Development Weaknesses Exist In ACA Health Care Premium Tax Credit Project: TIGTA

Systems development controls need to be fortified by the Internal Revenue Service in order to ensure the accuracy of tax credits that will be credited to individuals who buy health insurance through the health care exchange or marketplace, according to a recent report from the Treasury Inspector General for Tax Administration (TIGTA). Beginning in January 2014, eligible taxpayers who purchase health insurance through an exchange may qualify for and request a refundable tax credit known as the Premium Tax Credit (PTC) to assist with paying their health insurance premiums. The PTC is claimed on a federal tax return at the end of each coverage year, or it can be paid in advance, as the Advanced Premium Tax Credit (APTC), to a taxpayer’s health insurance provider to help cover the cost of premiums.

According to a recent TIGTA audit, the IRS should strengthen systems development controls for the PTC Project, which is part of the IRS’s ACA Information Technology (IT) Program Management Office (ACA PMO). The TIGTA report is limited to a review of the PTC Project’s ACA Release 3.0 activities, which focus on the implementation of health insurance purchasers’ eligibility and enrollment information processes that have an impact on tax administration.

The objective of ACA Release 3.0 is for the IRS to receive requests from the exchanges that include information on an applicant’s household income, coverage year, income as a percentage of the federal poverty level (FPL), and the adjusted premium for the second lowest cost silver plan on the exchange. The IRS will calculate maximum monthly APTCs and Remainder Benchmark Household Contributions (RBHCs), which are households’ contributions towards their monthly insurance premiums, and return responses to the exchanges via the HHS Hub.

Some data is lost, outdated. According to the TIGTA report, the IRS has completed development and testing for the PTC Computation Engine (PTC-CE), which will calculate the maximum APTC and RBHC and has developed a process to verify the accuracy of the PTC-CE calculations, but it needs to improve configuration and change management controls to ensure long-term success for the PTC Project. For example, the TIGTA was informed that its recent audit prompted a discovery that an original test case and run history were inadvertently overwritten and lost when updates were made. It also was discovered that another test case was initially developed and executed with an outdated input data file. According to the TIGTA, if these weaknesses had not been addressed prior to the implementation of the PTC-CE, the IRS testing would have used incorrect input data, and it could have resulted in incorrect calculations of the maximum APTC for applicants, which, in turn, could have resulted in improper tax payments.

The TIGTA also found five interagency test cases that did not contain all key requirements necessary to verify system capabilities. Staff from the IT Implementation and Testing organization, which is part of the ACA PMO, apparently explained that testing with other federal agencies involves new processes, and that everyone is learning as they go along, and added that the IRS had decided to restrict certain data from the Centers for Medicare and Medicaid Services (CMS) during the test case development process. The TIGTA has responded that this could result in inaccurate or incomplete traceability between requirements, test cases, and test results, and it concluded that the IRS has consequently not applied established systems development controls to verify that the HHS Hub and the IRS portal effectively transfer data as needed for the IRS to calculate the maximum APTC.

J. Russell George, Treasury Inspector General for Tax Administration, has stated that, “With the healthcare exchanges open for business, it is imperative that the IRS ensure the accuracy and completeness of Premium Tax Credit and Advanced Premium Tax Credit calculations and ensure the security of information provided by taxpayers to the IRS and subsequently transmitted to other government entities.” Recommendations made by the TIGTA to the IRS include the development of an action plan for resolving security test issues and an update to the Internal Revenue Manual to provide specific guidance on how to identify and mitigate potential fraud risks with the design, development, and testing of the new information technology systems that must be implemented to meet ACA requirements.

Fraud mitigation strategy lacking. The TIGTA report also included the finding that change management guidelines were not consistently followed when baseline security requirements were withdrawn from the PTC Project and that there is no fraud mitigation strategy in place to guide ACA systems development, testing, initial deployment, and long-term operations. More specifically, the IRS conceded that its existing fraud detection system is unable to keep pace with increasing levels of fraud. Furthermore, the TIGTA found that alternative commercial software products were not fully considered prior to selecting technology solutions for the Return Review Program (RRP) System, which is one of the IRS’s new systems under development to address ACA tax refund fraud risk.

For more information, visit http://www.treasury.gov/tigta/auditreports/2013reports/201323119fr.pdf
