MODERNIZED E-FILE WILL ENHANCE PROCESSING OF ELECTRONICALLY FILED INDIVIDUAL TAX RETURNS, BUT SYSTEM DEVELOPMENT AND SECURITY NEED IMPROVEMENT

Treasury Inspector General for Tax Administration

Office of Audit

MODERNIZED E-FILE WILL ENHANCE PROCESSING OF ELECTRONICALLY FILED INDIVIDUAL TAX RETURNS, BUT SYSTEM DEVELOPMENT AND SECURITY NEED IMPROVEMENT

Issued on May 26, 2010

Highlights

Highlights of Report Number: 2010-20-041 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Modernized e-File Project’s (MeF) goal is to replace the Internal Revenue Service’s (IRS) current tax return filing technology with a modernized, Internet-based electronic filing platform. This will allow more individual taxpayers to take advantage of the benefits of electronic filing, while streamlining the IRS’ filing processes and reducing the costs associated with paper tax returns. The IRS’ management of the Project’s risks, requirements, and security can be improved to ensure the capabilities expected and approved to be deployed are appropriately implemented.

WHY TIGTA DID THE AUDIT

This review was part of our Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS. The overall objective of this review was to determine whether the MeF Project Release 6.1 development activities provided the capability to electronically receive, process, and secure U.S. Individual Income Tax Returns (Form 1040), delivering the intended benefits to the IRS and taxpayers.

WHAT TIGTA FOUND

On February 17, 2010, the IRS deployed MeF Release 6.1 and began processing electronically filed individual income tax forms. The MeF Release 6.1 development included a plan to limit the volume of forms for Calendar Year 2010 so the IRS and tax form transmitters have an opportunity to observe system behavior.

Although System Integration Test Results indicated all application requirements were tested and passed, supporting test documents showed that many of the requirements were not tested and many more failed the tests and no indication was provided to show the defects were corrected. During the first 3 weeks of operation, the MeF system rejected 23 percent of the individual income tax returns filed.

Additionally, TIGTA found that improvements to guidance in managing requirements and risks could have enhanced the project development schedule. The Project Team reported capacity testing as a risk to the project schedule, and may have identified the components of this earlier in the project development design phase by reviewing prior release development and deployment experiences – Lessons Learned Reports.

Further, controls were not adequate to manage all of the MeF system security risks, issues, and action items. Information provided by the IRS about the status of the previously reported security vulnerabilities showed that in December 2009, 10 of the 13 vulnerabilities were resolved. However, the January 2010 Security Test and Evaluation reported that only 2 of the 13 vulnerabilities were resolved.

WHAT TIGTA RECOMMENDED

TIGTA recommended the Chief Technology Officer ensure that project releases are deployed only after all system requirements are tested and met and that test results are verified to ensure their completeness and accuracy. Further, project development guidance should be modified to require consideration of prior Lessons Learned Reports and the Risk Identification Procedure as input to Project Initiation and Phase Kickoff Meeting Procedure.

To adequately control and resolve all MeF system security issues, the Chief Technology Officer should ensure the Cybersecurity organization completes implementation of the process to ensure that system owners comply with IRS policy to enter and track all system security weaknesses in IRS control systems.

In its response to the report, the IRS stated it plans to update project development guidance and that it completed the process to control system security weaknesses as of March 25, 2010. The IRS disagreed with the recommendation about release deployment only after testing showed requirements were met, citing milestone readiness reviews and the Executive Steering Committee as controls. With the significant number of failed tests and the resulting problems in rejected individual income tax returns filed, TIGTA questions whether the Executive Steering Committee had sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020041fr.html.

Email Address: inquiries@tigta.treas.gov

Phone Number: 202-622-6500

Web Site: http://www.tigta.gov