Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information
August 28, 2009
Reference Number: 2009-20-100
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov
August 28, 2009
MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
CHIEF TECHNOLOGY OFFICER
FROM: (for) Michael R. Phillips /s/ Nancy A. Nakamura
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information (Audit # 200920020)
This report presents the results of our review of the Customer Account Data Engine[1] (CADE) Release 4 capabilities. The overall objectives of this review were to assess the accuracy and completeness of the CADE Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the Internal Revenue Service (IRS) and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases. This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS.
Impact on the Taxpayer
The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs. The CADE is a major component of the IRS modernization program. The modernized CADE database allows the IRS to update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, which will contribute to improved service to taxpayers. CADE Release 4 is operating effectively to help the IRS provide these improved services to taxpayers. However, there are security concerns that have not been adequately addressed.
Synopsis
The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009. From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.
In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers. This release also allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers. Further, this release generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.
Our review of CADE Release 4 processing found that some planned capabilities were not completely implemented. We identified problems with processing tax returns for decedent taxpayers and with the Treasury Offset Program. When these conditions were recognized by the IRS, it implemented steps to correct these processing problems.
Several planned capabilities for CADE Release 4 were deferred because of other programming priorities. These capabilities included: 1) maintaining accounts in the CADE after processing the filing of prior year tax returns, 2) processing electronic revenue receipts submitted with original tax returns, 3) establishing an account on the CADE to accept a taxpayer’s estimated tax payment (estimated tax declaration), 4) Criminal Investigation Division refund holds, and 5) credit elections for the current tax year returns. The IRS decided to defer implementation of processing estimated tax declarations, Criminal Investigation Division refund holds, and credit elections until the development of CADE Release 5.2. The IRS also informed us that it is reconsidering the plans and requirements for future CADE releases, leaving uncertain the implementation of the processing of prior year tax returns and electronic revenue receipts.
Our review also identified tax returns processed by CADE Release 4 with incomplete information. Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information. When the taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE. However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date. Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed. However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.
Subsequent to our review, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009. The IRS is also in the process of correcting accounts previously processed with Release 4.1.
The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report, entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities,[2] and has fully resolved 10 of them. The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy. Further, we found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones listing before effective corrective actions were taken. Three of these six vulnerabilities were not fully resolved as of the date of our review.
Recommendation
The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and Item Tracking Reporting and Control System, and verify corrective actions are fully implemented before they are considered and reported as resolved.
Response
The IRS agreed with our recommendation. The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems. Management’s complete response to the draft report is included as Appendix VII.
Copies of this report are also being sent to the IRS managers affected by the report recommendation. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.
Appendices
Appendix I – Detailed Objectives, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Customer Account Data Engine Release Capabilities
Appendix V – Customer Account Data Engine System Security Vulnerabilities and Status of Resolution
Appendix VI – Glossary of Terms
Appendix VII – Management’s Response to the Draft Report
Abbreviations
| CADE | Customer Account Data Engine |
| IRS | Internal Revenue Service |
The CADE is a critical building block in the IRS modernization program that will enable the development of subsequent modernized systems to improve customer service and compliance.
The Customer Account Data Engine[3] (CADE) is a major component of the Internal Revenue Service’s (IRS) modernization program. It consists of current and planned databases and related applications that work with the IRS Master File system.
Tax returns, both paper and electronic, are received by the IRS at various Submission Processing sites across the country. At these sites, the tax return information is input to the IRS return processing computer system, which validates certain taxpayer identifying information and checks the tax returns for mathematical errors. After the tax return information has been validated and errors have been corrected, the sites send the information to the IRS Computing Centers for posting to the taxpayers’ accounts. In the past, this account information was posted to the Master File system.
The age and complexity of the Master File system cause inaccuracies and delays in providing service to taxpayers. Currently, updates to taxpayers’ account information on the Master File, such as posting return information and payments, occur on a weekly basis and some updates require multiple weeks to complete. Because current data are not available to IRS employees, taxpayers requesting help with their accounts may be given outdated information. In contrast, the CADE posts information to taxpayers’ accounts on a daily rather than a weekly basis. Taxpayers whose tax account information is posted to the CADE receive refunds faster, and IRS employees are able to provide improved service to taxpayers because the employees have up-to-date, accurate account information available.
The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs. The CADE is being implemented in a series of releases over several years. The simplest taxpayer accounts were moved to the CADE first, and each successive release adds a more complex segment of taxpayer accounts. The first CADE release began posting the simplest individual tax returns, the Income Tax Return for Single and Joint Filers With No Dependents (Form 1040EZ), in July 2004. Subsequent releases have added new capabilities and tax forms. The subject of this review, CADE Release 4, began posting returns in July 2008 and contained significant additions over the prior releases.
Like all Federal Government agencies, the IRS is required to protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in National Institute of Standards and Technology Special Publication 800-53.[4] In addition, the IRS is specifically required by Federal law to keep taxpayer data confidential and to prevent unauthorized disclosure or browsing of taxpayer records. Section 6103 of the Internal Revenue Code[5] prohibits the disclosure of tax returns and tax return information and requires that the storage of such information be secure and the access restricted to only those persons whose duties and responsibilities require access.
In September 2008, we reported[6] that the IRS continued to deploy CADE releases even though known security weaknesses existed in the controls over system access, monitoring of system access, disaster recovery, and sensitive data protection. As a result, the IRS was jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as CADE releases were put into operation.
This review was performed in the Wage and Investment Division CADE Project Office and the Cybersecurity organization in New Carrollton, Maryland, during the period November 2008 through May 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Customer Account Data Engine Release 4 Accurately Processes and Records Tax Return and Tax Account Information, Although Some Planned Capabilities Were Not Implemented
The CADE processed almost 40 million tax returns and generated almost $58 billion in refunds from January through May 2009.
The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009. From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds. This is a significant increase over the 30 million tax returns processed in Calendar Year 2008.
In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers. Further, this release allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers. This release also generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited. Appendix IV provides an overview of the capabilities delivered in each of the CADE releases.
The IRS took appropriate actions to correct CADE processing problems with CADE Release 4.1
The major capabilities added to CADE Release 4.1 included processing tax returns with a surviving spouse filing status with dependent child and tax returns of decedent taxpayers. Further, Release 4.1 generates the Additional Child Tax Credit Notice to eligible taxpayers who did not claim the full amount of the Child Tax Credit and generates the Electronic Fund Transfer Notice notifying taxpayers that their electronic refund request cannot be honored. This release also accepts the Treasury Offset Program transactions and processes changes to taxpayer addresses.
We sampled transactions to determine whether the release properly implemented these capabilities for tax return processing and found that these capabilities were generally implemented adequately. However, we identified the following Release 4.1 processing problems and presented them to CADE project management for resolution.
· Tax Returns of Decedent Taxpayers – The CADE did not always update the decedent taxpayer account to indicate that the taxpayer is deceased. Specifically, the taxpayer account name line was not always updated indicating the taxpayer was deceased, and the date of death was not always added to the account. Indicating the taxpayer is deceased on the account name line enables the mail filing requirement associated with the taxpayer to be updated to avoid sending forms to a deceased taxpayer. Providing the date of death on the account initiates a process to prepare a refund for either a surviving spouse or designated representative as applicable.
When the CADE project team recognized this issue, it implemented corrective actions to resolve the problem. In addition, the CADE project team reviewed the accounts that were not accurately updated and determined that accounts with an inaccurate mail filing requirement were not affected by the absence of the decedent designation on the taxpayer name line of the tax returns. However, for accounts that did not include the date of death, some refund checks were inappropriately issued to deceased taxpayers, but none were returned as undeliverable.
· Treasury Offset Program – This program is administered by the Treasury Financial Management Service and will apply a taxpayer’s overpayment to outstanding non-tax child support or Federal agency debt prior to issuing a refund. Our reviews found that CADE accounts with multiple refunds issued by the IRS on different dates (tax refunds and Economic Stimulus Act of 2008[7] payments) affected by the Treasury Offset Program were correctly paid to the Treasury Financial Management Service. However, the CADE programming did not allow IRS systems to display the offset of the other Federal debts for taxpayers with multiple refunds. This condition was presented to the CADE project team and the team implemented corrective actions to resolve the problem.
· Processing the Filing of Prior Year Tax Returns – Planned capabilities for CADE Release 4.1 included processing prior year returns (filed for Tax Year 2003 and later) for taxpayers meeting certain filing conditions. Requirements for processing the eligible prior year tax returns did not consider processing routines to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System. Currently, these processing routines prevent prior year returns from being maintained on the CADE system and require transfer of the taxpayer account to the Individual Master File for processing.
The IRS determined that modifications to the CADE program to allow processing of the prior year tax returns would involve very complex and extensive programming changes. Because of the additional programming necessary and the anticipated small volume of prior year returns, the IRS decided to defer implementation of this capability until the development of CADE Release 5. Subsequently, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases, leaving the implementation of the capability to fully process and retain prior year returns with the CADE uncertain. Our review determined that this capability involved a relatively small number of taxpayer accounts. Through April 17, 2009, 24,561 taxpayers filed 25,058 prior year tax returns that could not be maintained on the CADE and were transferred to the Individual Master File for processing.
· Missing Correspondence Received Date – Our review identified tax returns processed by CADE Release 4 that originally had incomplete information and required the IRS to correspond with the taxpayer. Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information. When taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE. However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date.
Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed. However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.
Management Action: Subsequent to our review of the returns with incomplete information, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009. The IRS is also in the process of correcting accounts previously processed with Release 4.1.
Other programming priorities prevented the implementation of some planned capabilities for CADE Release 4.2
The major capabilities added to CADE Release 4.2 included processing applications for extensions to file tax returns, updating accounts with taxpayer name changes, and generating notices to taxpayers of the potential to claim the Earned Income Credit. Also, capabilities include accepting full payment of the balance due on tax returns, some estimated tax payments, and payments received with extensions of time to file tax returns. The IRS also enhanced the CADE balance and control processing for tax payments and the ability to determine the presence of penalty and debit interest situations. Returns with penalty and debit interest should not be recorded in the CADE. Instead, the transaction and the taxpayer’s account should be restored to the Individual Master File. Further, this release processes the Economic Stimulus Payment/Recovery Rebate Credit.[8] Based on our sampled transactions and the documentation reviewed, we determined that the release properly implemented these capabilities for tax return processing. However, we identified the following Release 4.2 development and processing problems.
· Revenue Receipt Transactions – The planned CADE capabilities for Release 4.2 included acceptance of revenue receipt transactions resulting from remittances received in full payment with original tax returns, estimated tax payments and declarations, and payments received with requests for extension of time to file. Our review found that tax returns filed with electronic remittances processed through the Electronic Federal Tax Payment System could not be processed by the CADE.
Electronic remittances processed through the Electronic Federal Tax Payment System require a routine to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System. Similar to the problems discussed previously in processing filings of prior year returns, these processing routines prevent the accounts from being eligible for CADE processing and require processing by the Individual Master File. Through May 15, 2009, almost 5.4 million taxpayers filed tax returns with a remittance through the CADE, which included more than 703,000 (13 percent) electronic remittances processed through the Electronic Federal Tax Payment System. Virtually all of the returns with electronic remittances originally accepted for CADE processing required transfer to the Individual Master File to be able to accept the tax account information and process the payment.
The IRS determined that modifications to the CADE program to allow processing of electronic remittances would involve programming changes in coordination with the Electronic Federal Tax Payment System. As discussed previously, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases. As a result, the implementation of the CADE capability to process remittances received with original tax returns using the Electronic Federal Tax Payment System is uncertain.
Further, because of other programming priorities, the capability for the CADE to process certain estimated tax payments was also deferred. This capability has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.
· Criminal Investigation Division Refund Hold – The Criminal Investigation Division Electronic Fraud Detection System processes tax returns in parallel with the CADE and the Individual Master File. When this System detects a suspicious tax return, the refund issuance is suspended until the circumstances about its propriety are resolved. Because of other programming priorities, the capability for the CADE to perform the Criminal Investigation Division refund hold has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.
· Credit Election Processing – Because of other programming priorities, the capability for the CADE to process tax credit elections on current year tax returns has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.
Further Work Is Necessary to Alleviate Known Customer Account Data Engine System Security Vulnerabilities
Our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities identified 16 security vulnerabilities in the CADE system environment. The IRS has taken steps to address all 16 of the reported vulnerabilities and has fully resolved 10 of them. The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy. Appendix V presents the previously reported security vulnerabilities with the CADE system and the status of their resolution.
Oversight to track the status of vulnerabilities until resolution needs improvement in the “Plan of Action and Milestones” listing
IRS policy specifies that all computer system weaknesses from any valid source should be entered in the Plan of Action and Milestones listing. IRS system owners must track the status of the resolution of all weaknesses and verify that each weakness is corrected before reporting the item as resolved on the listing.
The IRS is required to quarterly submit to the Department of the Treasury and the Office of Management and Budget a Plan of Action and Milestones listing system weaknesses. The Office of Management and Budget uses the information to assess the agency’s progress in alleviating system weaknesses, monitor the Federal Government’s ability to implement the Federal Information Security Management Act of 2002,[9] and make budgetary decisions. Inaccurate or incomplete Plan of Action and Milestones listing information affects the Office of Management and Budget’s ability to obtain an accurate status of IRS security weakness remediation.
Of the 16 previously reported vulnerabilities, 13 were directly related to National Institute of Standards and Technology Special Publication 800-53 system controls that are required to be tracked in the Plan of Action and Milestones listings. The remaining three vulnerabilities were privacy weaknesses, which the IRS tracks in the Item Tracking Reporting and Control System. We found that the IRS prematurely reported resolution of 6 of the 13 vulnerabilities in the Plan of Action and Milestones listings before effective corrective actions were taken. Three of these six vulnerabilities were not fully resolved as of the date of this report.
In addition, we found three additional weaknesses related to the disaster recovery process that the IRS is not tracking in the Plan of Action and Milestones listings.
· Training of disaster recovery personnel was not adequate. During September 2008 disaster recovery testing, the IRS determined that cross-training and knowledge transfer was needed to ensure the
· The CADE system’s disaster recovery plan did not include sufficient detail, listed some steps out of order, and did not contain all steps needed to restore the CADE system. During the September 2008 disaster recovery testing, the IRS determined that the plan still needed improvement to document all required steps in the proper sequence to allow appropriate execution. This issue was previously reported during the 2007 disaster recovery testing.
· A complete recovery of the data on the mainframe computer is not feasible until hardware capacity is increased. During the September 2008 disaster recovery testing, the IRS determined that additional capacity was needed to restore all applications residing on the mainframe computer. This issue was previously reported during the 2007 disaster recovery testing.
The IRS Cybersecurity organization does not monitor system owners’ compliance with IRS policy to track all system vulnerabilities in the Plan of Action and Milestones listings. Further, it does not monitor system owners’ compliance with IRS policy to verify that weaknesses are corrected before reporting them as resolved on the Plan of Action and Milestones listing. The Government Accountability Office also reported[10] in January 2009 that the IRS lacked an effective corrective action verification process to ensure it had taken the necessary actions to correct security weaknesses found in information systems.
Inadequate monitoring of vulnerabilities in the Plan of Action and Milestones listing and prematurely reporting vulnerabilities as resolved may decrease managerial attention to unresolved problems, prevent allocation of resources required to fix problems, and lead to delays in correcting vulnerabilities. Inaccurate Plan of Action and Milestones listing information prevents the Office of Management and Budget from obtaining an accurate status of the IRS’ security weaknesses.
Recommendation
Recommendation 1: The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners a) appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and the Item Tracking Reporting and Control System, and b) verify corrective actions are fully implemented before they are considered and reported as resolved.
Management’s Response: The IRS agreed with our recommendation. The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.
Appendix I
Detailed Objectives, Scope, and Methodology
The overall objectives of this review were to assess the accuracy and completeness of the CADE[11] Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the IRS and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases. To accomplish our objectives, we:
I. Determined whether new requirements included in Release 4.1 accurately posted tax return information to the CADE. Specifically, we determined whether the CADE:
A. Accepts tax returns with a surviving spouse filing status with dependent child.
B. Accurately processes the tax returns of decedent taxpayers.
C. Accurately generates the Additional Child Tax Credit Notice to eligible taxpayers who did not claim the full amount of Child Tax Credit.
D. Accurately generates the Electronic Fund Transfer Notice notifying taxpayers that their electronic refund request cannot be honored.
E. Processes the filing of prior year tax returns.
F. Accepts the Treasury Offset Program transactions from the Accept and Route Transactions application.
G. Processes changes to addresses.
II. Determined whether new requirements included in Release 4.2 accurately posted tax return information to the CADE. Specifically, we determined whether the CADE:
A. Accepts revenue receipt transactions and generates applicable math error notices.
B. Revenue Receipt Balance and Control processing has been updated to accommodate Revenue Receipt transactions deployed with Release 4.2.
C. Accurately processes Applications for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868).
D. Accepts last name changes from taxpayers through tax return filings, the receipt of Estimated Tax for Individuals (Form 1040-ES), or the National Account Profile file.
E. Has returned control of taxpayer accounts to the current processing environment for those accounts identified to receive a penalty or debit interest.
F. Accurately processes the Economic Stimulus Payment/Recovery Rebate Credit.[12]
G. Accurately generates the non-math error notice to taxpayers with qualifying children of potential Earned Income Credit.
III. Determined whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases. Specifically, we:
A. Assessed the current status of the 16 security vulnerabilities identified during the audit on CADE Releases 2.2 and 3.1 security controls.[13]
B. Assessed the adequacy of corrective actions implemented on security vulnerabilities identified during the audit on CADE Releases 2.2 and 3.1 security controls.
Validity and reliability of data from computer-based systems
We obtained individual tax return data processed by the CADE and stored on the Modernized Database. We compared the data to information processed and stored in the Individual Master File. We used the tax return identification number as the control to validate the accuracy of the matching of the tax return information stored on the Modernized Database and the Individual Master File. The data were sufficiently reliable to perform our audit analyses.
Analysis of CADE tax return samples
Tables 1 and 2 present the tax return information populations and samples we used to analyze taxpayer account information processed by CADE Releases 4.1 and 4.2. Our reviews involved analyses of Calendar Years 2008 and 2009 U.S. Individual Income Tax Returns (Form 1040 and Form 1040A) and Income Tax Returns for Single and Joint Filers With No Dependents (Form 1040EZ) filed and recorded to the CADE from July 2008 through April 2009. We used random sampling to ensure that each account had an equal chance of being selected, which enabled us to obtain sufficient evidence to support our results.
Table 1: Sample Selection of CADE Release 4.1 Forms 1040, 1040A, and 1040EZ Filed From July Through December 2008
| CADE Release 4.1 Capability Tested | Population | Sample Size |
| --- | --- | --- |
| Surviving Spouse Tax Returns | 5 | 5 |
| Decedent Tax Returns | 2,708 | 70 |
| Additional Child Tax Credit Notice | 8 | 8 |
| Electronic Fund Transfer Refund Notice | 1,068 | 64 |
| Prior Year Tax Returns | 2,867 | 40 |
| Treasury Offset Program | 1,773 | 66 |
| Changes to Address Processing | 1,479,905 | 80 |
Source: Treasury Inspector General for Tax Administration extract of tax return account data from the CADE and the Individual Master File for the period July through December 2008.
Detailed Sample Parameters:
· Surviving Spouse Tax Returns – We selected five individual income tax returns filed as a surviving spouse [widow(er) with dependent child] filing status that had posted to the CADE from July through October 2008.
· Decedent Tax Returns – We selected 70 individual income tax returns filed as a decedent return (1 or both taxpayers deceased) that had posted to the CADE from July through November 2008.
· Additional Child Tax Credit Notice – We selected eight individual income tax returns that had posted to the CADE from August through October 2008 and were issued an Additional Child Tax Credit Notice informing the taxpayer of potential credit to be claimed.
· Electronic Fund Transfer Refund Notice – We selected 64 individual income tax returns that had posted to the CADE from August through October 2008 and were issued an Electronic Fund Transfer Refund Notice informing the taxpayer that a paper refund check will be issued instead of an electronic refund.
· Prior Year Tax Returns – We selected 40 individual income tax returns filed as prior year returns (Calendar Years 2005 and 2006) that had posted to the CADE from July through October 2008.
· Treasury Offset Program – We selected 66 individual income tax returns that had posted to the CADE from July through October 2008 and had been identified by the IRS to have their refund reduced due to an outstanding child support or Federal agency debt.
· Changes to Address Processing – We selected 80 individual taxpayer accounts with address changes processed by the CADE from July through December 2008.
Table 2: Sample Selection of CADE Release 4.2 Forms 1040, 1040A, and 1040EZ Filed From January Through April 2009
| CADE Release 4.2 Capability Tested | Population | Sample Size |
| --- | --- | --- |
| Revenue Receipt Transactions | 159,961 | 220 |
| Revenue Receipt Balance and Control | 192,632 | 192,632 |
| Extension of Time to File | 8,942 | 60 |
| Last Name Changes | 93,036 | 150 |
| Generation of Earned Income Credit Notice | 4,791 | 70 |
| Economic Stimulus Payment/ | 15,574 | 64 |
Source: Treasury Inspector General for Tax Administration extract of tax return account data from the CADE and the Individual Master File for the period January through April 2009.
Detailed Sample Parameters:
· Revenue Receipt Transactions – We selected 220 individual income tax accounts with remittances received with original returns, estimated tax payments and declarations, and requests for extension of time to file that had posted to the CADE from January through March 2009.
· Revenue Receipt Balance and Control – We selected 192,632 revenue receipt transactions that had posted to the CADE from January through March 2009 and compared the total dollar amounts to the CADE balance and control reports.
· Extension of Time to File – We selected 60 individual income tax accounts with extensions of time to file that had posted to the CADE from January through March 2009.
· Last Name Changes – We selected 150 individual taxpayer accounts with last name changes processed by the CADE from January through March 2009.
· Generation of Earned Income Credit Notice – We selected 70 individual income tax returns with Earned Income Tax Credit notices generated by the CADE from February through April 2009.
· Economic Stimulus Payment/Recovery Rebate Credit – We selected 64 individual income tax returns with a Recovery Rebate Credit being claimed that had posted to the CADE in January and February 2009.
Appendix II
Major Contributors to This Report
Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Scott A. Macfarlane, Director
Edward A. Neuwirth, Audit Manager
Michael A. Garcia, Senior Auditor
Jody Kitazono, Senior Auditor
Beverly Tamanaha, Senior Auditor
Suzanne Westcott, Auditor
Arlene Feskanich, Senior Information Technology Specialist
Richard Hillelson, Information Technology Specialist
Martha Stewart, Information Technology Specialist
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Information Officer OS:CTO
Deputy Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Customer Account Services, Wage and Investment Division SE:W:CAS
Director, Strategy and Finance, Wage and Investment Division SE:W:S
Director, Submission Processing, Wage and Investment Division SE:W:CAS:SP
Chief, Performance Improvement, Wage and Investment Division SE:W:S:PI
Director, Test Assurance and Documentation OS:CTO:AD:TAD
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Technology Officer OS:CTO
Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Applications Development OS:CTO:AD
Senior Operations Advisor, Wage and Investment Division SE:W:S
Director, Program Oversight OS:CTO:SM:PO
Chief, GAO/TIGTA/Legislative Implementation Branch SE:S:CLD:PSP:GTL
Appendix IV
Customer Account Data Engine Release Capabilities
The IRS is implementing the CADE in a series of releases[14] over several years. Table 1 describes the capabilities implemented in Releases 1 and 2.
Table 1: CADE Release 1 and Release 2 Capabilities
| CADE Release | Start of Processing | Capabilities Added for Each Release |
| --- | --- | --- |
| Release 1.1 | July 2004 | Form 1040EZ for single filers and joint filers with no dependents. Single filing status only. |
| Release 1.2 | January 2005 | Tax law changes for filing season. |
| Release 1.3.2 | January 2006 | Forms 1040 and 1040A with no dependents and no attachments or schedules. Address changes on returns. |
| Release 2.1 | September 2006 | Returns with Head of Household filing status. Returns with Schedules A, B, and R. Returns with limited name changes. United States Postal Service address change updates. |
| Release 2.2 | March 2007 | Form 1040EZ-T. Returns with Married Filing Jointly and Married Filing Separately filing statuses. Credit for Federal Telephone Excise Tax paid. |
Source: The IRS Applications Development organization.
Form 1040 –
Form 1040A –
Form 1040EZ – Income Tax Return for Single and Joint Filers With No Dependents
Form 1040EZ-T – Request for Refund of Federal Telephone Excise Tax
Schedule A (Form 1040) – Itemized Deductions
Schedule B (Form 1040) – Interest and Ordinary Dividends
Schedule R (Form 1040) – Credit for the Elderly or the Disabled
The IRS initially planned to implement 17 requirements for Release 3 and divided the requirements delivery into 2 subreleases, Releases 3.1 and 3.2. Table 2 presents the capabilities for Release 3.1, which was completed in October 2007.
Table 2: CADE Release 3.1 Capabilities
| Capability | Description | Date Deployed |
| --- | --- | --- |
| Disaster Area Designation | Adds the processing necessary to accept Disaster Area transactions. Maintains all information necessary to determine disaster start and end dates and to change business rules as necessary based on requirements gathering. | August 9, 2007 |
| Add Indicator to Legacy Account Formatted File Online Entity to Show Account Is “In Transit” | Adds an indicator to the balance section of the entity on the Legacy Account Formatted File Online showing that an account is “in transit” when it has been sent to the Individual Master File from the CADE. | August 9, 2007 |
| Validate Module Balance When Updating Tax Modules on Legacy Account Formatted File Online | Validates the CADE account balance and updates the Legacy Account Formatted File Online. | August 9, 2007 |
|  | Develops or provides address change services to support online requests originated from the IRS Enterprise Application Integration Broker. | October 1, 2007 |
Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.
The IRS completed Release 3.2 in February 2008. Table 3 presents the capabilities for Release 3.2.
Table 3: CADE Release 3.2 Capabilities
| Capability | Description | Date Deployed |
| --- | --- | --- |
| Issuance of | Sends notifications to taxpayers when discrepancies are found during tax return processing. | January 14, 2008 |
| Child and Dependent Care Expenses (Form 2441) Credit | Processes information from taxpayers who have filed Form 1040/Form 2441 or | February 11, 2008 |
| Earned Income Credit (Schedule EIC) | Processes Form 1040/1040A with | February 11, 2008 |
| Dependent Database Interface | Expands capabilities to allow the CADE to accept all dependents and to process the Earned Income Tax Credit. | February 11, 2008 |
|  | Provides taxpayers with the ability to deposit their electronic refunds from tax returns into multiple checking, savings, and/or retirement accounts. | February 25, 2008 |
Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.
On February 13, 2008, the President signed the Economic Stimulus Act of 2008,[15] which provided taxpayers with payments of up to $600 for individuals and $1,200 for couples. This relief was available to everyone with adjusted gross income less than $75,000 for single individuals and $150,000 for married couples filing jointly. The payments were phased out for taxpayers above those income thresholds. Everyone eligible for this relief was also eligible to receive an additional $300 per child.
The IRS added the ability to issue economic stimulus payments through the CADE on April 21, 2008. The first payments through the CADE were issued on April 28, 2008.
The IRS completed Release 4.1 in July 2008. Table 4 presents the capabilities for Release 4.1.
Table 4: CADE Release 4.1 Capabilities
| Capability | Description | Date Deployed |
| --- | --- | --- |
| Surviving Spouse | Processes tax returns with a surviving spouse filing status [widow(er) with dependent child]. A qualifying taxpayer may use this filing status only on the tax return for 2 years following the tax year of the death of the spouse, provided there are one or more dependent children. This filing status benefits the surviving taxpayer, in that they will be able to use the joint tax table after the death of a spouse. | July 28, 2008 |
| Decedents | Processes the tax returns of decedent taxpayers. The release updates the account name line indicating that the taxpayer is deceased and updates the mail filing requirement associated with the taxpayer to avoid sending forms to deceased taxpayers. The release records the taxpayer’s date of death and prepares a refund for either a surviving spouse or designated representative as applicable. | July 28, 2008 |
| Changes to Address Processing | Updates account addresses and ZIP codes. | July 28, 2008 |
| Additional Child Tax Credit Notice | Generates a notice to the taxpayer in the event the taxpayer was not able to claim the full amount of Child Tax Credit and is eligible for the Additional Child Tax Credit. | July 28, 2008 |
| Electronic Fund Transfer Notice | Generates a notice to alert taxpayers whenever an electronic refund is changed to a paper check. | July 28, 2008 |
| Treasury Offset Program | Applies a taxpayer’s overpayment to outstanding non-tax child support or Federal agency debt prior to crediting an overpayment to a future tax or making a refund. | July 28, 2008 |
Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.
The IRS completed Release 4.2 in January 2009. Table 5 presents the capabilities for Release 4.2.
Table 5: CADE Release 4.2 Capabilities
| Capability | Description | Date Deployed |
| --- | --- | --- |
| Revenue Receipt Transactions | Accepts Revenue Receipt transactions resulting from remittances received with original returns, estimated tax payments and declarations, and payments received with requests for extension of time to file. | January 19, 2009 |
| Revenue Receipt Balance and Control | The balancing and reconciliation of data within the CADE include three major components: initialization (the transfer of taxpayer account data from existing IRS systems to the modernized CADE system); daily processing (the editing, processing, and record keeping of all transactions); and weekly processing (external and internal balancing of all processing and transactions for the week). | January 19, 2009 |
| Extension to File Tax Returns | Processes Application for Automatic Extension of Time To File | January 19, 2009 |
| Last Name Changes | Establishes a new process to update taxpayers’ names for CADE accounts. | January 19, 2009 |
| Penalty and Interest Potential | Identifies taxpayers subject to a penalty or debit interest resulting from the timeliness of payments made with or prior to filing their tax returns. These returns should not be recorded in the CADE. Instead, the transaction and the taxpayer’s account should be restored to the Individual Master File. | January 19, 2009 |
| Potential to Claim the Earned Income Credit | Generates a notice to inform taxpayers with qualifying child(ren) of the potential to claim the Earned Income Credit. | January 19, 2009 |
Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.
Appendix V
Customer Account Data Engine System Security Vulnerabilities and Status of Resolution
|  | Security Vulnerability | Vulnerability Status |
| --- | --- | --- |
| 1 | The CADE[16] Disaster Recovery Plan and the Information Technology Contingency Plan had not been sufficiently tested. | Resolved. While testing occurred in 2007 and 2008, the testing identified deficiencies that the mainframe computer system owner should be tracking in the Plan of Action and Milestones listing. |
| 2 | Backup tapes from the offsite storage facility were not tested at the original site or alternative site. | Resolved. Problems with backup tapes during 2007 testing were resolved during 2008 testing. |
| 3 | CADE personally identifiable information backed up on tapes, disks, and compact discs, and data shared with external agencies, were not encrypted. | Resolved. IRS implemented encryption for backup data and data shared externally in April 2008. |
| 4 | The CADE did not have the ability to identify and process all error codes. | Resolved. Inconsistencies in design documents where this issue was identified were resolved in May 2008. |
| 5 | Interconnection Security Agreements were not in place or did not contain complete and current interface information. | Resolved. Deficiencies in the agreements were resolved in March 2008. |
| 6 | Malicious code protection was not implemented. | Resolved. However, the IRS mainframe computer system security plan needs improvement to adequately describe how the system implements malicious code protection. |
| 7 | Unauthorized access to personally identifiable information could occur in mainframe computer memory, disk space, and tapes because the data were not removed before the media were reused. | Resolved. However, the CADE privacy impact assessment needs improvement to correct inaccurate and incomplete information. The CADE project team hired a privacy engineer to address ongoing privacy risks. |
| 8 | Security events and unauthorized access to taxpayer accounts by privileged CADE users were not captured. | Resolved. Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007. A new audit logging tool was installed on March 9, 2009. |
| 9 | Contractors could make changes to system configuration settings without notice, approval, or security checks. | Resolved. Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on |
| 10 | The CADE development staff did not test security features before releasing the application code. | Resolved. Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on |
| 11 | Vulnerability scans of the mainframe computer on which the CADE resides identified one high-risk failure and several configurations that were not sufficient for protecting taxpayer data. These vulnerabilities were not corrected. | Unresolved. Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007. While the high-risk failure associated with the Mainframe Policy Checker was resolved in January 2009, a process is not in place for ensuring vulnerabilities reported by all required recurring scans are reviewed, mitigated, or monitored in the Plan of Action and Milestones listings. |
| 12 | The CADE did not employ an application-specific vulnerability scanning tool. | Unresolved. Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on |
| 13 | The system did not automatically terminate a session after 15 minutes of inactivity. | Unresolved. Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007. When the system owner cannot comply with IRS policy, an approved deviation must be obtained from the Cybersecurity organization. |
| 14 | Personally identifiable information data were transmitted in clear text within Computing Centers. | Unresolved. This vulnerability is documented in the IRS program-level Plan of Action and Milestones listing. However, the use of nonsecure transmission protocols requires the mainframe computer system owner to obtain an approved deviation. |
| 15 | The CADE did not have adequate controls to ensure that minimal amounts of personally identifiable information required for the particular CADE release were collected, stored, transferred, and processed. | Unresolved. The CADE project team hired a privacy engineer to address ongoing privacy risks. The IRS is tracking this privacy vulnerability in the Item Tracking Reporting and Control System. |
| 16 | The CADE used live data in more than 18 test environments for application development testing, but the system owner did not properly describe how the CADE will acquire, use, and dispose of the live data. | Unresolved. The CADE project team hired a privacy engineer to address ongoing privacy risks. The IRS is tracking this privacy vulnerability in the Item Tracking Reporting and Control System. |
Source: CADE project personnel in the Security Engineering, and Office of Privacy organizations.
Appendix VI
| Term | Definition |
| --- | --- |
| Computing Centers | Support tax processing and information management through a data processing and telecommunications infrastructure. |
| Customer Account Data Engine (CADE) | A major component of the IRS modernization program. The CADE consists of current and planned databases and related applications that work with the IRS Master File system. |
| Dependent Database | A screening mechanism to score and select incoming tax returns based on questionable dependent claims. |
| Earned Income Credit | A tax credit for certain people who work and have income under established limits. |
| Electronic Federal Tax Payment System | A tax payment system provided free by the U.S. Department of the Treasury to pay Federal taxes electronically via the Internet or telephone. |
|  | A commercial, off-the-shelf solution used to enable communication and data transformations among systems and applications. |
| Filing Season | The period from January through mid-April when most individual income tax returns are filed. |
| Forms 1040, 1040A, and 1040EZ | The series of IRS forms that include individual income tax returns. |
| Individual Master File | The IRS database that maintains transactions or records of individual tax accounts. |
| Integrated Data Retrieval System | The IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records. |
| Item Tracking Reporting and Control System | An information system used to track and report on issues, risks, and action items in the modernization effort. |
| Legacy Account Formatted File Online | A database containing CADE-processed tax information. |
| Malicious Code | Software designed to infiltrate or damage a computer system without the owner’s informed consent. |
| Master File | The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data. |
| Modernized Database | A relational database that stores tax return information processed by the CADE. |
| National | A non-regulatory Federal agency, within the Department of Commerce, responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets. |
| Notice | A computer-generated message resulting from an analysis of the taxpayer’s account. |
| Plan of Action and Milestones | A requirement for managing the security weaknesses pertaining to a specific application or system. In addition to noting weaknesses, each Plan of Action and Milestones item details steps that need to be taken to correct or reduce any weaknesses, as well as resources required to accomplish task milestones and a correction timeline. |
| PRIME contractor | The Computer Sciences Corporation is the PRIME contractor, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology. |
| Release | A specific edition of software. |
| Requirement | A formalization of a need and statement of a capability or condition that a system must have or meet to satisfy a contract, standard, or specification. |
| Submission Processing Site | IRS campuses that process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. |
| Taxpayer Information File | The Integrated Data Retrieval System’s major database. |
| ZIP Code | The Zoning Improvement Plan instituted by the United States Postal Service to facilitate mail handling and delivery. |
Appendix VII
Management’s Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] See Appendix VI for a glossary of terms.
[2] Reference Number 2008-20-163, dated September 24, 2008.
[3] See Appendix VI for a glossary of terms.
[4] Recommended Security Controls for Federal Information Systems, Revision 1, published December 2006.
[5] 26 U.S.C. Section (§) 6103.
[6] The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).
[7] Pub. L. 110-185, 122 Stat. 613.
[8] Pub. L. No. 110-185, 122 Stat. 613.
[9] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[10] Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS (GAO-09-136, dated January 2009).
[11] See Appendix VI for a glossary of terms.
[12] Pub. L. No. 110-185, 122 Stat. 613.
[13] The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).
[14] See Appendix VI for a glossary of terms.
[15] Pub. L. No. 110-185, 122 Stat. 613.
[16] See Appendix VI for a glossary of terms.