With the advent of electronic filing in 1986, the number of tax returns claiming fraudulent refunds has increased dramatically. As a result, the Internal Revenue Service (IRS) developed the Electronic Fraud Detection System (EFDS). At its inception, there were four basic goals for EFDS. These goals were to:

• Automate the labor-intensive manual screening process of the Questionable Refund Program.
• Improve techniques to identify returns with the highest potential for fraud, and ensure that these returns were reviewed.
• Increase data sources to improve detection of fraud.
• Enhance scheme development for referral to the districts for criminal prosecution.

We performed this review to determine if EFDS was meeting its program goals, objectives and proper control standards, and if the Project Office maintained reliable project cost data.

The IRS has achieved many successes relative to its development of EFDS. Overall, EFDS has met most of its program goals and the needs of its users. The Project Office is working toward added functionality to help increase the criminal Investigation Division’s (cID) ability to detect fraudulent returns.

While the automated system is a significant improvement over the manual process used prior to EFDS, there are still changes that can be made to further improve or manage the system. We identified issues of concern regarding security of the system, delivery and effectiveness of some applications, and accounting for project costs. Some of the identified conditions from this report were also reported in prior Office of Audit reports. Specifically, these issues include:

• Initial and periodic password changes were not enforced.
• EFDS contingency plans were not updated and tested.
• EFDS Project costs were not accurate and complete.

Although management implemented corrective actions for these conditions, the actions did not resolve the past conditions.

Specific concerns regarding the security of EFDS, delivery and effectiveness of some applications, and accounting for project costs follow.

Based on the sensitivity of the information processed, EFDS must meet controlled Access Protection requirements, also known as c2 security requirements. EFDS obtained c2 security certification from the IRS certifying official on June 15, 1996. However, the issues discussed in this report illustrate that controls to prevent and detect unauthorized access to sensitive taxpayer data are not adequate within EFDS, and call into question whether EFDS should have received its unconditional security certification. We plan to separately review the certification process during Fiscal Year 1999.

Issues discussed in this report include the following:

• Access controls should be improved.
• The EFDS application audit trail does not capture essential information or, in some instances, does not contain accurate information.
• The EFDS application audit trail is ****2b,2e****.
• Security reviews at the service centers are not being performed.
• Security documentation is not current and, in some instances, does not reflect current system programming.
• contingency plans need to be updated and tested.

We have the following recommendations related to the above issues.

The Project Office should work with EFDS developers to ensure there are adequate controls over user passwords, to limit failed login attempts at workstation terminals, to ensure that audit trail records are maintained for all accesses to taxpayer data, and to ensure audit trail records are accurate.

The Project Office should review the current c2 required documentation and update the information to reflect the current programming and operating procedures of EFDS. It should also ensure that EFDS contingency plans are updated and tested at least annually.

Information Systems (IS) should clearly define, in the Internal Revenue Manual or other policy statements, who is responsible for performing security reviews on systems such as EFDS, and ensure that these reviews are performed.

We were informed that EFDS will soon undergo a new security certification. In our opinion, taking into account the audit trail and documentation issues discussed in this report, it is questionable whether EFDS should have received its prior security certification. In the upcoming certification process, IS should ensure that the issues discussed in this report are corrected, and that all other controls necessary for a proper certification are in place and functioning.

EFDS will meet all of its stated goals only after all requested applications are delivered and properly functioning. EFDS was not functioning as designed when sorting cases to ensure returns with the highest potential for fraud are reviewed first. Also, some EFDS applications are not being delivered timely by contract developers.

We recommend that the EFDS Project Office ensure program changes are made to EFDS which would allow returns with the highest fraud potential to be worked first. Also, the Project Office and cID should reach formal agreement on the requirements for EFDS. When the functional requirements are delivered, the Project Office should give timely, complete, and detailed feedback regarding changes necessary to the functional requirements.

Improvements are needed to accurately account for EFDS costs. The Project Manager has not ensured that cost figures maintained by the Project Office were complete or accurate. We identified accounting discrepancies in Project Office records that resulted in total costs being understated by $22.3 million. IRS officials need complete, accurate, and reliable accounting data to make informed decisions regarding EFDS costs and benefits.

Using the information we developed as a starting point, we recommend that the Project Office make a thorough review of EFDS cost records to ensure that no other misstatements or omissions have occurred. Also, the Project Office should maintain a schedule to track both non-Project Office and Project Office costs, and should reconcile its cost data to source documentation and to the Automated Financial System (AFS) on a regular basis.

Management’s Response: IS management agreed with the findings and has developed the following corrective actions to address the issues:

• The EFDS Project Office has taken steps to strengthen password controls and will work with the Assistant commissioner for Program Management and Architecture to strengthen access controls and to improve the system’s audit trail capabilities.
• All c2 security documents and contingency plans will be updated according to guidelines. The EFDS Project Office will ensure all controls necessary for security certification are in place.
• The IRS’ Office of Security Standards and Evaluation agreed to perform management reviews to ensure that security reviews of EFDS and other sensitive systems are performed.
• EFDS programming was changed to allow priority returns with the highest fraud potential to be worked first in processing year 1999. In addition, the EFDS Project Office is in the process of implementing a configuration control Board, and Requirements Traceability within the project which will require all partners to agree to the requirements of the system before they are forwarded for approval.
• The EFDS Project Office will use cost information identified during this audit as a beginning and will use IRS mandated systems to continue to track and reconcile costs.

We concur with the corrective actions outlined in their response. Their response is incorporated into the body of the report where appropriate. The complete text of management’s response is presented as Appendix V.

2b = Law Enforcement Guideline(s)
2e = Law Enforcement Procedure(s)