IT Audit of AST system in Deptt of Revenue, Govt of India

advertisement
GLOSSARY OF ACRONYMS AND TERMS
Page 1
AO
Assessing Officer
AIR
Annual Information Return
AIS
Assessee Information System; a module of the ITD Applications consisting of the database of Permanent Account
Numbers (PAN) allocated to assessees
AR
Audit Report
Arrear DCR
Arrear Demand and Collection Register
AST
Blue Book
Assessment Information System, a module of the ITD Applications
A Register maintained by the Assessing Officer for all the
assessees in his jurisdiction with details of name, address,
returns filed and returned income for three years
C&AG
Comptroller and Auditor General Of India
CASS
Computer Aided Selection for Scrutiny
CBDT
Central Board of Direct Taxes
CCIT
Chief Commissioner of Income Tax
CCP
CD
Comprehensive Computerisation Programme of the Income tax Department
Compact Disc
CIT (CO)
Commissioner of Income Tax (Computer Operations)
CoBiT
Control Objectives in Information Technology
Current DCR
Current Demand and Collection Register
DBA
Data Base Administrator
DIT (Systems)
Director of Income Tax (Systems), the co-ordinating officer for systems of the Income Tax Department in/
Directorate of Income tax (Systems)
DP
Data Processing
E-TDS
Electronic-Tax Deducted at Source, a modified version of
the TDS module
GLOSSARY OF ACRONYMS AND TERMS
Page 2
IRLA
IT
Individual Running Ledger Account, a module of ITD
Applications containing snapshots of each assessees
demand/ refund position
Information Systems
IT Act
Income Tax Act
ITD Applications
Income Tax Department Applications i.e. the software
developed for different business processes of the Department contained in 10 different modules.
JCIT
Joint Commissioner of Income Tax
LBS
Local Building Server
LTCG
Long Term Capital Gains
MAT
Minimum Alternate Tax
MIS
Management Information System
MSTU
Ministerial Staff Training Unit
NADT
National Academy of Direct Taxes
NCC
National Computing Centre
NIIT, SSI
Vendors for hardware, software and IT training
NRI
Non Resident Indian
OLTAS
PAN
Online Tax Accounting System, a modified version of
the TAS module
Permanent Account Number
PC
Personal Computer
PIP
Persons in Position
PVCS
A version control software
RCC
Regional Computer Centre (Where backend database
servers reside; 36 such centers exist in the entire department)
Relational Data Base Management System
RDBMS
GLOSSARY OF ACRONYMS AND TERMS
Page 3
RKU
RRR
RTI
Record Keeping Unit
Returns Receipt Register
Regional Training Institute
RTS
Return transcription software
SDD
System Design Document
SLA
Service Level Agreement
SQL
Structured Query Language
SRS
System Requirement Specifications
STCG
Short Term Capital Gains
TAS
Tax Accounting System ,an original module of the ITD
Applications
TCS
Tata Consultancy Services
TDS
Tax Deduction at Source, an original module of the ITD
Applications
TMS
Tax Management System , the software used for processing cases u/s 143 (1) at non networked stations
UAT
User Acceptance Testing
VPN
Virtual Private Network
WAN
Wide Area Network
EXECUTIVE SUMMARY
Page 5
Performance Audit of AST System using the CoBiT Framework
The AST module, a part of ITD Applications, was conceptualized as an on-line, menu
driven software capable of carrying out all assessment and related functions. The objective of
AST is to “assist the assessing officer in doing assessments and related proceedings”. The system
was to also monitor the progress and results of a case at various stages viz. assessments, reassessments, appeal, revision, rectification, penalty, waiver, settlement commission, penalty
proceedings as well as prosecutions and audit objections. In practice, however, the software is
being used for processing Income Tax returns under section 143 (1) and rectification under
section 154. This system was conceptualized in 1994 and development was completed in 1997.
Audit evaluation focused on the activities and performance of the system from 2001-02 to 200405.
AST is currently operational at 60 stations of a total of 514 stations in the country. In terms
of number of assessing officers 2571 out of 4436 are using the system. An in-house application
called TMS is used at the other stations. Twelve out of these 60 stations, where AST is currently
operational, were selected for audit. The selection covers approximately 50% of the total number
of assessing officers using AST.
Methodology
The Audit of the AST system was conducted using the CoBiT framework of the IT
Governance Institute, which has been adopted by the Comptroller and Auditor General of India
as the framework for conducting Information Technology Audits. The Management was
familiarized with the methodology used through an entry conference.
SQL Query:
The errors in the output thrown up in the sample selected, which were systemic in nature,
were sought to be further validated by running queries on the entire data at the concerned RCCs.
SQL queries were accordingly designed to substantiate systemic issues.
Major Audit Conclusions
Inadequate technical feasibility study of AST system has limited the usefulness of the
system and also delayed its implementation as AST is dependent on network connectivity and
stabilization of PAN. The dependence of AST on network connectivity has affected its
implementation as well as use as the system is not fully available to users on a 24/7 basis. All
stations are yet to be brought on the network although eight years have passed since its
commencement in 1997.
EXECUTIVE SUMMARY
Page 6
In the absence of measurable parameters for benefits from the system and details of the cost
of the project the economic feasibility of AST could not be assessed.
The envisaged benefits of AST system in terms of increased efficiency have apparently not
accrued as the country wide pendency has increased and the number of cases processed on the
system had actually declined at two of the selected stations due to both problems of
communication links and links with other modules
AST application has been designed and developed without proper synchronization with the
enterprise data model, which has a centralized data base of PAN (AIS) functioning as the index
key between decentralized ITD applications like OLTAS, TDS and AST. This has led to
problems in their implementation as inputs from OLTAS and e-TDS are not reaching AST.
The heavy unreconciled balances in the OLTAS system indicated that the bank validated
input regarding the payment of tax, is not available at the time of processing returns. The
assessing officer cannot verify through the AST system whether the amount claimed to be paid
by the assessee has actually been paid. A similar situation exists for tax deduction at source. Prior
period data in respect of arrear demand is also unreliable. This entails a risk of loss of critical
information relating to revenue due to the government. Inputs from OLTAS and e-TDS are not
reaching AST through IRLA due to problems in the working of this index key of PAN, affecting
the processing integrity of the system.
Audit found that although the manual Blue Book and other Registers had been replicated in
the AST Module they were not reengineered to take advantage of the information available in the
systems environment. The functionalities of these registers were also not in general use leading to
controls which had existed in the manual environment being discontinued in the systems
environment.
Input form design was not adequate to ensure integrity and completeness of data. The input
form does not capture all the data which is required for processing of a return under
section 143 (1).
There is no system in the AST software to ensure that all the returns received are being
included in the bundles and processed. Field audit reports indicate input controls are inadequate
and issues relating to authorization are not adequately addressed.
The control over data entry process was inadequate to detect errors indicating that the
necessary verifications of input data were not being done. There was no check box for validation
of the mandatory enclosures with a return of income .
There may be data processing errors in the system as indicated by the SQL query run on the
EXECUTIVE SUMMARY
Page 7
data. Data processing errors are also occurring due to the failure of linkages between modules
and incorrect interfaces between modules. Data Processing Integrity was not ensured in the
system as illustrated by errors thrown up by the control totals calculated by Audit. The results
included cases which would need verification and manual rectification, if necessary. The process
of verifying the data processing by running control totals was not in place. Mistakes in the
processed returns were being rectified subsequently, on being pointed out either by the assessee
or noticed by the department at the time of scrutiny assessment. The system does not evaluate the
integrity of the output data by any other check.
A review of the changes carried out in AST revealed that majority of the changes were in
the nature of rectifying design deficiencies. The fact that the system has required so many
changes is indicative of the fact that there were weaknesses in communicating the User
Requirements to the developer; inadequate scrutiny before acceptance of design; and incomplete
User Acceptance Testing.
No systematic/inbuilt monitoring in respect of time taken to execute changes by RCCs is
available. This could lead to errors remaining un-rectified in the system with risk of loss of
revenue. There is no method of impact assessment for the changes carried out in the system.
In the absence of a system of categorization and prioritization of problems, there was a risk
that problems of a critical nature, which may even have an impact on the core objectives of the
department, may remain unresolved, or may be resolved symptomatically without addressing the
cause.
Although user manuals were prepared, these were not available to all the users. The user
awareness of the system features was also limited. This resulted in the suboptimal utilization of
the features of the software. The process of updating the manuals, as changes take place in
computer systems due to changes in the business rules was not in place.
The absence of an operating manual points to incomplete inputs given to operating
personnel and a consequent lack of knowledge of procedures.
The process of “Training Needs Identification” was weak. The users were generally not
satisfied with the training and wanted more exposure to the features of the AST System. As a
result, in most of the instances the full features of the AST software were not being used.
Multiplicity of agencies in training organization led to a blurring of efforts and lack of focus.
There was no coherent policy regarding identification of the areas where third party service
providers should interface with the organization. There was no uniformity or clarity on the issue
of third party contracts. The relationship with the third party service provider was not adequately
safeguarded, with reference to security and confidentiality issues, by appropriate provisions in
EXECUTIVE SUMMARY
Page 8
the contract and supporting processes in a standardized manner.
Major Recommendations
Department should institute a process of conducting specific and detailed technological
feasibility studies of projects before taking them up. The existing information architecture with
reference to the communication links and AIS as an index key requirement of the ITD
Applications needs to be reviewed.
Guidelines need to be laid down for assessing economic feasibility of IT projects. Cost
benefit analysis of the AST application development and implementation needs to be carried out.
Cost data for each module of the ITD Applications including AST should be separately
maintained.
A valid enterprise data model for ITD applications and feasible information architecture to
synergize the IT efforts needs to be defined. The linkages should be improved or be made less
critical to the functioning of the system. A national database of information in ITD applications is
desirable to enable better and efficient MIS reporting and reconciliation of data from different
applications. A time bound action plan to link the arrear demand data to AST system is required
to ensure that no revenue due to government is lost sight of.
Since availability of the application to the users, is and remains a crucial factor, it is
recommended that the Department may consider solutions for connectivity including virtual
private networks with the appropriate technology.
A control register of the basic source data which has all necessary pieces of information
should be designed within the AST System with inputs as necessary from all the information
available in all the modules of ITD Applications. This could be a reengineered format of the
Blue Book.
Department may review the source document formats and ensure that they provide for all
the information that is necessary for processing of a return. The acceptance of returns and giving
of acknowledgement numbers should be made a part of the AST module. Data from the Annual
Information Returns should be linked and entered. Crucial information from the Profit & Loss
Account and Balance Sheet could also be captured to increase the efficiency of picking up cases
for scrutiny through CASS.
Department may institute procedures to ensure that all the returns are entered into the
system, in the proper order and all the returns entered are processed in the proper order, by
devising reports such as gap-analysis at various stages.
EXECUTIVE SUMMARY
Page 9
Guidelines for authorization of data before it is entered in the system, for cases when it is
done by outside parties etc. need to be laid down. Assessing officers should be issued strict
guidelines for verifying the entries made and supervisory authorities should ensure adherence.
A process to check correctness of data entry needs to be instituted. Checks like Control
totals of source data and data as input should be devised. A procedure may be considered for
detection of data entry error and resubmission under proper authorisation. Department should
devise methods for ensuring DP Integrity through an adequate use of control totals run as checks.
