IRS Connections to External Systems: Improvements are Needed, TIGTA Finds

Transcription

1 Treasury Inspector General for Tax Administration November 5, 2015 IRS Connections to External Systems: Improvements are Needed, TIGTA Finds Service (IRS) do not have proper authorization or security agreements, according to a report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA). TIGTA initiated its audit to determine whether controls are in place and operating effectively to protect IRS networks when connected to external information technology systems. Through such interconnections, the IRS shares Federal tax information and other records with many Federal, State, and local agencies, as well as private agencies and contractors. Because taxpayer and other sensitive data must be protected, the IRS is required to ensure that external system interconnections are authorized by written agreements that specify the technical and security requirements. TIGTA found that although the IRS has established an office to provide oversight and guidance for the development of security agreements, that office is not responsible for managing or monitoring agreements for all external interconnections in use in the IRS environment. TIGTA also found that improvements are needed to ensure that existing agreements contain all required elements and are renewed timely. "These system interconnections are critical and must be properly designed and managed to meet security requirements, said J. Russell 1

2 George, Treasury Inspector General for Tax Administration. If not, failures could compromise the connected systems and the sensitive data that they store, process, or transmit," he added. The IRS agreed with all of the six TIGTA audit recommendations and planned appropriate corrective actions. The IRS agreed to: 1) identify and document external interconnections; 2) establish a repeatable process for identifying external interconnections; 3) ensure that policies and procedures are developed and implemented for updating the interconnections inventory; 4) establish an escalation process to resolve agreement renewal issues; 5) ensure that interconnection agreements meet policies and are renewed timely; and 6) streamline and eliminate ineffective practices related to interconnection agreements. Treasury Inspector General for Tax Administration Office of Inspections and Evaluations The Internal Revenue Service Administered Corporate Net Operating Losses Efficiently and Effectively; However, Financial Reporting Could Be Improved Issued on October 13, 2015 This project was initiated because of the increasing percentage of corporation returns filed reporting net operating losses and the potential impact of those net operating losses as carryforwards on future Federal corporation tax revenues. In Processing Year 2010, 45.3 percent of corporations filed returns claiming net operating losses of $722.4 billion incurred in the Great Recession. In Processing Year 2012, corporate returns reported $1.96 trillion net operating loss 2

3 carryforwards available to offset future income tax. The objective was to evaluate IRS plans, activities, and programs to administrate the tax laws for corporate net operating losses and net operating loss carryovers. WHAT TIGTA RECOMMENDED TIGTA recommended that the Chief Financial Officer include in the unaudited information for the IRS financial statements the amount, net present value, and description of the corporate net operating loss carryforward amounts impact on future corporate tax revenues. In their response to the report, IRS officials disagreed with our recommendation citing the disclosure is not required by Federal accounting standards, it is unclear the value of such a disclosure, and the potential costs. TIGTA continues to believe that due to the material effect of net operating loss carryforwards on future corporate tax revenues, disclosure is warranted. IMPACT ON TAXPAYERS A corporate net operating loss occurs when a corporation s allowable tax deductions exceed its gross income for the year. This normally occurs when a corporation is subject to losses due to business and economic conditions, but can also occur when a corporation attempts to utilize corporate losses through aggressive tax planning. TIGTA found no evidence of the widespread or systematic abuse of corporate net operating losses based on IRS data and information reviewed. WHAT TIGTA FOUND TIGTA found the IRS has two significant responsibilities in administrating net operating losses in accordance with established tax policies. First, the IRS receives the claims for net operating loss carrybacks and must expedite their processing to ensure that refunds are timely issued to avoid paying unnecessary interest. Between Processing Years 2007 and 2010, the IRS became more efficient in reducing the percentage of interest paid during the period of increasing carryback return volumes. Second, the IRS has processes and procedures to determine the validity of loss claims and to ensure that net operating loss carryforwards are taken in accordance with legal guidelines. 3

4 TIGTA estimates that the $1.96 trillion in net operating loss carryforwards reported in 2012 have a net present value between $371 billion and $414 billion in reduced future corporate tax revenue. However, this information is not readily available in Government information sources and is material to future tax revenues. Treasury Inspector General for Tax Administration Office of Audit Processes Are Being Established to Detect Business Identity Theft; However, Additional Actions Can Help Improve Detection WHY TIGTA DID THE AUDIT Issued on September 9, 2015 The IRS recognizes that new identity theft patterns are constantly evolving and, as such, it needs to continually adapt its detection and prevention processes. The overall objective of this review was to determine the effectiveness of the IRS s efforts to implement a business return program to detect and prevent identity theft. WHAT TIGTA FOUND TIGTA found that the IRS recognizes continued efforts are needed to develop and implement systemic processes to detect identity theft. To date, the IRS has taken actions that include defining business identity theft, creating procedures for IRS employees to follow when they are made aware of a potential business identity theft situation, and 4

5 conducting a Business Identity Theft Project to detect potential business identity theft relating to corporate tax returns. However, TIGTA also found areas where improvements could be made in identifying potential business identity theft. For example, the IRS maintains a list of suspicious Employer Identification Numbers (EINs) determined to be associated with a fictitious business. Our analysis of business returns filed during Processing Year 2014 identified that 233 tax returns were filed using a known suspicious EIN. Of these, 97 claimed refunds totaling over $2.5 million. In addition, TIGTA determined that processing filters could be developed to identify returns containing certain characteristics that could indicate potential identity theft cases. Business returns containing these characteristics could be proactively identified before the issuance of any refunds. TIGTA also found that State information sharing agreements do not address business identity theft. The agreements only address the detection of individual identity theft. Finally, TIGTA also identified that actions are needed to better promote awareness of business identity theft. WHAT TIGTA RECOMMENDED TIGTA recommended that the Commissioner, Wage and Investment Division, establish procedures to identify business returns containing certain characteristics that could indicate potential identity theft cases, evaluate the potential for expanding information sharing agreements to include the sharing of suspicious or potentially fraudulent business tax return filings; and continue to develop and offer additional outreach materials that directly inform businesses about business identity theft. The IRS agreed with our recommendations and has established some processes to detect potentially fraudulent business filings and will evaluate possible expansion of these processes to other business return filings in The IRS also plans to work with stakeholders to assess expanding the State Suspicious Filer Exchange to include business returns and update business outreach materials. 5

6 Treasury Inspector General for Tax Administration November 10, 2015 IRS Could Improve Detection of Business Identity Theft, TIGTA Finds The Internal Revenue Service (IRS) has taken actions and developed procedures to identify and detect business identity theft; however, TIGTA also found areas where improvements could be made to assist in this effort. That is a finding of a report released today by the Treasury Inspector General for Tax Administration (TIGTA). Identity theft continues to be a serious and evolving issue which has a significant impact on tax administration. It not only affects individuals, it can also affect businesses, said J. Russell George, Treasury Inspector General for Tax Administration. Therefore, it is incumbent upon the IRS to use all the data and tools to detect and prevent business identity theft from occurring, he said. The IRS defines business identity theft as creating, using, or attempting to use businesses identifying information without authority to claim tax benefits. The IRS recognizes that new identity theft patterns are constantly evolving and, as such, it needs to continually adapt its 6

7 detection and prevention processes. The overall objective of TIGTA s review was to determine the effectiveness of the IRS s efforts to implement a business return program to detect and prevent identity theft. TIGTA found that the IRS recognizes continued efforts are needed to develop and implement systemic processes to detect identity theft. To date, the IRS has taken actions that include defining business identity theft, creating procedures for IRS employees to follow when they are made aware of a potential business identity theft situation, and conducting a Business Identity Theft Project to detect potential business identity theft relating to corporate tax returns. However, TIGTA also found areas where improvements could be made in identifying potential business identity theft. For example, the IRS maintains a list of suspicious Employer Identification Numbers (EINs) determined to be associated with a fictitious business. TIGTA s analysis of business returns filed during Processing Year 2014 identified that 233 tax returns were filed using a known suspicious EIN. Of these, 97 claimed refunds totaling over $2.5 million. In addition, TIGTA determined that processing filters could be developed to identify returns containing certain characteristics that could indicate potential identity theft cases. Business returns containing these characteristics could be proactively identified before the issuance of any refunds. TIGTA also found that State information sharing agreements do not address business identity theft. The agreements only address the detection of individual identity theft. Finally, TIGTA also identified that actions are needed to better promote awareness of business identity theft. TIGTA recommended that the Commissioner, Wage and Investment Division, establish procedures to identify business returns containing certain characteristics that could indicate potential identity theft cases; evaluate the potential for expanding information sharing agreements to include the sharing of suspicious or potentially fraudulent business tax return filings; and continue to develop and offer additional outreach materials that directly inform businesses about business identity theft. 7

8 The IRS agreed with TIGTA s recommendations and has established some processes to detect potentially fraudulent business filings and will evaluate possible expansion of these processes to other business return filings in The IRS also plans to work with stakeholders to assess expanding the State Suspicious Filer Exchange to include business returns and update business outreach materials. Treasury Inspector General for Tax Administration Office of Audit Affordable Care Act Verification Service: Security and Testing Risks Issued on September 28, 2015 Starting with Tax Year 2014 individual income tax returns, the Affordable Care Act (ACA) requires taxpayers to file new forms (e.g., Form 8962, Premium Tax Credit, and Form 8965, Health Coverage Exemptions) to report that they have qualifying health care coverage, are eligible for a health coverage exemption, or make a shared responsibility payment. To process the new forms, the IRS developed the ACA Verification Service (AVS). WHY TIGTA DID THE AUDIT The overall objective was to determine if the IRS adequately developed and tested the AVS. WHAT TIGTA FOUND 8

9 The ACA authorizing official signed the ACA security authorization, and the AVS was placed into production on January 20, 2015, prior to the completion of the security assessment. The authorizing official made this decision based on the results of security testing that had been completed, the Cybersecurity organization s memorandum concurring with the authorizing official s granting of an update to the current security authorization, and the urgent need to deploy ACA Release 5.0 at the start of the 2015 Filing Season. The Cybersecurity organization completed the security assessment in May AVS testing delays prevented the completion of security testing and the completion of documents needed for the security authorization package prior to deploying the AVS into production. In addition, delays in testing extended the test period. Testing delays were caused by late code deliveries, changes in the test environment, and time needed to correct defects. Testing delays also caused numerous ACA builds, including the AVS, to be submitted for the Final Integration Test program approximately one week before the start of the 2015 Filing Season, increasing the risk that defects would not be corrected prior to production. Finally, test results from designated sources did not match the test results reported in the project-level and release-level draft End-of-Test Completion Reports. Discrepancies identified were due to clerical errors and the use of the Implementation and Testing organization s internal tracking system instead of only using the mandated tools. WHAT TIGTA RECOMMENDED TIGTA recommended the Chief Technology Officer ensure that: 1) AVS security vulnerabilities are corrected prior to the next filing season; 2) security testing and security authorization packages are completed prior to authorizing and placing systems into production; 3) ACA developers are notified in advance when changes to the development, test, and production environments are made; and 4) testing organizations use only the information from the designated tools for documenting requirements, test results, and defects to prepare the End-of-Test Completion Report. 9

10 In their response to the report, IRS officials agreed with two of the four recommendations and partially agreed with the remaining two. For vulnerabilities that cannot be corrected prior to the next filing season, the IRS plans to continue following established procedures for addressing the vulnerabilities. When security testing and security authorization packages cannot be completed prior to system deployment, the IRS plans to exercise risk-based decision making with appropriate governance approvals and documentation. IRS officials also stated that they have taken or plan to take appropriate corrective actions. Treasury Inspector General for Tax Administration Office of Audit Measurable Agreements On Security Controls Are Needed To Support the Enterprise Storage Services Solution Issued on October 30, 2015 The Enterprise Storage Services (ESS) Program is sponsored by the IRS Storage Program Management Office. This office delivers data storage services to Enterprise applications at IRS facilities through deployment of tiered storage, encrypted backup/recovery, and data replication strategies that enable high-performance systems operations, business continuity, and dynamic and secure disaster recovery. The IRS estimates that its new Storage-As-a-Service approach will save millions of dollars by providing better utilized resources. The new ESS environment stores IRS data, including taxpayer and other sensitive data. WHY TIGTA DID THE AUDIT 10

11 The overall objective was to assess the efficiency and effectiveness of the IRS s ESS Program by considering progress toward established goals and the risk mitigation approach for the enterprise-wide cloud storage services that support IRS systems and information technology operations. WHAT TIGTA FOUND The IRS has reported cost savings with its migration of production data into the ESS storage environment since March However, TIGTA found that more detailed contractual agreements are needed to support the ESS Program with data security controls including security monitoring and incident management. Clear agreements between the IRS and the ESS contractor would better ensure adequate preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Also, the Service Level Objectives established under the current contract do not clearly stipulate time frames for the contractor to mitigate losses and resecure the ESS environment should a data breach occur. WHAT TIGTA RECOMMENDED TIGTA recommended that the IRS Chief Technology Officer: 1) modify the ESS contract to include measurable Service Level Agreements based on a complete risk assessment and security plan for the ESS Program and 2) address specific risks affecting IRS systems related to ESS security monitoring and incident management. The IRS disagreed with both recommendations, stating that the ESS provides disk storage as one component of a larger, multilayered infrastructure. Risk and security of all data, including access to the data in addition to IRS incident management and security monitoring, are performed at the General Support System and Application layers using IRS standard practices and processes. TIGTA believes that risk factors associated with contract responsibilities and ownership of ESS data storage devices should be considered under the ESS Program. IRS policy requires risk management for all infrastructure equipment capable of storing or transmitting data. However, a risk assessment has not been conducted, 11

12 and the security plan is not complete. Further, the IRS has not provided TIGTA with verification that security controls to address specific ESS risks have been considered at the General Support System and Application layers. The ESS contract does not include or reference a detailed process to guide security monitoring and overall incident management controls. Treasury Inspector General for Tax Administration Office of Audit Improvements Are Needed in Resource Allocation and Management Controls for Audits of High-Income Taxpayers IMPACT ON TAXPAYERS Issued on September 18, 2015 High-income taxpayers are frequently involved in complex entities and financial arrangements that provide greater opportunities for aggressive tax planning. It is important for the IRS to demonstrate that it enforces tax laws equally by ensuring that its compliance strategies are applied fairly to all segments of the taxpayer population. WHY TIGTA DID THE AUDIT High-income taxpayers can present a unique challenge to tax administration due to the complexity of their financial affairs. This audit was initiated to evaluate the IRS s efforts to ensure the tax compliance of high-income taxpayers. WHAT TIGTA FOUND 12

