IRS EPFRA Software Vendor Questionnaire
(Telephone Followup Interview)
OMB ATTACHMENT 4 – SOFTWARE VENDOR TELEPHONE SURVEY
RESPONDENT INFORMATION
RESPONDENT ID#... ...1-5
SAMPLE TYPE: Software Vendors (n=as many as possible from a list of about 50) 1 ...00
PROJECT-FIELD TEAM NOTES:
IRS APPEND FROM LATEST (2010) INDIVIDUAL 1040 RETURN DATA: # returns e-filed, # vendor-controllable ERCs
RECORD DATE, TIME & DISPOSITION OF EACH INTERVIEW ATTEMPT:
Disposition columns: Complete/All Data Collected | Refused After One Attempt | Refused After Repeat Attempt | Referred To Another Person (Start Over) | Respondent Unavailable | Appointment Set | Partial Data Collected But Resp. Will Not Complete
1 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
2 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
3 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
4 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
5 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
6 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
7 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
8 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
9 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
10 DATE: TIME: (am) (pm) 1 2 3 4 5 6 7 …00
INTERVIEWER …00
Hello, I’m __________ of Russell Research, an independent national research firm. The Internal Revenue Service recently mailed you a request to participate in an important survey of risks in the electronic tax administration landscape. (if asked “what risks?”, reply with “risks to preparers, taxpayers, software vendors, standards of tax administration, etc.”) In that mailing, the IRS included a paper survey and asked you to complete the survey in advance of a call from Russell Research. I am calling today to collect your responses from the paper survey you received.
Please keep in mind that all of your responses will be completely anonymous. Our call today to collect responses should take about 20 minutes of your time. Do you have your completed survey to refer to during this call? (IF “YES”, GO TO Q1. IF “NO”/”Haven’t completed it yet”/etc., ask…)
May I schedule an appointment for a convenient day and time to call you back, when you would have your survey completed? (IF “yes”, record appointment time in box above. if “NO”/”do not want to participate”/etc., ask…)
The IRS asks that you consider the importance of this survey and would appreciate your time and help with it. Can we set an appointment for about a week from now to give you time to complete the survey? (IF “YES”, RECORD APPOINTMENT TIME IN BOX ABOVE. IF still “NO”/”do not want to participate”/etc., CLOSE WITH…)
Government survey procedures require us to contact you again at a later date to see if you then might be willing to help. Please know that this survey is extremely important and that we are merely following Government survey procedures when we call on you again. (Make only one more attempt to convert this person to completion, then thank them for their time and record as “refused after repeat attempts” in box above.)
Start of Survey for Those Agreeing to It
(START SURVEY AMONG THOSE AGREEABLE BY READING THIS…) First, thank you very much for agreeing to help the IRS by participating in the survey. We are required by law to provide you the Office of Management and Budget Control Number for this information request. That number is 1545-1432. In addition, if you have any comments about the time estimate to complete the survey or ways to improve the survey, you can write to the IRS. Would you like the address? (IF YES, ADDRESS IS…) IRS Tax Products Coordinating Committee, SE:W:CAR:MP:T:T:SP, 1111 Constitution Ave. NW, Washington, DC 20224. CONTINUE WITH: Please keep in mind that this survey is focused only on Federal individual tax returns using the 1040 family of forms. State, business, and information returns are out of scope. Now that you have your notes and responses from the paper copy of the survey the IRS sent you, let’s begin.
INTERVIEWER/ONLINE PROGRAMMER: KEEP IN MIND THAT, WITH THE SURVEY HAVING BEEN SENT TO THE RESPONDENT BY IRS IN PAPER FORM WITHOUT ANY RESPONSE CHOICES RANDOMIZED, RESPONDENT HAS PRE-ANSWERED QUESTIONS WITH RESPONSES IN EXACTLY THE ORDER SHOWN HERE. STILL, READ ALL CHOICES TO GUIDE RESPONDENT IN PROVIDING ANSWERS.
Please estimate the number of tax returns that your firm files by each of the following customer types. (read choices & Enter NUMBER for each item.)
# RETURNS
Taxpayers ______
Tax Professionals who are not Franchisees ______
Tax Professionals who are Franchisees ______
White label customers (e.g., for others to brand as their own and resell) ______
(DO NOT OFFER AS CHOICE, BUT CLICK IF:) Do not make or sell tax preparation software x
IF respondent does not make or sell tax preparation software, thank and close.
ASK Q2 only of VENDORS with “1” or higher for “taxpayers” in q1.
How do your taxpayer customers initially install your software? Please estimate the proportion of taxpayer software installed in 2010 by each of the following methods. Do not include subsequent software updates. (read choices & Enter percent response for each item; must total 100%.)
PERCENT
Online only (e.g., Software-as-a-Service/SaaS, web client) ______
Download and install onto user’s computer ______
Install from physical media onto user’s computer ______
Ask Q3 THROUGH Q4 ONLY of VENDORS WITH “1” or higher for EITHER OF THE “tax professional” ANSWERS in q1.
How do your tax professional customers initially install your software? Please estimate the proportion of tax professional software installed in 2010 by each of the following methods. Do not include subsequent software updates. (read choices & Enter percent response for each item; must total 100%.)
PERCENT
Online only (e.g., Software-as-a-Service/SaaS, web client) ______
Download and install onto user’s computer ______
Install from physical media onto user’s computer ______
In what ways does your firm’s tax professional software allow users to transmit (e-file) their clients’ returns? Can they…(Read CHOICES & click all that apply.)
Use your firm’s transmission (e-file) capability built into the software
Use another firm’s transmission capability (Probe) Whose?
Use your firm’s software to create a return file but transmit it directly to IRS themselves
Other (specify)
ask all:
Following are some definitions which we would like you to keep in mind when answering subsequent questions. Let’s carefully review these definitions.
Accuracy: Software correctly applies tax law, correctly represents the taxpayer’s tax liability, and correctly formats return.
Reliability: Software and transmission (e-file) systems are available and operating consistently.
Security: Reasonable safeguards protecting personally identifiable information (PII).
Privacy: Appropriate use and disclosure of personally identifiable information (PII).
Burden: Tax law, guidance, filing requirements, process, tools, and information present a challenge in bringing software to market.
Based upon the above definitions, how would your firm rank the following risks to tax administration due to the use of tax software, where 1 is the greatest risk and 5 is the least? (let respondent offer rank for each item. Enter rank.)
RANK
Accuracy ______
Burden ______
Privacy ______
Reliability ______
Security ______
How does your firm manage its security program? Is it…(Read choices & CLICK only one answer.)
Managed by designated security lead (e.g., Chief Information Security Officer)
Managed by committee (e.g., personnel from security, compliance and legal)
No security program
Other (SPECIFY)
How often do you review and update your internal security policies (e.g., standards, controls)? Do you…(read choices & CLICK ONLY ONE ANSWER.)
Update quarterly
Update semi-annually
Update annually
Do not update
Do not have security policies
How does your firm use security controls in its environment? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following. (read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Authorization and access (e.g., access approvals, privileges, and deactivation)
Identification and authentication (e.g., password complexity, account lockout, CAPTCHA)
Separation/segregation of duties
Audit and accountability (e.g., monitoring and logging)
Physical security (e.g., card entry, surveillance, guards)
Network security (e.g., antivirus/malware, firewall, vulnerability scans)
Destruction and disposal of data (e.g., document shredders, disk wiping, locked bins)
Personnel (e.g., background checks)
Other (SPECIFY)
Where is your customers’ personally identifiable information (PII) stored in your firm’s environment? Is it stored in…(read choices & CLICK ALL THAT APPLY.)
Centralized server environment(s)
Decentralized server environment(s)
Distributed (e.g., external hard drives, backup tapes and other portable media)
Computer workstation (e.g., desktop, laptop)
How does your firm use data security safeguards in its environment? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following...(read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Customers’ personally identifiable information (PII) is encrypted at rest (e.g., stored in database, stored in file)
Customers’ personally identifiable information (PII) is encrypted in transit (e.g., Secure Socket Layer (SSL))
Customers’ personally identifiable information (PII) is de-identified when used in non-production environments (e.g., anonymized, sanitized)
ASK Q11 only of VENDORS with “1” or higher for “Tax Professionals who are Franchisees” IN Q1.
How does your firm use security safeguards at franchisee locations? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following. (read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Tax Professional software includes option to encrypt data at rest on franchisee’s computer
Tax Professional software includes option to encrypt data in transit within franchisee’s network
Tax Professional software automatically installs mandatory updates or will not operate unless latest version installed
Tax Professional software does not install/operate unless franchisee’s computer meets security requirements
ASK ALL:
How does your firm use secure software development practices? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following...(read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Peer source code reviews
Source code vulnerability assessment (e.g., static analysis)
Software security testing (e.g., dynamic analysis)
Source code version control software (e.g., Microsoft Team Foundation Server, Visual SourceSafe)
Other (SPECIFY)
How does your firm ensure business continuity? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following...(read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Business continuity plan for dependent vendor failure (e.g., power, internet, payments)
Business continuity plan for physical infrastructure (e.g., disaster recovery for data center facility)
Business continuity plan for staff relocation
Business continuity plan for key staff loss (e.g., succession planning)
Operations center geographically dispersed from backup center
Backup/secondary center accommodates full operational load
Provide adequate capacity for filing season peak load
What is the acceptable recovery time for unplanned service outages? Using the scale provided in the paper survey sent to you, please indicate the acceptable recovery time for each of the outage types below. (Read choices & CLICK only one answer per item.)
Scale: Less than 1 hour | 1-8 Hours | 9-24 Hours | 2-6 Days | 1 or more Weeks
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
How many test cases do you run to validate software accuracy (e.g., correctly applies tax law, correctly represents the taxpayer’s tax liability) for each of the following types of software? (READ CHOICES & Enter NUMBER for each item, even if “0”.)
NUMBER
Taxpayer software ______
Tax professional software ______
For your preparation software, which of the following types of testing do you perform? (read choices & CLICK ALL THAT APPLY.)
Integration
Performance
Quality Assurance
Regression
System
Unit/application
Usability
Other (SPECIFY)
Do not perform testing
For your transmission (e-file) capability, which of the following types of testing do you perform? (read choices & CLICK ALL THAT APPLY.)
Integration
Performance
Quality Assurance
Regression
System
Unit/application
Usability
Other (SPECIFY)
Do not perform testing
How do you notify customers of software updates? Do you… (read choices & CLICK ALL THAT APPLY.)
Email instructions on updating the software
Post notice on the firm and/or product website
Message through social media (e.g., Twitter)
Trigger the tax software to automatically install and activate update
Prompt within the software to install and activate update
Distribute software updates for scheduled installation
Use remote access to install and activate update
Stop accepting returns from older software products
Other (SPECIFY)
Do not notify customers of product updates
From January 15 to April 15, 2010, how many times did you update your software? (Enter NUMBER, then ask Q20 if 1 or more.)
NUMBER
Any reason (total number of updates) ______
Given that a software update can be driven by more than one reason, how many of these updates were due to…(read choices & Enter NUMBER for each item, even if “0”. NOTE THAT one update can be due to multiple reasons, so it is ok to have ‘double counting’ among reasons, but no item should exceed THE total NUMBER in q19.)
NUMBER
Final forms/instructions released by IRS ______
Customer feedback (e.g., user interface design changes) ______
New functionality ______
Bug fixes to existing functionality ______
Business rule updates (e.g., calculations) ______
Other (SPECIFY) ______
Other (SPECIFY) ______
Other (SPECIFY) ______
How does your firm manage its privacy program? Is it…(Read choices & CLICK only one answer.)
Managed by designated privacy lead (e.g., Chief Privacy Officer)
Managed by designated security lead (e.g., Chief Information Security Officer)
Managed by committee (e.g., personnel from security, compliance and legal)
No privacy program
Other (SPECIFY)
How often do you review and update your internal privacy policies (e.g., classifying PII, acceptable usage)? (read choices & CLICK ONLY ONE ANSWER.)
Update quarterly
Update semi-annually
Update annually
Do not update
Do not have policy
How do you provide your customers with your firm’s consumer privacy policy? Is the policy…(read choices & CLICK ALL THAT APPLY.)
Posted on firm website
Posted on software website
Displayed at time of software installation
Included in retail packaging
Emailed to the customer
Mailed to the customer
Provided to the customer in person
Do not provide policy to customers
Do not have a privacy policy
How does your firm require training for its personnel? Using the scale provided in the paper survey sent to you, please indicate how your firm requires the following training. (read choices & CLICK all that apply PER ITEM.)
Scale: Do Not Require | Require at Time Of Hire | Require Annually | Require More Often than Annually
Development (i.e., secure coding practices)
Security (e.g., safeguards and IT controls)
Privacy (e.g., policy compliance)
How does your firm manage customer consent? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following...(read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Using or Considering | Planning To Use | Using but Not Validated | Using and Internally Validated | Using and Externally Validated | Using and Internally and Externally Validated | Don’t Know
Privacy policy designates a point of contact, email, phone, and address the customer may contact
Software products prompt the customer with a consent option (e.g., opt in or opt out for data use and disclosure)
Email communications to the customer include a consent option (e.g., unsubscribe, opt in or opt out)
Customer manages consent options by indicating preferences online (e.g., My Account settings)
Utilize internal software to manage customer preferences (e.g., bulk email marketing, subscription mgmt)
Other (SPECIFY)
The next series of questions is going to focus on future situations. Consider all your software products and all your customers. We are going to ask for your opinion regarding the chance of these potential situations occurring and the proportion of returns that would be affected if they were to occur.
Do you think the following may occur to your firm in the next two years? Using the scale provided in the paper survey sent to you, please rate the chance of occurrence from 1%, 25%, 50%, 75%, and 99%, with 1% being Extremely Low Chance and 99% being Extremely High Chance. (read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Extremely Low Chance (1%) | Low Chance (25%) | Moderate Chance (50%) | High Chance (75%) | Extremely High Chance (99%)
Software error (e.g., improper tax law application, computation)
Software inconsistency (e.g., identical inputs result in different outputs)
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction)
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop)
Lack of notice and consent (e.g., choice to opt in/out)
Lack of transparency (e.g., written privacy policy)
We talked about chance, now let’s address effect.
If the following were to occur, what proportion of your firm’s returns would be affected? Using the scale provided in the paper survey sent to you, please rate the proportion of returns affected from 1%, 25%, 50%, 75%, and 99%, with 1% being Extremely Low Proportion and 99% being Extremely High Proportion. (read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Extremely Low Proportion (1%) | Low Proportion (25%) | Moderate Proportion (50%) | High Proportion (75%) | Extremely High Proportion (99%)
Software error (e.g., improper tax law application, computation)
Software inconsistency (e.g., identical inputs result in different outputs)
Preparation outage (i.e., customers can’t use software to complete return)
Transmission outage (i.e., customers can’t e-file completed returns with IRS)
Download outage (i.e., customers can’t download software or updates)
Customer service outage (i.e., customers can’t use online or phone help)
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction)
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop)
Lack of notice and consent (e.g., choice to opt in/out)
Lack of transparency (e.g., written privacy policy)
Now we will talk about incidents your firm has actually experienced.
In the last two years, how many times has your firm actually experienced each of the following incidents in your production environment, regardless of whether or not you recovered from them? (read choices & Enter NUMBER for each item, EVEN IF “0”.)
NUMBER
Software error (e.g., improper tax law application, computation error) ______
Software inconsistency (e.g., identical inputs resulted in different outputs) ______
Preparation outage (i.e., customers can’t use software to complete return) ______
Transmission outage (i.e., customers can’t e-file completed returns with IRS) ______
Download outage (i.e., customers can’t download software or updates) ______
Customer service outage (i.e., customers can’t use online or phone help) ______
Improper use or disclosure of PII due to internal cause (e.g., insider theft, destruction) ______
Improper use or disclosure of PII due to external cause (e.g., hacking and intrusion, malware, lost/stolen laptop) ______
Other (SPECIFY) ______
In the last two years, how many times has your firm actually experienced each of the following causes of incidents in your production environment, regardless of whether or not you recovered from them? (read choices & Enter NUMBER for each item, EVEN IF “0”.)
NUMBER
Loss of power or cooling ______
Loss of network or internet ______
Hardware failure (e.g., server, computer, storage) ______
Software failure (e.g., crash, error, bug) ______
Security breach, cybercrime, or other malicious act ______
Fire or natural disaster ______
Other (SPECIFY) ______
How does your firm address incident response? Using the scale provided in the paper survey sent to you, please indicate your firm’s performance for each of the following…(read choices & CLICK ONLY ONE ANSWER PER ITEM.)
Scale: Not Doing or Considering | Planning To Do | Doing but Not Validated | Doing and Internally Validated | Doing and Externally Validated | Doing and Internally and Externally Validated | Don’t Know
Identify appropriate personnel (e.g., contact list, response team)
Have feasible plan of action (e.g., response strategy, defined procedure)
Have tracking capabilities (e.g., incident ticket created and escalated)
Categorize incident (e.g., severity, assessment)
Use forensic techniques (e.g., system logs, intrusion detection logs)
Have physical resources (e.g., redundant storage, standby systems, backup services)
Document and preserve evidence
Notify proper external agencies (e.g., comply with federal and/or state security breach notification laws)
Assess damage and cost (e.g., valuation)
Review and update policies after incident
How do you anticipate and accommodate the effects of late tax law changes in your software? Do you…(read choices & CLICK ALL THAT APPLY.)
Code software to account for multiple legislative outcomes
Quickly iterate software changes
Consult IRS draft forms or instructions
Contact IRS personnel for guidance
Use information from industry and professional affiliations (e.g., CERCA, NACTP)
Use in-house legislative analysis
Use third party legislative analysis (e.g., CCH, BNA)
Other (SPECIFY)
Consider the activities in the previous question. On average over the last two years, please estimate the full time equivalent hours directly associated with incorporating late tax law changes in your software. (Read & CLICK only one answer.)
Less than 520 hours
520 to 1039 hours
1040 to 2079 hours
2080 to 4160 hours
More than 4160 hours
No hours
Using the scale provided in the paper survey sent to you, please rate your agreement that the following are sufficient…(read choices & CLICK ONLY ONE ANSWER per item.)
Scale: Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree
Bulletins
Tax forms, schedules, and instructions
Transmission file requirements
E-file acknowledgements
Error reject codes
E-file privacy and security standards
Please share any additional comments or concerns.
Thank you for taking the time to fill out our survey. We rely on your feedback to help us improve our services. Your input is greatly appreciated.
File Type | application/msword |
File Title | EPFRA Software Vendor Survey |
Author | MITRE |
Last Modified By | mdsloa00 |
File Modified | 2010-10-27 |
File Created | 2010-10-27 |