The cost Effectiveness and

The cost Effectiveness and
Security of Taxpayer Data in the
Electronic Transcript Delivery System

June 1999

Reference Number: 092903

June 30, 1999

MEMORANDUM FOR cOMMISSIONER ROSSOTTI

FROM: David c. Williams /s/ David c. Williams

Inspector General

SUBJEcT: Final Audit Report – The cost Effectiveness and Security of Taxpayer Data in the Electronic Transcript Delivery System

This report presents the results of our review of the Internal Revenue Service's (IRS) Electronic Transcript Delivery System (ETDS). ETDS is an automated system to provide third parties, such as mortgage lenders and government agencies, faster access to tax return information. The taxpayer's consent is required before this information is released.

In summary, the cost effectiveness of ETDS has not been determined. Also, IRS management has not adequately addressed the risks that third parties may misuse tax information, and that third parties as well as IRS may not adequately protect tax information from unauthorized disclosures. The IRS can reduce these risks by following through on our recommendations. However, these risks are significant and must be weighed collectively in determining whether to continue development of this project.

We briefed IRS management on the issues contained in this report on April 10, 1998, and provided them a draft of this report for comment on July 2, 1998. In his
February 22,1999, response to the draft report, the Assistant commissioner (Electronic Tax Administration) agreed with most of the findings and recommendations presented. He did not address our recommendations to require third party computer systems to meet minimum security standards and to require background investigations for third party employees who access ETDS. We have also excluded one of our recommendations based on a counsel opinion issued after our draft report.

copies of this report are being sent to the IRS managers who are affected by the report recommendations. Please call me at (202) 622-6500 if you have any questions, or your staff may contact Pamela J. Gardiner, Deputy Inspector General for Audit, at

(202) 622-6510.

Table of contents

Legislation to Restrict the Unauthorized Use of
Tax Return Information by Third Parties Is Incomplete

Security Requirements for Third Party computers Are
Not Adequate to Deter Unauthorized Disclosure of
Tax Return Information

Security of Data on IRS computers Is Not Adequate to
Deter Unauthorized Disclosure of Tax Return Information

conclusion

Appendix I - Detailed Objectives, Scope and Methodology

Appendix II - Major contributors to This Report

Appendix III - Report Distribution List

Appendix IV - Management’s Response to the Draft Report

Appendix V - Office of Audit’s comments to Management’s Response

Executive Summary

The Internal Revenue Service (IRS) is developing the Electronic Transcript Delivery System (ETDS), an automated system to provide third parties, such as mortgage lenders and government agencies, faster access to tax return information. With the taxpayer's consent, the IRS will release up to three years of tax information to each requestor.

ETDS is being designed to provide the information to requestors within 24 hours compared to the 7 to 10 days currently required to process a request for a summary of tax return information received through the mail, and the 60 days required for a photocopy of the tax return. In addition to faster service, the IRS estimated that ETDS could improve voluntary compliance by $2 to $4 billion annually by encouraging taxpayers to report all their income to support their mortgage applications. The IRS estimated it would cost $7.67 million to implement ETDS, but it has not yet developed estimates for operating and maintenance costs.

The objectives of our review were to validate the costs and benefits of ETDS, and determine if controls were adequate to ensure taxpayer privacy and data security.

Results

We could not verify the IRS' estimated costs and benefits for ETDS due to its lack of documentation and testing. However, we did identify concerns over the security and privacy of taxpayer data. The IRS needs to address the following concerns in determining the priority for rolling out the ETDS project compared to other projects needed for IRS modernization:

Potential unauthorized use of the released tax return information by third parties.
Potential unauthorized access to tax information on third party computer systems.
Potential unauthorized access to tax information on IRS computer systems.

Summary of Recommendations

The IRS should initiate legislation to prohibit the unauthorized use of taxpayer information on ETDS by third parties. Also, it should take a more proactive role to advise taxpayers of the risk in releasing data to third parties, and in ensuring better security over taxpayer data by third parties. The IRS also needs to ensure that ETDS meets government security standards.

Management’s Response: With the exception of Recommendation 3, which was not addressed (see pages 7 and 8), the Assistant commissioner (Electronic Tax Administration) has agreed with the findings and has developed corrective actions to address the issues. Management’s comments are incorporated in the report where appropriate, and the full text of their response is included as Appendix IV.

Office of Audit’s comments: We agree with the corrective actions outlined in management’s response. However, the Assistant commissioner (Electronic Tax Administration) did not address Recommendation 3 to require third party computer systems to meet the same security standards the IRS and state agencies are required to meet, and to require background investigations for personnel accessing ETDS. We believe these are important preventive controls that would decrease the risk of unauthorized disclosure while increasing taxpayer confidence in the system.

Objectives and Scope

The objectives of our review were to validate the costs and benefits of the Electronic Transcript Delivery System (ETDS), and determine if controls were adequate to ensure taxpayer privacy and data security. We conducted the review from August 26, 1997, through March 31, 1998, in accordance with Government Auditing Standards.

To accomplish our objectives we:

Reviewed the Internal Revenue Service’s (IRS) assumptions about current and future estimated costs of developing, establishing, and maintaining ETDS.
Reviewed the IRS’ estimated increase in revenues from increased voluntary compliance when ETDS is implemented.
Evaluated the risks to taxpayer privacy and data security by releasing tax return information to third parties under ETDS.

Appendix I provides the detailed objectives, scope and methodology of our review. A listing of major contributors to this report is shown in Appendix II.

Background

Mortgage lenders and some federal agencies indicated they would like to receive IRS tax return information faster and more efficiently than via the current paper process. The paper process provides taxpayers or authorized third parties a summary of tax return information in 7 to 10 workdays after IRS receives the request through the mail.

The IRS is developing ETDS to provide tax data faster and more efficiently. ETDS is an automated system designed to give tax information to third parties, such as mortgage lenders and government agencies, in an electronic format within 24 hours. The request could be for as many as three years of tax return information.

To help ensure fair treatment for taxpayers, Vice President Gore recommended testing and implementing ETDS in his Reinventing Service at the IRS document published in March 1998.

As currently designed, a third party will complete, and have the taxpayer sign, a request for tax return information. The ETDS user will then gain system access only after passing several authorization checks. These checks include a Personal Identification Number, a password, and the use of a Smartcard (a system similar to that used by Automated Teller Machines). Once the request has been placed with the IRS, a series of programs will be used to ensure the accuracy and completeness of the request. After the request passes this validation process, the IRS will place the information in a secure electronic mailbox for receipt by the requestor.

The IRS currently provides tax return information to third parties by mailing them a summary of the tax return information or a photocopy of the tax return. Instructions on the Request for copy or Transcript of Tax Form (Form 4506), indicate it will take 7 to 10 workdays to obtain a summary of this information after IRS receives the request through the mail, and up to

60 calendar days to obtain a copy of the tax return. The summary includes most of the line items from the tax return that the IRS has entered into its computer system. A copy of a tax return includes all tax return information.

ETDS would provide only 24 of the line items from the tax return. It would also include one additional item to reflect a revised taxable income, if applicable (e.g., the taxable income could be revised due to the taxpayer filing an amended tax return or the IRS disallowing deductions). ETDS will also use a validation process and maintain a record to identify the individuals requesting and obtaining the tax return information. With these features, the system could quickly provide relevant tax information.

Results

We could not validate the IRS’ assumptions about future estimated costs of developing, establishing, and maintaining ETDS. The ETDS Project Office has estimated the total cost for implementation of ETDS at $7.67 million, but has not developed sufficient information to support its estimate. In addition, the Project Office does not have sufficient information to determine operating and maintenance costs for ETDS. The Project Office would need the assistance of Information Systems Field Operations personnel in obtaining accurate information regarding the potential future costs of the system. However, these personnel would not be available to assist in this area until the project has been approved for pilot testing. As of
June 7, 1999, ETDS had not been approved for pilot testing.

We also could not validate the Project Office's projections of increased revenue and taxpayer compliance attributed to the use of ETDS. The Project Office estimates ETDS would increase revenue and voluntary compliance by $2 to $4 billion annually by encouraging taxpayers to report all income in support of their mortgage applications. The Project Office, however, has not yet prepared a comprehensive business case to support its projections. The Project Office plans to complete a comprehensive business case by
June 1999, using the information obtained during the pilot testing.

Although ETDS will provide less information on a taxpayer’s return than is being released through the current paper process, ETDS has the potential to greatly increase the number of taxpayers whose tax information is in the hands of third parties. Therefore, the IRS needs to address the following concerns over the security and privacy of taxpayer data in determining the priority of rolling out this project compared to other projects needed for modernization:

Potential unauthorized use of the released tax return information by third parties.
Potential unauthorized access to tax information on third party computer systems.
Potential unauthorized access to tax information on IRS computer systems.

Legislation to Restrict the Unauthorized Use of Tax Return Information by Third Parties Is Incomplete

We have concerns about the potential unauthorized use of taxpayer information and the IRS’ ability to properly enforce laws relating to the improper use of the information. Because taxpayer data will be furnished in an electronic format, third-party users of ETDS could more easily use the electronic tax information in ways other than intended, such as developing marketing or mailing lists.

Legislation is currently being drafted to address this issue. However, in our opinion, the draft legislation is not specific enough to fully address the risks of unauthorized use. Existing legislation is very specific regarding how taxpayer data can be used by other government agencies. For example, the Health care Financing Administration is restricted to using taxpayer data "only for the purposes of, and to the extent necessary in, determining the extent to which any medicare beneficiary is covered under any group health plan." However, the draft legislation does not contain the same specific restrictions on the use of taxpayer data by third parties. For example, mortgage lenders are not restricted to using the data only for mortgage lending activities.

The legislation does not specifically restrict unauthorized use of taxpayer information by third parties. Representatives from the Office of chief counsel, Office of Disclosure, and the Privacy Advocate have also expressed concerns about these issues. The release form taxpayers sign states that IRS has no liability over the use of the information given to third parties. However, we are concerned that taxpayers may not be aware that third parties could misuse the tax information. Having taxpayer data in an electronic format increases the ease, and thus the risk, that it could be misused.

In our opinion, without specifically restricting the use of tax return information, the legislation is not sufficient. ETDS Project Office personnel did not resolve these issues before developing the system.

Recommendations

The IRS should ensure that proposed legislation prohibits the secondary (inappropriate) use of any taxpayer information, including information currently released through other processes.

Management's Response: IRS management agreed and will request that the Internal Revenue code be modified to restrict unauthorized use of tax information by third parties.

The IRS should develop an awareness program to provide direction to taxpayers if they believe confidential tax return information has been inappropriately released.

Management's Response: IRS management agreed and will communicate to taxpayers through information provided in Form 4506, and common publications and instructions for the Form 1040 family.

Security Requirements for Third Party computers Are Not Adequate to Deter Unauthorized Disclosure of Tax Return Information

There are no regulations or procedures in place to protect the tax return information released by the IRS to third parties. The risk exists that computer "hackers" or employees of third parties could access and misuse the tax information from ETDS.

The number of requests for taxpayer information released through ETDS may dramatically increase over the current paper volume if other industries (such as automotive dealers or high-dollar retail sellers) gain access to ETDS for income verification. Such an increase will result in an even greater risk of unauthorized disclosures.

The IRS is required to maintain minimum security standards over tax return information. When this information is shared with state agencies, IRS Disclosure Officers are required to make visitations to the agencies to ensure that proper security controls are in place. However, the IRS has no plans to require the same security over electronic tax return information released to private businesses.

The draft Memoranda of Understanding (MOU) between third parties and the IRS for using ETDS do not include computer security standards that would safeguard taxpayer information. IRS counsel is of the opinion that computer security standards should not be included in the MOU. counsel does not want taxpayers to perceive the IRS as still "owning" the tax information after it has been provided to third parties.

