TREASURY INSPEcTOR GENERAL
FOR TAX ADMINISTRATION
REVIEW OF THE ELEcTRONIc FRAUD DETEcTION SYSTEM
Reference No. 093009
With the advent of electronic filing in 1986, the number of tax returns claiming fraudulent refunds has increased dramatically. As a result, the Internal Revenue Service (IRS) developed the Electronic Fraud Detection System (EFDS). At its inception, there were four basic goals for EFDS. These goals were to:
We performed this review to determine if EFDS was meeting its program goals, objectives and proper control standards, and if the Project Office maintained reliable project cost data.
The IRS has achieved many successes relative to its development of EFDS. Overall, EFDS has met most of its program goals and the needs of its users. The Project Office is working toward added functionality to help increase the criminal Investigation Divisionís (cID) ability to detect fraudulent returns.
While the automated system is a significant improvement over the manual process used prior to EFDS, there are still changes that can be made to further improve or manage the system. We identified issues of concern regarding security of the system, delivery and effectiveness of some applications, and accounting for project costs. Some of the identified conditions from this report were also reported in prior Office of Audit reports. Specifically, these issues include:
Although management implemented corrective actions for these conditions, the actions did not resolve the past conditions.
Specific concerns regarding the security of EFDS, delivery and effectiveness of some applications, and accounting for project costs follow.
Security of the System
Based on the sensitivity of the information processed, EFDS must meet controlled Access Protection requirements, also known as c2 security requirements. EFDS obtained c2 security certification from the IRS certifying official on June 15, 1996. However, the issues discussed in this report illustrate that controls to prevent and detect unauthorized access to sensitive taxpayer data are not adequate within EFDS, and call into question whether EFDS should have received its unconditional security certification. We plan to separately review the certification process during Fiscal Year 1999.
Issues discussed in this report include the following:
We have the following recommendations related to the above issues.
The Project Office should work with EFDS developers to ensure there are adequate controls over user passwords, to limit failed login attempts at workstation terminals, to ensure that audit trail records are maintained for all accesses to taxpayer data, and to ensure audit trail records are accurate.
The Project Office should review the current c2 required documentation and update the information to reflect the current programming and operating procedures of EFDS. It should also ensure that EFDS contingency plans are updated and tested at least annually.
Information Systems (IS) should clearly define, in the Internal Revenue Manual or other policy statements, who is responsible for performing security reviews on systems such as EFDS, and ensure that these reviews are performed.
We were informed that EFDS will soon undergo a new security certification. In our opinion, taking into account the audit trail and documentation issues discussed in this report, it is questionable whether EFDS should have received its prior security certification. In the upcoming certification process, IS should ensure that the issues discussed in this report are corrected, and that all other controls necessary for a proper certification are in place and functioning.
Delivery and Effectiveness of Some Applications
EFDS will meet all of its stated goals only after all requested applications are delivered and properly functioning. EFDS was not functioning as designed when sorting cases to ensure returns with the highest potential for fraud are reviewed first. Also, some EFDS applications are not being delivered timely by contract developers.
We recommend that the EFDS Project Office ensure program changes are made to EFDS which would allow returns with the highest fraud potential to be worked first. Also, the Project Office and cID should reach formal agreement on the requirements for EFDS. When the functional requirements are delivered, the Project Office should give timely, complete, and detailed feedback regarding changes necessary to the functional requirements.
Accounting for Project costs
Improvements are needed to accurately account for EFDS costs. The Project Manager has not ensured that cost figures maintained by the Project Office were complete or accurate. We identified accounting discrepancies in Project Office records that resulted in total costs being understated by $22.3 million. IRS officials need complete, accurate, and reliable accounting data to make informed decisions regarding EFDS costs and benefits.
Using the information we developed as a starting point, we recommend that the Project Office make a thorough review of EFDS cost records to ensure that no other misstatements or omissions have occurred. Also, the Project Office should maintain a schedule to track both non-Project Office and Project Office costs, and should reconcile its cost data to source documentation and to the Automated Financial System (AFS) on a regular basis.
Managementís Response: IS management agreed with the findings and has developed the following corrective actions to address the issues:
We concur with the corrective actions outlined in their response. Their response is incorporated into the body of the report where appropriate. The complete text of managementís response is presented as Appendix V.
2b = Law Enforcement Guideline(s)
2e = Law Enforcement Procedure(s)