TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE SHOULD STRENGTHEN SYSTEM CONTROLS AND REEVALUATE THE PURPOSE OF THE ENFORCEMENT REVENUE INFORMATION SYSTEM
Reference No. 2000-30-124
The Enforcement Revenue Information System (ERIS) is an automated system developed to track Internal Revenue Service (IRS) enforcement revenues and associated costs. Enforcement revenues include the assessment and collection of all dollars resulting from IRS enforcement efforts.
The Department of the Treasury and the IRS use the ERIS for planning and budgeting. The ERIS also supplies data for the four IRS business units and is cited as a data source for measuring future IRS business results.
The ERIS works by compiling enforcement data from various IRS functional systems. These functions include Examination, Office of the Chief Counsel, Appeals, and Collection. Data from function-based "feeder" systems, such as the Examination Divisionís Audit Information Management System (AIMS) and the Information Returns Program (IRP), are merged with Masterfile and Non-Masterfile data to create summary databases from which ERIS reports are generated.
The overall objective of this audit was to assess ERIS data reliability. To achieve this objective, we determined if the ERIS accomplishes its stated purpose of compiling statistics and dollars associated with IRS tax collection enforcement actions. The scope of the review also included reviews of controls within the ERIS and limited data testing. Unless otherwise noted, we relied on comments provided by IRS management and did not specifically test control weaknesses identified to determine their actual effect. The audit was not intended to identify specific errors in ERIS reports but rather to evaluate the system controls and processing which affect data reliability. We also did not review the accuracy of functional IRS systems that supply enforcement data to the ERIS.
Our assessment of data reliability is separated into opinions based upon the two types of data (revenues and costs) the ERIS was intended to compile and report. Regarding the revenue data, we cannot issue an unqualified opinion on data reliability because the ERIS has systemic design and control weaknesses that can affect the reliability of historical and future revenue data and because the reliability of systems that supply data to the ERIS has not been determined. However, we did identify many system controls working as designed, and the results of our system functionality tests identified no processing discrepancies.
Regarding cost data, we cannot express an opinion on data reliability because the ERIS does not compile or report complete cost data associated with enforcement actions. For example, in Fiscal Year (FY) 1997, the ERIS did not report on at least $2.1 billion in enforcement-related costs. The ERIS does report direct hours for the Examination, Office of the Chief Counsel, and Appeals Divisions; however, these hours are not converted to costs. The incomplete cost data are contrary to the original intent of the ERIS.
We identified problems with two specific control areas in the ERIS. First, some users and contractor employees had unlimited access to the ERIS, and computer audit trails are not effectively reviewed. Second, timing and processing differences between the ERIS and related systems are not routinely reconciled. While these differences do not materially affect revenue dollars reported by the ERIS, they do affect the way dollars are reported by tax year.
Controls Over Enforcement Revenue Information System Data Can Be Strengthened
Computer system controls include general and application controls, which together provide reasonable assurance that computer-based data are complete, valid, and reliable. General controls are those that apply to an overall computer operation, such as management oversight of the systemís performance, assignment of responsibilities, and physical security. Application controls are those that apply to a specific application, such as testing software modifications before implementation and documenting program changes. While most of the ERIS general and application controls are adequate, we identified two specific control areas needing improvement.
Controls over ERIS computer user accountability can be further enhanced. Audit trails provide records of operator and system activity. These records provide invaluable day-to-day histories of system operations and account for actions both taken and omitted. At the time of our review, ERIS management did not see the need to routinely review ERIS-related audit trails, including database and system administrator activity. In addition, there was no audit trail of specific contractor activity at the Detroit Computing Center. ERIS management decided that some users needed unlimited system access for creating, updating, and/or deleting data within ERIS databases. Unlimited access, along with insufficient accountability and historical records of user actions, increases the risk of inappropriate access and data manipulation. It further creates an inability to determine the origin of errors.
Controls over ERIS error and functional data resolution are insufficient. One attribute of a successful, working system is a control to resolve processing errors. ERIS programming identifies errors and unmatched transactions, which it compiles to various registers. However, ERIS management stated that they do not resolve the problems identified on these registers because of the volume of transactions and the difficulty of performing cross-functional reconciliations. As a result, ERIS error and unmatched registers have grown exponentially since their creation. According to ERIS management, as of March 1999, the ERIS had 53,119 cases in error registers, out of approximately 236 million cases in the system. Further, as of March 1999, the ERIS had accumulated 1.05 million transactions (representing $25.5 billion) in "unmatched transaction" registers, out of about 1.9 billion transactions, since its creation. ERIS management advised us that they had identified the sources of 237,000 of these cases (representing $7.1 billion) as being AIMS- or IRP-related. Although the volumes in the error and unmatched transaction registers are not material in comparison to the overall volume of cases the ERIS processes for any given year, unresolved errors and unmatched transactions are a systemic processing weakness which can represent material, hidden discrepancies.
In addition to unmatched transactions, there are also unresolved discrepancies between the functional systems and the ERIS. According to ERIS management, the ERIS may report the correct revenue amount, tax period, and district office but may not be able to identify the program area within the functional office that conducted the enforcement effort. Except for periodic software upgrades, which resolve some errors and unmatched transactions, there is no structured, continuous reconciliation process between the ERIS project staff and the IRS functions to properly correct the misidentified program areas. Moreover, ERIS management has no plans to resolve unmatched and error transactions on a large scale. Instead, they will continue to address errors and unmatched transactions through ongoing means, such as making annual and periodic system programming upgrades and taking small, judgmental samples to detect additional errors. However, to help measure future business results, it is important to ensure the reliability of ERIS data.
The Purpose of the Enforcement Revenue Information System Should Be Reevaluated
The stated purpose of the ERIS is to compile and report revenues and costs associated with IRS tax enforcement actions. However, the ERIS has not fully accomplished this purpose because it was not provided data to calculate all applicable costs. Although the ERIS does report direct hours (time specifically spent on casework) for the Examination, Office of the Chief Counsel, and Appeals Divisions, the ERIS reports do not convert these hours into costs. For FY 1997, the excluded costs associated with enforcement actions were at least $2.1 billion, $582.5 million of which represented indirect costs. ERIS management acknowledged that the ERIS was designed to process all applicable costs and that the incompleteness is primarily caused by the various IRS functions not providing necessary cost data to the ERIS. When we brought the cost issue to ERIS managementís attention, they agreed that ERIS documents should not have references to cost data, except for direct hours. The ERIS information on the Chief Financial Officerís (CFO) website, which the program office developed during the course of our audit, does not contain references to cost data, only to direct hours. However, there are other documents (e.g., the Internal Revenue Manual) that still show the ERISí purpose as tracking enforcement-related revenues and costs. Management indicated they plan to correct these other documents concerning the omission of cost data.
Summary of Recommendations
We recommend the CFO evaluate the cost-effectiveness of resolving the ERIS control weaknesses, including implementing reconciliation processes and statistical sampling. The CFO should also either incorporate all relevant cost data into the ERIS or alter all statements of purpose to accurately reflect the systemís actual use. In addition, the IRS should disclose on all applicable reports that cost data are incomplete.
Managementís Response: IRS managementís initial response did not adequately address the recommendations in the report. They are currently revising and reissuing their response.