:COM

Chief Counsel CC

National Taxpayer Advocate TA

Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O

Director, Legislative Affairs CL:LA

Office of Management Controls N:CFO:F:M

Audit Liaison:

Commissioner, Small Business/Self-Employed Division S