13 The IRS has taken steps to improve its audit coverage of high-income taxpayers. The IRS adopted a High-Income and High-Wealth strategy focused on auditing more tax returns related to high-income individuals. As a result, audit coverage of high-income taxpayers has improved. However, the IRS should reevaluate whether the threshold for its High-Income and High-Wealth strategy, set at $200,000, results in an efficient allocation of examination resources. Additionally, as part of this strategy, the Large Business and International (LB&I) Division established the Global High Wealth (GHW) Industry to specifically address tax compliance issues of highincome taxpayers. The GHW Industry takes a comprehensive approach in auditing high-income taxpayers by extending the audits beyond the individual income tax return to include examining the entities that these taxpayers control. However, LB&I Division management has not yet established the GHW Industry as a standalone industry capable of conducting all of its own examinations. Currently, management is using resources from three other LB&I Division industries to assist with auditing GHW Industry enterprise cases without having evaluated the impact of that decision on those other industries. TIGTA also found that the complexity of the financial affairs of many high-income taxpayers and the limitations of the IRS s audit information systems prevent the IRS from systemically quantifying GHW Industry audit performance. Further, the LB&I Division has not taken a number of steps to ensure that the GHW Industry evolves into a mature industry. For example, the GHW Industry has not implemented a quality review process for its audits. WHAT TIGTA RECOMMENDED TIGTA recommended that the IRS: 1) reevaluate the income thresholds in its High-Income and High-Wealth strategy; 2) conduct a cost/benefit analysis of the GHW Industry s outsourcing initiative; 3) explore system modifications needed to systemically quantify GHW Industry enterprise case examination results; 4) ensure that its management reports accurately reflect that there currently is no audit quality measure for the GHW Industry; 5) establish a permanent ongoing 13

14 quality review system; and 6) require quality reviews of closed GHW Industry examination cases. The IRS agreed with four of the six recommendations. However, the IRS does not agree that its decision to outsource GHW Industry enterprise cases requires a cost/benefit analysis and is not planning to explore system modifications needed to better quantify enterprise case examination results. TIGTA believes that both the cost/benefit analysis and better information on examination results would improve program decisions. Treasury Inspector General for Tax Administration November 19, 2015 Improvements Are Needed in Resource Allocation and Management Controls for Audits of High-Income Taxpayers The Internal Revenue Service (IRS) has taken steps to improve its audit coverage of high-income taxpayers. However, it should reevaluate whether the threshold of $200,000 for its High-Income and High-Wealth strategy results in an efficient allocation of examination resources. That is among the findings of an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA). 14

15 TIGTA performed this audit to evaluate the IRS s effort to ensure the tax compliance of high-income taxpayers. The IRS identifies highincome taxpayers as those who reported total positive income of at least $200,000 on Form Because the IRS is devoting more audit resources for these taxpayers, it is important to know at what level of income or wealth taxpayers tend to begin establishing complex financial holdings that are at greater risk for noncompliance with the tax laws. TIGTA found that the IRS has taken a number of actions to help to ensure tax compliance of high-income taxpayers. The IRS adopted a High-Income and High-Wealth strategy to audit more tax returns related to these individuals. The resulting audit coverage of highincome taxpayers has improved. However, the IRS s High-Income and High-Wealth strategy devotes nearly 50 percent of its high-income audits to taxpayers earning $200,000 to $399,999, whose tax returns potentially present the least productivity of all high-income taxpayers. The IRS should reevaluate the income level it uses to identify taxpayers for its High-Income and High-Wealth strategy so that it can better allocate audit resources to the most significant audit risks, said J. Russell George, Treasury Inspector General for Tax Administration. The IRS Large Business and International Division (LB&I) established the Global High Wealth (GHW) Industry, which takes a comprehensive approach in auditing high-income taxpayers by extending the audits beyond the individual income tax return and examines the entities that these taxpayers control. GHW is not yet a stand-alone industry capable of conducting all of its own examinations. The IRS is using resources from three other LB&I industries to assist with auditing GHW cases, but has not evaluated the impact of that decision on those other industries. Also, the IRS cannot quantify its GHW audit performance because of the limitations of IRS audit information systems, and GHW has not implemented a quality review process for its audits. TIGTA made six recommendations in the audit report, including that the IRS establish a permanent quality review system for GHW cases. The IRS agreed with four of the six recommendations, not agreeing that its decision to outsource GHW Industry enterprise cases requires a 15

16 cost/benefit analysis and is not planning to explore system modifications needed to better quantify enterprise case examination results. TIGTA believes that both the cost/benefit analysis and better information on examination results would improve program decisions. Treasury Inspector General for Tax Administration Office of Audit Trends in Compliance Activities Through Fiscal Year 2014 Highlights Issued on November 10, 2015 Highlights of Report Number: to the Internal Revenue Service Deputy Commissioner for Services and Enforcement. IMPACT ON TAXPAYERS This report is a compilation of statistical information reported by the IRS. The data presented in this report provide taxpayers and stakeholders with information about how the IRS focuses its compliance resources and the impact of those resources on revenue and compliance over time. WHY TIGTA DID THE AUDIT TIGTA conducts this review annually in response to continuing stakeholder interest in the analysis and trending of Collection and Examination function activities. The overall objective was to provide 16

17 various statistical information regarding Collection and Examination function activities. WHAT TIGTA FOUND The IRS has faced declining funding levels in three of the last four fiscal years. These budget reductions resulted in decreases in the number of employees available to provide services to taxpayers and enforce the tax laws. Overall, IRS employment (all employees who are on permanent, temporary, and term appointments) has declined 15 percent from 107,622 in Fiscal Year (FY) 2010 to 91,018 in FY The number of enforcement personnel decreased by nearly 1,000 employees during FY As resources decreased, the IRS s responsibilities have expanded. For example, in FY 2014, the IRS continued implementing tax-related portions of the Affordable Care Act and the Foreign Account Tax Compliance Act. Despite these challenges, total dollars received and collected (gross collections) increased for the fourth straight year to $3.1 trillion (a 6.8 percent increase) in FY Enforcement revenue collected also increased from $53.3 billion in FY 2013 to $57.1 billion in FY 2014 due, in part, to a relatively small number of large dollar examination cases. Tax return filings remained steady while gross accounts receivable increased to $412 billion. FY 2014 Collection function activities showed mixed results. The amount collected on delinquent accounts by both the Automated Collection System and the Compliance Services Collection Operations increased while the amount collected by Field Collection decreased. The Collection function continued to receive more delinquent accounts than it closed, although the number of delinquent accounts in the Collection queue decreased due, in part, to the removal of millions of accounts that were not resolved. While the use of levies increased, fewer Notices of Federal Tax Lien were filed and fewer seizures were made. Meanwhile, taxpayers use of the offer in compromise payment option decreased for the first time in the past five years. The Examination function conducted 11 percent fewer examinations in FY 2014 than in FY The decline in examinations occurred across 17

18 almost all tax return types, including individual, corporation, and S corporation. Seventy-one percent of return examinations were conducted via correspondence. In addition to the decline in the number of tax return examinations, productivity indicators also declined. The dollar yield per hour for most return types decreased. Also, the no-change rates increased for most types of examinations (individuals, corporations, and partnerships). WHAT TIGTA RECOMMENDED TIGTA made no recommendations in this report. IRS officials were provided an opportunity to review the draft report and did not provide any comments. Treasury Inspector General for Tax Administration Office of Audit Review of the Electronic Fraud Detection System Highlights Issued on September 29, 2015 Highlights of Report Number: to the Internal Revenue Service Chief Technology Officer. IMPACT ON TAXPAYERS Implemented in 1994, the Electronic Fraud Detection System (EFDS) remains the IRS s primary frontline system for detecting fraudulent 18

19 returns. The EFDS is designed to maximize revenue protection and fraud detection at the time that tax returns are filed to reduce the issuance of questionable refunds. The EFDS supports the Department of the Treasury strategic goal to Manage the Government s Finances Effectively. WHY TIGTA DID THE AUDIT This review is part of our Fiscal Year 2015 Annual Audit Plan and addresses the major management challenge of Fraudulent Claims and Improper Payments. The overall audit objective was to determine whether the IRS has properly designed and tested enhancements to the EFDS prior to the 2015 Filing Season. WHAT TIGTA FOUND The IRS is developing the Return Review Program to replace the EFDS due to its fundamental limitations in technology and design. However, the IRS has not set a termination date nor established a retirement plan for the EFDS. If the IRS does not efficiently transition to the Return Review Program so that it can retire the EFDS, the estimated additional operation and maintenance costs of running the EFDS could cost taxpayers approximately $18.2 million per year. The EFDS project team has taken steps to mitigate the risks associated with technical obsolescence. For example, the workload management system web release addressed concerns stemming from the client-server platform. However, a risk management plan and requirements plan were not updated. Additionally, the IRS did not use the required repository for managing the testing of system requirements. WHAT TIGTA RECOMMENDED TIGTA recommended that the Chief Technology Officer: 1) develop a system retirement plan for the EFDS and retire the EFDS after validating the Return Review Program effectively identifies, at a minimum, all issues currently identified by the EFDS; 2) update the Risk Management Plan to reflect the current organizational structure, management process methodology, documentation requirements, and 19

20 mitigation strategy; 3) update the Requirements Plan to reflect the current activities, methods, and techniques that are used to perform and support requirements development and requirements management; and 4) ensure that contractors have software licenses to use the required repository and verify that guidance is followed. IRS management agreed with our recommendations. The IRS plans to finalize the EFDS retirement plan by January 2016 and to review and update documentation concerning the role of the Enterprise Program Management Office. The IRS plans to update the Requirements Plan to reflect the current organizational structure and to continue to follow the requirements traceability process as defined by the IRS s Information Technology Strategy and Planning function. The IRS also plans to ensure that contractors performing integration testing within the development cycle for the EFDS have the software licenses required to use the requirements repository. Treasury Inspector General for Tax Administration November 25, 2015 IRS s Electronic Fraud Detection System Replacement Process Needs Improvement 20

21 The Internal Revenue Service (IRS) is developing a new system to detect fraudulent tax returns to replace their outdated system. However, as it has not set a termination date nor established a retirement plan for the old system, additional costs of running both systems could cost taxpayers approximately $18 million per year. That is the conclusion of an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA). Implemented in 1994, the Electronic Fraud Detection System (EFDS) remains the IRS s primary frontline system for detecting fraudulent returns. The EFDS is designed to maximize revenue protection and fraud detection at the time that tax returns are filed to reduce the issuance of questionable refunds. The EFDS supports the Department of the Treasury strategic goal to Manage the Government s Finances Effectively. This review is part of TIGTA s Fiscal Year 2015 Annual Audit Plan and addresses the major management challenge of Fraudulent Claims and Improper Payments. The overall audit objective was to determine whether the IRS has properly designed and tested enhancements to the EFDS prior to the 2015 Filing Season. The IRS is developing the Return Review Program to replace the EFDS due to its fundamental limitations in technology and design. However, the IRS has not set a termination date nor established a retirement plan for the EFDS. If the IRS does not efficiently transition to the Return Review Program so that it can retire the Electronic Fraud Detection System, the estimated additional operation and maintenance costs of running the system could cost taxpayers approximately $18.2 million per year, said J. Russell George, Treasury Inspector General for Tax Administration. The EFDS project team has taken steps to mitigate the risks associated with technical obsolescence. For example, the workload management system web release addressed concerns stemming from the client-server platform. However, a risk management plan and requirements plan were not updated. Additionally, the IRS did not use the required repository for managing the testing of system requirements. 21

22 TIGTA recommended that the Chief Technology Officer: 1) develop a system retirement plan for the EFDS and retire the EFDS after validating the Return Review Program effectively identifies, at a minimum, all issues currently identified by the EFDS; 2) update the Risk Management Plan to reflect the current organizational structure, management process methodology, documentation requirements, and mitigation strategy; 3) update the Requirements Plan to reflect the current activities, methods, and techniques that are used to perform and support requirements development and requirements management; and 4) ensure that contractors have software licenses to use the required repository and verify that guidance is followed. Treasury Inspector General for Tax Administration November 24, 2015 Additional Actions to Enforce Payment Card Reporting Requirements Could Reduce the Tax Gap In an effort to narrow the Tax Gap the estimated difference between the amount of tax that taxpayers owe and the amount that is paid timely and voluntarily Congress enacted legislation to increase voluntary compliance of businesses through information reporting. The 22

23 Department of the Treasury estimated that this new law would result in the additional collection of almost $10 billion over 10 years. The legislation required information returns to be filed for reportable payment card transactions starting in Calendar Year This is also when the Internal Revenue Service (IRS) committed to a multiyear, multi-treatment stream compliance pilot initiative, which leveraged information from Form 1099-K, Payment Card and Third Party Network Transactions, to reduce the Tax Gap. This audit continues the Treasury Inspector General for Tax Administration (TIGTA) ongoing oversight of the IRS s implementation of payment card reporting requirements. The IRS recognizes the challenges associated with using Forms 1099-K to identify noncompliance with income reporting. To address these challenges, the IRS implemented pilot initiatives to identify payment card noncompliance. Payment cards include credit cards, debit cards, and store-valued cards. The IRS continues to use the results from the pilot initiatives to refine the criteria used to identify underreporting of payment card income. However, TIGTA found that payers are not compliant with backup withholding requirements, which direct payers to withhold 28 percent of amounts reported on Forms 1099-K for payees who failed to provide a valid Taxpayer Identification Number (TIN). TIGTA s review of Calendar Year 2013 Forms 1099-K identified 10,216 Forms 1099-K with a missing TIN. These Forms 1099-K reported gross transactions totaling more than $10.6 billion. Payers were required to withhold almost $3 billion from these payees, but no backup withholding was taken, said J. Russell George, Treasury Inspector General for Tax Administration. This has a direct impact on the IRS s ability to reduce the Tax Gap, he added. TIGTA also found that the IRS received 2,933 Forms 1099-K with gross transactions totaling $543.9 million for which the payee TIN was that of a deceased individual. TIGTA identified that the TIN Matching Program, used by payers to verify a payee TIN, does not alert the payer when a TIN of a deceased individual is used. 23

