
Integrated Financial System

 

Privacy Impact Assessment - Integrated Financial System

Data in the System

1. Generally describe the information to be used in the system in each of the following categories: taxpayer, employee, and other.

In accordance with its mission, the IFS project implements a set of modernized capabilities that are focused on improving the IRS’ internal management processes. The project is focused on the initial release of a commercial off-the-shelf (COTS) financial package for enterprise management of IRS’ budget, funds management, and accounting functions. The first release includes core financial management, general ledger, budget formulation, accounts payable, accounts receivable, funds management, cost management, and financial reporting.

  • Taxpayer - IFS will collect and process taxpayer information only through the HCTC interface.
  • Employee - Logs of users' accesses of the IFS system will be maintained to provide the auditing functionality required by the IRS. Additionally, employee information, such as name, address, and SSN, will be collected as needed to process monetary transactions with employees such as travel reimbursements. Employee SSNs in SAP Business Warehouse query reports are available to a restricted group of IFS end-users and are used only for IRS-wide payroll reconciliation. There are approximately 3 - 4 IRS SMEs (two [2] primaries in addition to 1 or 2 alternates) from the Administrative Accounting Branch (AAB) located in Beckley, West Virginia, who have access to these reports, which contain Employee SSNs generated by the SAP BW application. These limited IFS end-users are IRS employees and have undergone the appropriate background investigations and Online Form 5081 approval process prior to obtaining the level of system access required to perform their duties.
  • Other - All other information collected, processed and/or distributed by IFS is for the correct operation of the system and does not identify any person or organization specifically.

2. What are the sources of the information in the system?

IFS will interface with the same system components as the current AFS CPE system to obtain its financial information. In addition, sensitive data, such as Employee SSNs, will be obtained through the same means of communication and used for the sole purpose of IRS-wide payroll reconciliation. These interfaces will be batch file transfers only.


Table 2-1 provides a brief overview of each interface.

Table 2-1 Interface Summary
No. | Interface Name | Description

1 Austin Data Warehouse

The ADW application supports the IRS in managing and processing data from the following:

  • Audit Information Management System (AIMS)
  • Resource Management Information System (RMIS)
  • Collection Activity Report (CAR)
2 AINFC
Automated Interface to the National Finance Center
AINFC system management performs an internal balancing process. This interface receives detailed payroll transactions and summarizes them before loading them into the standard general ledger (SGL). It also provides employee data input for verifying valid users of the system; employee information required to process AP, AR, and other transactions; and the information used for budgetary functions.
3 Disbursements
Interface to create a file containing payment information from the disbursement process executed in the modernized core financial system. Disbursements will include vendor checks/EFTs and employee checks/EFTs for travel and relocation expense reimbursement, travel advances, non-travel related expenses and emergency salary payment (ESP). Employee checks/EFTs do not include payroll-related transactions.
4 GLASS
General Ledger Accounts Support System
This interface facilitates the verification of correct summarization of all cash accounting data and payroll transactions prior to posting them to the standard general ledger and includes updating all other associated accounts. GLASS is made up of four (4) components: Cash, OSL, Payroll, and ABCO.
5 HCTC
Health Coverage Tax Credit

HCTC is the application the IRS uses to process and manage the following:

  • Invoice creation for health care provider (vendors) and for individual refunds
  • Summary cash position
  • Payment extract advice for clearing

The HCTC application receives inbound interface file(s) from HCTC SAP to create invoices for health care providers and for individual refunds. HCTC receives payment advice extract file from IFS.

6 HR-Connect
Interface between the modernized core financial system and the HR Connect system to synchronize common codes.
7 PCC
Paper Check Conversion System
PCC converts paper checks into electronic debits to a check writer’s account. Because the conversion is automated, the collections and reporting process is more efficient. PCC can be used at the point-of-sale or at an Agency-collected lockbox location where mail-in checks are received at the Agency. PCC captures a complete electronic image of the check and allows for the retention of a facsimile without retaining paper. PCC verifies that the account upon which the item is written is not closed and that the check writer does not have a history of writing bad checks. PCC converts paper checks to electronic debits for processing through the Automated Clearing House (ACH) network.
8 RAPS
Relocation Allocation Payment System
Interface between the modernized core financial system and Relocation Allocation Payment System (RAPS).  Relocation activities are initiated in RAPS, the associated disbursements are made from the core financial system.  RAPS is primarily used to calculate relocation withholdings and report to the employee via reports.
9 SAAS
Security Audit and Analysis System
Interface between the modernized core financial system and the Security Technical Infrastructure Release (STIR) Security Audit and Analysis System (SAAS). Audit logs maintained within the IFS solution will be transmitted to SAAS, from which security audits will be performed.
10 SETR
Single Entry Time & Reporting System

SETR is the vehicle through which hours are reported on two time reporting systems:

  • Integrated Management Planning Information System (IMPIS), which is the Service Center Work Planning and Control (WP&C) System
  • Personal Computer Time and Attendance Remote Entry (PC-TARE), which is the time keeping component of the Treasury Integrated Management Information System (TIMIS) payroll system

The purpose of the SETR interface is to pass the effort, in number of hours, expended to produce products/services by employees who use organization, function, and program codes to recognize the activities they perform.

11 Treasury
Interface between the modernized core financial system and Treasury. This includes FMS, Tier, Facts I and II, 224, OPAC, IPAC, and FICA/Medicare Withholding. Confirmation reports returned to the IRS by FMS are used to track check ranges used for payments.
12 Validation Data Files
(Various Target Systems)
The Validation files are accounting string files that are essential for any external application to share data with the IFS application. Their main purpose is to ensure that the IRS internal financial applications share the same accounting strings/codes so that accounting data from the various applications may be shared.
13 Web IPS RTS
Integrated Procurement System

Interface between the modernized core financial system and the Integrated Procurement System for tracking purchase orders (PO), PO lines, PO receipts, PO returns, and PO payments.

Interface between the modernized core financial system and the automated acquisition system for creating, routing, approving, and tracking requisitions and procurement awards.

14 WebTRAS
Travel Reimbursement and Accounting System
Interface between the modernized core financial system and the Travel Reimbursement and Accounting System (TRAS). This interface accepts user inputs of travel advances and voucher data, enables managerial approval of travel documents, and forwards approved documents to the IRS accounting system for processing and payment. It performs a comprehensive audit of each voucher field, and allows managers to request and receive real-time reports of travel expenditures.

The IFS Interfaces fall into several general categories:

  • IRS Internal Systems: Systems that are within the IRS. These can be further divided into Modernized and CPE.
  • IRS External Trading Partners: Any system that is NOT part of the IRS. For example, as depicted in the diagram above, US Treasury and Social Security Administration are both considered External Trading Partners.

In accordance with the “IRS FTP Policy” (dated April 2003), authored by IRS Security Policy Support and Oversight, as the IFS Data Transfer Server (DTS) only sends/receives data within the IRS enterprise network, no data transferred to or from the DTS is encrypted. Of note, IFS is currently still using FTP technology.

2a. What IRS files and databases are used?

The IRS files and databases used within IFS are specified in Section 2 Interface Overview of the following ICDs:

  • Austin Data Warehouse
  • Automated Interface to the National Finance Center
  • General Ledger Accounts Support System
  • Planning, Analysis & Decision Support
  • Relocation Accounting Payment System
  • Security Audit and Analysis System
  • Single Entry Time & Reporting System
  • Various Target Systems for Validation
  • Web-Integrated Procurement System Request Tracking System
  • Web-Enabled Travel Reimbursement and Accounting System

Other files and databases used within IFS are not IRS systems.

2b. What Federal Agencies are providing data for use in the system?

Federal systems to which IFS interfaces are:

  • Treasury for access to HR-Connect, Disbursements and WebTIER
  • Social Security Administration
  • Health Coverage Tax Credit (Accenture)
  • Paper Check Conversion System
  • Department of Agriculture [National Finance Center (NFC)] (Inbound Only)

Of note, the Department of Treasury (DoT) Financial Management System (FMS) provides disbursement data indirectly to Enterprise Computing Center- (ECC-MTB). That data is then transmitted from ECC-MTB to the Computing Center (DCC) for use within the IFS system.

2c. What State and Local Agencies are providing data for use in the system?

No state or local agencies have been identified that will provide information directly to IFS.

2d. From what other third party sources will data be collected?

IFS Release 1 will not collect data from any other third party sources.

2e. What information will be collected from the taxpayer/employee?

IFS will not collect any data directly from the taxpayer. IFS will receive a limited amount of taxpayer data via the HCTC interface (refer to the IFS HCTC ICD, Version 2.2 for details). No data will be collected directly from employees; however, in accordance with IRS auditing policy, audit data will be collected on users' activities and transmitted to SAAS (refer to IFS SAAS ICD, Version 2.2 for details).

3a. How will the data collected from sources other than IRS records and the taxpayer be verified for accuracy?

The transfer protocols used by the IFS system to communicate with the various interfaces include data integrity mechanisms to verify that the file sent is the file received. If there is a data integrity failure, the file is either (depending upon the interface) automatically re-transmitted or the production support team is notified via email via the Tivoli Maestro Workflow Scheduler. In either case, corrupt files are not accepted by IFS for processing.

Additionally, files received by the Data Transfer Server (DTS) are passed to Informatica, where additional data integrity checks are made. If the file does not pass the integrity check, the process is aborted (with an appropriate error message added in the Error Control table).

3b. How will data be checked for completeness?

The data used is obtained from the authoritative sources (i.e. Treasury) in real-time and it is understood to be complete when obtained in this manner. If an error occurs, the data is either rejected and sent back to the feeder system or corrected through adjustment entries made by IFS personnel prior to processing. The Logging & Error Handling section of each IFS ICD explains in detail what is to be done in the event of incomplete or erroneous data being received by the IFS system.

3c. Is the data current?  How do you know?

In order to maintain current data, files are transferred between IFS and the other systems on a scheduled basis as follows:

  • Daily
    • HCTC
    • SAAS
    • RAPS
    • GLASS
    • WebIPS/RTS
    • WebTRAS
    • PCC
  • Bi-Weekly
    • HR-Connect
    • AINFC
  • Monthly
    • ADW
    • SETR
    • WebTIER

These systems are considered to be authoritative sources and the data received from them is understood to be current. Daily, biweekly and monthly transmissions are processed after being received and verified as eligible information for IFS processing.

4. Are the data elements described in detail and documented?  If yes, what is the name of the document?

All data elements of all 15 interfaces are identified in the ICDs specified in Section 1.4.2 Other Related Documents of this document.

Updates to existing ICDs are not necessary, as the Employee SSN is already existing data within IFS, which was never utilized for payroll reconciliation functions until IRS Business Requirements called for its inclusion as part of SAP BW query reports. The ABCO and Payroll Reconciliation SMEs need to see records categorized by Employee SSN to research and reconcile their reports.

Access to the Data

1. Who will have access to the data in the system (Users, Managers, System Administrators, Others)?

The IFS user community consists of four different types of users:

  1. The typical IFS user, of which there will be approximately 600-1000, will be granted access to the system by role. Each user is assigned a specific set of roles, which limit their access to those transactions and views specific to their functional requirements. For additional information on user roles, refer to Section 3.14 User Security Responsibilities of the IFS Security Features User’s Guide, Version 1.1.
  2. Business administrative users, of which there will be approximately 5-6, will have roles as defined above, but will also have the ability, in the development environments, to modify the business rules, reports, queries, transactions, etc. as needed to ensure that the IFS system is in sync with IRS business requirements. Changes to the production IFS system will follow the standard build-promote methodology to ensure all changes to the environment have been tested and approved prior to their introduction.
  3. System developers and administrators, of which there will be approximately 10-15, have access to the application software environment, but are not assigned financial transaction roles and cannot view any data within the system. These users will access the production system via the SAPgui client installed on their PCs, and not via the Employee User Portal as do all other users. These users are granted this access for troubleshooting and systems analysis purposes. These users will still be required to logon to the SAP environment and their activities will be audited in the same manner as all other users.
  4. Payroll Reconciliation Specialists, of which there will be no more than 3-4 users, may be reduced to 2-3 users once the appropriate training and turnover of duties has occurred. The breakdown of the users is as follows: 1 primary for payroll reconciliation; 1 for backup; and 1-2 technical people, who provide assistance for any failures with the SAP Business Warehouse components. These particular users of IFS resources are IRS employees and have undergone the appropriate background investigations and Online Form 5081 approval process prior to obtaining the level of system access required to perform their duties.

Specific details of the assigned roles, transactions and table access permissions may be found in the "Role Transaction Code Content" report in the "Profile Generator of SAP".

2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

Payroll Reconciliation data is accessed by exactly three end users, two primary users and a new backup. Access will be on a least-privilege basis and will be audited to ensure that IRS policies are being observed. The IFS SAP user configurations will be defined using role-based access. The business role of the user will determine the SAP roles to which that user is assigned. For additional information on user roles, refer to Section 3.14 User Security Responsibilities of the IFS Security Features User's Guide, Version 1.1. Specific details of the assigned roles, transactions and table access permissions may be found in the "Role Transaction Code Content" report in the "Profile Generator of SAP".

Access by the payroll reconciliation specialists to the refined BW query reports is controlled through object-oriented controls in addition to user profiling. In a Windows environment, a user profile is a record of user-specific data that defines the user's working environment. The record can include display settings, application settings, and network connections. What the user sees on his or her computer screen, as well as what files, applications and directories they have access to, is determined by how their user profile is set up. If any end user, other than the payroll reconciliation specialist, attempts to log on to the designated workstations, that end user does not have access or permissions to the data files designated for use by the payroll reconciliation specialist, which contain sensitive data elements from repeated saving of SAP BW query report files. The users only have access to assigned IRS resources, such as shared drives, networked printers, etc., per their roles and responsibilities.

