The Internal Revenue Service (IRS) is developing the Electronic Transcript Delivery System (ETDS), an automated system to provide third parties, such as mortgage lenders and government agencies, faster access to tax return information. With the taxpayer's consent, the IRS will release up to three years of tax information to each requestor.

ETDS is being designed to provide the information to requestors within 24 hours compared to the 7 to 10 days currently required to process a request for a summary of tax return information received through the mail, and the 60 days required for a photocopy of the tax return. In addition to faster service, the IRS estimated that ETDS could improve voluntary compliance by $2 to $4 billion annually by encouraging taxpayers to report all their income to support their mortgage applications. The IRS estimated it would cost $7.67 million to implement ETDS, but it has not yet developed estimates for operating and maintenance costs.

The objectives of our review were to validate the costs and benefits of ETDS, and determine if controls were adequate to ensure taxpayer privacy and data security.

We could not verify the IRS' estimated costs and benefits for ETDS due to its lack of documentation and testing. However, we did identify concerns over the security and privacy of taxpayer data. The IRS needs to address the following concerns in determining the priority for rolling out the ETDS project compared to other projects needed for IRS modernization:

• Potential unauthorized use of the released tax return information by third parties.

• Potential unauthorized access to tax information on third party computer systems.

• Potential unauthorized access to tax information on IRS computer systems.

The IRS should initiate legislation to prohibit the unauthorized use of taxpayer information on ETDS by third parties. Also, it should take a more proactive role to advise taxpayers of the risk in releasing data to third parties, and in ensuring better security over taxpayer data by third parties. The IRS also needs to ensure that ETDS meets government security standards.

Management’s Response: With the exception of Recommendation 3, which was not addressed (see pages 7 and 8), the Assistant commissioner (Electronic Tax Administration) has agreed with the findings and has developed corrective actions to address the issues. Management’s comments are incorporated in the report where appropriate, and the full text of their response is included as Appendix IV.

Office of Audit’s comments: We agree with the corrective actions outlined in management’s response. However, the Assistant commissioner (Electronic Tax Administration) did not address Recommendation 3 to require third party computer systems to meet the same security standards the IRS and state agencies are required to meet, and to require background investigations for personnel accessing ETDS. We believe these are important preventive controls that would decrease the risk of unauthorized disclosure while increasing taxpayer confidence in the system.