24 In addition, TIGTA identified 84,107 individuals and 443,528 businesses that did not file a tax return for transactions that payers reported on Forms 1099-K totaling more than $164.5 billion. TIGTA recommended that the Commissioner, Small Business/Self- Employed Division, ensure that a business case analysis is performed when making decisions to grant transitional relief; assess penalties on certain payers who do not comply with reporting requirements; and use Form 1099-K information as part of the IRS s nonfiler program. The IRS agreed with six of the seven recommendations that TIGTA made, and plans appropriate corrective actions. The IRS did not agree to implement a computer programming change, because it might encounter budgetary constraints and limited resources, but TIGTA believes this change should be a priority. Treasury Inspector General for Tax Administration Office of Audit Additional Actions to Enforce Payment Card Reporting Requirements Could Reduce the Tax Gap Issued on September 25, 2015 Highlights Highlights of Report Number: to the Internal Revenue Service Commissioner for the Small Business/Self-Employed Division. 24

25 IMPACT ON TAXPAYERS Congress enacted legislation in an effort to narrow the Tax Gap (the estimated difference between the amount of tax that taxpayers should pay and the amount that is paid voluntarily and on time) and increase voluntary compliance of businesses through information reporting. The legislation required information returns to be filed for reportable payment card transactions starting in Calendar Year The Department of the Treasury estimated that this new law would result in the additional collection of almost $10 billion over 10 years. WHY TIGTA DID THE AUDIT In Calendar Year 2012, the IRS committed to a multiyear, multitreatment stream compliance pilot initiative leveraging Form 1099-K, Payment Card and Third Party Network Transactions, information to reduce the Tax Gap. This audit continues our assessment of the IRS s implementation of payment card reporting requirements. WHAT TIGTA FOUND The IRS recognizes the challenges associated with using Forms 1099-K to identify noncompliance with income reporting. To address these challenges, the IRS implemented pilot initiatives to identify payment card noncompliance. These initiatives include new processes and changes to existing processes, treatment streams, and capabilities. The IRS continues to use the results from these pilot initiatives to refine the criteria used to identify underreporting of payment card income. TIGTA found that payers are not compliant with backup withholding requirements directing a payer to immediately withhold 28 percent of amounts reported on Forms 1099-K for payees that failed to provide a valid Taxpayer Identification Number (TIN). For example, TIGTA s review of Calendar Year 2013 Forms 1099-K identified 10,216 Forms 1099-K with a missing TIN. These Forms 1099-K reported gross transactions totaling over $10.6 billion. As such, payers were required to withhold almost $3 billion from these payees, yet no backup withholding was taken. In addition, TIGTA identified that the TIN Matching Program available to payers to verify a payee TIN does not alert the payer when 25

26 a TIN of a deceased individual is being used. TIGTA s review of Calendar Year 2013 Forms 1099-K found that the IRS received 2,933 Forms 1099-K with gross transactions totaling $543.9 million for which the payee TIN was that of a deceased individual. Finally, Form 1099-K information should be included in the IRS s nonfiler identification efforts. Review of Calendar Year 2013 Forms 1099-K identified 84,107 individuals for whom payers reported gross transactions on Forms 1099-K totaling nearly $9.1 billion and 443,528 businesses for which payers reported gross transactions on Forms K totaling over $164.5 billion that did not file a tax return. WHAT TIGTA RECOMMENDED TIGTA recommended that the Commissioner, Small Business/Self- Employed Division, ensure that a business case analysis is performed when making decisions to grant transitional relief; assess penalties on certain payers that do not comply with reporting requirements; and use Form 1099-K information as part of the IRS s nonfiler program. The IRS agreed with six of the seven recommendations and plans appropriate corrective actions. The IRS did not agree to implement a computer programming change because it could not guarantee that changes will be implemented due to budgetary constraints and limited resources. However, TIGTA believes this change should be a priority. Treasury Inspector General for Tax Administration Office of Audit 26

27 Employers Who Do Not Comply With Requests to Provide Complete and Accurate Wage Documents Are Not Always Assessed Penalties Issued on September 22, 2015 Highlights Highlights of Report Number: to the Internal Revenue Service Commissioner for the Small Business/Self-Employed Division. IMPACT ON TAXPAYERS Each year, the Social Security Administration (SSA), in a process called Annual Wage Reporting, matches wage and withholding information sent by employers to tax returns filed by those employers with the IRS to identify discrepancies between the information submitted to each agency. The SSA s primary focus is to identify discrepancies in which earnings and tax withholdings reported to the IRS on filed tax returns differs from amounts reported on Forms W-2, Wage and Tax Statement, submitted to the SSA. A discrepancy can indicate that employees earnings were not credited to their Social Security account. WHY TIGTA DID THE AUDIT The SSA refers unresolved discrepancy cases to the IRS because the IRS has the authority to penalize an employer if the employer fails to file complete and accurate Forms W-2 and W-3, Transmittal of Wage and Tax Statements. Discrepancies in crediting wages to an individual s Social Security account may affect the amount of Social Security benefits available to the employee upon retirement. The overall objective was to evaluate the IRS s processes and procedures for working SSA Combined Annual Wage Reporting discrepancy cases. WHAT TIGTA FOUND TIGTA found that the IRS did not always assess penalties against employers that did not reply to the IRS s requests to resolve SSAreported discrepancies as required. TIGTA s analysis of discrepancy cases referred to the IRS by the SSA for Tax Year 2011 found that the 27

