TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION


Foreign Account Tax Compliance Act:  Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System


September 27, 2013


Reference Number: 2013-20-118


This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.


Phone Number / 202-622-6500

E-mail Address / TIGTACommunications@tigta.treas.gov

Website / http://www.treasury.gov/tigta


HIGHLIGHTS

FOREIGN ACCOUNT TAX COMPLIANCE ACT:  IMPROVEMENTS ARE NEEDED TO STRENGTHEN SYSTEMS DEVELOPMENT CONTROLS FOR THE FOREIGN FINANCIAL INSTITUTION REGISTRATION SYSTEM


Final Report issued on September 27, 2013

Highlights of Reference Number:  2013-20-118 to the Internal Revenue Service Chief Technology Officer and the Commissioner, Large Business and International Division.

IMPACT ON TAXPAYERS

The development of the Foreign Financial Institution Registration System allows the IRS to support requirements of the Foreign Account Tax Compliance Act (FATCA) legislation.  The expected benefits of this information technology project include the ability to:  1) effectively register Foreign Financial Institutions; 2) increase annual enforcement revenue; and 3) support the IRS’s new overall information reporting system for the FATCA.  The successful development, deployment, and implementation of the Foreign Financial Institution Registration System should significantly improve taxpayer compliance internationally and enhance IRS tax administration.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine whether the IRS’s systems development approach for the Foreign Financial Institution Registration System is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals.  Specifically, TIGTA evaluated the IRS’s key management controls and processes over program management, security control processes, testing documentation, requirements management, and fraud detection controls.

WHAT TIGTA FOUND

The IRS is developing the Foreign Financial Institution Registration System within its new Enterprise Life Cycle Iterative Path systems development and testing process.  The initial system release was substantially developed and nearing deployment when the IRS terminated the effort in November 2012.  Following new Department of the Treasury regulations, changes with Intergovernmental Agreements, and new processes needed to implement the FATCA, the IRS was unable to fully utilize the initial system.  Subsequently, the IRS modified and expanded the scope of the system requirements.  The major redesign and initiation of a new development effort was necessary because the IRS did not sufficiently develop requirements for the initial Foreign Financial Institution Registration System as needed for new system development.

While the IRS has taken steps to improve management controls for this major information technology investment, additional improvements are needed to ensure consistent adherence to risk mitigation processes for program management, security control processes, testing documentation, and requirements management.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer and the Commissioner, Large Business and International Division, timely identify and communicate system changes for future FATCA releases and ensure that the IRS consistently documents and maintains test cases and test results.  In addition, the Chief Technology Officer should ensure that adequate program management controls are in place and consistently followed to allow the IRS to accomplish its FATCA goals and objectives.  Finally, the Chief Technology Officer should ensure that all system requirements documentation includes the requirements being tested and all security requirements, and that corresponding test cases are identified and sufficiently traced, managed, and tested.

The IRS agreed with all six recommendations.  However, TIGTA believes that the action plans provided by the IRS for two of the recommendations were not fully responsive.


September 27, 2013


MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
               COMMISSIONER, LARGE BUSINESS AND INTERNATIONAL DIVISION

FROM:          Michael E. McKenney /s/ Michael E. McKenney
               Acting Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Foreign Account Tax Compliance Act:  Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System (Audit # 201320015)


This report presents the results of our review of the Foreign Financial Institution Registration System (FRS).  The overall objective of this review was to determine whether the Internal Revenue Service’s (IRS) systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at Foreign Account Tax Compliance Act milestones and goals.  This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2013 Annual Audit Plan and addresses several major management and performance challenges confronting the IRS including:  Implementing the Affordable Care Act and Other Tax Law Changes; Globalization; and Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).


Table of Contents


Background

Results of Review

Program Management Controls Were Not Consistently Followed During the Development of the First Release of the Foreign Financial Institution Registration System

Recommendation 1:

Recommendation 2:

Security Controls Need Improvement to Ensure Long-Term Success of the Foreign Financial Institution Registration System

Recommendation 3:

Testing Documentation Procedures Need Improvement

Recommendations 4 and 5:

Requirements Management Controls Need Improvement

Recommendation 6:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Glossary of Terms

Appendix VI – Management’s Response to the Draft Report


Abbreviations


FATCA   Foreign Account Tax Compliance Act

FI      Financial Institution

FFI     Foreign Financial Institution

FRS     Foreign Financial Institution Registration System

IGA     Intergovernmental Agreement

IRM     Internal Revenue Manual

IRS     Internal Revenue Service

IT      Information Technology

LB&I    Large Business and International

PMO     Program Management Office

RTVM    Requirements Traceability Verification Matrix

SAT     System Acceptability Testing

SCA     Security Controls Assessment


Background


The Foreign Account Tax Compliance Act (FATCA) is an important development in the efforts to improve U.S. tax compliance involving foreign financial assets and offshore accounts.  The FATCA legislation was enacted in 2010 as part of the Hiring Incentives to Restore Employment Act.[1]  Changes required by the FATCA will:  1) combat tax evasion by U.S. persons holding investments in offshore accounts; 2) expand the Internal Revenue Service’s (IRS) global presence; 3) pursue international tax and financial crimes; 4) fill a gap in the IRS’s information reporting system; and 5) generate additional enforcement revenue.  The Department of the Treasury issued the final FATCA regulations on January 28, 2013.

The FATCA legislation directly impacts three key groups:  1) taxpayers who meet the reporting requirements threshold for foreign financial assets; 2) Foreign Financial Institutions (FFI) that report to the IRS foreign financial account information exceeding certain thresholds held by U.S. taxpayers; and 3) withholding agents[2] who withhold a 30 percent tax on taxpayers who fail to properly report their specified financial assets related to U.S. investments.

Prior to the FATCA legislation, the IRS did not have an international system to detect tax evasion by U.S. persons holding investments in FFIs, including foreign financial assets or offshore accounts.  The IRS is developing a new international system called the FFI Registration System (FRS) to support the requirements of the FATCA legislation.  The FFIs will register and then provide offshore account information that is reported through the FRS.  The new system is a major information technology investment[3] for the IRS.  The FRS is the first of the FATCA systems development projects planned through Fiscal Year 2017.  The first release includes requirements for Drop 1 and Drop 2.[4]  FRS users include registered officers of the FFIs and IRS employees.  Figure 1 presents a timeline for key FATCA legislative and FRS development activities.

Figure 1:  Timeline - FATCA Legislative and FRS Development Activities

FATCA Legislative/FRS Development Activity | Date

FATCA Legislation Enacted | March 18, 2010

FRS Project Started System Development | April 25, 2011

FATCA Project Kickoff Meeting | July 19, 2011

FRS Release 1.0 Milestones 1/2 Exit | September 15, 2011

FRS Release 1.0 Milestones 3/4a/4b Start | September 16, 2011

Proposed FATCA Regulations Issued | February 8, 2012

FATCA Governance Board Approved Creation of Information Technology (IT) FRS Project Management Office | September 13, 2012

Intergovernmental Agreement (IGA) Scope Changes Identified | November 2, 2012

FRS Release 1.0 Terminated[5] | November 5, 2012

FRS Release 1.1 Redesigned | January 7, 2013

Final FATCA Regulations Issued | January 28, 2013

FATCA Governance Board Approved Scope and Schedule Changes to Develop Release 1.1 | January 31, 2013

FRS Release 1.1 Drop 1 Scheduled Deployment[6] | July 14, 2013

FATCA IT Program Management Office (PMO) Stand-up | August 2013

FRS Release 1.1 Drop 2 Scheduled | November 2013

FFIs Deadline to Register on the FRS | April 25, 2014

IRS Publishes First Participating FFI List | June 2, 2014

Withholding Begins on All U.S. Payments | July 1, 2014

Source:  Treasury Inspector General for Tax Administration analysis, dated August 7, 2013.

The objective of our audit was to determine whether the IRS’s systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals.

This review was performed at the Large Business and International (LB&I) Division offices in Washington, D.C., and the IT Organization offices at the New Carrollton Federal Building in Lanham, Maryland, during the period January through July 2013.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.


Results of Review


Program Management Controls Were Not Consistently Followed During the Development of the First Release of the Foreign Financial Institution Registration System

The IRS is developing the FRS within its new Enterprise Life Cycle Iterative Path systems development and testing process.  The initial system release was substantially developed and nearing deployment when the IRS terminated the effort in November 2012.  Following new Department of the Treasury regulations, changes with IGAs, and new processes needed to implement the FATCA, the IRS was unable to fully utilize the initial system.  Subsequently, the IRS modified and expanded the scope of the system requirements.  The major redesign and initiation of a new development effort was necessary because the IRS did not sufficiently develop requirements for the initial FRS as needed for new system development.  While the IRS has taken steps to improve management controls for this major information technology investment, additional improvements are needed to ensure consistent adherence to risk mitigation processes for program management, security control processes, testing documentation, and requirements management.

The first release of the FRS was substantially developed and nearing deployment

The FRS is needed to register FFIs to assist in achieving the primary objective of the FATCA legislation, which is the disclosure of U.S. taxpayer foreign accounts.  By November 2012, the IRS had made a significant investment in developing Release 1.0 of the FRS and was one month away from deployment of a major software release.

The FFI registration process is electronic through the FRS; however, online registration is not mandatory and a paper process is currently available.  The IRS informed us that after the planned initial 12-month registration period, FFI registration will be an ongoing function.  The IRS also estimated that 200,000 to 400,000 FFIs, expected to be foreign entities, will register through the FRS.  Once FFIs are registered, they will be asked to provide identifying information for certain U.S. accounts maintained by the institution such as account number, balance, gross receipts, and withdrawals.  Figure 2 highlights examples of key capabilities and features developed for FRS Release 1.0.

Figure 2:  Examples of Key Capabilities and Features of FRS Release 1.0

Capability:  The FRS is a modern web-based application with 24/7 accessibility.  Specifically, it:

·       Allows Financial Institution (FI) users to establish an online account, including the ability to choose a password and create challenge questions.

·       Displays a customized home page for FIs to manage their accounts.

·       Ensures security for all data provided on behalf of FIs.

·       Provides FIs with tools to oversee member and/or branch information.

·       Establishes a streamlined environment for FIs to register in one place.

Capability:  The FRS provides flexibility for FIs to report on and manage information throughout their corporate structure (branch and members).  Specifically, the system:

·       Generates automatic notifications when an FI status changes.

·       Implements a universal numbering system (Global Intermediary Identification Number) that can be used by local taxing authorities.

·       Allows FIs to appoint delegates (points of contact) to perform registration tasks.

Source:  FRS overview presented by the IRS to the Treasury Inspector General for Tax Administration on February 21, 2013.

The FRS project team has followed the IRS Enterprise Life Cycle Iterative Path provisions for systems development projects.[7]  For example, planned project scope and activities were detailed in a Project Management Plan and a Work Breakdown Structure, and regular oversight of project progress was accomplished during monthly Information Technology Project Control Reviews.  In addition, the Project Management Plan identified dependencies for the development of the FRS.

Release 1.0 was approaching the scheduled deployment date when the IRS terminated it

In November 2012, approximately one month before the initial FRS was scheduled to be deployed, IRS executives terminated Release 1.0.  The IRS provided the following reasons for termination of Release 1.0 and the redesign of the FRS:

·       The FATCA regulations took more than 11 months to be finalized.  During this time, the IRS was developing Release 1.0 of the FRS.  After the final regulations were issued in January 2013, the IRS identified requirements in the regulations that were not part of the design of Release 1.0.

·       Department of the Treasury negotiations on IGAs with different countries identified changes to the FFIs’ responsibilities in the registration process.

·       The Release 1.0 requirements did not meet the complexities of these registration changes; therefore, the IRS decided to terminate Release 1.0.  In order to incorporate the requirements from the regulations and the IGA changes, the IRS began developing Release 1.1.

·       As FATCA processes were developed, the IRS determined the need to create a unique identifier for the FFIs that successfully register.  This unique identifier must be present on the IRS Participating FFI list to inform withholding agents of an FFI’s FATCA status and to track an FFI’s U.S. account reporting. 

The IRS also informed us that FRS scope changes were necessary due to the following changes in the IGAs:

·       IGA negotiations with foreign countries resulted in the proposal of an alternative framework for implementing the FATCA.

·       Two Reporting Models were decided upon:  Model 1[8] and Model 2.[9]

·       Reciprocal[10] and Non-Reciprocal Versions of Model 1 were decided upon.  In the case of a reciprocal Model 1 IGA, the IRS agrees to provide the country with reciprocal information on foreign citizens from their jurisdictions who have U.S. accounts. 

·       Competent Authority Agreements[11] would be entered into to further implement the IGAs.

To address the issues encountered while developing Release 1.0, FATCA management plans to establish a new IT Organization PMO in Applications Development within the Fiscal Year 2013 time frame.  Going forward with the FRS, it is important that the IRS address and build on the following critical lessons learned[12] from Release 1.0, including: 

·       Working with the System Acceptability Testing (SAT) and Security Controls Assessment (SCA) teams to identify their needs and address them in advance.

·       Working on the requirements and baselining them as early as possible in order to speed up the development process.

·       Identifying much earlier the Business Objects Enterprise reports, requirements, calculation fields, and system deployment reports for the drop.

During our review, we determined that program management control processes did not timely identify and communicate system design changes to ensure the successful development of the FRS.  Beginning in April 2011, the FATCA PMO, comprised of LB&I Division and IT personnel, began development of FRS Release 1.0.

Major revisions of the FATCA business requirements began in late 2012 following delays with finalization of the FATCA regulations and the IGA negotiations, both of which occurred outside of the IRS’s control.  These revisions were needed to expand and modify the FRS scope to address key policy issues, and to modify, add, or delete existing system requirements.  The IRS provided documentation showing that, in September 2012, it became aware that the program scope was expanding.  During that time frame, the IRS also initiated the creation of a new IT Organization PMO to help mitigate FATCA system development risks.

In November 2012, Release 1.0, originally scheduled for production in December 2012, was terminated.  In December 2012, the IRS began revisiting the work it completed prior to resuming work to design FRS Release 1.1 (two drops) in January 2013, and integrating various portions of the Enterprise Life Cycle artifacts from Release 1.0.  The first system delivery (referred to as Drop 1) of Release 1.1’s planned two drops was originally scheduled to deploy on July 1, 2013, but was pushed back to July 29, 2013.  On July 30, 2013, IRS management confirmed that Drop 1 for Release 1.1 was deployed.

The IRS spent $8.6 million and took 19 months to develop FRS Release 1.0 before the effort was terminated.  The IRS informed us that it was able to include most of the functionality developed for Release 1.0 in Release 1.1.  The IRS originally planned to spend a total of $14.4 million to develop and deploy the FRS.  However, the current cost estimate to deploy the system in Release 1.1 is $8.0 million.  This $8.0 million in addition to the $8.6 million already spent on Release 1.0 results in a total cost of $16.6 million for the FRS.  Based on current estimated costs for Release 1.1 ($16.6 million) compared to the planned cost for Release 1.0 ($14.4 million), we identified the potential inefficient use of resources to be $2.2 million.  See Appendix IV for details on this outcome.

Program management control processes were not consistently followed to ensure the successful development of the FRS

During our review, we determined that program management controls were not consistently followed to ensure the successful development of the FRS.  Beginning with an initial FRS Project Kickoff meeting in July 2011, LB&I Division worked with the IT Organization and led the development efforts for the FRS. 

To develop successful new information technology systems needed for the FATCA, the IRS must plan, monitor, and control the work specified by the system life cycle.  This should include the adequate formation and management of information technology projects.

In September 2012, the FATCA Governance Board approved the creation of a FATCA IT Organization PMO to execute, monitor, and control all FATCA information technology projects through Fiscal Year 2017.

The IRS is taking steps to establish an IT Organization PMO to lead FATCA systems development, including the FRS Release 1.1 activities.  The acting program director for the current PMO does not yet have staff assigned for program management activities.  Further, the IT Organization’s PMO for FATCA systems relied on resources provided by a separate Applications Development organization.  IRS officials informed us that initialization of the planned IT Organization PMO has been delayed due to budget constraints.  While the FRS is currently the only FATCA Program project under development, other information technology projects are planned for development through Fiscal Year 2017.

Inadequate controls over key system development risk areas, as subsequently discussed, put the system at risk of not functioning as intended once it is moved into production.  Without effective program management controls, the IRS lacks assurance that current and future FATCA projects will be adequately managed to ensure long-term success.  Strengthening the existing IT PMO for the FATCA would better enable the IRS to maintain adequate systems development risk mitigation controls, including system requirements management, key test processes and documentation, and information technology cost estimates and schedules.

Recommendations

Recommendation 1:  The Chief Technology Officer and the Commissioner, LB&I Division, should ensure that the FATCA Organization PMO and FATCA information technology management timely identify and communicate system changes to minimize costs and reduce waste for future information technology development projects.

            Management Response:  The IRS agreed with this recommendation and stated that it will ensure that the LB&I Division and the IT PMO will continue to work very closely to ensure that they timely identify and communicate system changes to minimize costs and reduce waste for future information technology development projects.  Also, in the written response, the Chief Technology Officer disagreed with our conclusion that a major redesign of the system was necessary due to the IRS not sufficiently developing requirements and, hence, the title of our audit report.

Office of Audit Comment:  In the IRS’s response to the draft report, the Chief Technology Officer takes exception with our conclusion that a major redesign of the system was necessary due to the IRS not sufficiently developing requirements.  Our audit found, however, that major additional work was required in Release 1.1 because of the significant increase in the number of requirements from the time Release 1.0 was terminated through the completion of the Release 1.1 requirements development.

The Chief Technology Officer also disagreed with our conclusion that adequate program controls improvements are necessary.  During our audit closing discussion with IRS management, we discussed our concerns about specific management controls needed for major information technology investments.  Specifically, we informed the IRS and we maintain that FATCA requirements should be considered in an Enterprise Architecture.  Consideration to goals and milestones for the FATCA within the IRS’s Enterprise Architecture would better enable the LB&I Division and the IT Organization PMO to work more effectively and efficiently going forward to strengthen program management controls and guide major information technology planning and investments.  Moreover, this important management control could better enable the IRS to avoid unnecessary costs and delays with IT development projects required for the FATCA.

In its written comments, the IRS also informed us that the FRS Release 1.1 Drop 2 deployment date is November 2013.  We have made the necessary change to this date in our final report.

Recommendation 2:  The Chief Technology Officer should ensure that adequate program management controls are in place and are consistently followed to guide the future system development activities needed for the FATCA and to better position the IRS to accomplish its FATCA goals and objectives.

            Management Response:  The IRS agreed with this recommendation and the FATCA Program Management Plan will be approved by the FATCA Governance Board.  The plan will ensure that adequate program management controls are in place and will guide future system development activities.

Security Controls Need Improvement to Ensure Long-Term Success of the Foreign Financial Institution Registration System

The SCA Security Test Plan was not completed

The IRS must ensure that the FRS operates with appropriate management review and that there is adequate monitoring of system security controls.  Specifically, the Security Assessment and Authorization process involves completing the SCA Security Test Plan.  However, the FRS plan will not be available until mid-September 2013, when all SCA testing is completed for both Drops 1 and 2 of Release 1.1.  We observed the SCA testing held in July 2013 and believe that the SCA testing results for Drop 1 should be in the plan before Drop 1 is deployed.

This process is an important risk mitigation control for ensuring that all test cases are traced to specific security requirements.  By not including the SCA testing results for Drop 1, the IRS may be unable to adequately determine whether:

·       The SCA Test Plan included adequate security controls prior to deployment of the FRS.

·       The security controls aligned with the National Institute of Standards and Technology guidance, IRS requirements and testing manuals, and other applicable standards.

·       The SCA Test Plan contained test cases that tested all the security requirements.

·       The test cases were mapped to the security controls.

Failed security controls identified by SCA testing require corrective actions prior to system implementation

During our fieldwork, we also observed that, at the beginning of the SCA testing, SCA testers did not have the documentation to verify that testing of the SA-10 (developer configuration management) and SA-11 (developer security testing) controls had been completed.  The SA-10 and SA-11 documentation was eventually provided during the SCA testing period.  While the SA-10 test cases passed, one SA-11 test case failed.

Cybersecurity management needs to ensure that the SA-11 security control is adequately tested according to established National Institute of Standards and Technology and IRM guidelines.  Without assurance that this control is in place, the FRS may not operate as intended.

Recommendation

Recommendation 3:  The Chief Technology Officer should ensure that the SCA Test Plan and Developer Security Test and Evaluation Plan are prepared so that all security requirements, security controls, and test cases are identified, traced, and tested, and all security testing is performed before deployment of Drop 1 to ensure that the FRS operates as intended.

            Management Response:  The IRS agreed with this recommendation and stated that the FATCA PMO will improve oversight of security requirements and associated testing by first identifying security testing gaps in the Lessons Learned Report.  In addition, the FATCA PMO will ensure that developer testing activities are included in the FRS Drop 2 schedule.

Testing Documentation Procedures Need Improvement

For successful systems development, it is important that test cases are created to test specific conditions.  IRS systems development guidelines are in place for developing and tracing requirements to test cases.[13]  The documentation for these risk mitigation processes should demonstrate that the requirements were adequately tested in order to validate that the FRS is functioning as intended.  In addition, each test case must utilize specific test data that are developed or acquired to verify that all required conditions are met.

On May 14 and 15, 2013, during the SAT for the FRS, we found the SAT testers and the Business Office Environment testers were inconsistently following testing procedures to document their test cases. 

·       First observation:  The SAT testers are required to document their test cases in a spreadsheet that includes the test script, the requirements being tested, the expected results, and the actual results.  The Business Office Environment testers provided very limited test steps and had no documentation available for these steps.  It is important that project-generated test artifacts or work products, such as test plans, test scripts, test cases, test reports, and measurements be recorded and maintained in an approved repository.

·       Second observation:  In one case, the SAT tester shared plans to create a new test case from an error in a script instead of failing the test case and retesting it.  This condition highlighted the risk of testers independently writing their own tests.  To ensure the integrity of the testing process, the individual who writes the test case should not be the same person testing the case.  Specifically, it is important that the test team[14] review and analyze the requirements, create test cases/scripts, execute the test cases, and document the results in an approved traceable repository.  This risk mitigation control is not in place if testers are permitted to independently create and execute their own test cases during the testing process.

The IRS issued new testing procedures in May 2013 stating that:

The objective is to have everyone using the same tools and techniques and follow the same repeatable steps so that the organization can quantify how well the procedure is working and train future staff members who may not currently know the routine.  Ensuring consistency is a critical component for ensuring optimum efficiency.

The FRS testing conditions that we observed, however, reflect inconsistencies in testing documentation procedures for the SAT testers and the Business Office Environment testers.

Further, the IRS acknowledged in a June 2013 Risk Detail Report for the FRS that Performance Testing was scheduled to end June 7, 2013; however, it has been delayed due to errors…in the SAT environment.  Based on our review, we concluded that one or more of the errors identified during the SAT testing may have been caused by a database programming error not detected by the SAT testers.

Recommendations

Recommendation 4:  The Chief Technology Officer should ensure that all testing groups follow the recently established Internal Revenue Manual (IRM) procedures for documenting test cases for consistency in testing requirements and in detecting and correcting errors to ensure that the FRS meets all of its requirements as needed.

            Management Response:  The IRS agreed with this recommendation and stated that testing groups will continue to follow the recently established IRM procedures for documenting test cases to maintain consistency in testing requirements and in detecting and correcting errors to ensure that FRS meets all of its requirements as needed.

Recommendation 5:  The Commissioner, LB&I Division, should establish IRM procedures for all testing groups to ensure that documentation of test cases is consistent with and supports the IT Organization requirements testing process.

            Management Response:  The IRS agreed with this recommendation and stated that the LB&I Division will meet with IT Organization professionals with subject matter expertise to ensure that documentation of test cases is consistent with and supports the IT Organization’s requirements testing processes.  Applicable IRMs will be modified as appropriate.

Requirements Management Controls Need Improvement

On April 4, 2013, the IRS informed us that there were a total of 1,409 requirements for the FRS Release 1.1.  The IRS subsequently provided us with the April 30, 2013, Requirements Traceability Verification Matrix (RTVM) for Drop 1, which had 892 requirements listed.  The IRS explained that the difference between the 1,409 requirements and the 892 requirements in the April 30, 2013, RTVM was the requirements for Drop 2.  Although we agree that the April 30, 2013, RTVM was for Drop 1 SAT testing, that version of the RTVM still had approximately 100 out-of-scope Drop 2 requirements listed.

We observed SAT testing in May 2013.  We subsequently reviewed the test cases and found requirements that could not be traced back to the April 30, 2013, RTVM.  The IRS explained that the RTVM was not brought up to date until during and after the completion of Drop 1 SAT testing.

We concluded that the Enterprise Systems Testing team did not have an up-to-date RTVM in place to ensure complete traceability between the FRS requirements and test cases.  This process is an important risk mitigation control for ensuring that all test cases are traced to specific requirements.  Otherwise, incomplete, missing, or invalid requirements could lead to an adverse impact on the functionality of the FRS or jeopardize the successful implementation of future FATCA systems.
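The two testing findings above (test cases lacking documented scripts and results, the same person writing and executing a case, and test cases that do not trace to an in-scope RTVM requirement) are mechanically checkable.  The following is an added example, not IRS code: the record layouts, identifiers such as REQ-001/TC-01, and the sample data are constructed to exhibit the observed problems.

```python
"""Consistency checks for a System Acceptability Test (SAT) case log against a
Requirements Traceability Verification Matrix (RTVM).  Added example; record
layouts and sample data are constructed, not taken from the FRS project."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Requirement:
    """One RTVM row: the requirement and the release drop it is scoped to."""
    req_id: str
    drop: int


@dataclass
class TestCase:
    """One row of the testers' spreadsheet (constructed layout)."""
    case_id: str
    req_ids: List[str]
    author: str       # who wrote the test case
    executor: str     # who ran it
    script: str = ""
    expected: str = ""
    actual: str = ""


# Columns that must be filled in for a test case to count as documented.
REQUIRED_FIELDS: Tuple[str, ...] = ("script", "expected", "actual")
Finding = Tuple[str, str]  # (finding type, affected identifier)


def check_test_cases(rtvm: List[Requirement], cases: List[TestCase],
                     in_scope_drop: int) -> List[Finding]:
    """Return every control failure found, in the order it was detected."""
    findings: List[Finding] = []
    rtvm_ids = {r.req_id for r in rtvm}
    # The RTVM used for a drop's SAT should carry only that drop's requirements.
    for r in rtvm:
        if r.drop != in_scope_drop:
            findings.append(("OUT_OF_SCOPE_REQ", r.req_id))
    covered = set()
    for c in cases:
        # Documentation completeness: script, expected and actual results.
        for name in REQUIRED_FIELDS:
            if not getattr(c, name).strip():
                findings.append(("MISSING_FIELD", f"{c.case_id}:{name}"))
        # Separation of duties: the author of a case must not execute it.
        if c.author == c.executor:
            findings.append(("SELF_TESTED", c.case_id))
        # Traceability: every case maps to requirements present in the RTVM.
        if not c.req_ids:
            findings.append(("NO_REQUIREMENT", c.case_id))
        for rid in c.req_ids:
            if rid in rtvm_ids:
                covered.add(rid)
            else:
                findings.append(("UNTRACEABLE", f"{c.case_id}->{rid}"))
    # Coverage: every in-scope requirement has at least one test case.
    for r in rtvm:
        if r.drop == in_scope_drop and r.req_id not in covered:
            findings.append(("UNTESTED_REQ", r.req_id))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by type, for a test status report."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample: a Drop 1 RTVM that still carries one Drop 2 requirement,
# and four test cases exhibiting the documentation problems described above.
SAMPLE_RTVM = [
    Requirement("REQ-001", drop=1),
    Requirement("REQ-002", drop=1),
    Requirement("REQ-003", drop=2),   # out of scope for Drop 1 SAT
    Requirement("REQ-004", drop=1),   # no test case references it
]
SAMPLE_CASES = [
    TestCase("TC-01", ["REQ-001"], "tester_a", "tester_b",
             "Submit registration", "Record created", "Record created"),
    TestCase("TC-02", ["REQ-002"], "tester_b", "tester_b",     # self-tested
             "Edit registration", "Update saved", "Update saved"),
    TestCase("TC-03", ["REQ-099"], "tester_a", "tester_b",     # bad trace
             "Withdraw registration", "Status withdrawn", ""),  # no result
    TestCase("TC-04", [], "tester_a", "tester_c",               # no requirement
             "", "Login succeeds", "Login succeeds"),           # no script
]


def run_sample_audit() -> List[Finding]:
    return check_test_cases(SAMPLE_RTVM, SAMPLE_CASES, in_scope_drop=1)


if __name__ == "__main__":
    for kind, detail in run_sample_audit():
        print(f"{kind:17} {detail}")
```

Run against the sample, the check reports the stale Drop 2 requirement, the self-tested case, the two undocumented fields, the untraceable and unlinked cases, and the in-scope requirement that no case exercises.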

Recommendation

Recommendation 6:  The Chief Technology Officer should ensure that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes, and that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA system requirements are included in test cases and tested.

            Management Response:  The IRS agreed with this recommendation and currently ensures that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes.  In addition, the IRS makes certain that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA requirements are included in test cases and tested.

Office of Audit Comment:  While the Chief Technology Officer agreed with our recommendation that IRM guidelines should be followed, during our audit we observed that the RTVM had a significant number of requirements that were not in-scope for the SAT testing.  Our concern is that, although the recent changes in IRS guidelines allow for updates to the RTVM throughout the requirements management and testing processes, at the outset of and during the test, the RTVM should contain specific requirements for the test cases.  We maintain that improved controls are needed to ensure that all requirements trace to test cases.  

In future reviews of systems development activities for the FATCA, we will continue to consider the adequacy of the new IRM guidelines for RTVM development and implementation.  Also, the program-level RTVM should be maintained throughout the requirements management and testing processes to ensure complete functionality of the FRS and long-term successful implementation of the FATCA Program.  We believe that the IRS’s corrective action as provided is non-responsive to our recommendation because it does not address the need for appropriate, in-scope requirements to be established and documented in the RTVM at the beginning of the testing life cycle.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

Our overall objective was to determine whether the IRS’s systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals.  To accomplish our objective, we:

I.  Determined whether key systems development controls were in place within the IRS's Enterprise Life Cycle Iterative Path[15] methodology for the FRS in accordance with Department of the Treasury, Office of Management and Budget, the IRM, and other applicable guidance.

A.  Determined whether FRS risks were properly identified, monitored, and mitigated in accordance with applicable guidance.

1.  Judgmentally[16] selected eight of 21 risks with a Risk Identification Date from March 1, 2012, up to the May 23, 2013, FATCA Risk Detail Report.  The sample of eight risks:  a) had a status of Red; b) did not have a status of Withdrawn; and c) were inside the scope of FATCA Release 1.1, Drop 1.

2.  Re-performed the risk analysis on the judgmentally selected sample from Step I.A.1. to determine whether we agree with the IRS's conclusion for each risk.

B.  Determined whether the IRS is adequately managing the requirements and change management risks and system testing activities for the FRS to effectively address the requirements of the FATCA legislation in accordance with applicable guidance.

II.  Considered whether the IRS was effectively estimating and tracking budgeted and actual costs, performance goals, and key milestones for the FRS in accordance with Department of the Treasury, Office of Management and Budget, IRM, and other applicable financial management guidance.

A.  Identified the FRS's budget and planned life cycle costs and determined whether controls were in place to effectively manage these costs.

B.  Identified the FRS's actual life cycle costs and determined if they are being effectively managed.

III.  Determined whether required systems security controls have been sufficiently planned and addressed in the design of the FRS and whether systems security testing activities are adequate for ensuring the protection of FFIs' Personally Identifiable Information and other sensitive data in accordance with Department of the Treasury, Office of Management and Budget, IRM, and National Institute of Standards and Technology guidance, as well as other applicable guidance.

A.  Determined if required security controls are designed into the FRS.

B.  Determined if Personally Identifiable Information is part of the FRS.

C.  Determined if fraud detection controls are being designed into the FRS.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  IRM and related IRS guidelines and the processes followed in the development of information technology projects.  We evaluated these controls by conducting interviews with management and staff, observing testing activities, and reviewing documentation.  Documents reviewed include the FATCA Project Management Plan, the FATCA Program Configuration Management Plan, and other documents that provided evidence of whether the IRS is adequately managing systems development risks for the FATCA Project.

 

Appendix II

 

Major Contributors to This Report

 

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Gwendolyn McGowan, Director, Systems Modernization and Applications Development

Suzanne Westcott, Audit Manager

Mark Carder, Lead Auditor

Cindy Harris, Senior Auditor

Lynn Ross, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Acting Commissioner

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Deputy Commissioner, Large Business and International Division  SE:LB

Deputy Commissioner (International) Executive Assistant  SE:LB:IN

Deputy Chief Information Officer for Operations  OS:CTO

Director, Privacy, Governmental Liaison and Disclosure  OS:P

Associate CIO, Applications Development  OS:CTO:AD

Associate CIO, Cybersecurity  OS:CTO:C

Director, Risk Management Division  OS:CTO:SP:RM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Director, Risk Management Division  OS:CTO:SP:RM

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

Methodology Used to Measure the Reported Benefit:

The IRS had spent $8.6 million over 19 months to develop FRS Release 1.0 before the effort was terminated.  The IRS informed us that they were able to include most of the functionality developed for Release 1.0 with its development of Release 1.1.  The IRS originally estimated $14.4 million to develop and deploy the FRS.  However, the current cost estimate to deploy the system with Release 1.1 is $8.0 million.  This $8.0 million estimate is in addition to the $8.6 million already spent on Release 1.0 for an estimated cost of $16.6 million for the FRS.  Based on current estimated costs for Release 1.1 ($16.6 million) compared to the estimated cost for Release 1.0 ($14.4 million), we identified the potential inefficient use of resources to be $2.2 million.

Total:  $2.2 million

 

Appendix V

 

Glossary of Terms

 

Term

Definition

Enterprise Architecture

The IRM 2.15.1.1.2 defines an Enterprise Architecture as a strategic information asset base which defines the mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to the changing needs of the mission.  The Enterprise Architecture will:

  • Capture the current state of the IRS Enterprise in an As-Built Architecture.
  • Define the desired future state of the IRS Enterprise in a Target Architecture.
  • Define a plan for getting from the current state to the desired future state in a Transition Strategy and Release Architecture.

The IT Organization also posted on its website that the Enterprise Architecture is defined as the process of translating business vision and strategy into effective enterprise change by creating, communicating, and improving the key requirements, principles, and models that describe the enterprise’s future state and enable its evolution.  The IRS Enterprise Architecture is a tool used by business and IT managers to plan and manage their investments in business and technology solutions.

Intergovernmental Agreement

The U.S. Department of the Treasury agreement with foreign countries to implement the information reporting and withholding tax provisions of the FATCA via an automatic exchange of information.

Iterative Path

An adaptive development approach in which projects start with initial planning and end with deployment, with repeated cycles of requirement discovery, development, and testing in between.  It is a more flexible and adaptable process than traditional sequential development approaches.

Large Business and International Division

Serves corporations, subchapter S corporations, and partnerships with assets greater than $10 million.  These entities typically have large numbers of employees, deal with complicated issues involving tax law and accounting principles, and conduct their operations in an expanding global environment.

Personally Identifiable Information

Information that, either alone or in combination with other information, can be used to uniquely identify an individual.  Some examples of Personally Identifiable Information are:  name, Social Security Number, date of birth, place of birth, address, and biometric record.

Requirement

A formalization of a need; it is the statement of a capability or condition that a system, subsystem, or system component must have or meet to satisfy a contract, standard, or specification.

Requirements Traceability Verification Matrix

A tool that documents requirements and establishes the traceability relationships between the requirements to be tested and their associated test cases and test results.

SA-10 Developers Configuration Testing

Information system developers implement a configuration management process that manages and controls changes to the system, implements only IRS-approved changes, documents all approved changes, and tracks security flaws.

SA-11 Developers Security Testing

Addresses confidentiality, integrity, and availability of the software; data processed by the system; and resolution of issues that could result in security vulnerabilities.

Security Controls Assessment Security Test Plan

Security Controls Assessment is conducted in the IRS production environment and consists of activities designed to ensure that the system’s security safeguards are in place and functioning as intended.

System Acceptability Test

Verifies that the system satisfies software application requirements.

Withholding Agent

A U.S. or foreign person who has control, receipt, custody, disposal, or payment of any item of income of a foreign person that is subject to withholding.  A withholding agent may be an individual, corporation, partnership, trust, association, or any other entity, including any foreign intermediary, foreign partnership, or U.S. branch of certain foreign banks and insurance companies.

 

Appendix VI

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D. C. 20224

 

CHIEF TECHNOLOGY OFFICER

 

 

September 10, 2013

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:  Terence V. Milholland /s/ Terence V. Milholland

Chief Technology Officer

 

SUBJECT:                       Draft Audit Report - TIGTA Draft Report - Foreign Account Tax Compliance Act:  Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System (Audit# 201320015)

 

Thank you for the opportunity to review and respond to the subject audit report.  IRS agrees with recommendations as noted by TIGTA with respect to the FATCA program.  This Congressionally-mandated program will allow the IRS to significantly improve taxpayer compliance internationally and enhance IRS tax administration.

 

In response to your recommendation we have attached our corrective action plan.  While we agreed with the recommendations, we take exception to the conclusion drawn by TIGTA that states a major redesign of the system was necessary due to IRS not sufficiently developing requirements and hence the title of the TIGTA report.  As we discussed during the audit, the major redesign was due to late regulatory changes, driven by significant public feedback on the draft regulations that impacted the in-flight system design.  The facts show that IRS terminated the release immediately upon learning of the new regulations.  In addition, to ensure the new FATCA development was implemented and deployed timely and within acceptable cost thresholds, IRS management timely identified and communicated system changes to minimize costs and reduce waste.  IRS continues to adhere to published guidance, standards and procedures for life-cycle development, testing and program management.  Therefore, we disagree with TIGTA's conclusion that adequate program controls improvements are necessary.  FATCA did in fact have strong program management principles in place as evidenced by TIGTA's statements on Page 5 of the Draft Report.

 

We would also like to reiterate what we discussed during the audit and express our non-concurrence with the outcome measure outlined in the Draft Report.  The $2.2M cost increase was attributed to the late changes in scope due to determination of the final regulations resulting from the Hiring Incentives to Restore Employment (HIRE) Act of 2010.  FATCA Registration development was well underway in order to meet the already tight deadline for the existing law before the change in legislated scope requirements resulted in an additional $2.2M in cost.  The cost overrun was not due to inefficient use of resources as stated in the report; rather, a change of legislated scope that we had no choice but to account for by mandatory congressional deadlines.  IRS leadership supporting the FATCA effort leveraged staff from legacy investments and matrixed them into the program in order to meet the deadlines for FATCA registration despite other competing priorities and staffing shortages due to a continuing hiring freeze.

 

We would like to bring a discrepancy to your attention in the report.  In Figure 2, the deployment date for FRS Release 1.1 Drop 2 is reported as April 2014.  However, the scheduled deployment date is November 2013.

 

We value your continued support and the assistance your organization provides.  If you have any questions, please contact me at (202) 622-6800, or a member of your staff may contact Lisa Starr, Senior Manager of Program Oversight, at (202) 283-3607.

 

Attachment

 

Attachment

 

RECOMMENDATION #1:  The Chief Technology Officer and the Commissioner, LB&I Division, should ensure that the FATCA Organization PMO and FATCA information technology management timely identify and communicate system changes to minimize costs and reduce waste for future IT development projects.

 

CORRECTIVE ACTION #1:  We agree with this recommendation.  LB&I and IT PMO will continue to work very closely to ensure that they timely identify and communicate system changes to minimize costs and reduce waste for future IT development projects.

 

IMPLEMENTATION DATE:  None

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Applications Development and Director, International Data Management, LB&I

 

CORRECTIVE ACTION MONITORING PLAN:  None

 

RECOMMENDATION #2:  The Chief Technology Officer should ensure that adequate program management controls are in place and are consistently followed to guide the future system development activities needed for FATCA and to better position the IRS to accomplish its goals for improving the benefits its FATCA goals and objectives.

 

CORRECTIVE ACTION #2:  We agree with this recommendation.  The FATCA Program Management Plan will be approved by the FATCA Governance Board.  This plan will ensure that adequate program management controls are in place and will guide future system development activities.

 

IMPLEMENTATION DATE:  January 25, 2014

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #3:  The Chief Technology Officer should ensure that the SCA Test Plan and Developer Security Test and Evaluation Plan are prepared so all security requirements, security controls, and test cases are identified, traced, and tested, and all security testing is performed before deployment of Drop 1 to ensure that the FRS operates as intended.

 

CORRECTIVE ACTION #3:  We agree with this recommendation.  The FATCA PMO will improve oversight of security requirements and associated testing by first identifying security testing gaps in the Lessons Learned Report.  In addition, FATCA PMO will ensure that developer testing activities are included in the Foreign Financial Institute Registration Drop 2 schedule.

 

IMPLEMENTATION DATE:  November 25, 2013

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #4:  The Chief Technology Officer should ensure that testing groups follow the recently established IRM procedures for documenting test cases for consistency in testing requirements and in detecting and correcting errors to ensure that the FRS meets all of its requirements as needed.

 

CORRECTIVE ACTION #4:  We agree with this recommendation.  Testing groups will continue to follow the recently established IRM procedures for documenting test cases to maintain consistency in testing requirements and in detecting and correcting errors to ensure that FRS meets all of its requirements as needed.

 

IMPLEMENTATION DATE:  None

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  None

 

RECOMMENDATION #5:  The Commissioner, LB&I Division should establish IRM procedures for all testing groups to ensure documentation of test cases is consistent with and supports the IT organization requirements testing process.

 

CORRECTIVE ACTION #5:  LB&I agrees with this recommendation.  LB&I will meet with Information Technology professionals with subject matter expertise to ensure that documentation of test cases is consistent with and supports the IT organization's requirements testing processes.  Applicable IRMs will be modified as appropriate.

 

IMPLEMENTATION DATE:  November 25, 2014

 

RESPONSIBLE OFFICIAL:  William Holmes, Director, International Data Management, LB&I

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #6:  The Chief Technology Officer should ensure that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes, and that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA system requirements are included in test cases and tested.

 

CORRECTIVE ACTION #6:  We agree with this recommendation.  We currently ensure that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes.  In addition, we make certain that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA requirements are included in test cases and tested.

 

IMPLEMENTATION DATE:  None

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Applications Development

 

CORRECTIVE ACTION MONITORING PLAN:  None



[1] Pub. L. No. 111-147, 124 Stat. 71 (2010).

[2] See Appendix V for a glossary of terms.

[3] Internal Revenue Manual 2.16.1.3.4.2, (April 25, 2012) defines a major information technology investment as having an annual cost of more than $5 million per year and a total life cycle cost of greater than $50 million.

[4] Drop 1 is the FRS functionality for FFI user requirements for Release 1.1.  The FRS Drop 1 was originally scheduled to deploy on July 1, 2013.  Drop 2 is the FRS functionality for IRS user requirements for Release 1.1. 

[5] FRS Release 1.1 thereafter leveraged the work performed in and associated with deliverables from Release 1.0.

[6] IRS furlough days and testing delays pushed the Drop 1 deployment back two weeks.

[7] The Enterprise Life Cycle Iterative Path received IRS executive approval on September 12, 2011.

[8] Model 1:  The Treaty Partner country agrees to provide the IRS with FATCA-specific data on U.S. accounts in its country via the exchange of information.  FFIs in the Treaty Partner country report to the Tax Authority, not directly to the IRS.

[9] Model 2:  FFIs in the Treaty Partner country report U.S. taxpayer account information directly to the IRS, rather than going through their Tax Authority; certain additional information, such as details on recalcitrant account holders, will be reported through the Tax Authority.

[10] The reciprocal version of the IGA provides for the United States to exchange information currently collected on accounts held in U.S. financial institutions by residents of partner countries, and includes a policy commitment to pursue regulations and support legislation that would provide for equivalent levels of exchange by the United States. 

[11] A Competent Authority Agreement is an agreement between persons or organizations (e.g., foreign countries) that have the legally delegated or invested authority, capacity, or power to perform designated functions.

[12] The IRS provided a list of 15 lessons learned from the termination of Release 1.0. 

[13] Internal Revenue Manual (IRM) 2.110, Requirements Engineering, Requirements Engineering Process, (February 1, 2013) provides guidelines for developing requirements, while IRM 2.127, Software Testing Standards and Procedures, (May 15, 2013) provides guidelines for tracing the requirements to the test cases and executing the test cases.  IRM 2.127.1.2 states that test cases are created to document specific conditions to be tested. 

[14] IRM 2.127.2.1.5.3, IT Test Preparation Procedure, (May 15, 2013) provides the activity steps to verify the test environment review documentation; prepare test cases, scripts, and data; and conduct a test readiness review.  IRM 2.127.2.1.6.3, IT Test Execution Procedure, (May 15, 2013) provides the activity steps to execute test cases/scripts, document results, and report the test status.

[15] See Appendix V for a glossary of terms.

[16] A judgmental sample is a non-statistical sample, the results of which cannot be used to project to the population.