The department may consider automatic generation of mismatch report and its reconciliation
being made a prerequisite for processing.
A method of minimising DP errors and setting benchmarks for acceptable levels of errors
must be done. The software may be reviewed with respect to such benchmarks. Procedures for
controlling errors and establishing accuracy of outputs have to be put in place and enforced.
The evaluation of data processing, as done by Audit through SQL queries, needs to be done
at regular intervals by the department itself. The PAN database in the AIS module needs to be
made error free expeditiously since none of the modules including AST can function if the PAN
database is faulty.
User Acceptance Testing should be reviewed. The contracts for changes in the software
should be given after following the due procedure.
An impact assessment feature should be built into the software and used after the
incorporation of changes. A monitoring system for recording and tracking changes should be
built into the software.
The user manuals of the system need to be made available to all the users of the system
through a process of dissemination and monitoring. All the features of the system may be taught
to the users so that all the functionalities of AST are put to use. User manuals of AST should be
updated to reflect all the changes carried out in the software.
A separate Operational Manual may be prepared and issued to the personnel at the RCC so
that they are helped in the proper upkeep and maintenance of the database.
The department should carry out training needs analysis for various categories of users of
the system. Training modules may accordingly be prepared including refresher trainings; when
buying off the shelf trainings, the linkage between the training and actual job requirement should
be clearly established.
A policy document on nature and kind of services that can be outsourced to third parties
should be prepared. Guidelines regarding hiring of third party services and a model contract
EXECUTIVE SUMMARY
Page 10
should be worked out incorporating all the concerns that need to be considered while outsourcing
activities. Security and confidentiality issues should be identified, explicitly stated and agreed to.
An exit conference was held with the CBDT on 12th January 2006 where the major
recommendations were discussed. Department stated that they would look into the issues raised
by audit. They also stated that some of the issues raised by audit were expected to be addressed in
Phase III of the computerization programme as also during the Business Process Reengineering
programme expected to commence shortly which could include re writing of the software.
AUDIT APPROACH
Page 11
1. Introduction
AST or Assessment Information System is one of the important modules in the Income Tax
Department (ITD) Applications. The Government approved the Comprehensive Computerization
Programme with ITD Applications for all the important functions of the Income tax Department
in 1993. This included the AST module and is currently in its third phase.
The AST module was conceptualized as an online, menu driven software capable of
carrying out all assessment and related functions. This system was conceptualized in 1994 and
development was completed in 1997. The objective of AST is to “assist the assessing officer in
doing assessments and related proceedings”1. The system was to also monitor progress and
results of a case at various stages viz. assessments, re-assessments, appeal, revision, rectification,
penalty, waiver, settlement commission, penalty proceedings as well as prosecutions and audit
objections. In practice however the software is being used for only processing income tax returns
under section 143 (1) and rectification u/s 154.
There are some other important modules of the ITD Applications, which are critical for the
working of the AST module. They are
•
The TAS module now renamed OLTAS;
•
The TDS module now renamed as e-TDS; and
•
The AIS (PAN Database) module
•
The IRLA module
Tax payments by the subscribers to government account, by way of Advance Tax, Self
Assessment tax etc., through the authorized banks, are credited and accounted for by the banks in
the OLTAS system.
Tax deducted or collected at source by entities making payments to assessees, where
required to be done, is accounted for in the e-TDS System.
Using the unique assessee identification number, Permanent Account Number (PAN)
which is available in the AIS module of the ITD Applications, these receipts are to be routed
through IRLA and then sent to the AST module to be credited to the correct assessee. The AST
1
AST User Manual Section 1.1
AUDIT APPROACH
Page 12
module calculates the tax due, adjusts the credits as afforded from these two systems and arrives
at the net tax or refund due which is then uploaded back to IRLA, providing a snapshot of the tax
payer entity’s account with the department. The net tax effect appearing in the IRLA with the
amount due from or to the assessee is expected to be available online to the assessee.
The following diagram shows these linkages.
Figure 1 : AST in context of other ITD Applications
The information regarding Advance Tax, Self Assessment Tax, surcharge and TDS
is uploaded to IRLA through OLTAS and e-TDS and demands/refunds from AST to IRLA
using the PAN for identification of assessees.
AUDIT APPROACH
Page 13
2. Audit Scope and Sampling
AST has been implemented at different stations at different points of time. Audit evaluation
of the performance of the system was made for the years 2001-02 to 2004-05 taking into account
the actual date of implementation at the selected stations.
AST is currently operational at 60 stations of a total of 514 stations in the country. In terms
of number of assessing officers 2571 out of 4436 are using the system. An in-house application
called TMS is used at the other stations.
Twelve out of these 60 stations were selected for audit, keeping in mind the coverage in
terms of revenue and number of assessees and the need to arrive at a judicious mixture of the
large, medium and small stations so as to present a representative picture of the country as a
whole. The selection covers approximately 50% of the total number of assessing officers using
AST. The sample was chosen for the 12 selected stations listed in the table as detailed below:
Table 1 : Audit Sample
Serial No./Station
Sample size for Assessing Officers
Units
Sample size for Returns
1.Mumbai
2%
2%
2.Delhi
2%
2%
3.Kolkata
2%
2%
4.Chennai
2%
2%
5.Bangalore
2%
2%
6.Hyderabad
2%
2%
7.Chandigarh
5%
5%
8.Simla
5%
5%
9.Rajkot
5%
5%
10.Lucknow
5%
5%
11.Jaipur
5%
5%
12.Ranchi
5%
5%
AUDIT APPROACH
Page 14
3. Audit Objectives and Methodology
The Audit of AST system was conducted using the CoBiT framework of the IT
Governance Institute, which has been adopted by the Comptroller and Auditor General of India
as the framework for conducting information technology audits. The framework provides a set of
internationally accepted benchmarks against which the information technology activities of an
organization can be evaluated.
The four high level domains of the CoBiT framework consist of macro level statements of
desired state of processes. Each of the domains is further broken down into high-level control
objectives and detailed control objectives.
Two domains and eight high-level control objectives were selected in concordance with the
audit objectives. The audit guidelines of the CoBiT framework were suitably adapted to the
functioning of the AST system.
The audit objectives were mapped to the CoBiT framework and the following high level
control objectives were selected for evaluation.
Table 2 : Selected CoBiT Domains and High Level Control Objectives
Domain
High Level CoBiT Control Objectives
Acquisition and Implementation
Identify Automated Solution
Acquire and Maintain Application Software
Develop and Maintain Procedures
Manage Changes
Delivery and Support
Manage Third Party Services
Educate and Train Users
Manage Problems and Incidents
Manage Data
A uniform approach to audit all over the country was adopted by issuing:
•
•
The relevant CoBiT guidelines;
Questionnaires for the three different levels of the National Computer Centre, the
Regional Computer Centers and the Assessing Officers; and
AUDIT APPROACH
Page 15
•
A detailed Audit Work Programme.
A random sample of all assessing officers units at the concerned stations was selected as
per the sampling table given above. Separate questionnaires were issued to the National
Computer Centre and the Regional Computer Centres, if any, at the selected stations, and the
selected assessing officer units. For each Assessing Officer Unit a random selection of 2% or 5%
of the Returns filed were taken as per the sampling table given above. The detailed audit checks
in the Audit Work Programme were applied as follows:
Table 3: Audit Checks at different points
Audit check
RCC
Randomly selected AO Randomly selected ReUnit
turns
1.Receipt and preliminary Not Applicable
checking of returns
Applicable
Not Applicable
2.Making of Bundles
Not Applicable
Applicable
Not Applicable
3.Data entry of RRR
Not Applicable
Applicable
Not Applicable
4.Data entry of Acknowl- Not Applicable
edgement Sheet
Not Applicable
Applicable
5.Generation of Notices
Not Applicable
Applicable
Applicable
6.Allocation of Bundles
Not Applicable
Applicable
Not Applicable
7.Systemic errors
Not Applicable
Not Applicable
Applicable
8.Computation of output
Not Applicable
Not Applicable
Applicable
9.Despatch of output
Not Applicable
Not Applicable
Applicable
10.Efficiency
Applicable
Applicable
Not Applicable
11.Security
Applicable
Applicable
Applicable
12.Availability
Applicable
Applicable
Not Applicable
13.Scrutiny Assessment
Applicable
Applicable
Not Applicable
14.Outsourcing
Applicable
Applicable
Applicable
15.Miscellaneous
Applicable
Applicable
Applicable
The Management was familiarised with the methodology used through an entry conference.
At the entry conference, management stated that AST is not a separate project but a part of the
customised modules of ITD Applications which is being implemented in a phased manner. It is a
legacy system which should be examined with reference to the technology and management
AUDIT APPROACH
Page 16
practices in existence at the relevant time i.e. in the mid 1990s and the CoBiT framework was not
in existence when ITD applications were conceptualized and designed.
The concerns of the management are appreciated and have been taken into account during
the audit. Further, the criteria set out in CoBit embody a set of best practices which are
universally valid for the analysis of information systems.
SQL Query:
As per the methodology it was envisaged that the indicative errors in the system thrown up
in the sample selected and audited would further be validated by running queries based on these
errors at the concerned RCC for the entire set of data at the selected stations.
The DIT Systems was sent a detailed list of these queries after consolidation of data
received from all the 12 stations. Part of the query relating to interest calculations could not be
fully run at the stations of Mumbai and Bangalore. The data available through the queries has
been suitably incorporated in this report.
4. Audit Findings, Conclusions and Recommendations
Audit findings, conclusions and recommendations have been arranged in the order of highlevel control objectives grouped in the two selected Domains of CoBiT. The high level control
objectives further consist of detailed control objectives. The findings, conclusions and
recommendations have been separately set out for each of these detailed control objectives.
The audit criteria are specified as the “description” of the high level control objectives.
Audit Observations are given under the heading “control notes” and the audit conclusions are
given under the heading “assessment”. After taking into account the management response,
suitable recommendations have been framed.
IDENTIFY AUTOMATED SOLUTION
Page 17
Technological Feasibility Study
Description The organization’s system development life cycle methodology should provide for an examination of the technological feasibility of each alternative for
satisfying the business requirements established for the development of a
proposed new or modified information system project.
C o n t r o l A Working Group on computerisation was set up and its report was taken as
the basis of the tendering document and identification of the software develNotes
oper for AST, which was conceptualized and implemented as a regionally
centralized application. It was envisaged that there would be a National
Computer Centre at the apex linked through leased lines to the 36 Regional
Computer Centres which would be further linked through leased lines to the
Local Building Servers to which the assessing officers would be connected.
The AIS (PAN Database) was to serve as the index key for all the ITD Applications including AST.
Thus, for smooth implementation of this system, the existence of reliable
communication links from RCC to the users was critical as was the stabilisation of the AIS module. However the technological feasibility of having such
information architecture was not adequately carried out. The communication
links between the NCC, RCC and LBSs, are still not available in some cases
and are unreliable in others. Further, the AIS module which is the index key
unresolved issue relating to identification and migration of PAN. Eight years
after the introduction of AST only 2571 out of 4436 assessing officers all
over India i.e. 57.96% are using this application.
M a n a g e - The report of the Working group formed the basis of computerization and at
ment
Re- the time of conceptualization there was an inherent design constraint due to
which a single central database could not be made. The technical feasibility
sponse
of the hardware and communications solutions was evaluated by the Technical Evaluation Group as well as the report of the Technical Sub Committee
approved by the Working Group. The rest of the networking is being done in
Phase III and at present a standalone software called TMS is being used at
non-networked stations. AST is dependent on the stabilization of the PAN
database, therefore it could be started only in 2000 and 8 years have not
passed since its introduction.
I
IDENTIFY AUTOMATED SOLUTION
Page 18
A s s e s s - Audit found that the Working Group report referred to by the management
was based on various inputs which did not include feasibility reports. A feament
sibility study should have been carried out after the working group submitted its report in order to analyze the technical feasibility of the recommendations. The other two committees mentioned were mandated only with
evaluation of limited hardware requirements and not the technological feasibility of the proposed solutions. The fact that AST is dependent on network
connectivity and stabilization of PAN are reflections of the feasibility of the
linked model not being studied.
Absence of adequate communication links has been one of the factors due
to which the implementation as well as use of AST has remained incomplete2. Further, the fact that assessees are entitled to file their returns at any
place in India depending on their residential status makes the issue of correct jurisdiction an important one. This is the genesis of the problems of
identification and migration of PANs. This was not foreseen and built into
the application design or deliverability. Inadequate technical feasibility
study of AST system has limited the usefulness of the system and also delayed its implementation.
Recommen- 1.
dations
Department should institute a process of conducting specific and detailed technological feasibility studies of the projects before taking
them up. Such study should invariably form a part of the proposals.
2.
Department may review the existing information architecture with reference to the communication links and AIS as an index key requirement of the ITD Applications to address the shortcomings.
2In
some of the cities on the Wide Area Network (WAN) for the ITD Applications, new office
buildings were hired/constructed after the completion of Phase II of networking in 2002. These
buildings should also have been brought on the WAN but this was not done. Some buildings at the
60-networked stations do not have network connectivity. This is being provided in Phase III of
computerization
The AST Software was developed and implemented in 1997 in Delhi. Out of 354 assessing
officers in 2004-05, 89 assessing officers are still not using AST.
IDENTIFY AUTOMATED SOLUTION
Page 19
Economic Feasibility Study
Description
The organization’s system development life cycle methodology should provide,
in each proposed information systems development, implementation and
modification project, for an analysis of the costs and benefits associated with
each alternative being considered for satisfying the established business
requirements.
C o n t r o l AST is a part of ITD applications, which have been implemented in three
phases since 1993. An examination of the cost benefit analysis of the
Notes
proposal3 for Phase III revealed that the proposed outlay of Rs.251.56 crores
was given with a broad break up of activities, software products etc. The associated benefits were not quantified and the economic justification was based on
broad assumptions of rise in tax base and increase in service level to the
assessee as also tax compliance. No measurable parameters for increase in service levels or tax compliance were put forth in the proposal.
It was observed that as against the expected figure of the tax base of 5 crore
asessees by 31-3-2005 the actual tax base at the end of financial year 2005 was
only 2.71 crores (down from 2.92 crores as on 31.03.2004). Furthermore, it was
noticed that the department did not have expenditure figures of the AST project
separately and was therefore not in a position to provide details of the cost of the
project.
Management The AST module is being implemented in phases and the total cost of
developing ITD applications of which AST is one module was only Rs.72 lakhs.
Response
There has been an increase in productivity and service levels as the time limit
for processing has decreased and, as per the Kelkar committee report, all the
processing of the backlog of returns was completed in four months without any
extra man power. The number of cases processed on AST and the average
disposal per assessing officer has increased, while cost of collection has
decreased. Productivity per employee has increased and benchmark activities as
per the cabinet note as also electronic delivery of tax payer services are on track.
Assessment
In the absence of measurable parameters for benefits from the system and details
of the cost of the project, the economic feasibility of AST could not be assessed.
Further, the envisaged benefits of AST system in terms of increased efficiency
have apparently not accrued as the country wide pendency has increased4 and
the number of cases processed on the system were seen to have declined at two
of the selected stations due to both problems of communication links and links
with other modules5.
3The
sanctions for Phase I and Phase II of the computerization programme have been covered in the AR
12 of 2000
IDENTIFY AUTOMATED SOLUTION
Page 20
Assessment
Data entry work for processing of returns was through outsourced man
power6 and cost of collection in absolute terms as well as per assessee has
increased.7
Audit found that the method used for arriving at the figure of Rs.72 lakhs
took into account only the amount paid to the software developer for the
designing. The other costs relating to hardware, system software, application
software, implementation, operations, infrastructure and maintenance thereof
have not been included. The department has also not allocated costs to
individual modules of ITD applications to arrive at a cost benefit analysis for
each module.
R e c o m m e n - 3.
dation
The Income Tax department should carry out a cost benefit analysis of
the AST application development and implementation.
4.
Guidelines be laid down for assessing economic feasibility of such IT
projects. The guidelines should include measurable parameters of
benefits against which a subsequent evaluation of the project should be
possible.
5.
The department maintain the cost data separately for each module of
the ITD Applications including AST.
4
As per figures provided by DIT Systems the all-India pendency went up from 38.33 lakh (02-03) to
56.05 lakh (03-04) and 70.68 lakh (04-05); 17%, 25% and 30% respectively of the total returns filed
5
Delhi:
The pendency of summary assessment has increased from 4.71% (2002-03) to 42.48 % (2004-05).
Despite increase in number of assessing officers using AST from 248 (2003-04) to 265 (2004-05), the
average number of summary assessments completed using AST by assessing officers has declined
from 3120.29 to 3081.90. The average number of summary assessments completed (both manually &
using AST) has declined from 8479.35 (2002-03) to 3346.15 (2004-05) even though the number of
assessing officers has increased from 312 to 354. The decline is by 60% (approx.).
The reasons for pendency were mainly problems associated with PAN (See Appendix A for PAN
Problems in processing) and problems with the communication links established.
Himachal Pradesh:
During the year 2001-02 and 2002-03 when the returns were processed manually, there was no pendency at the close of the year but with the introduction of AST system w.e.f.13.08.2003 it was noticed
that 4411 returns out of 12735 and 3853 out of 13457 returns were pending for processing at the close
of the year 2003-04 and 2004-05 respectively. Pendency of returns at the close of the year was due to
problems with the communication links established as well as issues relating to PAN.
6
Please see section on Manage Third Party Services
7
Please see footnote 4 and table 2.24 of Report no. 8 of 2006 (Direct Taxes) of the C&AG
IDENTIFY AUTOMATED SOLUTION
Page 21
Information Architecture
Description
Management should ensure that attention is paid to the enterprise data model
while solutions are being identified and analyzed for feasibility.
Control Notes AST is a regionally centralized application at 36 locations. The system,
therefore, consists of 36 databases in as many locations running a single
common application. The users are connected to their respective RCCs
through leased lines.
The enterprise data model existing at the time of the current phase of IT
initiative, of which AST is a major part, centered on the PAN database. The
PAN database, whose objective is to uniquely identify every assessee in the
country, was a centralized database. The centralized nature is a business
requirement to achieve the integrity constraint of uniqueness. However, the
system envisaged that credits would be available from OLTAS for advance
tax and self-assessment tax and e-TDS for the tax deducted at source. These
were to be credited against the demand worked out in the AST module using
PAN as the linking key, and the refund/demand as worked out was to be
updated in the IRLA system.
Due to problems in the implementation of OLTAS the credits for self assessment and advance tax are not correctly available from the system.8 Credits
from the TDS module named e-TDS can also not be linked to the AST
module data as e-TDS is in the process of implementation.
The issue is further compounded by cases of non-allocation and nonmigration of PAN.
8
AST Instruction No 16 details the procedure to correct the wrong data posted to IRLA from the erstwhile TAS System.
AST Instruction No. 34 details the list of the problems in the modified version called OLTAS which
includes wrong information of challans posted from OLTAS to IRLA, non availability of information
on paid challans in posted records in OLTAS, minor head mismatch in AST and OLTAS, challan
lying in suspense in OLTAS, Challan Identification Number of challan entered in AST not available
in OLTAS, PAN mismatch in AST and OLTAS and existence of non posted records from AST.
AST Instruction No 18 details the method of correction of wrong TDS entries made through AST and
posted to IRLA.
IDENTIFY AUTOMATED SOLUTION
Page 22
Control Notes The “Individual Running Ledger Account” (IRLA) maintains the details of
all the transactions of assessees with the department. However, IRLA does
not have the correct details of arrear demand.
Manual uploading of the prior period data has also not been effective since
assesses with arrear demands outstanding do not all have PANs and therefore cannot be linked with the IRLA data.
The NCC has a link with all the 36 RCCs. However, the department has
not created any national database of the information available in the 36
databases. In the absence of such a database the ability of the department
to use AST at the national level for important MIS needs is limited.9
Management The conceptual design of ITD Applications is an interlinked one with data
from the AIS, TAS and TDS module. The modified OLTAS and e-TDS
Response
are in the process of stabilization; though the linkages exist and are
functional, quoting of PAN is not accurate therefore automated credits are
not being given and credits are routed through a verification routine by the
assessing officer. The entire data model is of regionally centralized
databases at RCCs. Only five out of 14 parameters of the PAN Database
are stored at NCC which does not change its architecture into a centralized
one. OLTAS data is available to the assessing officers who have been
given a functionality to locate challans to avoid wrong posting of data to
IRLA. OLTAS has deductor wise data for TDS which cannot be directly
posted into AST therefore credit is given on the basis of TDS certificates
enclosed with the return. MIS can be generated regionally since the architecture is regionally centralized. A single National Database is being set up
in Phase III of the Comprehensive Computerization Programme by consolidation of 36 regional databases.
9
Generating MIS information necessitates changing the forms of AST, making it as a patch and then
getting RCCs to run the query and fax the reports to NCC. (AST Instruction No 25 dated 3.12.2003.)
IDENTIFY AUTOMATED SOLUTION
Page 23
Assessment
AST application has been developed without ensuring proper synchronization with
the enterprise data model which has a centralized data base of PAN on one side
and OLTAS and TDS on the other which at the time of data capture cannot
validate the data against PAN. The conceptual plan document of AIS data base
described the system as centralized for processing and decentralized in terms of
data input and output.
This disparate data model has led to serious issues. The heavy un-reconciled
balances10 in the OLTAS system mean that the bank validated input regarding the
actual payment of the tax challan into the government accounts cannot be given to
the assessing officer who is using the AST system for processing. The assessing
officer therefore cannot verify through the AST system whether the tax claimed to
be paid by the assessee has actually been paid. Tax deduction at source is also
unverifiable through the AST system.
Online information regarding the assessee’s tax liability or refund due which was
expected to be provided through the output from the AST system to the IRLA is
not operational. The digitization of arrear demand also suffers from operational
problems due to which prior period data in respect of arrear demand is unreliable.
This entails a risk of loss of critical information relating to revenue due to the
government. Generation of all India level MIS cannot be done due to the
inadequate considerations to information architecture.11
Use of AIS as the index key to ITD application systems led to problems in
implementation as already pointed out in AR 12 of 2000 by the C&AG. Since the
Income tax Department is highly decentralised in terms of operation, the AIS
system design which was centralised was found to be weak in implementation,
thereby affecting the functioning of AST12.
R e c o m m e n - 6.
dation
It is recommended that the income tax department define an enterprise data
model for its application resulting in adequate information architecture so
that the IT efforts of the department are synergized.
7.
Department may consider developing a national database of information in
ITD applications to enable better and efficient MIS reporting and
reconciliation of data from different applications.
8.
Department may prepare a time bound action plan to link the arrear demand
data to AST system to ensure that no revenue due to government is lost sight
of.
10
Rs.1526 crores are lying in suspense in OLTAS in Delhi
11
Please see the section on the SQL Query and Appendix C and footnote
12
Please Para 3.2.10 (b) of AR 12 of 2000
ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
Page 25
Source Data Collection Design
Description
The organization’s system development life cycle methodology should
require that adequate mechanisms for the collection and entry of data be
specified for each information system development or modification
project.
Control Notes
AST is used for assessment of income tax returns of assessees. The
process starts with entering the returns received from assessees into the
system. Audit found13 that the returns received were being entered in
the system and a return receipt register generated which was not linked
to the AST system and was not correlated with the “Blue Book” by
updating it. In these nine states Blue Books were not being maintained
through the system. The Blue Book which is the main control register of
the Income Tax Department for its assessment functions contains details
of returns filed, assessments done and demand raised for the last three
years. However, this is not being generated/updated in the computerized
environment. As a result, lists of non filers, stop filers, jurisdiction
change list and list of cases where notices u/s 142(1) are to be sent are
also not being generated in these States.
Management Re- AST has the functionality of generating the Blue Book and the form is
the same as existed in the manual environment. AST generates all the
sponse
registers which were in use in the manual environment. It also allows
generation of lists such as those of non filers, transfer cases, and cases
selected for scrutiny. Monthly Telegraphic Report can also be
generated. These can be generated in the AST Module and are linked to
PAN.
Assessment
Audit found that although the manual Blue Book and other Registers
had been replicated in the AST Module they were not re engineered to
take advantage of the information available in the systems environment.
The functionalities of the registers which were available were also not
in general use leading to controls which had existed in the manual
environment being discontinued in the systems environment.
This was found in the states of Delhi, Maharashtra (Mumbai), West Bengal, Tamil Nadu, Karnataka, Gujarat, Punjab, Himachal Pradesh and Uttar Pradesh.
13
This was seen in the states of Delhi, Maharashtra (Mumbai), West Bengal, Tamil Nadu, Karrnataka,
Gujarat, Punjab, Himachal Pradesh and Uttar Pradesh.
ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
Page 26
R e c o m m e n - 9.
dation
A control register of the basic source data which has all necessary pieces
of information should be designed within the AST System with inputs as
necessary from the information available in other modules of ITD
Applications, which gives details of filing of returns, assessments,
demand creation and payment for the past three years. This could be a re
engineered format of the Blue Book so that data relating to demand and
collection is also available in this Control Register. Data from the other
modules of OLTAS and e-TDS could also be linked to this.
10.
It should be ensured that the functionalities of lists and registers available
currently are actually being used.
Availability as a Key Design Factor
Description
The organization’s system development life cycle methodology should
provide that availability is considered in the design process for new or
modified information systems at the earliest possible stage. Availability
should be analyzed and, if necessary, increased through maintainability and
reliability improvements.
Control Notes
The AST system’s back end (data base server) is located in 36 RCCs. The
database server used was Oracle, with front end in Developer, in two-tier
architecture.14 The use of two-tier architecture meant that only way of making
the system available to the users in remote locations was by having dedicated
communication links.
DIT Systems stated that implementation of AST required certain prerequisites
which were stabilisation of network connectivity and the AIS Module, and
training of personnel.15
A large proportion of users have not been brought onto the system.16
Problems of connectivity have meant that a large number of users on the
WAN could not use the system fully.
ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
Page 27
M a n a g e m e n t The system was conceptualised on the technology available in 1993-94 as per
the recommendation of the Working group. Bandwidth has been augmented for
Response
users in the 60 stations of Phase I and Phase II and the rest of the cities will be
connected in Phase III. Simultaneous country wide implementation was not
possible.
Assessment
The dependence of AST on network connectivity has affected its
implementation as well as use as the system is not fully available to users on a
24/7 basis. All stations are yet to be brought on the network although eight
years have passed since its commencement in 1997.
Recommenda- 11. Since availability is and remains a crucial factor it is recommended that
the Department may consider solutions for this including virtual private
tion
networks with the appropriate technology.
14
The operating system and RDBMS software have multi user licenses. The operating system originally
installed was AIX version 4.1, which was upgraded to version 11i. The RDBMS originally provided was
upgraded to 7.3.4. The current HP server provided has Oracle 8i. The system is being migrated to 9i and
quasi 3 tier architecture as part of Phase III of comprehensive computerisation plan.
15
AIS and Training have been separately discussed in “Identify Automated Solutions” and “Educate
and Train Users” respectively.
16
AST was installed for initial Acceptance on 15.11.1996 and approved on 22.7.1997. Only 2571 Assessing officers were using AST at 60 stations against the total number of 4436 Assessing officers till
31.3.2005. Partial implementation was found in Delhi, Andhra Pradesh, Uttar Pradesh, Jharkhand, Gujarat,
Maharashtra, West Bengal, Tamil Nadu.
ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
Page 28
IT Integrity Provisions in Application Program Software
Description
The organization should establish procedures to assure, where applicable, that
application programmers contain provisions which routinely verify the tasks
performed by the software to help assure data integrity, and which provide in
the restoration of the integrity through rollback or other means.
Control Notes The AST software is required to work in conjunction with other ITD applica-
tions. Implementation of PAN database was a pre-requisite for the processing
integrity of AST. Similarly the processing integrity of AST requires that its
interfaces with TDS, OLTAS, and IRLA etc. are properly defined and are
working. However, it was observed in audit that links of AST with a key
system, OLTAS, were not working adequately leading to as much as Rs.
1526.18 crores lying in suspense at only one station namely Delhi.17 TDS
credits are also not being received from the e-TDS module. Correct data
relating to the demand outstanding or refund due is also not uploaded from
AST to IRLA.18
Management The ITD Application is an integrated one with inbuilt linkages between
appropriate modules. In the initial stages of implementation of OLTAS, PAN
Response
was not properly quoted by assessees and so the tax credits could not be
posted to the IRLA of the concerned assessee. These are stabilization issues
and are not connected with the working of the linkages. The reconciliation
between tax collected by banks and the amount transferred to government
account is a separate process being appropriately monitored and there is no
suspense amount in this regard. Suspense is of the amount which has been
received and remains un-posted to IRLA. There is no deficiency in the
AIS-AST interface.
17
18
Pl see section on Information Architecture with special reference to FN 8.
It has been observed at all the 12 selected stations that Assessing officers are using only the functionalities relating to processing and rectification. All the other functionalities of AST i.e. scrutiny,
reassessment, appeal, revision penalty, waiver, settlement commission, prosecution, audit objections
were not used. As a result issues of orders/notices/demands relating to these were not being generated through AST. Therefore, IRLA is not being accurately being updated through AST.
The functioning of other modules of software in ITD i.e. AIS, OLTAS, e-TDS and IRLA, have to be
reviewed for smooth functioning of AST.
ACQUIRE AND MAINTAIN APPLICATION SOFTWARE
Page 29
Assessment
The AIS Module is the pivot on which the system of linkages works. Due to
various inherent and operational problems19 AIS has not been able to
perform efficiently thus affecting the processing integrity of AST. In the
absence of the linkage with OLTAS and e-TDS working properly there was
no assurance that tax paid as per orders passed by the assessing officers was
actually received by the government. This lack of integrity in the system
means that the income tax department cannot validate that tax collected has
been credited to the correct assessee. The snapshot of the assessee’s demand
and collection position to be provided by the IRLA Module is therefore not
accurate.
Audit found that AIS was the main index key for the working of the ITD
Applications.20 As a result of this, AST cannot work the way it was
conceptualized as the necessary inputs from the other modules are not
available. As inputs from OLTAS and e-TDS do not reach AST through
IRLA affecting the processing integrity of the system, various manual
interventions for entering the correct advance tax, self assessment tax, TDS
and surcharge paid by assessees are being done.21 Further, errors in the AIS
data are reflected in the AST module as for example in the case of wrong
addresses of assessees generated in AST due to inaccuracies in AIS.
Recommendation
12. A review of the use of AIS as a link should be carried out so that the
integrity of the AST system can be established and maintained.
19
Please see AR 12 of 2000 of the C& AG ;Para 3.2.10.2 (b)(i) and (ii).
20
Pl see the section on Identify Automated Solutions.
21
Pl see Control Notes of section on Output Review and Error Handling (with special reference to Foot
Notes 24 and 27) and also Appendix A Table 4 for number of manual interventions into the system.
MANAGE DATA
Page 31
Data Preparation Procedures
Description
Management should establish data preparation procedures to be followed by
user departments. In this context, input form design should help to assure that
errors and omissions are minimized. Error handling procedures during data
origination should reasonably ensure that errors and irregularities are detected,
reported and corrected.
Control
Notes
The source documents from which data was entered in the system were found
inadequate, as they were not capturing certain crucial information. Majority of
the users commented that the fields available in the Acknowledgement Sheet
were not sufficient for entering data.
Certain information such as details of challans, capital gains, exempt income,
brought forward loss and set off of brought forward loss, amount of book profit
(for 115JA/115JB), investment u/s 88, income from other sources, income
clubbed under Section 64 was not captured in the input form design. The
system also needs inclusion of parameters to populate the due dates in respect
of Form Nos 1, 2 and 3. There is no provision for entering advance tax more
than Rs 100 crores.
The acceptance of returns and giving of acknowledgement numbers is not a part
of AST.
Management Source documents are statutory, therefore there are inherent limitations outside
the scope of computerization. Automatic population of due dates cannot be proResponse
vided as they often change. Entry of Advance Tax more than Rs. 100 crore can
be done through search and claim from OLTAS/AST has the functionality for
computerized receipt of returns in its RRR sub-module. Due to practical problems it is difficult to enter returns in the RRR sub module. AST has provisions
for trapping data entry errors with alert messages.
Assessment
Input form design was not sufficient to ensure integrity and completeness of
data.
Computerization efforts have to be in synergy with the business requirements
and statutory provisions of the Department; these issues would need to be dealt
with within the purview of the overall computerization effort.
MANAGE DATA
Page 32
R e c o m m e n d a - 13. The department should review the source document formats and ensure that
they provide for all the information that is necessary for processing of a return.
tion
Procedures should be set down to trap errors in the acknowledgement sheets and
that to detect and correct these in a timely manner. The acceptance of returns and
giving of acknowledgement numbers should be made a part of the AST module.
Data from the Annual Information Returns should be linked and entered. Crucial
information from the P&L Account and Balance Sheet could also be captured to
increase the efficiency of picking up cases for scrutiny through CASS.
Source Document Authorization Procedures
Description
Management should ensure that source documents are properly prepared by
authorized personnel who are acting within their authority and that an adequate
segregation of duties is in place regarding the origination and approval of source
documents.
