TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTEGRATED SUBMISSION AND REMITTANCE PROCESSING SYSTEM DEVELOPMENT PROJECT HAS MADE SIGNIFICANT PROGRESS, BUT OPERATING RISKS REMAIN
Reference No. 2000-40-053
The Internal Revenue Service (IRS) replaced the computer systems used to annually process approximately 170 million paper tax returns and 50 million payments. The new system, referred to as the Integrated Submission and Remittance Processing (ISRP) System, is necessary because the existing computers cannot process data after
December 31, 1999. This is our third audit of the ISRP system. The first two audits evaluated the processes used by the IRS to design and develop the ISRP system. During this audit, we evaluated the IRSí process for ensuring that problems identified during the systemís pilot were adequately corrected.
Overall, the IRSí implementation of ISRP was successful. As of May 21, 1999, the IRS had processed over 66 million tax returns and over 11 million payments through the ISRP systems nationwide. Despite these notable accomplishments, the process of integrating ISRP with other IRS operations has resulted in additional risks and challenges affecting the IRS goal of ensuring that taxpayers are provided top quality submission processing services.
During this review, we found that document processing changes increased taxpayer burden, approval of a system enhancement placed the implementation at risk, contingency plans were incomplete and untested, and access to taxpayer information was not properly controlled.
Document Processing Changes Increased Taxpayer Burden
The implementation of ISRP required changes to the IRSí procedures for controlling documents. These changes resulted in additional taxpayer burden and created additional work in order to correct processing errors. For example, we found that:
Since the ISRP system does not assign matching control numbers to tax returns and their accompanying payments, process changes caused delays in the document numbering process and resulted in discrepancies between the actual IRS received dates and the dates reflected in the control number. Had this problem not been corrected, thousands of taxpayers could have been assessed erroneous penalties and issued erroneous balance due notices. In addition, we found that the mismatched control numbers often prevented the IRS from locating the original tax return, making it more difficult for the IRS to correct processing errors related to these payments.
Approval of an Enhancement Increased Implementation Risk
The IRS approved a significant enhancement to the design of the ISRP system despite delays in the projectís implementation schedule and unresolved development problems. After formally advising the vendor of concerns regarding the timely delivery of ISRP, the IRS authorized a significant system enhancement. The additional requirement increased the risk of delays in the vendorís delivery of the system. After we advised them of the potential risks, IRS management decided to delay development of the enhancement.
Contingency Plans Were Incomplete and Untested
On January 29, 1999, we advised the IRS of our concerns with its back-up plans for unexpected tax return and payment processing problems (i.e., contingency plans). We reported a lack of detail in the 1999 contingency plans, budget and staffing reductions that limited contingency alternatives, and the omission of the ISRP system from local recovery plans. In addition, we questioned the reliability of the IRSí payment processing capabilities if problems with ISRP occur after the year 2000. IRS officials agreed with our recommendations and took corrective actions regarding the 1999 contingency plans, but they did not agree with our recommendations regarding contingency plans for problems in the year 2000 and beyond.
We are still concerned with the IRSí year 2000 back-up payment processing capabilities. If detailed contingency plans are not both finalized and tested, unexpected problems with the IRSí payment processing systems may result in untimely deposits, unprocessed payment transactions, and errors in calculating tax due balances. As of October 14, 1999, the IRS had neither completed negotiations with the vendors expected to provide the back-up services nor tested the contingency plans currently in place.
Access to Taxpayer Information Was Not Properly Controlled
Due to the personal and sensitive nature of information on IRS computer systems and the legal requirements to safeguard the privacy of taxpayer information, the IRS established procedures to check the background of all individuals granted access to its computer systems. This includes the employees of vendors contracted to implement and maintain ISRP.
We reviewed the background investigation results for 51 vendor employees at 6 service centers. We found that 59 percent of these employees (30 of 51) did not have completed background investigations. Although we did not identify any misuse of taxpayer data, vendor employees with the computer knowledge and skills necessary to misuse this data were allowed access to ISRP before the completion of their background investigations.
Summary of Recommendations
The report contains specific recommendations for the IRS to improve the ISRP systemís control and accountability of all documents processed, to update submission processing contingency plans, and to improve ISRP controls designed to safeguard taxpayer information.
Managementís Response: IRS management agreed with the issues addressed in this report and stated that they have implemented corrective actions to improve the ISRP systemís control and accountability of documents, strengthen contingency plans, and improve ISRP controls designed to safeguard taxpayer information. IRS managementís complete response to the draft report is included as Appendix V.