The IFS standing procedure is to save IFS Payroll Reconciliation data to the network drives. The same data is sometimes temporarily stored on the local hard drive: IFS BW data is first stored on the local hard drive, then immediately uploaded to a network drive. After the data is uploaded, the copy on the hard drive is deleted. The interim step of saving to the local hard drive is a necessity due to the configuration of the CITRIX environment. The controls for protecting Payroll Reconciliation data when downloaded onto the desktop system are managed by the End User Equipment and Services (EUES) organization.

Paper copies of data are stored in either locked file cabinets or a locked file room with limited access.

Data stored to CDs is stored in a locked file room with restricted access.

3. Will users have access to all data on the system or will user's access be restricted? Explain.

All users are limited via role-based access, profiles, and separation of duties to ensure that users can only access data and perform transactions as required by their specific jobs. For additional information on user roles, refer to Section 3.14 User Security Responsibilities of the IFS Security Features User’s Guide, Version 1.1. Specific details of the assigned roles, transactions and table access permissions may be found in the "Role Transaction Code Content" report in the "Profile Generator of SAP". Access to the BW reports containing Employee SSNs is restricted through the use of object-oriented controls and user profiles. SAP BASIS administrators configure these access controls upon obtaining management approval for granting the Payroll Reconciliation Specialists the requested privileges.

4. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

IFS will interface with the Security Audit and Analysis System (SAAS) in a batch, file-based manner. SAP audit logs, which will contain information about all data manipulations performed in the system, will be transferred to SAAS in the ISS-defined file format.

The IFS (SAP) Security Audit Log records security-related system events on IFS (SAP) components. Components include R/3, BW, and SEM.

The SAP Portal’s Presentation and Repository servers are audited by the operating system audit.

The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the IFS (SAP) application. When activated, the Security Audit Log keeps a record of the specified activities of all users. The audit logs can be accessed at any time for evaluation in the form of an audit analysis report. Access to the security audit logs is restricted to the security administrator(s). The details of the interface, including data elements and the interval at which this data will be transferred, can be found in the IFS Security Audit and Analysis System ICD, Version 2.2.

Although Employee SSNs are now available within SAP BW reports, the same auditing controls apply to prevent misuse of the data by the limited users having access to this level of sensitive data (Employee SSNs).

5a. Do other systems share data or have access to data in this system? If yes, explain.

Not in an online/real-time manner, but IFS business requirements necessitate the transmission of information as batch file transfers to the following systems:

  • HCTC
  • SAAS
  • Treasury (Disbursements and W2 information to the SSA)
  • WebIPS/RTS
  • WebTRAS
  • AINFC
  • WebTIER

5b. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?

The system receiving data from IFS will be responsible for the proper use of that data. The data exchanges between IFS and the interfaces are governed by the following documents:

  • Interconnection Security Agreement Between IFS and Internal Revenue Service, Version 2.1
  • Interconnection Security Agreement Between IFS and the Social Security Administration, Version 2.1
  • Interconnection Security Agreement Between IFS and the U.S. Department of Treasury, Version 2.1

For the payroll reconciliation functionality, there will be no use of external interfaces to third-party entities or resources. All payroll reconciliation information, which includes the Employee SSNs, is used internally by the IRS and its employees.

6a. Will other agencies share data or have access to data in this system (International, Federal, State, and Local, Other)?

The only agencies outside the IRS to receive data from IFS are:

  • Treasury (for Disbursements, WebTIER and HR-Connect)
  • HCTC (Accenture)
  • Social Security Administration

Data will be shared as a batch file transfer, and is not available online/real-time. No third-party interface to IRS-wide payroll reconciliation data that includes the Employee SSNs will be permitted.

6b. How will the data be used by the agency?

The purpose of IFS is to enable effective Internal Management (IM) of business processes related to the following business areas: Core, General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR), Budget Formulation (BF) and Execution (BE), and Cost Accounting (CO). IFS will also provide the IRS with a unified Standard General Ledger (SGL) compliant system for both Custodial and IM accounting information.

For details about how each interface’s data is used within IFS, refer to the IFS ICDs.

6c. Who is responsible for assuring the proper use of the data?

The Chief Financial Officer will be responsible for the proper use of the data. The data exchanges between IFS and the interfaces to external partners are governed by the following documents:

  • Interconnection Security Agreement Between IFS and Internal Revenue Service, Version 2.1
  • Interconnection Security Agreement Between IFS and the Social Security Administration, Version 2.1
  • Interconnection Security Agreement Between IFS and the U.S. Department of Treasury, Version 2.1

6d. How will the system ensure that agencies only get the information they are entitled to under IRC 6103?

The handling of IFS data that includes payroll reconciliation information and Employee SSNs is controlled through Privacy Act requirements.

There is 6103 data (taxpayer return or return information) sent to, from, or contained within IFS via the HCTC interface. Section 5 of the HCTC ICD identifies the specific fields that are received from and transmitted to HCTC. No other interface into IFS sends, receives or manipulates 6103 data.

Attributes of the Data

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

The data maintained in IFS is both relevant and necessary to support the functionality specified in the contractual requirements. Details for each interface and the data elements managed therein are contained in the IFS ICDs.

Payroll reconciliation of IRS-wide financial data by the Reports & Reconciliation Section is both relevant and necessary. The designated ABCO and Payroll Reconciliation SMEs have a need to see records by SSN to research and reconcile their reports. SSNs that come from the flat files (text-only reports) are stored in an Operational Data Store (ODS), to which users have no access. The creation of queries against the ODS will allow the designated ABCO and Payroll Reconciliation SMEs to sort the payroll reconciliation records by SSN. The special privileges assigned to the Payroll Reconciliation Specialists are extremely pertinent so that these individuals can perform their roles and responsibilities and satisfy the IRS business requirements in a timely manner.

2a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No new data will be stored or derived about the individual taxpayer nor employees of the IRS.

As part of the auditing and logging activities of IFS, user activity data will be collected, stored and transmitted to SAAS. This data will describe the user's accesses and transactions within certain restrictions; for additional information, refer to Section 3.4 What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

2b. Will new data be placed in the individual's record (taxpayer or employee)?

No new data will be collected or placed in the taxpayer's record by the IFS application. IFS provides information to other systems which may update taxpayer and/or employee records.

The activity data on administrative users captured in audit logs will not be placed in the employee's record; however, IFS Audit Trail data is sent to SAAS for use by UNAX applications.

2c. Can the system make determinations about taxpayers or employees that would not be possible without the new data?

The IFS system does not make any automated determinations about taxpayers or employees. As a manual operation, the SAP activity logs will allow the Security Auditor to make determinations as to the appropriateness of all user activities.

2d. How will the new data be verified for relevance and accuracy?

The audit data is relevant because it is created directly by user activity.

The activity data in the audit logs will be captured directly from the system. The accuracy can only be verified by the assurance that the system has been implemented correctly. The Certification and Accreditation of IFS will provide this assurance.

3a. If the data is being consolidated, what controls are in place to protect the data from unauthorized access or use?

In IFS Release 1 no data consolidation will take place.

3b. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

In IFS Release 1 no process consolidation will take place.

4. How will the data be retrieved? Can a personal identifier retrieve it? If yes, explain.

Data within SAP can be retrieved using a wide variety of criteria. There are database views within IFS that allow users to retrieve information based on personally identifiable information. These views are a part of the business requirements of IFS and are subject to the same restrictions by role as specified in Section 3.3 Will users have access to all data on the system or will user's access be restricted?

All users are limited via role-based access (RBAC), profiles, and separation of duties to ensure that users can only access data and perform transactions as required by their specific jobs.

For payroll reconciliation purposes, Employee SSNs are primarily used by the designated payroll specialists to sort query reports by fields that are being generated by SAP BW components.

What are the potential effects on the Due Process rights of taxpayers and employees of:

4a. Consolidation and linkage of files and systems - IFS does not consolidate or link any files or systems that are not currently consolidated or linked in other IRS systems. This will have no effect on Due Process rights.

4b. Derivation of data - IFS does not derive any data that is not currently consolidated or linked in other IRS systems. This will have no effect on Due Process rights.

4c. Accelerated information processing and decision making - Data will be timely and accurate and thus will result in improved service to and about the employee and/or taxpayer. This will have no effect on Due Process rights.

4d. Use of new technologies - The use of the EUP and SAP roles as well as the ability to audit user access to taxpayer and employee data will increase the protection given to the data. This will have no effect on Due Process rights.

The use of SEIDs instead of SSNs was investigated. However, using SEIDs was not a possibility because some of the CPE feeder systems do not yet use SEIDs. These CPE systems are source systems for SAP Business Warehouse (BW); therefore, BW uses SSNs, rather than SEIDs, to uniquely identify each IRS employee.

How are the effects to be mitigated?

IFS has no effect on Due Process rights of taxpayers or employees and thus requires no mitigation.

Maintenance of Administrative Controls

1a. Explain how the system and its use will ensure equitable treatment of taxpayers and employees.

Neither taxpayers nor the general population of employees will have access to IFS data during Release 1, preventing taxpayers and employees from being treated in other than an equitable manner. All activities of users within IFS are audited and reviewed to ensure equitable treatment of taxpayers and employees.

1b. If the system is operated at more than one site, how will consistent use of the system and data be maintained in all sites?

Authoritative IFS data will be maintained at DCC and the IFS application servers will be operated only at DCC. Data backups will be warehoused at DCC and at the off-site storage. IFS will not be operational at more than one computing center at a time. Disaster recovery for IFS is available in the IFS Technical Contingency Planning Document, Version 3.1.

1c. Explain the possibility of disparate treatment of individuals or groups.

IFS provides no processing that would result in disparate treatment of individuals or groups. All existing policies, practices, and procedures that ensure equal and fair treatment of all taxpayers continue to be enforced.

2a. What are the retention periods of data in this system?

As per IRM 1.15.16-1 Records Control Schedule for the Chief Financial Officer (01-01-2003), IFS retains information according to the following schedule:

IFS Records Retention Schedule
ITEM NO. DESCRIPTION OF RECORDS  AUTHORIZED DISPOSITION
 1 Budget Correspondence Files.  
Correspondence files in formally organized budget offices pertaining to routine administration, internal procedures, and other matters not covered elsewhere in this schedule, EXCLUDING files relating to agency policy and procedure maintained in formally organized budget offices.
Destroy when 2 years old.
 2 Budget Background Records.  
Cost statements, rough data and similar materials accumulated in the preparation of annual budget estimates, including duplicates of budget estimates and justifications and related appropriation language sheets, narrative statements, and related schedules; and originating offices’ copies of reports submitted to budget offices.
Destroy 1 year after the close of the fiscal year covered by the budget.
 3 Budget Reports Files.  
Periodic reports on the status of appropriation accounts and apportionment.
 
   a. Annual report (end of fiscal year).  Destroy when 5 years old.
   b. All other reports.   Destroy 3 years after the end of the fiscal year.
 4 Budget Apportionment Files.  
Apportionment and reapportionment schedules, proposing quarterly obligations under each authorized appropriation. 
Destroy 2 years after the close of the fiscal year.
 

[Note: The following budget files are not covered by the General Records Schedules:

  • Budget office correspondence or subject files documenting budget policy and procedures and reflecting policy decisions affecting expenditures for agency programs.
  • Budget estimates and justifications of formally organized budget offices at the bureau (or equivalent) or higher organizational level. Depending on agency record keeping practices and patterns of documentation, these records may have archival value and must be scheduled by requesting Disposition Authority in accordance with IRM 1(15)00, Records Administration.]
 
 5  Accountable Officers' Files.      
   a. Original or ribbon copy of accountable officers' accounts maintained in the agency for site audit by GAO auditors, consisting of statements of transactions, statements of accountability, collection schedules, collection vouchers, disbursement schedules, disbursement vouchers, and all other schedules and vouchers or documents used as schedules or vouchers, exclusive of commercial passenger transportation and freight records and payroll records, EXCLUDING accounts and supporting documents pertaining to American Indians. If an agency is operating under an integrated accounting system approved by GAO, certain required documents supporting vouchers and/or schedules are included in the site audit records. These records document only the basic financial transaction, money received and money paid out or deposited in the course of operating the agency. All copies except the certified payment or collection copy, usually the original or ribbon copy, and all additional or supporting documentation not involved in an integrated system are covered by succeeding items in this schedule.  

 Retire to the Federal Records Center after GAO audit or after 1 full fiscal year, whichever is earlier.

Destroy 6 years and 3 months after period covered by account.

  Site audit records include, but are not limited to, the Standard and Optional Forms listed below. Also included are equivalent agency forms which document the basic financial transaction as described above.  
  b. TRAS (Travel Automated System)  
TRAS is a menu-driven computer program that automates travel. The original paper documentation that supports travel reimbursements made through an automated system must be retained at a level in the organization designated to maintain custody and control over the records. Travel receipts are no longer sent to the Fiscal Office. The original receipts are to be kept in the approving manager's office until they are collected and sent to the Federal Records Center.
 
  The following travel records must be maintained and filed alphabetically by traveler's name: Transmittal sheet; Form 6858, Request for Travel; original lodging receipts; common carrier receipts; original receipts for expenses greater than $75; original rental vehicle receipts; other receipts or documentation supporting expenses.

Retain, at a minimum, one current and one prior year.

Retire to the Federal Records Center after GAO audit or 1 full fiscal year, whichever is earlier. A detailed reconciliation report must be included with the shipment to the Federal Records Center.

Destroy 6 years, 3 months after the period covered by shipment.

  c. Memorandum copies of accountable officers' returns including statements of transactions and accountability, all supporting vouchers, schedules, and related documents not covered elsewhere in this schedule, EXCLUDING freight records covered by Schedule 9 and payroll records covered by Schedule 2.   Destroy when 1 year old.
Note:
Accounts and supporting documents pertaining to American Indians are not authorized for disposal. Such records must be retained indefinitely since they may be needed in litigation involving the Government's role as trustee of property held by the Government and managed for the benefit of Indians.   
 6  GAO Exceptions Files.  
General Accounting Office notices of exceptions such as Standard Form 1100, formal or informal, and related correspondence. 
 Destroy 1 year after exception has been reported as cleared by GAO.
 7  Certificates Settlement Files.  
Copies of certificates and settlement of accounts of accountable officers, statements of differences, and related records.
 
   a. Certificates covering closed account settlements, supplemental settlements, and final balance settlements.   Destroy 2 years after date of settlement.
   b. Certificates covering period settlements.   Destroy when subsequent certificate of settlement is received.
 8  General Fund Files.  
Records relating to availability, collection, custody, and deposit of funds including appropriation warrants and certificates of deposit, other than those records covered by Item 1 of this schedule.  
 Destroy when 3 years old.
 9  Accounting Administrative Files.  
Correspondence, reports, and data relating to voucher preparation, administrative audit, and other accounting and disbursing operations.
 
   a. Files used for workload and personnel management purposes.   Destroy when 2 years old.
   b. All other files.   Destroy when 3 years old.
10 Federal Personnel Surety Bond Files.
   a. Official copies of bond and attached powers of attorney.  
   (1) Bonds purchased before January 1, 1956.     Destroy 15 years after bond becomes inactive.
   (2) Bonds purchased after December 31, 1955. Destroy 15 years after end of bond premium period.
   b. Other bond files including other copies of bonds and related documents.   Destroy when bond becomes inactive or after the end of the bond premium period.
11 Gasoline Sales Tickets.  
Hard copies of sales tickets filed in support of paid vouchers for credit card purchases of gasoline. 
Destroy after GAO audit or when 3 years old, whichever is sooner.
12 Telephone Toll Tickets.  
Originals and copies of toll tickets filed in support of telephone toll call payments. 
Destroy after GAO audit or when 3 years old, whichever is sooner.
13 Telegrams.  
Originals and copies of telegrams filed in support of telegraph bills. 
Destroy after GAO audit or when 3 years old, whichever is sooner.
14 Administrative Claims Files.
a. Claims against the United States. Records relating to claims against the United States for moneys that have been administratively (1) disallowed in full or (2) allowed in full or in part, and final payment of the amount awarded, EXCLUDING claims covered by subitem c. below.   Destroy when 6 years, 3 months old.
   b. Claims by the United States subject to the Federal Claims Collection Standards and 28 U.S.C. 2415 or 31 U.S.C. 3716(c)(1).  
   Records relating to claims for money or property that were administratively determined to be due and owing to the United States and that are subject to the Federal Claims Collection Standards (4 CFR Chapter II), EXCLUDING claims covered under subitem c. below.  
(1) Claims which were paid in full or by means of a compromise agreement pursuant to 4 CFR Part 103.
(2) Claims for which collection action has been terminated under 4 CFR Part 104.
(a) Claims for which the Government's right to collect was not extended. Destroy 10 years, 3 months after the year in which the Government's right to collect first accrued.
(b) Claims for which the Government is entitled (per 28 U.S.C. 2415) to additional time to initiate legal action. Destroy 3 months after the end of the extended period.
(3) Claims that the agency administratively determines are not owed to the United States after collection action was initiated.  Destroy when 6 years, 3 months old.
c. Claims files that are affected by a court order or that are subject to litigation proceedings.  Destroy when the court order is lifted, litigation is concluded, or when 6 years, 3 months old, whichever is later.
15 Waiver of Claims Files. 
  Records relating to waiver of claims of the United States against a person arising out of an erroneous payment of pay allowances, travel expenses, or relocation expenses to an employee of an agency or a member or former member of the uniformed services or the National Guard, including bills of collection, requests for waiver of claim, investigative reports, decisions by agency and/or GAO approving or denying the waiver, and related records.
a. Approved waivers (agencies may approve amounts not aggregating to more than $500 or GAO may approve any amount). Destroy 6 years, 3 months after the close of the fiscal year in which the waiver was approved.
   b. Denied waivers.   Destroy with related claims files in accordance with items 10b. and 10c. of this schedule.

2b. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

IFS complies with IRM 2.7.4.4 (05-30-2003) Purging of Sensitive but Unclassified (SBU) Data and Destruction of Computer Media.

2c. While data is retained in the system, what are the requirements for determining if data is accurate, relevant, timely, and complete to ensure fairness in making determinations?

IFS regularly receives data inputs from external sources as a mechanism to ensure the data within the system is current.  In order to maintain current data, files are transferred between IFS and the other systems on a scheduled basis as follows:

  • Daily
    • HCTC
    • SAAS
    • RAPS
    • GLASS
    • WebIPS/RTS
    • WebTRAS
    • PCC
  • Bi-Weekly
    • HR-Connect
    • AINFC
  • Monthly
    • ADW
    • SETR
    • WebTIER

These systems are considered to be authoritative sources and the data received from them is understood to be current.

3a. Is the system using technologies in ways that the IRS has not previously employed?

No; however, new technologies have been implemented by the ISS to support the IFS Application.

IFS has implemented a Citrix MetaFrame solution to provide end-users with SAPgui screens without the need for the SAPgui fat client to be installed on each end-user’s PC.

The use of SEIDs instead of SSNs was investigated. However, SEIDs were not considered as a possibility because some of the CPE feeder systems do not yet use SEIDs. These CPE systems are source systems for SAP BW, and, therefore, BW uses SSNs to uniquely identify each employee.

3b. How does the use of this technology affect taxpayer/employee privacy?

The IFS Application does not use any new technology; however, since IFS allows data from the IFS system to be saved onto the user’s local PC hard drive, there may be privacy and security implications. This issue is the responsibility of the End-User Employee Services (EUES) department, which is tasked with managing users’ PCs.

The Citrix implementation has no impact on taxpayer/employee privacy. All communication between the user’s PC and the EUP is encrypted using industry standard SSL. This encryption protects the information exchanged between the user and the EUP while in transit. Privacy and security of data saved from the IFS system onto the user’s local PC hard drive is the responsibility of the End-User Employee Services (EUES) department.

The use of the SEID technology was investigated and considered as a solution for payroll reconciliation functionality; but, as a result of CPE system incompatibilities, SSNs will be used instead.

The risk of SBU data being downloaded to a user’s desktop computer has been identified as an IRS matter. The risk has been captured as Risk Entry #A012 of Table 5-6. Application Risk Table of the IFS Application Security Risk Assessment (SRA) V3.1 [dated August 16, 2004]. The controls for protecting Payroll Reconciliation data when downloaded onto the desktop system are managed by the End User Equipment and Services (EUES) organization.

4a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

The IFS application monitors the activities of users in accordance with the requirements of financial applications within the federal sector.

Employee information, such as name and address data, exists within the IFS environment; however, this is required to fulfill the business functions of the IFS system, and does not provide any information that is not available elsewhere in the IRS.

The addition of Employee SSNs for the payroll reconciliation reports allows designated users to identify, locate and monitor particular individuals. Penalties apply, per IRM 20.1 Penalty Handbook, if this sensitive employee information is used in any way outside of the individual’s normal duties and responsibilities.

4b. Will IFS provide the capability to identify, locate, and monitor groups of people? If yes, explain.

Employee information, such as name and address data, exists within the IFS environment; however, this is required to fulfill the business functions of the IFS system, and does not provide any information that is not available elsewhere in the IRS.

4c. What controls will be used to prevent unauthorized monitoring?

Information within IFS is available to users on a need-to-know basis. Only those users with the requirement to view employee name and address information are assigned a role with those privileges. Other users are not able to view this data. For additional information, refer to Section 3.3 Will users have access to all data on the system or will user's access be restricted?

All users are limited via role-based access control (RBAC), profiles, and separation of duties to ensure that users can only access data and perform transactions as required by their specific jobs.

User profiles and authentication credentials (such as user IDs and passwords) are used to prevent unauthorized personnel from accessing and/or viewing sensitive data elements on the Payroll Reconciliation Specialist's workstation. In a Windows environment, a user profile is a record of user-specific data that define the user's working environment. The record can include display settings, application settings, and network connections. What the user sees on his or her computer screen, as well as in files, applications and directories, is determined by how the user profile is set up. If any end user, other than the payroll reconciliation specialist, attempts to log on to the designated workstations, that end user will not have access or permissions to the data files designated for use by the payroll reconciliation specialist, which contain sensitive data elements from repeated saving of SAP BW query report files. The users will only have access to assigned IRS resources, such as shared drives, networked printers, etc., per their roles and responsibilities.

5a. Under which Systems of Record notice (SOR) does the system operate? Provide number and name.

Treasury/DO .210--Integrated Financial Management and Revenue System, last published in its entirety on August 31, 2000, at 65 FR 53085, is designated as "Treasury .009" and is being renamed as "Treasury Financial Management Systems". The SOR is currently in the process of being renewed. This action is being taken by the Office of Disclosure.

The HCTC SOR is Treasury/IRS 22.012, dated May 29, 2003.

5b. If the system is being modified, will the SOR require amendment or revision? Explain.

The SOR will not require amendment. The current AFS system operates under a SOR that covers all financial applications used Treasury-wide. Since the nature of the IFS system is fundamentally the same as that of the AFS system, a change in SOR is not required.

 


Page Last Reviewed or Updated: May 21, 2007