Control Notes
Returns received from the assessee in the receipt section of the range office are
made into bundles according to the convenience of the concerned assessing
officers. Bundles should be prepared by the Range JCIT and allocated to the
different assessing officers which is not being done.
Bundles do not contain all the returns sequentially based on the acknowledgement
numbers. Further, the returns received are made into bundles consisting of “Nil
Demand”, “Refund” and “Demand”. The assessing officer/assessing officer Staff
generates the bundle number sequentially in the AST software.
No check is exercised to ensure that all the returns received are included in the
bundles.
Management
Response
JCITs allocate bundles only in pilot ranges and not in normal ranges. Returns need
to be segregated to process refund returns on priority. The seasonal rush of returns
makes it impractical to issue sequential acknowledgement numbers but physical
control is exercised by assessing officers and JCITs.
MANAGE DATA
Page 33
Assessment
The segregation of duties between origination of source document (tapal
section) and authorization in the assessing officers section was adequate.
The concept of pilot ranges and normal ranges has now been discontinued
according to the new system of record keeping units (RKUs), all records are
centralized with the range JC who is to allocate returns to all the assessing
officers in the jurisdiction.
However, the system allowed for the authorized returns to be entered in the
system in any order which is in contravention of the business rule of
following the order of acknowledgement number.
There is no system in the AST software to ensure that all the returns
received are being included in the bundles and processed.
Audit found that the issue of sequential acknowledgement numbers was
feasible and desirable in order to requisitely control and monitor the processing of returns.
R e c o m m e n - 14. The department should institute procedures to ensure that
dation
(a) All the returns are entered into the system sequentially.
(b) All the returns entered are processed sequentially, by devising reports
such as gap-analysis at various stages.
MANAGE DATA
Page 34
Data Input Authorization Procedures
Description
The organisation should establish appropriate procedures to ensure that only
authorized staff performs data input.
Control Notes The entries made by the staff into the system are to be validated by the
assessing officer but this process is not satisfactory in all the states selected
for audit.
It was found that outsourcing was being done in Tamil Nadu, Karnataka,
Mumbai, Uttar Pradesh and Himachal Pradesh for data entry of returns. The
process was not being controlled and monitored to ensure that data entry
was mandatorily authorized by the assessing officer.
Data already entered by the staff in one State was accessible to the
outsourcing agents who had the user Id and password of the departmental
officers.
Management The roles available in the AST module allow the assessing officer and the
staff to make entries but only the assessing officer can process the
Response
entries .Outsourcing is done according to a scheme which has the necessary
guidelines and operates in a limited manner. Data already entered was not
available to the outsourcing agents as the work was done under the
supervision of the officers of the department. Assessing officers are
involved in verification of data entry.
Assessment
Field audit reports indicate that input controls are inadequate and issues
relating to authorization are not adequately addressed.
As far as data entry by third party service providers is concerned, in the
absence of an adequate contract taking into account various aspects of
security and authorization there are possibilities of security lapses, which
would compromise and vitiate the data in the system.
The assessing officer has the final responsibility for the returns filed and
processed including the accuracy of the inputs and outputs of the system.
Therefore final authorization of the input data should be done by the
assessing officers. However, audit found that this was not strictly followed
in several cases in all selected states.
Tamilnadu
MANAGE DATA
Page 35
The assessing officers should be issued stricter guidelines for
R e c o m m e n - 15.
verifying the entries made and that supervisory authorities check this
dation
validation.
16
The department should lay down guidelines for authorization of data
before it is entered in the system, for cases when it is done by outside parties
etc. Such data should not be entered directly into the system and instead the
policy should provide for an authorization procedure, including due checks
before its entry into the AST system.
17
The user identities and passwords of departmental officers should
not be available to third parties.
Accuracy, Completeness and Authorization Checks
Description
Transaction data entered for processing (people-generated, systemgenerated or interfaced inputs) should be subject to a variety of controls to
check for accuracy, completeness and validity. Procedures should also be
established to assure that input data is validated and edited as close to the
point of origination as possible.
C o n t r o l The computation sheet enclosed along with the return was not verified to
ensure correctness of the data furnished in the Acknowledgement sheet
Notes
Section 139 of the IT Act sets down certain mandatory enclosures to be
appended to the return without which the return is to be treated as defective.
As there is no field in the system regarding the completeness of the
mandatory enclosures, the completeness of returns furnished could not be
ensured through the system. There was no check to confirm that
acknowledgement sheet was correctly filled in.
MANAGE DATA
Page 36
Management Computation sheets are non statutory and non standard and cannot be
used for data entry. Particulars of mandatory enclosures are verified at
Response
the time of filing of returns. Data is entered by staff and can be
processed only by the assessment officer. AST has inbuilt checks to
verify control totals and issue alerts.
Assessment
The controls over data entry process at the input level were not sufficient to detect errors and could lead to incorrect refund/demand. Audit
found that all the necessary verifications of input data some of which
were dependent on the computation sheets were not being done.
There is no check box for validation of the mandatory enclosures with a
return of income does not exist. Alerts exist in the system but are
Department should institute a process to check correctness of
R e c o m m e n - 18
data entry. Checks like control totals of source data and data as input
dation
should be devised and the two should be compared to identify the
errors.
MANAGE DATA
Page 37
Data Input Error Handling
Description
The organisation should establish procedures for the correction and
resubmission of data, which was erroneously input.
Control Notes We found that
•
Data once saved in the system could not be corrected and resubmitted
even if it had not been processed by the assessment officer.
•
Assessment years, date of filing of returns etc. are wrongly entered in
the system.
•
Non-verification of records before entry into the system led to
subsequent manual rectification.
•
Several data entry errors were noticed at all the stations.
•
Input controls were not adequate since entry was not being adequately
verified by the assessment officers.
Management Data entry can be corrected up to the stage of processing. Due dates are centrally entered by NCC. Initial data entry by staff and checking by assessment
Response
officer provide two levels of check with the final responsibility being the
assessment officers. For errors detected after processing, order u/s 154 is the
only legal recourse.
Assessment
The final verification of the data entered in the system by the assessing officer is not being done properly, leading to input errors being perpetuated in
the system. The only way of correction is through a separate order under
section 154.
Department may consider devising a procedure for detection of data
R e c o m m e n - 19.
entry error and resubmission under proper authorization.
dation
MANAGE DATA
Page 38
DP Integrity
Description
The organisation should establish procedures for the processing of data that
ensure separation of duties is maintained and that work performed is
routinely verified. The procedures should ensure adequate update controls
such as run-to-run control totals and master file update controls are in place.
Control Notes Certain control totals were run as an SQL query on the system.22
•
Section wise Chapter VIA deductions should be equal to total
deductions;
•
Returned Income should be equal to Gross Total Income less deductions;
•
Returned Income should be equal to Income taxed at normal rates
plus Income taxed at special rates.; and
•
Total of all heads of income should be equal to the total income.
The results of these runs threw up cases which would need verification and
rectification if necessary.
Ma n a g e m e n t AST has the necessary checks for control totals which are also available to
the assessing officer as alerts. The observations of audit are based on the
Response
results of the SQL query run which had certain limitations thus the mistake
is in the query and not the program. The results of the queries have been
examined in detail and discrepancies reconciled.
Assessment
The process of running control totals is a necessary check on data
processing integrity as it reveals the possibility of the existence of errors in
the system. The basic control total runs done by audit threw up several
cases for verification with the possibilities of error.
As the control totals were run by audit merely as indicators, cases thrown
up through running such control totals or any control totals devised by the
Department need to be rechecked for accuracy as a part of checking the
data processing integrity. This process is not in place as the checks for
control totals which are issued as alerts to the assessing officer are for guidance during processing of inputs. The control totals being considered here
are for verification of outputs at the system level to be run by the database
administrator.
22
See Appendix ‘B’
MANAGE DATA
Page 39
Recommendation 20.
The department should devise methods for ensuring DP integrity
through an adequate use of control totals run as checks.
DP Validation and Editing
Description
The organisation should establish procedures to ensure that data
processing validation, authentication and editing are performed as close to
the point of origination as possible.
Control Notes Mistakes in the processed returns are rectified subsequently on being
pointed out either by the assessee or noticed by the department at the time
of scrutiny assessment of the selected cases. The department has not
evaluated the integrity of the output data by any other checks.
The existence of the tool of the mismatch report to ensure that the data
generated by the system corresponds to the data entered was not generally
known. Differences were seen in data entered and data shown in the output, for example, in the fields of returned income, assessed income tax,
book profit etc.
Management Mismatch reports are automatically generated for enabling assessment
officers to correct data entry errors.
Response
Assessment
Not using the mismatch report was a weakness in the data processing. It
could lead to incorrect data being processed and going undetected. Before
processing of a return mismatch reports generated by this system and the
data entered should be verified against the output generated.
The mechanism of detecting/correcting the errors only after being pointed
out by agencies external to the system was a weakness in the process .
MANAGE DATA
Page 40
Recommen- 21.
dation
The department may consider reconciliation of mismatch reports being
made a prerequisite for processing.
22.
There should be a mechanism for running a check on the data processing.
DP Error Handling
The organisation should establish data processing error handling
procedures that enable erroneous transactions to be identified without
being processed and without undue disruption of the processing of other
valid transactions.
C o n t r o l A test check revealed the following shortcomings23
•
AST does not automatically adjust the refunds of current assessment
Notes
year against the demand of the previous assessment year. Such
adjustments were made manually on the output sheet.
•
Due date of filing of return was found incorrectly entered in the
output sheet.
•
There were mistakes in gross taxable income generated on the output
sheet.
•
The system is not correctly adding minus items.
•
Non allowance of credit of advance tax.
•
Incomplete processing of returns due to cancellation of vouchers of
refund.
•
Incorrect calculation of deduction u/s 80D, 80G.
•
Incorrect calculation of rebates under section 88, 88B, 88C.
•
Mistakes in calculation of taxable income and tax u/s 115JB. Manual
overrides are used to fill in the tax amount.
Description
23
The errors listed have been found and collated from all the 12 States selected for the audit. See
Appendix C for details of certain results of an SQL query on the AST data relating to some of these
errors.
MANAGE DATA
Page 41
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Mistakes in calculation of interest under sections 234A, 234B, 234C
and 244A due to differences in both rate and period for which
interest has to be charged.
Mistakes in calculation of tax due to excess credit of TDS by AST.
Mistakes in calculation of royalty income in the case of NRIs.
Mistakes in calculation of house property income.
Mistakes in calculation of tax on LTCG. In fact LTCG and STCG
details are not available and are not taken into account by the
system while computing tax. The tax on LTCG is separately calculated by the assessing officer and entered into the system.
Mistakes in giving credit for dividend tax under section 115 O and
115P as there is no field for their entry.
Mistakes in carry forward of short term capital loss.
Mistakes in calculation of refunds.
Mistakes in calculation of set off of long term capital loss against
business income.
Education cess not incorporated in the system.
Differential tax rate for winning from lotteries not accepted by the
system.
MAT cases cannot be distinguished by the system.
No check for correct calculation of income under section 24 i.e.
house property income.
PAN problems in processing; non-migration, non-allotment,
duplicate allotment, invalid PAN etc. There are unprocessed returns
also because the returns have been barred by limitation.