However, releasing electronic tax return information to third parties is a new process for the IRS, and adequate controls must be established to safeguard taxpayer data. While mortgage lenders have been able to work with the paper processing time frame, the shorter time frame using ETDS could generate more requests, as well as interest from other industries.

Also, even though the IRS requires background checks on all of its employees who have access to taxpayer data, the draft MOUs do not require background investigations of third party employees who will have access to ETDS.

Recommendation

Electronic Tax Administration (ETA) management should incorporate security requirements, similar to those with which the IRS must comply, into the MOU and provide oversight of third parties to help ensure that tax return information is adequately protected. This would include ensuring third party computer systems meet the same security requirements as IRS and state agencies. In addition, ETA management should require background investigations of personnel in all entities accessing ETDS.

Management's Response: Management responded that, during the pilot, access to ETDS will be revoked if violations occur, and the system will be monitored for unauthorized disclosures through a confirmation program with taxpayers. Access will be limited by the use of passwords and Smartcards.

Office of Audit comment: IRS management did not address our recommendation that third party computer systems be required to meet the same security requirements as federal and state agencies when receiving taxpayer data. IRS management also did not address our recommendation to require background investigations for personnel accessing ETDS. We believe these are important preventive controls that would decrease the risk of unauthorized disclosure while increasing taxpayer confidence in the system.

The confirmation program, as proposed in management’s response, would be ineffective because it would validate only the taxpayers’ authorizations to release the information, and would not identify unauthorized disclosures by third parties.

Security of Data on IRS computers Is Not Adequate to Deter Unauthorized Disclosure of Tax Return Information

As mentioned earlier, the IRS must ensure that the ETDS computer system meets minimum security standards to protect electronic tax return information when the system is implemented. These standards are provided in Treasury Directive 71-10. Not meeting these standards increases the risks that computer "hackers" or unauthorized IRS employees could access and misuse tax information on IRS computers.

As noted in the System Security Test and Evaluation final report dated September 5, 1997, ETDS had not met these requirements in its current configuration. The report identified five problems encountered during testing:

All computer connections were not properly secured.
An audit log had not been established to track accesses.
The security officer had not been appointed.
The security officer had not been trained.
Encryption codes to prevent unauthorized accesses of electronically transmitted data were not changed every 45 days.

ETDS Project Office personnel had not placed sufficient emphasis on the security of data on ETDS computers.

Recommendation

ETA management needs to review the final configuration of ETDS before implementation to ensure that it adequately reduces the risk of unauthorized disclosures, and to ensure that the identified shortcomings are addressed.

Management's Response: ETDS was certified on May 15, 1998, and an additional endorsement was provided on July 6, 1998, from the chief Operations Officer. The Office of Security Standards and Evaluation was revalidating the certification as of December 9, 1998. ETDS is also undergoing a

Year 2000 certification.

Office of Audit comment: As of May 25, 1999, management had not completed the security certification.

conclusion

As designed, the ETDS will provide a faster process for providing limited tax return information to third parties than the current paper method. However, the following concerns should be resolved before further developing the system: insufficient information on the cost effectiveness of ETDS, insufficient legislation over inappropriate use of taxpayer information by third parties, and inadequate computer security which could lead to possible unauthorized disclosure of tax information on third party and IRS computers.

Appendix I

Detailed Objectives, Scope and Methodology

The Electronic Transcript Delivery System (ETDS) is an automated process being developed by the Internal Revenue Service (IRS) to release tax return information to third parties in an electronic format. We conducted this review to validate the costs and benefits of ETDS, and determine if controls were adequate to ensure taxpayer privacy and data security. To accomplish our objectives, we performed the following steps:

Reviewed the cost documentation for Fiscal Years 1996 and 1997 for reasonableness. The documentation reviewed included salaries, travel, hardware and software costs, and vendor costs.
Discussed with the ETDS Project Office the costs associated with initial implementation of the system nationwide (maintenance and operating costs after implementation had not been determined by the Project Office).
Reviewed the IRS information regarding the $2 to $4 billion increase in voluntary compliance due to ETDS.
Reviewed the outside contractor’s test results of the project to determine if it successfully passed the test. The contractor’s tests included: system hardware and software, telecommunication hardware and software, system interface, internal and external users, system security, and system performance.
Reviewed the outside contractor’s test results of the project to determine if the project was being designed to meet minimum government security requirements, known as c2 level of security.
Reviewed the draft Memoranda of Understanding for lenders and other federal agencies.
Discussed the security over the requests for information in the paper environment with Northeast Region Audit.
conducted a walk-through at the Fresno IRS Service center to determine how it processes paper requests.
Discussed any security or privacy concerns held by the Privacy Advocate, Disclosure, and counsel as it relates to ETDS.
Discussed with Legislative Affairs the legislation being drafted to restrict unauthorized use of released return tax information.

Appendix II

Major contributors to This Report

Stephen Mullins, Regional Inspector General for Audit

Gail Yorgason, Audit Manager

Richard calderon, Auditor

Bill Richards, Auditor

Karl Zenft, Auditor

Appendix III

Report Distribution List

National Director for Legislative Affairs cL:LA
chief Operations Officer OP
Assistant commissioner (Electronic Tax Administration) OP:ETA
Assistant commissioner (Research & Statistics of Income) OP:RS
Assistant commissioner (customer Service) OP:c
Assistant commissioner (Forms and Submission Processing) OP:FS
Office of Management controls M:cFO:A:M
chief counsel cc
Office of the National Taxpayer Advocate c:TA
Systems Standards and Evaluation Office IS:E
Audit Liaisons:
Assistant commissioner (Electronic Tax Administration) OP:ETA
Assistant commissioner (Research and Statistics of Income) OP:RS
Assistant commissioner (customer Service) OP:c
Assistant commissioner (Forms and Submission Processing) OP:FS
chief counsel cc
Office of the National Taxpayer Advocate c:TA
Systems Standards and Evaluation Office IS:E

Appendix IV

Management's Response to the Draft Report

Response has been removed due to its size. To see the complete Response, please go to the Adobe PDF version of this report.

Appendix V

Office of Audit’s comments to Management’s Response

Based on information provided in the response from the Assistant commissioner (Electronic Tax Administration) to our July 2, 1998, draft report (see Appendix IV), we:

Revised Recommendation 1 by deleting two of the three items that were part of the recommendation in the draft report. We deleted the recommendation to specify penalties and fines for unauthorized use of tax information because they are covered by existing laws. We also deleted the recommendation to designate a responsible official to ensure compliance with the law because the Internal Revenue Service (IRS) could not effectively do this based on the volume of requests received. See Management’s Response to Recommendation 1 on pages 15 and 16.
Deleted one finding and the related recommendation from this final audit report based on the opinion by Disclosure Litigation. See Recommendation 5 in Management's Response on page 19.

The following documents are referred to in Management's Response and were included as Attachments to the response, but have not been included in this final report because of the size of the documents:

Attachment A - Blank copy of Form 4506 (Rev. 5-97), Request for copy or Transcript of Tax Form
Attachment B - Blank copy of Form 4506 (Rev. 5-97), Request for copy or Transcript of Tax Form with suggested revisions
Attachment c - Two memoranda as follows:
Memorandum dated July 6, 1998, from chief Operations Officer to Assistant commissioner (Electronic Tax Administration), subject "Electronic Transcript Delivery System (ETDS) Accreditation"
Memorandum dated May 15, 1998, from Director, Telecommunications and Operations Division to Director, Office of Research, subject "certification Transmittal Memorandum for Electronic Transcript Delivery System (ETDS)" with two attachments:

-Electronic Transcript Delivery System (ETDS) certification Statement

-Electronic Transcript Delivery System (ETDS) Security Evaluation Report

Attachment D - Memorandum dated July 27, 1998, from chief, Branch 4 (Disclosure Litigation) to Regional Inspector, Western Region, subject "Disclosure of Net Operating Loss Information"