IRS Needs to Mitigate Risks in Implementation of New Fraud Detection System

Published: September 04, 2013


According to a new audit report from the Treasury Inspector General for Tax Administration (TIGTA), the IRS needs to make system development process improvements to ensure successful implementation of its new fraud detection system called the Return Review Program (RRP).

Each year, tax refund fraud totals $19.2 billion, according to IRS estimates. The IRS determined that its current system for fraud detection, the Electronic Fraud Detection System (EFDS) implemented in 1994, is outdated and would be inefficient to maintain or operate beyond 2015. Successful implementation of the new RRP, which began in 2010, will increase the IRS's ability to identify fraudulent tax refunds. RRP will be the key automated component of the IRS's pre-refund initiative. The system will implement the IRS's new business model for a coordinated criminal and civil tax noncompliance approach to prevent, detect, and resolve tax refund fraud.

TIGTA conducted the audit to determine if the IRS technology development organization was adequately managing system development risks in order to achieve desired RRP objectives. TIGTA found that the role of system integrator was not clearly documented or communicated. Program-level governance roles were not yet established. Critical system development plans were not completed or approved prior to committing significant resources. Initial system development efforts were hindered by the absence of prototype Enterprise Life Cycle guidance. Finally, the IRS did not fully consider commercial software products for the system.

TIGTA made the following recommendations for the CTO:

  • Establish appropriate program-level governance with enterprise-wide authority for RRP.
  • Clearly document and communicate RRP systems integrator roles and responsibilities.
  • Ensure that RRP Prototype Management Plans clarify how to measure prototype success, map prototype activities to requirements, incorporate lessons learned, and obtain approval from governance bodies.
  • Document for approval by RRP governance bodies the systems development path.
  • Ensure that the IRS IT organization establishes sufficient Enterprise Life Cycle guidance for managing prototype efforts.
  • Take appropriate steps to ensure that change requests include alternative analyses and impact assessment, and establish and implement Enterprise Architecture guidelines for evaluating later versions of tested commercial products.

The IRS agreed with TIGTA's recommendations in its response. Two corrective actions have already been implemented: creation of two enterprise-wide governance entities to oversee RRP, and updates to RRP prototype management plans and reports to include measures for performance criteria and functional performance requirements.

Further planned IRS actions include:

  • Documenting system integrator roles and responsibilities in the RRP Project Management Plan.
  • Documenting the approved RRP systems development path.
  • Updating the Internal Revenue Manual with prototype guidance.
  • Developing a standard, repeatable process for analyzing and processing Enterprise Architecture Change Requests.

Proper development and implementation of the new RRP system will greatly improve the IRS's ability to prevent, detect, and resolve tax refund fraud, including identity theft.