Treasury Inspector General for Tax Administration

Office of Audit

CUSTOMER ACCOUNT DATA ENGINE RELEASE 4 INCLUDES MOST PLANNED CAPABILITIES AND SECURITY REQUIREMENTS FOR PROCESSING INDIVIDUAL TAX ACCOUNT INFORMATION

Issued on August 28, 2009

Highlights

Highlights of Report Number:  2009-20-100 to the Internal Revenue Service Commissioner for the Wage and Investment Division and Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs.  The Customer Account Data Engine (CADE) is a major component of the IRS modernization program.  The modernized CADE database allows the IRS to update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, which will contribute to improved service to taxpayers.  CADE Release 4 is operating effectively to help the IRS provide these improved services to taxpayers.  However, there are security concerns that have not been adequately addressed.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of our Fiscal Year 2009 Annual Audit Plan for reviews of the IRS Modernization Program.  The overall objectives of this review were to assess the accuracy and completeness of the CADE Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the IRS and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.

WHAT TIGTA FOUND

The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009.  From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.

In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers.  This release also allows taxpayers to make changes to their last name, accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers, and generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.

While the CADE successfully processed tax returns, some planned capabilities were not completely implemented.  TIGTA also identified problems with processing tax returns for decedent taxpayers and with the Treasury Offset Program.  When these conditions were identified, the IRS implemented steps to correct these processing problems.  Also, several planned capabilities for CADE Release 4 were deferred because of other programming priorities.

The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities and has fully resolved 10 of them.  The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy.  Further, TIGTA found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones listing before effective corrective actions were taken.  Three of these six vulnerabilities were not fully resolved as of the date of our review.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and Item Tracking Reporting and Control System, and verify corrective actions are fully implemented before they are considered and reported as resolved.

In their response to the report, IRS officials agreed with the recommendation.  The IRS Cybersecurity organization plans to continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:  http://www.treas.gov/tigta/auditreports/2009reports/200920100fr.html.

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov