IRS Needs to Improve Security for ObamaCare Tax Credits
On top of the other problems associated with the troubled rollout of the federal government’s online health insurance exchange, the Internal Revenue Service is now being urged to strengthen the security and anti-fraud protections for the tax credits it will be providing to help taxpayers afford the cost of the insurance premiums.
The IRS needs to strengthen the systems development controls for the Premium Tax Credit Project that it undertook to implement the Affordable Care Act, the Treasury Inspector General for Tax Administration said in a new report publicly released Tuesday.
Beginning next month, eligible taxpayers who purchase health insurance through the Health Insurance Marketplace exchange may qualify for and request the Premium Tax Credit to help them pay for their health insurance premiums. The PTC is claimed on the taxpayer’s federal tax return at the end of each coverage year. Because it is a refundable credit, taxpayers who have little or no income tax liability can still benefit. The PTC can also be paid in advance to a taxpayer’s health insurance provider to help cover the cost of premiums. This credit is referred to as the Advanced Premium Tax Credit, or APTC.
The IRS’s implementation plan for ACA Exchange provisions includes providing information that will support the Department of Health and Human Services and the health insurance exchanges in three main areas: eligibility and enrollment; developing calculations for the maximum APTC; and reconciling PTCs with reported taxable income.
TIGTA reviewed whether the IRS is adequately managing systems development risks for the PTC Project. TIGTA evaluated the IRS’s key management controls and processes for risk management, requirements and change management, testing, security, and fraud detection for the PTC Project.
The report found that the IRS has completed development and testing of the software used to calculate the Advanced Premium Tax Credit and the Remainder Benchmark Household Contribution, or RBHC, which is the household’s contribution towards the monthly insurance premium.
In addition, the IRS developed a process to verify the accuracy of the PTC calculations. Based on an analysis of IRS test cases for the software, TIGTA was able to replicate the IRS’s results showing that the software accurately calculated the maximum APTC and RBHC amounts for eight specific test cases within the IRS test environment. While the IRS was able to accurately calculate the maximum APTC amounts within the software testing environment, TIGTA was unable to assess the software’s full operational capabilities based on the test cases.
TIGTA found that improvements are needed to ensure the long-term success of the PTC Project by adhering to systems development controls for configuration and change management, interagency test management process, security, and fraud detection and mitigation in accordance with applicable guidance.
“With the healthcare exchanges open for business, it is imperative that the IRS ensure the accuracy and completeness of Premium Tax Credit and Advanced Premium Tax Credit calculations and ensure the security of information provided by taxpayers to the IRS and subsequently transmitted to other government entities,” said TIGTA Inspector General J. Russell George in a statement.
IRS acting commissioner Danny Werfel responded to the report, stressing the IRS’s track record with tax data. “The IRS has a strong, effective system in place for administering the Premium Tax Credit,” Werfel said in a statement. “We have a proven track record of safely and securely transmitting federal tax information, and we have a robust and secure process in place to deliver this important credit for taxpayers.”
TIGTA made seven recommendations to the IRS, including that it develop an action plan for resolving security test issues and that the Internal Revenue Manual be updated to provide specific guidance on how to identify and mitigate potential fraud risks with the design, development, and testing of the new information technology systems that must be implemented to meet ACA requirements.
The IRS agreed with six of the recommendations and plans to implement corrective actions. However, the IRS disagreed with TIGTA’s recommendation that the IRS’s Cybersecurity organization develop an action plan with specific time periods to address the failed security tests, claiming it already does so. But TIGTA maintains that this recommendation should be addressed to verify the completion of the necessary corrective measures for the failed information technology controls that were observed during the audit.
IRS chief technology officer Terence V. Milholland pointed out in response to the report that the IRS’s Affordable Care Act Program Management Office has put in place sound management practices that have been recognized by TIGTA in earlier reviews, but he acknowledged that there are always opportunities for improvement.
“The IRS has a consistently strong focus on both securing our information technology systems and guarding against tax administration fraud,” Milholland added. “In conducting its fieldwork, the audit team observed the IRS while it conducted the Security Control Assessment (SCA). In line with our current practice and procedures, we developed an action plan for any issues identified at the conclusion of the SCA. As part of our process, our Cybersecurity organization has completed the Security Assessment Report and a risk mitigation plan since the closing of the audit in accordance with National Institute of Standards and Technology guidelines.”