28 IRS did not correctly assess more than $200 million in penalties on 32 employer discrepancy cases referred by the SSA. A comparison of wages and withholding reported by these 32 employers on their tax return to Forms W-2 submitted to the SSA identified underreported Forms W-2 wages totaling more than $2 billion. IRS management indicated that no process was established to identify these cases and, as a result, the penalties were not assessed as required. In addition, TIGTA s analysis of discrepancy cases identified that the IRS excluded 22,814 of the 134,937 cases referred from the SSA. Of the 22,814 referred cases, 608 did not meet the IRS s case processing exclusion criteria and were erroneously excluded from being worked. As a result, the IRS did not assess more than $22 million in penalties. A comparison of wages and withholding reported by employers on their tax return to Forms W-2 submitted to SSA for these 608 cases identified underreported Forms W-2 wages totaling more than $225 million. As part of a settlement agreement resulting from a lawsuit to force prompt resolution of the backlog of unreconciled cases (i.e., wage information was not being timely recorded to earnings records), the IRS is required to work all cases referred by the SSA. IRS management indicated that the 608 cases were erroneously excluded because of computer programming errors. WHAT TIGTA RECOMMENDED TIGTA recommended that the Commissioner, Small Business/Self- Employed Division (1) develop a process to identify and ensure that penalties are assessed as required on those employers that do not reply to the IRS s requests for missing Forms W-2, and (2) correct computer programming errors to ensure that cases are accurately reflected in open inventory as needing to be worked and that penalties are assessed when appropriate. The IRS agreed with our recommendations and plans appropriate corrective actions. 28

29 Treasury Inspector General for Tax Administration November 23, 2015 Employers Who Do Not Comply With Requests to Provide Complete and Accurate Wage Documents Are Not Always Assessed Penalties The Internal Revenue Service (IRS) does not always assess penalties against employers who fail to respond to requests that they resolve discrepancies related to wage information that they have reported to the Federal Government, according to a new report released by the Treasury Inspector General for Tax Administration (TIGTA). Each year, the Social Security Administration (SSA) matches wage and withholding information that employers send to the SSA to tax returns that those employers file with the IRS to identify discrepancies between the information they submit to both agencies. In this process, known as Annual Wage Reporting, the SSA s primary focus is to identify discrepancies in which earnings and tax withholdings that employers reported to the IRS on filed tax returns differ from amounts that employers submitted to the SSA on Forms W-2, Wage and Tax Statement. The SSA refers unresolved discrepancy cases to the IRS, because the IRS has the authority to penalize an employer, if the employer fails to file complete and accurate Forms W-2 and W-3, Transmittal of Wage and Tax Statements. TIGTA evaluated the IRS s processes and procedures for working SSA Combined Annual Wage Reporting 29

30 discrepancy cases, and found that the IRS did not always assess penalties against employers who did not reply to the IRS s requests to resolve SSA-reported discrepancies, as required by law. TIGTA s analysis of discrepancy cases for Tax Year 2011 found that the IRS did not correctly assess more than $200 million in penalties on 32 cases. A comparison of wages and withholding reported by these 32 employers on their tax return to Forms W-2 submitted to the SSA identified underreported Form W-2 wages totaling more than $2 billion. The IRS had not established a process to identify these cases and, as a result, the penalties were not assessed as required. In addition, TIGTA s analysis of discrepancy cases identified that the IRS excluded 22,814 of the 134,937 cases referred from the SSA. Of the 22,814 cases, 608 were excluded because of computer programming errors. As a result, the IRS did not assess more than $22 million in penalties. A comparison of wages and withholding reported by these 608 employers identified underreported Forms W-2 wages totaling more than $225 million. As part of a settlement agreement from a lawsuit to force prompt resolution of the backlog of unreconciled cases, the IRS is required to work all cases that the SSA refers. IRS management indicated that the 608 cases were erroneously excluded because of computer programming errors. It is important that the IRS hold employers accountable for filing complete and accurate wage information, said J. Russell George, Treasury Inspector General for Tax Administration. Discrepancies in the wages credited to an individual s Social Security account may affect the amount of Social Security benefits available to the employee upon retirement, he added. TIGTA recommended that the IRS (1) develop a process to identify and ensure that penalties are assessed as required on those employers who do not reply to the IRS s requests for missing Forms W-2, and (2) correct computer programming errors to ensure that cases are accurately reflected as needing to be worked and penalties assessed when appropriate. The IRS agreed with TIGTA s recommendations and plans appropriate corrective actions. 30