Treasury Inspector General for Tax Administration
Office of Audit
CUSTOMER ACCOUNT DATA ENGINE RELEASE 4 INCLUDES MOST PLANNED CAPABILITIES AND SECURITY REQUIREMENTS FOR PROCESSING INDIVIDUAL TAX ACCOUNT INFORMATION
Issued on August 28, 2009
Highlights
Highlights of Report Number: 2009-20-100 to the Internal Revenue Service Commissioner for the Wage and Investment Division and Chief Technology Officer.
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs. The Customer Account Data Engine (CADE) is a major component of the IRS modernization program. The modernized CADE database allows the IRS to update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, which will contribute to improved service to taxpayers. CADE Release 4 is operating effectively to help the IRS provide these improved services to taxpayers. However, there are security concerns that have not been adequately addressed.
WHY TIGTA DID THE AUDIT
This audit was initiated as part of our Fiscal Year 2009 Annual Audit Plan for reviews of the IRS Modernization Program. The overall objectives of this review were to assess the accuracy and completeness of the CADE Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the IRS and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.
WHAT TIGTA FOUND
The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009. From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.
In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers. This release also allows taxpayers to make changes to their last name, accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers, and generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.
While the CADE successfully processed tax returns, some planned capabilities were not completely implemented. TIGTA also identified problems with processing tax returns for decedent taxpayers and with the Treasury Offset Program. When these conditions were identified, the IRS implemented steps to correct these processing problems. Also, several planned capabilities for CADE Release 4 were deferred because of other programming priorities.
The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities and has fully resolved 10 of them. The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy. Further, TIGTA found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones listing before effective corrective actions were taken. Three of these six vulnerabilities were not fully resolved as of the date of our review.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and Item Tracking Reporting and Control System, and verify corrective actions are fully implemented before they are considered and reported as resolved.
In their response to the report, IRS officials agreed with the recommendation. The IRS Cybersecurity organization plans to continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2009reports/200920100fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov