Preview Of The Survey
OMB ATTACHMENT 3 –
SOFTWARE VENDOR SURVEY
PRE-ALERT PACKET
SURVEY PREVIEW
Introduction
Thank you for participating in this important survey. Please complete this survey preview in advance of the telephone call from Russell Research and then have it available for that call. It will reduce the amount of time that the call takes. Keep in mind that all of your responses will be completely anonymous.
Please also keep in mind that this survey is focused only on Federal individual tax returns using the 1040 family of forms. State, business, and information returns are out of scope.
Note: the survey contains ALL-CAP INSTRUCTIONS to guide you in the completion of the survey. Please read each instruction carefully.
Q1. First, please estimate the number of tax returns that your firm files by each of the following customer types.
# RETURNS
Taxpayers ______
Tax Professionals who are not Franchisees ______
Tax Professionals who are Franchisees ______
White label customers (e.g., for others to brand as their own and resell) ______
Check the box to the right if your firm does not make or sell tax preparation software
IF YOUR FIRM DOES NOT MAKE OR SELL TAX PREPARATION SOFTWARE, THERE IS NO NEED TO CONTINUE. PLEASE NOTE THIS TO THE RUSSELL INTERVIEWER WHO CALLS TO COLLECT YOUR INFORMATION. THANK YOU FOR YOUR WILLINGNESS TO HELP.
IF YOU ENTERED A “1” OR HIGHER FOR “TAXPAYERS” IN Q1, PLEASE ANSWER Q2. IF NOT, SKIP TO THE INSTRUCTIONS FOR Q3.
Q2. How do your taxpayer customers initially install your software? Please estimate the proportion of taxpayer software installed in 2010 by each of the following methods. Do not include subsequent software updates. (THE TOTAL OF ALL OF YOUR RESPONSES MUST EQUAL 100%.)
PERCENT
Online only (e.g., Software-as-a-Service/SaaS, web client) ______
Download and install onto user’s computer ______
Install from physical media onto user’s computer ______
IF YOU ENTERED A “1” OR HIGHER FOR EITHER OF THE TWO “TAX PROFESSIONAL” ANSWERS IN Q1 ABOVE, PLEASE ANSWER Qs 3 AND 4 BELOW. OTHERWISE, SKIP TO THE INSTRUCTIONS FOR Q5 ON THE NEXT PAGE.
Q3. How do your tax professional customers initially install your software? Please estimate the proportion of tax professional software installed in 2010 by each of the following methods. Do not include subsequent software updates. (THE TOTAL OF ALL OF YOUR RESPONSES MUST EQUAL 100%.)
PERCENT
Online only (e.g., Software-as-a-Service/SaaS, web client) ______
Download and install onto user’s computer ______
Install from physical media onto user’s computer ______
Q4. In what ways does your firm’s tax professional software allow users to transmit (e-file) their clients’ returns? Can they…(CHECK OR ENTER ALL THAT APPLY.)
Use your firm’s transmission (e-file) capability built into the software
Use another firm’s transmission capability and if so, whose?
Use your firm’s software to create a return file but transmit it directly to IRS themselves
Other (enter & check answer)
REGARDLESS OF YOUR PRECEDING ANSWERS, CONTINUE with Q5.
Following are some definitions which we would like you to keep in mind when answering subsequent questions. Please carefully review these definitions.
Accuracy: Software correctly applies tax law, correctly represents the taxpayer’s tax liability, and correctly formats the return.
Reliability: Software and transmission (e-file) systems are available and operating consistently.
Security: Reasonable safeguards protecting personally identifiable information (PII).
Privacy: Appropriate use and disclosure of personally identifiable information (PII).
Burden: Tax law, guidance, filing requirements, process, tools, and information present a challenge in bringing software to market.
Q5. Based upon the above definitions, how would your firm rank the following risks to tax administration due to the use of tax software, where 1 is the greatest risk and 5 is the least? (RANK ORDER ALL ITEMS.)
RANK
Accuracy ______
Burden ______
Privacy ______
Reliability ______
Security ______
Q6. How does your firm manage its security program? Is it…(CHECK ONLY ONE ANSWER.)
Managed by designated security lead (e.g., Chief Information Security Officer)
Managed by committee (e.g., personnel from security, compliance and legal)
No security program
Other (enter & check answer)
Q7. How often do you review and update your internal security policies (e.g., standards, controls)? Do you…(CHECK ONLY ONE ANSWER.)
Update quarterly
Update semi-annually
Update annually
Do not update
Do not have security policies
Q8. How does your firm use security controls in its environment? Using the response scale below, please indicate your firm’s performance for each of the following. (CHECK ONLY ONE ANSWER ON EACH ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Authorization and access (e.g., access approvals, privileges, and deactivation)
Identification and authentication (e.g., password complexity, account lockout, CAPTCHA)
Separation/segregation of duties
Audit and accountability (e.g., monitoring and logging)
Physical security (e.g., card entry, surveillance, guards)
Network security (e.g., antivirus/malware, firewall, vulnerability scans)
Destruction and disposal of data (e.g., document shredders, disk wiping, locked bins)
Personnel (e.g., background checks)
Other (enter & check answer)
Q9. Where is your customers’ personally identifiable information (PII) stored in your firm’s environment? Is it stored in…(CHECK ALL THAT APPLY.)
Centralized server environment(s)
Decentralized server environment(s)
Distributed (e.g., external hard drives, backup tapes and other portable media)
Computer workstation (e.g., desktop, laptop)
Q10. How does your firm use data security safeguards in its environment? Using the scale below, please indicate your firm’s performance for each of the following…(CHECK ONLY ONE ANSWER ON EACH ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Customers’ personally identifiable information (PII) is encrypted at rest (e.g., stored in database, stored in file)
Customers’ personally identifiable information (PII) is encrypted in transit (e.g., Secure Socket Layer (SSL))
Customers’ personally identifiable information (PII) is de-identified when used in non-production environments (e.g., anonymized, sanitized)
IF YOU ANSWERED “1” OR HIGHER FOR “TAX PROFESSIONALS WHO ARE FRANCHISEES” IN Q1 ON PAGE 1, ANSWER Q11. OTHERWISE, SKIP TO THE INSTRUCTIONS ABOVE Q12.
Q11. How does your firm use security safeguards at franchisee locations? Using the scale below, please indicate your firm’s performance for each of the following. (CHECK ONLY ONE ANSWER ON EACH ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Tax Professional software includes option to encrypt data at rest on franchisee’s computer
Tax Professional software includes option to encrypt data in transit within franchisee’s network
Tax Professional software automatically installs mandatory updates or will not operate unless latest version installed
Tax Professional software does not install/operate unless franchisee’s computer meets security requirements
REGARDLESS OF YOUR PRECEDING ANSWERS, CONTINUE with Q12.
Q12. How does your firm use secure software development practices? Using the scale below, please indicate your firm’s performance for each of the following…(CHECK ONLY ONE ANSWER ON EACH ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Peer source code reviews
Source code vulnerability assessment (e.g., static analysis)
Software security testing (e.g., dynamic analysis)
Source code version control software (e.g., Microsoft Team Foundation Server, Visual SourceSafe)
Other (enter & check answer)
Q13. How does your firm ensure business continuity? Using the scale below, please indicate your firm’s performance for each of the following…(CHECK ONLY ONE ANSWER ON EACH ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Business continuity plan for dependent vendor failure (e.g., power, internet, payments)
Business continuity plan for physical infrastructure (e.g., disaster recovery for data center facility)
Business continuity plan for staff relocation
Business continuity plan for key staff loss (e.g., succession planning)
Operations center geographically dispersed from backup center
Backup/secondary center accommodates full operational load
Provide adequate capacity for filing season peak load
Q14. What is the acceptable recovery time for unplanned service outages? Using the time scale below, please indicate the acceptable recovery time for each of the outage types below. (CHECK ONLY ONE ANSWER ON EACH ROW.)
TIME SCALE: Less than 1 hour / 1-8 Hours / 9-24 Hours / 2-6 Days / 1 or more Weeks
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
Q15. How many test cases do you run to validate software accuracy (e.g., correctly applies tax law, correctly represents the taxpayer’s tax liability) for each of the following types of software? (ENTER A NUMBER FOR EACH ITEM, EVEN IF “0”.)
NUMBER
Taxpayer software ______
Tax professional software ______
Q16. For your preparation software, which of the following types of testing do you perform? (CHECK ALL THAT APPLY.)
Integration
Performance
Quality Assurance
Regression
System
Unit/application
Usability
Other (enter & check answer)
Do not perform testing
Q17. For your transmission (e-file) capability, which of the following types of testing do you perform? (CHECK ALL THAT APPLY.)
Integration
Performance
Quality Assurance
Regression
System
Unit/application
Usability
Other (enter & check answer)
Do not perform testing
Q18. How do you notify customers of software updates? Do you…(CHECK ALL THAT APPLY.)
Email instructions on updating the software
Post notice on the firm and/or product website
Message through social media (e.g., Twitter)
Trigger the tax software to automatically install and activate update
Prompt within the software to install and activate update
Distribute software updates for scheduled installation
Use remote access to install and activate update
Stop accepting returns from older software products
Other (enter & check answer)
Do not notify customers of product updates
Q19. From January 15 to April 15, 2010, how many times did you update your software? (ENTER NUMBER BELOW.)
NUMBER
Any reason (total number of updates) ______
IF YOUR ANSWER TO Q19 WAS “1” OR MORE, PLEASE ANSWER Q20. OTHERWISE, SKIP TO Q21.
Q20. Given that a software update can be driven by more than one reason, how many of these updates were due to…(ENTER A NUMBER FOR EACH ITEM BELOW, EVEN IF “0”. SINCE ONE UPDATE CAN BE DUE TO MULTIPLE REASONS, THE TOTAL OF YOUR RESPONSES MAY EXCEED THE NUMBER IN Q19, BUT THE NUMBER FOR ANY ONE ITEM SHOULD NOT EXCEED THE TOTAL IN Q19.)
NUMBER
Final forms/instructions released by IRS ______
Customer feedback (e.g., user interface design changes) ______
New functionality ______
Bug fixes to existing functionality ______
Business rule updates (e.g., calculations) ______
Other (enter others here and then answer) ______
Other (enter others here and then answer) ______
Other (enter others here and then answer) ______
REGARDLESS OF YOUR PRECEDING ANSWERS, PLEASE ANSWER ALL QUESTIONS FROM THIS POINT FORWARD.
Q21. How does your firm manage its privacy program? Is it…(CHECK ONLY ONE ANSWER.)
Managed by designated privacy lead (e.g., Chief Privacy Officer)
Managed by designated security lead (e.g., Chief Information Security Officer)
Managed by committee (e.g., personnel from security, compliance and legal)
No privacy program
Other (enter & check answer)
Q22. How often do you review and update your internal privacy policies (e.g., classifying PII, acceptable usage)? (CHECK ONLY ONE ANSWER.)
Update quarterly
Update semi-annually
Update annually
Do not update
Do not have policy
Q23. How do you provide your customers with your firm’s consumer privacy policy? Is the policy…(CHECK ALL THAT APPLY.)
Posted on firm website
Posted on software website
Displayed at time of software installation
Included in retail packaging
Emailed to the customer
Mailed to the customer
Provided to the customer in person
Do not provide policy to customers
Do not have a privacy policy
Q24. How does your firm require training for its personnel? Using the scale below, please indicate how your firm requires the following training. (CHECK ALL THAT APPLY PER ROW.)
RESPONSE SCALE: Do Not Require / Require at Time of Hire / Require Annually / Require More Often than Annually
Development (i.e., secure coding practices)
Security (e.g., safeguards and IT controls)
Privacy (e.g., policy compliance)
Q25. How does your firm manage customer consent? Using the response scale below, please indicate your firm’s performance for each of the following…(CHECK ONLY ONE ANSWER PER ROW.)
RESPONSE SCALE: Not Using or Considering / Planning To Use / Using but Not Validated / Using and Internally Validated / Using and Externally Validated / Using and Internally and Externally Validated / Don’t Know
Privacy policy designates a point of contact, email, phone, and address the customer may contact
Software products prompt the customer with a consent option (e.g., opt in or opt out for data use and disclosure)
Email communications to the customer include a consent option (e.g., unsubscribe, opt in or opt out)
Customer manages consent options by indicating preferences online (e.g., My Account settings)
Utilize internal software to manage customer preferences (e.g., bulk email marketing, subscription mgmt)
Other (enter & check answer)
The next series of questions is going to focus on future situations. Consider all your software products and all your customers. We are going to ask for your opinion regarding the chance of these potential situations occurring and the proportion of returns that would be affected if they were to occur.
Q26. Do you think the following may occur to your firm in the next two years? Using the scale below, please rate the chance of occurrence from 1%, 25%, 50%, 75%, and 99%, with 1% being Extremely Low Chance and 99% being Extremely High Chance. (CHECK ONLY ONE ANSWER PER ROW.)
CHANCE SCALE: Extremely Low Chance (1%) / Low Chance (25%) / Moderate Chance (50%) / High Chance (75%) / Extremely High Chance (99%)
Software error (e.g., improper tax law application, computation)
Software inconsistency (e.g., identical inputs result in different outputs)
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction)
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop)
Lack of notice and consent (e.g., choice to opt in/out)
Lack of transparency (e.g., written privacy policy)
The survey has asked about chance, now let’s address effect.
Q27. If the following were to occur, what proportion of your firm’s returns would be affected? Using the scale below, please rate the proportion of returns affected from 1%, 25%, 50%, 75%, and 99%, with 1% being Extremely Low Proportion and 99% being Extremely High Proportion. (CHECK ONLY ONE ANSWER PER ROW.)
PROPORTION SCALE: Extremely Low Proportion (1%) / Low Proportion (25%) / Moderate Proportion (50%) / High Proportion (75%) / Extremely High Proportion (99%)
Software error (e.g., improper tax law application, computation)
Software inconsistency (e.g., identical inputs result in different outputs)
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction)
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop)
Lack of notice and consent (e.g., choice to opt in/out)
Lack of transparency (e.g., written privacy policy)
Now the survey will ask about incidents that your firm has actually experienced.
Q28. In the last two years, how many times has your firm actually experienced each of the following incidents in your production environment, regardless of whether or not you recovered from them? (ENTER A NUMBER FOR EACH ITEM, EVEN IF “0”.)
NUMBER
Software error (e.g., improper tax law application, computation error) ______
Software inconsistency (e.g., identical inputs resulted in different outputs) ______
Preparation outage (i.e., customers can’t use software to complete return) ______
Transmission outage (i.e., customers can’t e-file completed returns with IRS) ______
Download outage (i.e., customers can’t download software or updates) ______
Customer service outage (i.e., customers can’t use online or phone help) ______
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction) ______
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop) ______
Other (enter others here and then answer) ______
Q29. In the last two years, how many times has your firm actually experienced each of the following causes of incidents in your production environment, regardless of whether or not you recovered from them? (ENTER A NUMBER FOR EACH ITEM, EVEN IF “0”.)
NUMBER
Loss of power or cooling ______
Loss of network or internet ______
Hardware failure (e.g., server, computer, storage) ______
Software failure (e.g., crash, error, bug) ______
Security breach, cybercrime, or other malicious act ______
Fire or natural disaster ______
Other (enter others here and then answer) ______
Q30. How does your firm address incident response? Using the scale below, please indicate your firm’s performance for each of the following…(CHECK ONLY ONE ANSWER PER ROW.)
RESPONSE SCALE: Not Doing or Considering / Planning To Do / Doing but Not Validated / Doing and Internally Validated / Doing and Externally Validated / Doing and Internally and Externally Validated / Don’t Know
Identify appropriate personnel (e.g., contact list, response team)
Have feasible plan of action (e.g., response strategy, defined procedure)
Have tracking capabilities (e.g., incident ticket created and escalated)
Categorize incident (e.g., severity, assessment)
Use forensic techniques (e.g., system logs, intrusion detection logs)
Have physical resources (e.g., redundant storage, standby systems, backup services)
Document and preserve evidence
Notify proper external agencies (e.g., comply with federal and/or state security breach notification laws)
Assess damage and cost (e.g., valuation)
Review and update policies after incident
Q31. How do you anticipate and accommodate the effects of late tax law changes in your software? Do you…(CHECK ALL THAT APPLY.)
Code software to account for multiple legislative outcomes
Quickly iterate software changes
Consult IRS draft forms or instructions
Contact IRS personnel for guidance
Use information from industry and professional affiliations (e.g., CERCA, NACTP)
Use in-house legislative analysis
Use third party legislative analysis (e.g., CCH, BNA)
Other (enter and check answer)
Q32. Consider the activities in the previous question. On average over the last two years, please estimate the full time equivalent hours directly associated with incorporating late tax law changes in your software. (CHECK ONLY ONE ANSWER.)
Less than 520 hours
520 to 1039 hours
1040 to 2079 hours
2080 to 4160 hours
More than 4160 hours
No hours
Q33. Using the scale provided below, please rate your agreement that the following are sufficient…(CHECK ONLY ONE ANSWER PER ROW.)
AGREEMENT SCALE: Strongly Disagree / Disagree / Neutral / Agree / Strongly Agree
Bulletins
Tax forms, schedules, and instructions
Transmission file requirements
E-file acknowledgements
Error reject codes
E-file privacy and security standards
Q34. Please share any additional comments or concerns.
Thank you for taking the time to fill out this survey. Please keep your completed survey handy for the telephone call from Russell Research. Having the completed survey available for that call will reduce the amount of time the call takes.
Thank you for volunteering to participate in our survey. The Paperwork Reduction Act requires that the IRS display an OMB control number on all public information requests. The OMB Control Number for this study is 1545-1432. The time estimated for participation is 8 minutes. If you have any comments regarding the time estimates associated with this study or suggestions on making this process simpler, please write to the Internal Revenue Service, Tax Products Coordinating Committee, SE:W:CAR:MP:T:T:SP, 1111 Constitution Ave. NW, Washington, DC 20224.
File Type: application/msword
File Title: EPFRA Software Vendor Survey
Author: MITRE
Last Modified By: mdsloa00
File Modified: 2010-10-27
File Created: 2010-10-27