While the Financial Institution Registration System Deployed on Time, Improved Controls Are Needed
Treasury Inspector General for Tax Administration sent this bulletin at 10/27/2014 01:06 PM EDT 
Treasury Inspector General for Tax Administration
Office of Audit
Issued on September 30, 2014
Highlights
Highlights of Report Number: 2014-20-094 to the Internal Revenue Service Chief Technology Officer and the Commissioner, Large Business and International (LB&I) Division.
IMPACT ON TAXPAYERS
The deployment of the Financial Institution Registration System (FRS) supports provisions of the Foreign Account Tax Compliance Act (FATCA). Taxpayers meeting the reporting requirements threshold began reporting their foreign financial assets on Form 8938, Statement of Specified Foreign Financial Assets, beginning with the 2012 Filing Season. Foreign financial institutions are required to report to the IRS information about financial accounts that exceed certain thresholds held by U.S. taxpayers or foreign entities in which U.S. taxpayers hold a substantial ownership interest. Withholding agents will withhold a 30 percent tax on taxpayers who fail to properly report specified financial assets related to U.S. investments. Expenditures for FRS development totaled approximately $16.7 million for Fiscal Year 2011 through Fiscal Year 2013. In Fiscal Year 2014, funding available for the FATCA Program was $46.6 million.
WHY TIGTA DID THE AUDIT
Our objective was to determine whether the IRS Information Technology organization has adequately mitigated systems development risks for the FRS. TIGTA reviewed risk management processes, the FRS solution architecture, Systems Acceptability Testing results, security testing results, and access controls implemented for users of the FRS. TIGTA also assessed IRS actions taken to ensure that the FRS electronic signature process is as reliable as is appropriate for the intended purpose.
WHAT TIGTA FOUND
The IRS deployed FRS Release 1.1 in December 2013 to provide functionality to foreign financial institutions and authorized IRS employees. Our review found that the IRS has not yet: (1) approved and implemented FRS business performance measures; (2) completely traced FRS system-specific security requirements to security controls, test cases, and test results; (3) fully evaluated the risks of using electronic signatures for registration forms; (4) fully documented FRS system access controls design, implementation, and functionality; and (5) integrated an automated tool suite to enable effective requirements management.
WHAT TIGTA RECOMMENDED
The Chief Technology Officer should (1) coordinate with the LB&I Division to implement business performance measures to quantify the benefits of the IRS’s FRS investment; (2) completely trace FRS system-specific security requirements to controls, test cases, and test results to ensure security requirements are fully tested prior to deployment; (3) determine whether a particular technology and set of procedures for electronic signatures as selected are as reliable as is appropriate for the intended purpose; (4) document system access controls in sufficient detail to permit analysis and testing; and (5) apply integrated automated tools to manage FATCA systems requirements traceability. TIGTA also recommends that the Commissioner, LB&I Division, complete a risk analysis and cost-benefit analysis to assess the likelihood and cost of implementing enforceable electronic signatures.
The IRS agreed with two recommendations but disagreed with five recommendations related to security requirements traceability, electronic signatures, security access controls, and integrating automated requirements management tools. TIGTA maintains that definitive corrective actions are needed to ensure long-term success for the FRS and to fully support IRS goals for FATCA implementation.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2014reports/201420094fr.html.
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500
Website: http://www.treasury.gov/tigta