Revised returns have been processed after the processing of the
original return.
Incorrect inputs were noticed from OLTAS and e-TDS regarding
credit of taxes paid.
MANAGE DATA
Page 42
Management The data processing errors listed have been examined in detail .They have
arisen for one of the following reasons:
Response
Assessment
•
Certain legal provisions of the Income Tax Act impose restraints on
system functionalities. Other than these legal provisions are strictly
reflected in the AST system.
•
The query results have thrown up errors because of errors in framing
the SQL query, either due to incomplete logic or because of amounts
being compared between wrong tables/fields of the database.
•
Cases where incorrect interest was found computed by the system
had actually been modified by the assessing officer using overriding
functions.
The audit comments have been made based on inputs from field audit and
test check of manual records based on which the queries were designed in
consultation with the department and through a patch released by the DIT
(Systems). A detailed analysis of the issues thrown up through the queries
has been provided by the department supported by data which has, however, not been validated by audit. However, the explanations offered by the
department have been examined and it is felt that certain errors may be
contained in the system, specially in sensitive interest calculating sections.
Manual interventions by assessing offices have a serious risk of compromising the controls since neither the system processing nor the assessing
office is completely accountable in this mixed environment.
There may be data processing errors in the system due to algorithm
mistakes in setting down the business rules of certain sections in the Act.
As has been seen from a study of the patches issued by the DIT Systems
the same problems tend to recur.
Data processing errors are also occurring due to the failure of linkages
between modules and incorrect outputs of other modules being sent as
inputs into AST.
The functioning of other modules of software in ITD viz. AIS, TAS, TDS
and IRLA, have to be reviewed for smooth functioning of AST.
MANAGE DATA
Page 43
R e c o m m e n d a - 23.
tion
A method of minimising DP errors and setting benchmarks for
acceptable levels of errors must be done. The software may be
reviewed as the errors pointed out above are only indicative in nature
and taken from a sample of the cases processed through AST.
24.
The query run by audit and results thereof are an important part of the
process of validation of data processing which requires to be done at
regular intervals by the department itself.
25.
The PAN database in the AIS module has to be made error free
urgently since it affects the functioning of other modules including
AST.
Output Review and Error Handling
Description
The organization’s management should establish procedures for assuring that the
provider and the relevant users review the accuracy of output reports.
Procedures should also be in place for controlling errors contained in the
output.
C o n t r o l Test checks revealed that the assessing officers were not generating the list of
non-filers and also not issuing notice u/s 142(1) to them.
Notes
Test checks revealed that the assessing officers were taking prints of orders/
notices relating to assessments u/s 143(1) only. The prints of orders/notices required under other provisions under the Income Tax Act for which the
functionalities exist in the system were not taken out.
Intimation sheet and refund orders are only generated through the system.
Demand notice, challans and Registers for matters relating to penalty,
prosecution, appeal, rectification, demand and collection are not generated/
maintained by the systems.
MANAGE DATA
Page 44
C o n t r o l All necessary outputs such as reports routinely sent to the CBDT by all field
formations such as those relating to the Central Action Plan as well as other
Notes
statistical reports are not there as required in the AST module.
Mistakes in the processed returns are rectified subsequently; either on being
pointed out by assesses or noticed by the department during scrutiny. Integrity
of output is not evaluated by any set down routine procedures.
There are mistakes in outputs of other modules used as inputs in AST such as
name and address of the assessee24 and credits for taxes paid due to errors in
linked systems25.
There are systems errors in processing of returns which are taken care of by
manual overrides26 or by unnecessary orders under Section 154. Compensating
entries are also made to negate mistakes in data entry or processing27 specially
instances relating to TDS credits.
Refunds have also been given manually, previous years demand of the assessee
is adjusted against the current years refund manually.
Status reports on returns due and received, assessed in summary and scrutiny
and cases to be transferred are not generated.
Management Functionalities for generating notices, lists and registers etc. relating to non filers, processing outputs (intimation sheets, refund cheques, demand notices etc.)
Response
and appeal/prosecution etc. are available either in the AST or the IRLA module. However, since computerization of post processing functions is being done
only now as per the recommendations of the Working Group on computerization, certain registers etc. may not be in use. There are no mistakes due to errors in linked modules and system errors for processing are not taken care of by
manual overrides.
24
This was noted during the audit in Delhi ,Rajasthan and Gujarat
See section on IT Integrity Provisions in Application Program Software
26
See Appendix A Table 4
27
Rajasthan
25
MANAGE DATA
Page 45
Assessment
The list of non-filers was not being generated by the assessing
officers as a result of which the possibility of assessees with income
escaping the tax net cannot be ruled out. All functionalities and their
outputs were not being used, and several statistical reports were being
prepared manually. Further several cases of manual overrides have
been noticed.
Lack of correct data in linked modules affects the outputs of AST.
Audit found that the working group report which has been taken as the
basis of computerisation efforts did not talk of phasing the rollout of
the plan functionality wise. There was no recommendation to
operationalise only two functionalities of AST and ignore the rest. The
recommendation was to implement the critical modules of AIS, AST,
TAS and TDS before the other less crucial modules. The phased plan
is also as per geographical location and not functionality.
Recommendation 26.
Procedures for controlling errors and establishing accuracy of
outputs have to be put in place and enforced.
MANAGE CHANGES
Page 47
Change Request Initiation and Control
Description
Management should ensure that all requests for changes, system
maintenance and supplier maintenance are standardized and are subject
to formal change management procedures. Changes should be
categorized and prioritized and specific procedures should be in place to
handle urgent matters. Change requestors should be kept informed about
the status of their request.
IT management should ensure that change management, and software
control and distribution are properly integrated with a comprehensive
configuration management system.
The change process should ensure that whenever system changes are
implemented, the associated documentation and procedures are updated
accordingly.
IT management should ensure that the release of software is governed
by formal procedures ensuring sign-off, packaging, regression testing,
handover, etc.
Specific internal control measures should be established to ensure
distribution of the correct software element to the right place, with
integrity, and in a timely manner with adequate audit trails.
Control Notes
There is a formal procedure for changes right from problem report and
change request till its solution. Operational documents are also prepared
for changes. The changes are also approved and accounted for.
The system developed and implemented in 1997 did not completely
fulfill all the business requirements. Changes have been necessitated not
only due to changes in the Annual Finance Act and changing technology
from time to time but also due to shortcomings in the system as pointed
out by the assessing officers/users.
The charges for development of any additional query/report
programmes or to undertake substantial modifications/changes are
negotiated separately. The work has been awarded to Tata Consultancy
Services without inviting tenders from other prospective contractors.
Rs. 83.78 lakhs have been paid to TCS during 2000 to 2005 for carrying
out changes to the AST software.
MANAGE CHANGES
Page 48
Management
Response
There have been only 32 changes to the AST Software since its
inception and most of them have been because of changes in the IT Act.
The work has been awarded to TCS through an open tender. Since these
systems were being set up for the first time there were no live databases
and testing had to be done in a simulated environment.
Assessment
A review of the changes carried out in AST revealed that majority of the
changes were not because of external reasons such as amendments to
the Finance Act etc. and were in the nature of design deficiencies. The
fact the system has required so many changes is indicative of the fact
that there were weaknesses in
•
Communicating the User Requirements to the developer;
•
Inadequate scrutiny before acceptance of design; and
•
Incomplete User Acceptance Testing.
User Acceptance Testing was done on a very limited scale and only in a
simulated and not real field environment.
Open tender process was not followed while awarding the contracts for
changes to the system.
Recommendation
27.
User Acceptance Testing should be reviewed. The contract for
changes in the software should be given after due procedure.
MANAGE CHANGES
Page 49
Impact Assessment
Description
A procedure should be in place to ensure that all requests for change are
assessed in a structured way for all possible impacts on the operational system
and its functionality.
Control Notes
Whenever the software is modified through patches by DIT (System), the
system does not have any provision to identify similar type of errors/mistakes
that occurred in the processed data (by raising queries or reports) and to rectify
the same. Directions for manual checking for errors are sent by the DIT
(Systems).
No impact assessment study is undertaken and no queries are run to identify the
errors in the system so that they may be rectified. Instances have been noticed
where users have pointed out invalid rates, dates etc. in the system. While these
have been rectified later, impact assessment of the time lag has not been carried
out in the system. Appendix B details an attempt at a limited impact
assessment.
Management
Response
Assessment
Impact assessment is carried out before incorporating any changes in the
application modules; the modification is fully tested by the developer and the
module incharge before release. AST Instruction 21 through which directions
for manual checking were sent was due to a one off situation, due to a specific
ordinance being effective from the date of its promulgation.
There is no method of impact assessment for the changes carried out in the
system. This could lead to errors remaining un-rectified in the system with risk
of loss of revenue.
Audit found that though change impact assessment is being done through testing
of patches the impact in terms of the business requirement of calculation of tax/
interest/refund is not being done or being asked to be checked manually.
Recommenda- 28.
tion
An impact assessment feature should be built into the software and used
after the incorporation of changes.
MANAGE CHANGES
Page 50
Control of Changes
Description
IT management should ensure that change management, and software
control and distribution are properly integrated with a comprehensive
configuration management system. The system used to monitor changes to
application systems should be automated to support the recording and
tracking of changes made to large, complex information systems.
Control
Notes
Code changes, check in and check out procedures for changes exist. This is
done through PVCS version control management. The changes made were
approved and accounted for.
The patches made by TCS are sent to the RCCs for incorporation through a
separate procedure for each of them.28 There is no set down procedure to
ensure timely incorporation of patches at RCC to monitor the time taken.
Management The overall system was designed in 1994 on client server architecture
which was the best available model considering the state of technology and
Response
communication infrastructure then available in the country. In a regionally
centralized, model changes have to be implemented separately in each RCC.
Procedural safeguards are in place and AST Instruction No 19 shows that
monitoring is being done. Further computed figures of interest can be
manually corrected. In Phase III all RCC databases are being consolidated
into a single national database.
Assessment
As pointed out no systematic/inbuilt monitoring in respect of time taken to
execute changes by RCCs is available. The regionally centralized model has
led to the need for replication of efforts to deal with program changes in
AST29.
Recommendation
29.
A monitoring system for recording and tracking changes should be
built into the software.
28
AST Instruction No 19 points out irregular version updating by RCCs
29
Please see Identify Automated Solutions
MANAGE PROBLEMS AND INCIDENTS
Page 51
Problem Management System and Problem Escalation
Description Information services function management should define and implement a
problem management system to ensure that all operational events which are not
part of the standard operation (incidents, problems and errors) are recorded,
analyzed and resolved in a timely manner. Incident reports should be
established in the case of significant problems.
Management should define and implement problem escalation procedures to
ensure that identified problems are solved in the most efficient way on a timely
basis. These procedures should ensure that these priorities are appropriately set.
The procedures should also document the escalation process for the activation
of the information technology continuity plan.
Control
Notes
Whenever a problem is encountered in running of an application module at the
user level, it is first reported to DBA of the RCC. In case he is not able to
resolve it, the same is escalated for the respective module leaders at NCC who
addresses it himself and reverts back to RCC. Whenever necessary, help of
TCS is taken through problem report/change request mechanism. DBA of RCC
and module leaders at NCC depending upon the severity of the problem,
maintain first level record; complete record is maintained once a problem/
change request is given to TCS.
There is no rigid procedure for categorization of problems apart from what has
been described above. However, all problems are taken up and resolved on
their merits so as to keep the application up and running.
Before releasing the application software to the field, rigorous testing is done in
the simulated environment at NCC.
RCC has stated that there was no critical problem, which could stop
functioning of AST application.
MANAGE PROBLEMS AND INCIDENTS
Page 52
Management Response
The policy paper for categorisation of incidents is being formulated in phase
III.
Assessment The procedure for managing problems in running of the software was found to
be generally adequate but ad-hoc. The problems which were addressed and
resolved were documented. However instances of unresolved issues indicated
weaknesses in the process of managing problems and incidents.
In the absence of a system of categorization and prioritization of problems,
there was a risk that problems of critical nature, which could have an impact
on the core objectives of the department, may remain unresolved, or may be
resolved temporarily without addressing the basis of the problem.
As per the existing procedure the problems were escalated through the channel
of RCC and NCC to the software vendor. However, the process of
documentation and linking with the change management is formalized only
when the problem had to be taken up as a change request with the vendors.
Thus, there remained a possibility that even problems of critical nature, which
could be resolved at the level of RCC, would continue to exist in the version of
the system running in the other regions. Risk, therefore, existed that even
identified and rectified errors in the system in one region, with possible effect
on revenue, would continue to persist in the system.
Recommen- 30.
dation
The department should formulate a policy of categorization of problems
and incidents. The policy should inter-alia lay down the priorities for
various categories of problems, the time limits in which they should be
redressed and the procedure for escalation.
DEVELOP AND MAINTAIN PROCEDURES
Page 53
Operational Requirements and Service Levels
Description
The organization’s system development life cycle methodology should
ensure the timely definition of future operational requirements and service levels.
Control Notes
To a query whether operational requirements were determined with
historical performance statistics available, DIT System stated that
there were no automated system for assessments function prior to
implementation of AST application, historical performance statistics
were not available at time of development of AST. However,
performance tuning of AST was carried out to meet enhanced
operational requirements
All operational staff and users are not aware of performance
requirements of AST Software.
There were no service level agreements between the department and
the software developer. A technical cadre for the running of the
National Computer Centre has been formed but suffers from
shortages30 and also has to look after work of an administrative nature.
Management Response
There was no practice of entering into Service Level Agreements in
1994. Technical specifications of AST software have not been given to
the assessment officers as it is not necessary but users are aware of expected response time. Operational requirements are part of the SRS
and SDD documents which were made available to audit. The roles
and responsibilities of technical manpower are laid down in the
Computer Centre Manual. Shortage of technical manpower is due to
litigation problems and quashing of recruitment rules. The application
software is being maintained through a well defined change
management process. There has been no disruption to date and more
than 3.25 crore returns have been processed by more than 4000 users
in 60 cities.
The set of best practices embodied in SLAs were extant regardless of
the actual form given to them in terms of a formal agreement and these
need to be followed. Roles and responsibilities are not clear to users.
30
The EDP cadre Staffing Position is as follows
JD (S)
DD(S)
AD (S)
DPA (B)
DPA (A)
Sanctioned
5
26
73
55
104
PIP
0
24
29
38
20
DEVELOP AND MAINTAIN PROCEDURES
Page 54
Assessment
Users including RCCs and assessing officers were not aware of the
operational requirements. The operational requirement of the AST
software was not laid down as a part of systems development.
Resultantly we found that lack of technical expertise was felt in the
department. In the absence of service level agreements with the
vendors regarding maintenance there was a risk of business disruption
regardless of the fact that no disruption has occurred as yet.
The set of best practices embodied in SLAs were extant regardless of
the actual form given to them in terms of a formal agreement and
these need to be followed. Roles and responsibilities are not clear to
users.
Recommendation
31.
The operational requirements of AST system and ITD
applications in general should be defined and also disseminated.
The role of the technical cadre should be properly defined and
the work allocated to them accordingly. Suitable action should
be taken regarding shortages in the technical cadre.
DEVELOP AND MAINTAIN PROCEDURES
Page 55
User Procedures Manuals
Description
The organization’s system development life cycle methodology should
provide that adequate user procedures manuals and training manuals be
prepared and refreshed as part of every information system development,
implementation or modification project.
Control Notes
The user manual is generally not available with the staff and officers;
hence staff is not aware of and not able to use all the functions available in
the system.
Since the implementation of AST in Delhi in 1997, DIT System has
issued 35 instructions till date regarding several modifications in the
system. However, the revised AST manual incorporating the modifications
has not been prepared. Some of the sections under the IT Act have been
deleted/modified. The validation/range overflow checks specified in the
AST User Manual were not updated as per latest provisions of the IT Act.
For instance even after the abolition of additional tax under section 143 (1)
(a) the concept of a notional return still appears in the User manual.
Computer Based Tutorials were available to users in a limited fashion.
Management Response
Users manuals have been made available on CDs, updated manuals were
distributed on Taexpert; a self learning computer based tutorial was also
distributed. The user manuals were loaded on to the 8000 PCs supplied in
2004. At the initial stage emphasis has been given to processing of returns
so that a high volume low skill labour intensive activity could be
computerised and 3.25 crore returns have been processed.
Assessment
The preparation of user manuals for AST was undertaken as a one time
exercise.
Although user manuals were prepared these were not available to all the
users and the user awareness of the system features was also limited. This
resulted in the sub-optimal utilization of the features of the software other
than for processing and rectification.
The process of updating the manuals, as changes take place in computer
systems due to changes in the business rules, was not in place. These user
procedure manuals would eventually replace the office procedure manuals
in a fully computerised environment and would lead to errors if these were
not in consonance with the extant provisions of the Income Tax Act.
DEVELOP AND MAINTAIN PROCEDURES
Page 56
Recommendation
32.
The user manuals of the system should be made available to all
the users of the system through an adequate process of dissemination and monitoring.
33.
Steps may be taken to ensure users knowledge of the features of
the system and their linkage in the user manuals. All the features
of the system may be taught to the users so that all the functionalities of AST are put to use.
34.
The Income Tax department should update the user manuals of
AST to reflect all the changes carried out in the software due to
changes in the Income Tax Act and due to any other modifications carried out from time to time.
Operations Manual
Description
The organization’s system development life cycle methodology should
provide that an adequate operations manual be prepared and kept up-todate as part of every information system development, implementation or
modification project.
Control Notes RCC has no separate operation manuals and user manuals. RCCs stated
that they had only one user manual for all the modules of ITD applications, which is used as a user, training and operating manual. Soft copies
of all the manuals including AST are installed only on new PCs; the users working at the old PCs are assisted by a resource person.
Management
Response
There is a computer centre manual laying down the operational guidelines which was prepared in 2001. There are written down procedures for
taking back ups.
Assessment
The absence of an operating manual is a serious issue which points to
incomplete inputs given to operating personnel and a consequent lack of
knowledge of procedures. Inadequate maintenance increases the risk of
crashing of the system and puts the entire data at the 36 RCCs at a risk.
Extant data may also be at a risk of deletion.
Recommendation
35.
A separate Operational Manual may be prepared and issued to the
personnel at the RCC so that they are helped in the proper upkeep
and maintenance of the database.
EDUCATE AND TRAIN USERS
Page 57
Identification of Training Needs
Description In line with the long-range plan, management should establish and maintain
procedures for identifying and documenting the training needs of all personnel
using information services. A training curriculum for each group of employees
should be established.
Control
Notes
It was observed that the process of identification of training needs was not
evident. Training was given in areas of:
•
General Computers
•
Microsoft Windows
•
Microsoft Office
•
ITD Applications
There was no formal assessment of training needs for different categories of
users and development of focused training modules for them. Training was
imparted on Microsoft Technologies whereas the AST system is based on
Oracle Technologies.
It was found in 10 of the 12 states31 selected for the review that the users were
generally untrained/not satisfied with the training received and needed more
inputs on all the features of AST.
It was also found that training in some instances was being given on an older
version of software limiting the usefulness of training.
As a result of inadequate identification of training needs in most of the
instances the full features of the AST software were not being used. The users
of the system were reported to be learning by trial and error.
Management Response
31
Assessment of requirement of computer training was done and the scheduling
was matched with the rolling out of the applications. Training needs analysis
is continuously being done. Only the back end of ITD is on Oracle whereas
the front end is Windows 95 and training was provided on Windows for
familiarisation. Oracle training was restricted to technical manpower. A Training Steering Committee was set up to oversee these matters. It is not correct
that full features are not in use due to inadequate training or that users are
learning by trial and error. The training database is modified every year. No
off the shelf training is available for AST as it is customised; training was outsourced as Training labs were not available.
Himachal Pradesh , Delhi , Gujarat , Mumbai , Tamil Nadu , Uttar Pradesh , West Bengal , Karnataka , Jharkhand , Rajasthan.
EDUCATE AND TRAIN USERS
Page 58
Assessment
Training needs analysis needs to be a dynamic and continuing process, in context of software like AST, which is changing continuously.
The end users require a basic familiarity with computers and need to work on
the Forms/Developer interface when working on AST. Relevance of training
on “Windows” and “Office” in the context of AST could not be established.
The inadequacies in the process of identification of training needs have limited
the usefulness of the system and benefits from the system have not accrued, as
they should.
Audit found that the targets of training i.e. the users were generally not satisfied with the training and wanted more exposure to the features of the AST
System.
Recommendation
36.
The department should carry out detailed training needs analysis for
various categories of users of the system. Training modules may accordingly be got prepared including refresher trainings;
37.
When buying off the shelf trainings, the linkage between the training and
actual job requirement should be clearly established.
EDUCATE AND TRAIN USERS
Page 59
Training Organization
Description
Based on the identified needs, management should define the target groups,
identify and appoint trainers, and organize timely training sessions. Training
alternatives should also be investigated (internal or external location, in-house
trainers or third-party trainers, etc.).
Control
Notes
General training on software and application training on AST was being
conducted by the following agencies.
•
•
•
•
•
•
•
NCC
RCC
NADT
RTIs
MSTU
CIT (CO)
In house Training
There was no clear division of responsibility for imparting training by each of
these agencies/methods. The target group was not clearly defined or
categorized properly. None of these agencies could clearly specify their target
client for training.
Training on software like Microsoft Windows and Microsoft Office was
outsourced to NIIT. For training on ITD applications in general and AST in
particular, the user manuals were used as the training material. Training on ITD
application was for duration of three days. The system was being run in an adhoc trial and error method in many locations. The users often faced problems
in working with AST and solved these by contacting RCC over the telephone
or otherwise32.
It was observed that although training was imparted to the assessing officers,
their supporting staff had remained untrained. Training to the ministerial staff
has started only recently.
The software version being used for training was an older version due to several changes having been made to the software.
32
West Bengal
EDUCATE AND TRAIN USERS
Page 60
Management
Response
Initially imparting of training was the responsibility of NCC and the three
RCCs. It was then outsourced to NIIT and then to SSI. A training infrastructure
was also set up at NADT, RTIs and MSTUs for actual delivery of training.
Training was provided to all assessment officers and one staff member. Imparting of more training inputs is an ongoing process.
Assessment
The method, effect, usefulness and duration of the training on AST were not
found adequate. Most of the Assessing officers themselves felt that they needed
further training, by way of refresher courses etc. Consequently users were not
fully aware of the features of the AST software.
Training at all levels including the ministerial level were inadequate. Training
on an older version of the software has meant that the usefulness is limited.
Audit found that the multiplicity of agencies has led to a blurring of efforts and
less efficient targeting.
Recommendation
38.
Training needs should be properly identified at all levels and training
imparted in an effective, organized and useful manner.
MANAGE THIRD PARTY SERVICES
Page 61
Supplier Interfaces & Owner Relationships
Description Management should ensure that all third-party providers' services are properly
identified and that the technical and organisational interfaces with suppliers are
documented.
The customer organisation management should appoint a relationship owner
who is responsible for ensuring the quality of the relationships with third
parties.
Control
Notes
Third party services were used for the data entry of returns all over the country
in 2003 with instructions given to the Chief Commissioners of all regions to
outsource data entry so that processing of all returns was completed by the end
of the financial year. Funds were placed at the disposal of the concerned CCITs
and they were authorised to use the funds at their discretion. The letter through
which the directions were conveyed to the Chief Commissioners did not outline
the interface with supplier adequately. The relationship owner was not clearly
identified with responsibilities divided between the administrative and systems
setup.
Management Response
The time limit for processing of returns was reduced to one year by the Finance
Act of 2001, and the Kelkar Committee recommended that backlog of
processing of returns be cleared within four months. An in-house committee
was set up, and the Board decided to outsource data entry of returns for
processing to act on the recommendation of the Kelkar Committee and take
into account the shortening of the legal time limit for processing. Detailed
guidelines were laid down for the Chief Commissioners which included the
requirements for security, confidentiality and non disclosure.
Assessment
There were no coherent policy regarding identification of the areas where third
party service providers should interface with the organization. No details as to
the deliberations of an internal committee were provided to audit. The
instructions issued to Chief Commissioners’ regarding outsourcing of data
entry was inadequate and did not lay down guidelines for critical issues of
confidentiality, non disclosure, accountability etc. Funds were placed at the
disposal of the Chief Commissioners’ without detailed and specific guidelines
as to their use.
The work of the income tax department is highly sensitive in nature and
outsourcing of core departmental functions is risk factor which needs to be
recognized and controlled.
MANAGE THIRD PARTY SERVICES
Page 62
It is recommended that the Income Tax Department
Recommendation
39. Prepare a policy document on the nature and kind of services that can be
outsourced to third parties;
40.
Lay down detailed guidelines regarding hiring of third party services; and
41.
For any major outsourcing as significant as data entry of returns, have a
well-defined responsibility and accountability statement.
Third Party Contracts
Description
Management should define specific procedures to ensure that for each
relationship with a third-party service provider a formal contract is defined
and agreed upon.
Control
Notes
There was no stated specific policy regarding the contract with the third
party service provider. General conditions of contracts were not specified in
requisite detail. The letter addressed to all CCITs on the subject of
outsourcing of data entry for processing of returns, very briefly addressed
the issues of security, confidentiality and non disclosure etc. No model
contract was sent as a guidance while entering into the actual contracts.
Management The policy for outsourcing was laid down in a letter to all CCITs dated 20th
November 2002 which required agreements to be entered into with the
Response
proper clauses.
Assessment There was no uniformity or clarity on the matter of third party contracts and
there was a lack of guidelines on the specific issues to be covered in the
contracts. Sensitive matters of security, accountability as well as
ensuring correctness of data entry were not appropriately addressed. The
Chief Commissioners entered into different contracts as per their own
discretion with no standardised contract specifications set down.
Recommendation
42.
A model contract should be worked out incorporating all the
concerns of the Department that need to be considered while
outsourcing activities. The relationship owner entering into the
contract should be specified.
MANAGE THIRD PARTY SERVICES
Page 63
Security Relationships
Description
With regard to relationships with third-party service providers, management
should ensure that security agreements (e.g., non-disclosure agreements) are
identified and explicitly stated and agreed to, and conform to universal
business standards in accordance with legal and regulatory requirements,
including liabilities.
Control Notes The income tax return of an assessee is a sensitive document therefore it is
necessary for the department to ensure that the relationship with the third
party service provider is adequately safeguarded by appropriate provisions
to maintain the confidentiality of the data in the return. In the absence of
agreements entered into with the vendor, audit could not ascertain whether
all issues regarding confidentiality/security of data were clearly addressed.
In one case it was observed that the data were entered using the user-id of
the departmental staff.33 The Department did not maintain details of data
entry outsourced.
Management Clear and common guidelines were set down for outsourcing. The “Scheme
for Outsourcing of Data Entry of returns” addresses these issues.
Response
Assessment
The income tax return of an entity is confidential information in the hands
of the Income Tax department. However the department did not ensure that
the relationship with the third party service provider was adequately
safeguarded by appropriate provisions in the contract and supporting
processes in a standardized manner. The guidelines provided were sketchy
and inadequate.
Further, the use of departmental staff login as access to the system by third
party agents with the Roles and Privileges of the staff results not only in
security lapse but also in the possibility of the data already entered by the
staff being changed.
Recommendation
33Tamil
44.
Security issues should be identified, explicitly stated and agreed to.
Necessary guidelines for this should be issued.
Nadu: Data entry of returns was outsourced and the data were entered using the user-id
of the departmental staff. Details of data entry outsourced were not maintained.
CONCLUSION
Page 65
The AST system which is one of the biggest initiatives of the IT processes of the Income Tax
Department, has been found to have several process weaknesses which have considerably limited
the usefulness of the system. Although the initiative commenced in 1993 only 58% of the
intended users have been brought onto the system so far.
The planning for the system identification and acquisition was weak and feasibility studies,
whether technical or economic, were not done before undertaking the project. This lack of
planning has meant that there are integration issues with other ITD applications and prior period
data of the department. There is low user awareness about the features of the system and
consequent non utilization of functionalities other than those for processing and rectification.
The system has required several changes since inception indicating weaknesses in design, and
testing. There was no method of impact assessment for these changes. Certain controls which
were available in the manual environment are not functioning effectively in the computerized
system. There is an unacceptable level of manual overrides which affects the output integrity of
the system.
Problems were noticed in inputs, outputs and data processing integrity. The system does not
evaluate the integrity of input and output data as well as that of data processing. Lack of adequate
technical manpower affected operational efficiency.
There was no overall policy or detailed procedures to be followed on outsourcing and relations
with third parties which lead to lack of uniformity and clarity on this critical issue.
Department stated that AST was a legacy system and that technological upgradation and
extension issues would be addressed in Phase III of computerization. The Department agreed to
examine the issues raised by audit and stated that it may consider the possibility of revising the
software as part of the Business Process Reengineering effort.
New Delhi
Dated
( SUDHA KRISHNAN)
Principal Director of Receipt Audit
(Direct Taxes)
Countersigned
New Delhi
Dated
( VIJAYENDRA N. KAUL)
Comptroller and Auditor General of India
APPENDIX ‘A’
Page 67
Table 1
Stations
Cases not processed due to absence
of PAN
Number
Hyderabad
62825
Chennai
19553
Mumbai
72187
Ranchi
189
Rajkot
10458
Chandigarh
65860
Jaipur
Kolkata
Delhi
115166
621
7218
Bangalore
44818
Allahabad
39524
TOTAL
438419
APPENDIX ‘A’
Page 68
Table 2
Stations
Returns not processed as barred by
limitation u/s 153
Number
Hyderabad
16481
Chennai
24211
Mumbai
171427
Ranchi
4772
Rajkot
4521
Chandigarh
17472
Jaipur
18138
Kolkata
40808
Delhi
74378
Bangalore
28845
Allahabad
6364
TOTAL
407417
APPENDIX ‘A’
Page 69
Table 3
Stations
Hyderabad
List of Original Returns
Proessed after filing of Revised
Returns
Number
8527
Chennai
26419
Mumbai
87803
Ranchi
4091
Rajkot
5787
Chandigarh
10283
Jaipur
42452
Kolkata
24959
Delhi
71634
Bangalore
28254
Allahabad
3112
TOTAL
313321
APPENDIX ‘A’
Page 70
Table 4
Manual Over-riding of the AST
System
Station
Number
Hyderabad
51366
Chennai
68786
Mumbai
292047
Ranchi
2909
Rajkot
40141
Chandigarh
36227
Jaipur
Kolkata
Delhi
103885
56508
278644
Bangalore
48288
Allahabad
19867
TOTAL
998668
APPENDIX B
Page 71
Table 1
Station
Cases where the total of all Heads of
Income is not equal to Gross Total Income
Number
Hyderabad
169
Chennai
631
Mumbai
17848
Ranchi
87
Rajkot
16
Chandigarh
62
Jaipur
Kolkata
109
1118
Delhi
981
Bangalore
100
Allahabad
26
TOTAL
20664
APPENDIX B
Page 72
Table 2
Station
Cases where section wise Chapter VIA deduction
are not equal to Total Deductions
Number
Hyderabad
6
Chennai
1
Mumbai
56
Ranchi
10
Chandigarh
14
Jaipur
2
Kolkata
5
Delhi
51
Bangalore
39
Allahabad
12
TOTAL
196
APPENDIX B
Page 73
Table 3
Station
Cases
where
returned
Income is not equal to Gross
total Income less Deductions
Number
Hyderabad
442075
Chennai
846582
Mumbai
2491839
Ranchi
157108
Rajkot
232720
Chandigarh
428936
Jaipur
556303
Kolkatta
244283
Delhi
1493191
Banaalore
765895
Allahabad
159392
TOTAL
7818324
APPENDIX B
Page 74
Table 4
Station
Cases where returned income is not equal
to Income taxed at normal rates plus
Income taxed at special rates
Number
Hyderabad
11238
Chennai
28415
Mumbai
645292
Ranchi
1559
Rajkot
25211
Chandigarh
29006
Jaipur
16009
Kolkata
35412
Delhi
70317
Bangalore
168876
Allahabad
4191
TOTAL
1035526
APPENDIX C
Page 75
Table 1: Interest calculation u/s 234A, 234B, 234C
(figures are in crores)
State
Mistake in calculation
Hyderabad
1.36
Chennai
0.51
Ranchi
0.09
Rajkot
0.14
Chandigarh
0.20
Jaipur
0.94
Kolkata
0.24
Delhi
Allahabad
15.14
0.06
18.68
APPENDIX C
Page 76
Table 2: Interest calculation u/s 244A
State
No. of cases with mistakes
Hyderabad
172347
Chennai
342121
Ranchi
54190
Rajkot
63960
Chandigarh
Mumbai
162445
1214655
Jaipur
187764
Kolkata
446215
Delhi
831095
Bangalore
225190
Allahabad
62220
3762202
APPENDIX C
Page 77
Table 3: Calculation of tax u/s 115JB
State
No of cases with errors
Hyderabad
135
Chennai
212
Mumbai
1766
Ranchi
5
Rajkot
43
Chandigarh
56
Jaipur
64
Kolkata
Delhi
501
1213
Bangalore
169
Allahabad
5
4169
Download