GAO reviewed the Internal Revenue Service's (IRS) accomplishments in the 5 years since the IRS Restructuring and Reform Act of 1998 was past. Specifically, GAO determined (1) how much money IRS has spent on upgrading its security, (2) whether the challenges associated with ensuring information security are technological or managerial, and (3) if IRS is taking sufficient steps to eliminate overpayments to the Earned Income Credit (EIC).
According to IRS officials, spending for security in fiscal year 2003 is about $132 million,including about $39 million dedicated to information technology security improvements. For fiscal year 2004, IRS officials state that they have requested about $136 million for information security, with about $40 million dedicated to improvements. The challenges facing IRS in ensuring information security are largely managerial. Ensuring that known weaknesses affecting IRS's computing resources are promptly mitigated and that computer controls effectively protect its systems and data requires support and leadership from senior management of IRS's information technology and operating divisions, disciplined processes, and consistent oversight. We have reported that an underlying cause for the hundreds of information security weaknesses identified during our reviews of IRS's computer controls was that IRS has not fully implemented its agencywide information security program. Implementing such a program requires that IRS take a comprehensive approach that includes assessing risks and evaluating needs, establishing and implementing appropriate policies and controls, enhancing awareness and technical skills, and monitoring the effectiveness of controls on an ongoing basis. Further, a successful program will need the active and accountable involvement of both (1) operating division executives and managers who understand which aspects of their missions and information systems are the most critical and sensitive and (2) technical experts who know the agency's systems and understand the technical aspects of implementing security controls. Because IRS's latest compliance study uses tax year 1999 data and its new initiatives are in the early planning stages, it is too early to determine whether IRS's steps to reduce EIC overpayments will be sufficient. IRS has plans to evaluate the success of its initiatives, but data will not be available for some time. IRS has and continues to take steps aimed at reducing EIC overpayments. IRS received about $875 million in special appropriations for EIC compliance initiatives between 1998 and 2003. The most recent data available, for tax year 1999, showed that overpayments for the EIC are estimated to be between about 27 and 32 percent of dollars claimed or between $8.5 billion and $9.9 billion. For fiscal year 2004, IRS has asked for a total of $251 million. This included $100 million to enhance its EIC compliance initiatives--about $45 million for technology improvements and about $55 million for direct casework. The direct casework involves three new initiatives, each of which would be tested over the next year and, depending on the results, expanded in future years. The initiatives cover (1) qualifying child verification, (2) income misreporting, and (3) filing status.
Click here for the full GAO Report, PDF Version, 3pgs. 42K