TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information

August 28, 2009

Reference Number: 2009-20-100

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500

Email Address | inquiries@tigta.treas.gov

Web Site | http://www.tigta.gov

August 28, 2009

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
CHIEF TECHNOLOGY OFFICER

FROM: (for) Michael R. Phillips /s/ Nancy A. Nakamura
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information (Audit # 200920020)

 

This report presents the results of our review of the Customer Account Data Engine[1] (CADE) Release 4 capabilities.  The overall objectives of this review were to assess the accuracy and completeness of the CADE Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the Internal Revenue Service (IRS) and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.  This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS.

Impact on the Taxpayer

The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs.  The CADE is a major component of the IRS modernization program.  The modernized CADE database allows the IRS to update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, which will contribute to improved service to taxpayers.  CADE Release 4 is operating effectively to help the IRS provide these improved services to taxpayers.  However, there are security concerns that have not been adequately addressed.

Synopsis

The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009.  From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.

In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers.  This release also allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers.  Further, this release generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.

Our review of CADE Release 4 processing found that some planned capabilities were not completely implemented.  We identified problems with processing tax returns for decedent taxpayers and with the Treasury Offset Program.  When these conditions were recognized by the IRS, it implemented steps to correct these processing problems.

Several planned capabilities for CADE Release 4 were deferred because of other programming priorities.  These capabilities included:  1) maintaining accounts in the CADE after processing the filing of prior year tax returns, 2) processing electronic revenue receipts submitted with original tax returns, 3) establishing an account on the CADE to accept a taxpayer’s estimated tax payment (estimated tax declaration), 4) Criminal Investigation Division refund holds, and 5) credit elections for the current tax year returns.  The IRS decided to defer implementation of processing estimated tax declarations, Criminal Investigation Division refund holds, and credit elections until the development of CADE Release 5.2.  The IRS also informed us that it is reconsidering the plans and requirements for future CADE releases, leaving uncertain the implementation of the processing of prior year tax returns and electronic revenue receipts.

Our review also identified tax returns processed by CADE Release 4 with incomplete information.  Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information.  When the taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE.  However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date.  Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed.  However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.

Subsequent to our review, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009.  The IRS is also in the process of correcting accounts previously processed with Release 4.1.

The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report, entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities,[2] and has fully resolved 10 of them.  The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy.  Further, we found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones listing before effective corrective actions were taken.  Three of these six vulnerabilities were not fully resolved as of the date of our review.

Recommendation

The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and Item Tracking Reporting and Control System, and verify corrective actions are fully implemented before they are considered and reported as resolved.

Response

The IRS agreed with our recommendation.  The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.  Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendation.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

 

 

Table of Contents

Background

Results of Review

Customer Account Data Engine Release 4 Accurately Processes and Records Tax Return and Tax Account Information, Although Some Planned Capabilities Were Not Implemented

Further Work Is Necessary to Alleviate Known Customer Account Data Engine System Security Vulnerabilities

Recommendation 1:

Appendices

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Customer Account Data Engine Release Capabilities

Appendix V – Customer Account Data Engine System Security Vulnerabilities and Status of Resolution

Appendix VI – Glossary of Terms

Appendix VII – Management’s Response to the Draft Report

 

Abbreviations

CADE – Customer Account Data Engine

IRS – Internal Revenue Service

Background

The CADE is a critical building block in the IRS modernization program that will enable the development of subsequent modernized systems to improve customer service and compliance.

The Customer Account Data Engine[3] (CADE) is a major component of the Internal Revenue Service’s (IRS) modernization program.  It consists of current and planned databases and related applications that work with the IRS Master File system.

Tax returns, both paper and electronic, are received by the IRS at various Submission Processing sites across the country.  At these sites, the tax return information is input to the IRS return processing computer system, which validates certain taxpayer identifying information and checks the tax returns for mathematical errors.  After the tax return information has been validated and errors have been corrected, the sites send the information to the IRS Computing Centers for posting to the taxpayers’ accounts.  In the past, this account information was posted to the Master File system.

The age and complexity of the Master File system cause inaccuracies and delays in providing service to taxpayers.  Currently, updates to taxpayers’ account information on the Master File, such as posting return information and payments, occur on a weekly basis and some updates require multiple weeks to complete.  Because current data are not available to IRS employees, taxpayers requesting help with their accounts may be given outdated information.  In contrast, the CADE posts information to taxpayers’ accounts on a daily rather than a weekly basis.  Taxpayers whose tax account information is posted to the CADE receive refunds faster, and IRS employees are able to provide improved service to taxpayers because the employees have up-to-date, accurate account information available.

The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs.  The CADE is being implemented in a series of releases over several years.  The simplest taxpayer accounts were moved to the CADE first, and each successive release adds a more complex segment of taxpayer accounts.  The first CADE release began posting the simplest individual tax returns, the Income Tax Return for Single and Joint Filers With No Dependents (Form 1040EZ), in July 2004.  Subsequent releases have added new capabilities and tax forms.  The subject of this review, CADE Release 4, began posting returns in July 2008 and contained significant additions over the prior releases.

Like all Federal Government agencies, the IRS is required to protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in National Institute of Standards and Technology Special Publication 800-53.[4]  In addition, the IRS is specifically required by Federal law to keep taxpayer data confidential and to prevent unauthorized disclosure or browsing of taxpayer records.  Section 6103 of the Internal Revenue Code[5] prohibits the disclosure of tax returns and tax return information and requires that the storage of such information be secure and the access restricted to only those persons whose duties and responsibilities require access.

In September 2008, we reported[6] that the IRS continued to deploy CADE releases even though known security weaknesses existed in the controls over system access, monitoring of system access, disaster recovery, and sensitive data protection.  As a result, the IRS was jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as CADE releases were put into operation.

This review was performed in the Wage and Investment Division CADE Project Office and the Cybersecurity organization in New Carrollton, Maryland, during the period November 2008 through May 2009.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.  This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS.  Detailed information on our audit objectives, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

Customer Account Data Engine Release 4 Accurately Processes and Records Tax Return and Tax Account Information, Although Some Planned Capabilities Were Not Implemented

The CADE processed almost 40 million tax returns and generated almost $58 billion in refunds from January through May 2009.

The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009.  From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.  This is a significant increase over the 30 million tax returns processed in Calendar Year 2008.

In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers.  Further, this release allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers.  This release also generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.  Appendix IV provides an overview of the capabilities delivered in each of the CADE releases.

The IRS took appropriate actions to correct CADE processing problems with CADE Release 4.1

The major capabilities added to CADE Release 4.1 included processing tax returns with a surviving spouse filing status with dependent child and tax returns of decedent taxpayers.  Further, Release 4.1 generates the Additional Child Tax Credit Notice to eligible taxpayers who did not claim the full amount of the Child Tax Credit and generates the Electronic Fund Transfer Notice notifying taxpayers that their electronic refund request cannot be honored.  This release also accepts the Treasury Offset Program transactions and processes changes to taxpayer addresses.

We sampled transactions to determine whether the release properly implemented these capabilities for tax return processing and found that these capabilities were generally implemented adequately.  However, we identified the following Release 4.1 processing problems and presented them to CADE project management for resolution.

·        Tax Returns of Decedent Taxpayers – The CADE did not always update the decedent taxpayer account to indicate that the taxpayer is deceased.  Specifically, the taxpayer account name line was not always updated indicating the taxpayer was deceased, and the date of death was not always added to the account.  Indicating the taxpayer is deceased on the account name line enables the mail filing requirement associated with the taxpayer to be updated to avoid sending forms to a deceased taxpayer.  Providing the date of death on the account initiates a process to prepare a refund for either a surviving spouse or designated representative as applicable.

When the CADE project team recognized this issue, it implemented corrective actions to resolve the problem.  In addition, the CADE project team reviewed the accounts that were not accurately updated and determined that accounts with an inaccurate mail filing requirement were not affected by the absence of the decedent designation on the taxpayer name line of the tax returns.  However, for accounts that did not include the date of death, some refund checks were inappropriately issued to deceased taxpayers, but none were returned as undeliverable.

·        Treasury Offset Program – This program is administered by the Treasury Financial Management Service and will apply a taxpayer’s overpayment to outstanding non-tax child support or Federal agency debt prior to issuing a refund.  Our reviews found that CADE accounts with multiple refunds issued by the IRS on different dates (tax refunds and Economic Stimulus Act of 2008[7] payments) affected by the Treasury Offset Program were correctly paid to the Treasury Financial Management Service.  However, the CADE programming did not allow IRS systems to display the offset of the other Federal debts for taxpayers with multiple refunds.  This condition was presented to the CADE project team and the team implemented corrective actions to resolve the problem.

·        Processing the Filing of Prior Year Tax Returns – Planned capabilities for CADE Release 4.1 included processing prior year returns (filed for Tax Year 2003 and later) for taxpayers meeting certain filing conditions.  Requirements for processing the eligible prior year tax returns did not consider processing routines to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System.  Currently, these processing routines prevent prior year returns from being maintained on the CADE system and require transfer of the taxpayer account to the Individual Master File for processing.

The IRS determined that modifications to the CADE program to allow processing of the prior year tax returns would involve very complex and extensive programming changes.  Because of the additional programming necessary and the anticipated small volume of prior year returns, the IRS decided to defer implementation of this capability until the development of CADE Release 5.  Subsequently, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases, leaving the implementation of the capability to fully process and retain prior year returns with the CADE uncertain.  Our review determined that this capability involved a relatively small number of taxpayer accounts.  Through April 17, 2009, 24,561 taxpayers filed 25,058 prior year tax returns that could not be maintained on the CADE and were transferred to the Individual Master File for processing.

·        Missing Correspondence Received Date – Our review identified tax returns processed by CADE Release 4 that originally had incomplete information and required the IRS to correspond with the taxpayer.  Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information.  When taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE.  However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date.

Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed.  However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.

Management Action:  Subsequent to our review of the returns with incomplete information, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009.  The IRS is also in the process of correcting accounts previously processed with Release 4.1.

Other programming priorities prevented the implementation of some planned capabilities for CADE Release 4.2

The major capabilities added to CADE Release 4.2 included processing applications for extensions to file tax returns, updating accounts with taxpayer name changes, and generating notices to taxpayers of the potential to claim the Earned Income Credit.  Also, capabilities include accepting full payment of the balance due on tax returns, some estimated tax payments, and payments received with extensions of time to file tax returns.  The IRS also enhanced the CADE balance and control processing for tax payments and the ability to determine the presence of penalty and debit interest situations.  Returns with penalty and debit interest should not be recorded in the CADE.  Instead, the transaction and the taxpayer’s account should be restored to the Individual Master File.  Further, this release processes the Economic Stimulus Payment/Recovery Rebate Credit.[8]  Based on our sampled transactions and the documentation reviewed, we determined that the release properly implemented these capabilities for tax return processing.  However, we identified the following Release 4.2 development and processing problems.

·        Revenue Receipt Transactions – The planned CADE capabilities for Release 4.2 included acceptance of revenue receipt transactions resulting from remittances received in full payment with original tax returns, estimated tax payments and declarations, and payments received with requests for extension of time to file.  Our review found that tax returns filed with electronic remittances processed through the Electronic Federal Tax Payment System could not be processed by the CADE.

Electronic remittances processed through the Electronic Federal Tax Payment System require a routine to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System.  Similar to the problems discussed previously in processing filings of prior year returns, these processing routines prevent the accounts from being eligible for CADE processing and require processing by the Individual Master File.  Through May 15, 2009, almost 5.4 million taxpayers filed tax returns with a remittance through the CADE, which included more than 703,000 (13 percent) electronic remittances processed through the Electronic Federal Tax Payment System.  Virtually all of the returns with electronic remittances originally accepted for CADE processing required transfer to the Individual Master File to be able to accept the tax account information and process the payment.

The IRS determined that modifications to the CADE program to allow processing of electronic remittances would involve programming changes in coordination with the Electronic Federal Tax Payment System.  As discussed previously, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases.  As a result, the implementation of the CADE capability to process remittances received with original tax returns using the Electronic Federal Tax Payment System is uncertain.

Further, because of other programming priorities, the capability for the CADE to process certain estimated tax payments was also deferred.  This capability has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

·        Criminal Investigation Division Refund Hold – The Criminal Investigation Division Electronic Fraud Detection System processes tax returns in parallel with the CADE and the Individual Master File.  When this System detects a suspicious tax return, the refund issuance is suspended until the circumstances about its propriety are resolved.  Because of other programming priorities, the capability for the CADE to perform the Criminal Investigation Division refund hold has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

·        Credit Election Processing – Because of other programming priorities, the capability for the CADE to process tax credit elections on current year tax returns has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

Further Work Is Necessary to Alleviate Known Customer Account Data Engine System Security Vulnerabilities

Our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities identified 16 security vulnerabilities in the CADE system environment.  The IRS has taken steps to address all 16 of the reported vulnerabilities and has fully resolved 10 of them.  The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy.  Appendix V presents the previously reported security vulnerabilities with the CADE system and the status of their resolution.

Oversight to track the status of vulnerabilities until resolution needs improvement in the “Plan of Action and Milestones” listing

IRS policy specifies that all computer system weaknesses from any valid source should be entered in the Plan of Action and Milestones listing.  IRS system owners must track the status of the resolution of all weaknesses and verify that each weakness is corrected before reporting the item as resolved on the listing.

The IRS is required to quarterly submit to the Department of the Treasury and the Office of Management and Budget a Plan of Action and Milestones listing system weaknesses.  The Office of Management and Budget uses the information to assess the agency’s progress in alleviating system weaknesses, monitor the Federal Government’s ability to implement the Federal Information Security Management Act of 2002,[9] and make budgetary decisions.  Inaccurate or incomplete Plan of Action and Milestones listing information affects the Office of Management and Budget’s ability to obtain an accurate status of IRS security weakness remediation.

Of the 16 previously reported vulnerabilities, 13 were directly related to National Institute of Standards and Technology Special Publication 800-53 system controls that are required to be tracked in the Plan of Action and Milestones listings.  The remaining three vulnerabilities were privacy weaknesses, which the IRS tracks in the Item Tracking Reporting and Control System.  We found that the IRS prematurely reported resolution of 6 of the 13 vulnerabilities in the Plan of Action and Milestones listings before effective corrective actions were taken.  Three of these six vulnerabilities were not fully resolved as of the date of this report.

In addition, we found three additional weaknesses related to the disaster recovery process that the IRS is not tracking in the Plan of Action and Milestones listings.

·        Training of disaster recovery personnel was not adequate.  During September 2008 disaster recovery testing, the IRS determined that cross-training and knowledge transfer were needed to ensure the Memphis Computing Center staff could reinstall the CADE in the event the Martinsburg Computing Center staff and/or the PRIME contractor were not available.

·        The CADE system’s disaster recovery plan did not include sufficient detail, listed some steps out of order, and did not contain all steps needed to restore the CADE system.  During the September 2008 disaster recovery testing, the IRS determined that the plan still needed improvement to document all required steps in the proper sequence to allow appropriate execution.  This issue was previously reported during the 2007 disaster recovery testing.

·        A complete recovery of the data on the mainframe computer is not feasible until hardware capacity is increased.  During the September 2008 disaster recovery testing, the IRS determined that additional capacity was needed to restore all applications residing on the mainframe computer.  This issue was previously reported during the 2007 disaster recovery testing.

The IRS Cybersecurity organization does not monitor system owners’ compliance with IRS policy to track all system vulnerabilities in the Plan of Action and Milestones listings.  Further, it does not monitor system owners’ compliance with IRS policy to verify that weaknesses are corrected before reporting them as resolved on the Plan of Action and Milestones listing.  The Government Accountability Office also reported[10] in January 2009 that the IRS lacked an effective corrective action verification process to ensure it had taken the necessary actions to correct security weaknesses found in information systems.

Inadequate monitoring of vulnerabilities in the Plan of Action and Milestones listing and prematurely reporting vulnerabilities as resolved may decrease managerial attention to unresolved problems, prevent allocation of resources required to fix problems, and lead to delays in correcting vulnerabilities.  Inaccurate Plan of Action and Milestones listing information prevents the Office of Management and Budget from obtaining an accurate status of the IRS’ security weaknesses.

Recommendation

Recommendation 1:  The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners a) appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and the Item Tracking Reporting and Control System, and b) verify corrective actions are fully implemented before they are considered and reported as resolved.

Management’s Response:  The IRS agreed with our recommendation.  The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems.

 

Appendix I

Detailed Objectives, Scope, and Methodology

The overall objectives of this review were to assess the accuracy and completeness of the CADE[11] Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the IRS and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.  To accomplish our objectives, we:

I. Determined whether new requirements included in Release 4.1 accurately posted tax return information to the CADE.  Specifically, we determined whether the CADE:

A. Accepts tax returns with a surviving spouse filing status with dependent child.

B. Accurately processes the tax returns of decedent taxpayers.

C. Accurately generates the Additional Child Tax Credit Notice to eligible taxpayers who did not claim the full amount of Child Tax Credit.

D. Accurately generates the Electronic Fund Transfer Notice notifying taxpayers that their electronic refund request cannot be honored.

E. Processes the filing of prior year tax returns.

F. Accepts the Treasury Offset Program transactions from the Accept and Route Transactions application.

G. Processes changes to addresses.

II. Determined whether new requirements included in Release 4.2 accurately posted tax return information to the CADE.  Specifically, we determined whether the CADE:

A. Accepts revenue receipt transactions and generates applicable math error notices.

B. Revenue Receipt Balance and Control processing has been updated to accommodate Revenue Receipt transactions deployed with Release 4.2.

C. Accurately processes Applications for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868).

D. Accepts last name changes from taxpayers through tax return filings, the receipt of Estimated Tax for Individuals (Form 1040-ES), or the National Account Profile file.

E. Has returned control of taxpayer accounts to the current processing environment for those accounts identified to receive a penalty or debit interest.

F. Accurately processes the Economic Stimulus Payment/Recovery Rebate Credit.[12]

G. Accurately generates the non-math error notice to taxpayers with qualifying children of potential Earned Income Credit.

III. Determined whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.  Specifically, we:

A. Assessed the current status of the 16 security vulnerabilities identified during the audit on CADE Releases 2.2 and 3.1 security controls.[13]

B. Assessed the adequacy of corrective actions implemented on security vulnerabilities identified during the audit on CADE Releases 2.2 and 3.1 security controls.

Validity and reliability of data from computer-based systems

We obtained individual tax return data processed by the CADE and stored on the Modernized Database.  We compared the data to information processed and stored in the Individual Master File.  We used the tax return identification number as the control to validate the accuracy of the matching of the tax return information stored on the Modernized Database and the Individual Master File.  The data were sufficiently reliable to perform our audit analyses.

Analysis of CADE tax return samples

Tables 1 and 2 present the tax return information populations and samples we used to analyze taxpayer account information processed by CADE Releases 4.1 and 4.2.  Our reviews involved analyses of Calendar Years 2008 and 2009 U.S. Individual Income Tax Returns (Form 1040 and Form 1040A) and Income Tax Returns for Single and Joint Filers With No Dependents (Form 1040EZ) filed and recorded to the CADE from July 2008 through April 2009.  We used random sampling to ensure that each account had an equal chance of being selected, which enabled us to obtain sufficient evidence to support our results.

Table 1:  Sample Selection of CADE Release 4.1 Forms 1040, 1040A, and 1040EZ Filed From July Through December 2008

CADE Release 4.1 Capability Tested | Population | Sample Size
Surviving Spouse Tax Returns | 5 | 5
Decedent Tax Returns | 2,708 | 70
Additional Child Tax Credit Notice | 8 | 8
Electronic Fund Transfer Refund Notice | 1,068 | 64
Prior Year Tax Returns | 2,867 | 40
Treasury Offset Program | 1,773 | 66
Changes to Address Processing | 1,479,905 | 80

Source:  Treasury Inspector General for Tax Administration extract of tax return account data from the CADE and the Individual Master File for the period July through December 2008.

Detailed Sample Parameters:

· Surviving Spouse Tax Returns – We selected five individual income tax returns filed as a surviving spouse [widow(er) with dependent child] filing status that had posted to the CADE from July through October 2008.

· Decedent Tax Returns – We selected 70 individual income tax returns filed as a decedent return (1 or both taxpayers deceased) that had posted to the CADE from July through November 2008.

· Additional Child Tax Credit Notice – We selected eight individual income tax returns that had posted to the CADE from August through October 2008 and were issued an Additional Child Tax Credit Notice informing the taxpayer of potential credit to be claimed.

· Electronic Fund Transfer Refund Notice – We selected 64 individual income tax returns that had posted to the CADE from August through October 2008 and were issued an Electronic Fund Transfer Refund Notice informing the taxpayer that a paper refund check will be issued instead of an electronic refund.

· Prior Year Tax Returns – We selected 40 individual income tax returns filed as prior year returns (Calendar Years 2005 and 2006) that had posted to the CADE from July through October 2008.

· Treasury Offset Program – We selected 66 individual income tax returns that had posted to the CADE from July through October 2008 and had been identified by the IRS to have their refund reduced due to an outstanding child support or Federal agency debt.

· Changes to Address Processing – We selected 80 individual taxpayer accounts with address changes processed by the CADE from July through December 2008.

Table 2:  Sample Selection of CADE Release 4.2 Forms 1040, 1040A, and 1040EZ Filed From January Through April 2009

CADE Release 4.2 Capability Tested | Population | Sample Size
Revenue Receipt Transactions | 159,961 | 220
Revenue Receipt Balance and Control | 192,632 | 192,632
Extension of Time to File | 8,942 | 60
Last Name Changes | 93,036 | 150
Generation of Earned Income Credit Notice | 4,791 | 70
Economic Stimulus Payment/Recovery Rebate Credit | 15,574 | 64

Source:  Treasury Inspector General for Tax Administration extract of tax return account data from the CADE and the Individual Master File for the period January through April 2009.

Detailed Sample Parameters:

· Revenue Receipt Transactions – We selected 220 individual income tax accounts with remittances received with original returns, estimated tax payments and declarations, and requests for extension of time to file that had posted to the CADE from January through March 2009.

· Revenue Receipt Balance and Control – We selected 192,632 revenue receipt transactions that had posted to the CADE from January through March 2009 and compared the total dollar amounts to the CADE balance and control reports.

· Extension of Time to File – We selected 60 individual income tax accounts with extensions of time to file that had posted to the CADE from January through March 2009.

· Last Name Changes – We selected 150 individual taxpayer accounts with last name changes processed by the CADE from January through March 2009.

· Generation of Earned Income Credit Notice – We selected 70 individual income tax returns with Earned Income Tax Credit notices generated by the CADE from February through April 2009.

· Economic Stimulus Payment/Recovery Rebate Credit – We selected 64 individual income tax returns with a Recovery Rebate Credit being claimed that had posted to the CADE in January and February 2009.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)

Scott A. Macfarlane, Director

Edward A. Neuwirth, Audit Manager

Michael A. Garcia, Senior Auditor

Jody Kitazono, Senior Auditor

Beverly Tamanaha, Senior Auditor

Suzanne Westcott, Auditor

Arlene Feskanich, Senior Information Technology Specialist

Richard Hillelson, Information Technology Specialist

Martha Stewart, Information Technology Specialist

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Chief Information Officer  OS:CTO

Deputy Commissioner, Wage and Investment Division  SE:W

Associate Chief Information Officer, Applications Development  OS:CTO:AD

Director, Customer Account Services, Wage and Investment Division  SE:W:CAS

Director, Strategy and Finance, Wage and Investment Division  SE:W:S

Director, Submission Processing, Wage and Investment Division  SE:W:CAS:SP

Chief, Performance Improvement, Wage and Investment Division  SE:W:S:PI

Director, Test Assurance and Documentation  OS:CTO:AD:TAD

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief Technology Officer  OS:CTO

Commissioner, Wage and Investment Division  SE:W

Associate Chief Information Officer, Applications Development  OS:CTO:AD

Senior Operations Advisor, Wage and Investment Division  SE:W:S

Director, Program Oversight  OS:CTO:SM:PO

Chief, GAO/TIGTA/Legislative Implementation Branch  SE:S:CLD:PSP:GTL

 

Appendix IV

 

Customer Account Data Engine Release Capabilities

 

The IRS is implementing the CADE in a series of releases[14] over several years.  Table 1 describes the capabilities implemented in Releases 1 and 2.

Table 1:  CADE Release 1 and Release 2 Capabilities

CADE Release | Start of Processing | Capabilities Added for Each Release
Release 1.1 | July 2004 | Form 1040EZ for single filers and joint filers with no dependents.  Single filing status only.
Release 1.2 | January 2005 | Tax law changes for filing season.
Release 1.3.2 | January 2006 | Forms 1040 and 1040A with no dependents and no attachments or schedules.  Address changes on returns.
Release 2.1 | September 2006 | Returns with Head of Household filing status.  Returns with Schedules A, B, and R.  Returns with limited name changes.  United States Postal Service address change updates.
Release 2.2 | March 2007 | Form 1040EZ-T.  Returns with Married Filing Jointly and Married Filing Separately filing statuses.  Credit for Federal Telephone Excise Tax paid.

Source:  The IRS Applications Development organization.

Form 1040 – U.S. Individual Income Tax Return

Form 1040A – U.S. Individual Income Tax Return

Form 1040EZ – Income Tax Return for Single and Joint Filers With No Dependents

Form 1040EZ-T – Request for Refund of Federal Telephone Excise Tax

Schedule A (Form 1040) – Itemized Deductions

Schedule B (Form 1040) – Interest and Ordinary Dividends

Schedule R (Form 1040) – Credit for the Elderly or the Disabled

The IRS initially planned to implement 17 requirements for Release 3 and divided the requirements delivery into 2 subreleases, Releases 3.1 and 3.2.  Table 2 presents the capabilities for Release 3.1, which was completed in October 2007.

Table 2:  CADE Release 3.1 Capabilities

Capability | Description | Date Deployed
Disaster Area Designation | Adds the processing necessary to accept Disaster Area transactions.  Maintains all information necessary to determine disaster start and end dates and to change business rules as necessary based on requirements gathering. | August 9, 2007
Add Indicator to Legacy Account Formatted File Online Entity to Show Account Is “In Transit” | Adds an indicator to the balance section of the entity on the Legacy Account Formatted File Online showing that an account is “in transit” when it has been sent to the Individual Master File from the CADE. | August 9, 2007
Validate Module Balance When Updating Tax Modules on Legacy Account Formatted File Online | Validates the CADE account balance and updates the Legacy Account Formatted File Online. | August 9, 2007
Enterprise Application Integration Broker | Develops or provides address change services to support online requests originated from the IRS Enterprise Application Integration Broker. | October 1, 2007

Source:  The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.

The IRS completed Release 3.2 in February 2008.  Table 3 presents the capabilities for Release 3.2.

Table 3:  CADE Release 3.2 Capabilities

Capability | Description | Date Deployed
Issuance of Math Error Notices | Sends notifications to taxpayers when discrepancies are found during tax return processing. | January 14, 2008
Child and Dependent Care Expenses (Form 2441) Credit | Processes information from taxpayers who have filed Form 1040/Form 2441 or Form 1040A/Child and Dependent Care Expenses for Form 1040A Filers (Schedule 2) to take the credit for child and dependent care expenses. | February 11, 2008
Earned Income Credit (Schedule EIC) | Processes Form 1040/1040A with Schedule EIC.  Uses the Earned Income Tax Credit information to identify those eligible tax returns that have Earned Income Tax Credit-qualifying dependents. | February 11, 2008
Dependent Database Interface | Expands capabilities to allow the CADE to accept all dependents and to process the Earned Income Tax Credit. | February 11, 2008
Split Refunds | Provides taxpayers with the ability to deposit their electronic refunds from tax returns into multiple checking, savings, and/or retirement accounts. | February 25, 2008

Source:  The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.

On February 13, 2008, the President signed the Economic Stimulus Act of 2008,[15] which provided taxpayers with payments of up to $600 for individuals and $1,200 for couples.  This relief was available to everyone with adjusted gross income less than $75,000 for single individuals and $150,000 for married couples filing jointly.  The payments were phased out for taxpayers above those income thresholds.  Everyone eligible for this relief was also eligible to receive an additional $300 per child.

The IRS added the ability to issue economic stimulus payments through the CADE on April 21, 2008.  The first payments through the CADE were issued on April 28, 2008.

The IRS completed Release 4.1 in July 2008.  Table 4 presents the capabilities for Release 4.1.

Table 4:  CADE Release 4.1 Capabilities

Capability | Description | Date Deployed
Surviving Spouse | Processes tax returns with a surviving spouse filing status [widow(er) with dependent child].  A qualifying taxpayer may use this filing status only on the tax return for 2 years following the tax year of the death of the spouse, provided there are one or more dependent children.  This filing status benefits the surviving taxpayer, in that they will be able to use the joint tax table after the death of a spouse. | July 28, 2008
Decedents | Processes the tax returns of decedent taxpayers.  The release updates the account name line indicating that the taxpayer is deceased and updates the mail filing requirement associated with the taxpayer to avoid sending forms to deceased taxpayers.  The release records the taxpayer’s date of death and prepares a refund for either a surviving spouse or designated representative as applicable. | July 28, 2008
Changes to Address Processing | Updates account addresses and ZIP codes. | July 28, 2008
Additional Child Tax Credit Notice | Generates a notice to the taxpayer in the event the taxpayer was not able to claim the full amount of Child Tax Credit and is eligible for the Additional Child Tax Credit. | July 28, 2008
Electronic Fund Transfer Notice | Generates a notice to alert taxpayers whenever an electronic refund is changed to a paper check. | July 28, 2008
Treasury Offset Program | Applies a taxpayer’s overpayment to outstanding non-tax child support or Federal agency debt prior to crediting an overpayment to a future tax or making a refund. | July 28, 2008

Source:  The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.

The IRS completed Release 4.2 in January 2009.  Table 5 presents the capabilities for Release 4.2.

Table 5:  CADE Release 4.2 Capabilities

Capability | Description | Date Deployed
Revenue Receipt Transactions | Accepts Revenue Receipt transactions resulting from remittances received with original returns, estimated tax payments and declarations, and payments received with requests for extension of time to file. | January 19, 2009
Revenue Receipt Balance and Control | The balancing and reconciliation of data within the CADE include three major components:  initialization (the transfer of taxpayer account data from existing IRS systems to the modernized CADE system); daily processing (the editing, processing, and record keeping of all transactions); and weekly processing (external and internal balancing of all processing and transactions for the week). | January 19, 2009
Extension to File Tax Returns | Processes Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868).  If taxpayers cannot meet the tax return filing deadline they can request an extension to the due date of their tax return using Form 4868. | January 19, 2009
Last Name Changes | Establishes a new process to update taxpayers’ names for CADE accounts. | January 19, 2009
Penalty and Interest Potential | Identifies taxpayers subject to a penalty or debit interest resulting from the timeliness of payments made with or prior to filing their tax returns.  These returns should not be recorded in the CADE.  Instead, the transaction and the taxpayer’s account should be restored to the Individual Master File. | January 19, 2009
Potential to Claim the Earned Income Credit | Generates a notice to inform taxpayers with qualifying child(ren) of the potential to claim the Earned Income Credit. | January 19, 2009

Source:  The IRS Wage and Investment Division and the Modernization and Information Technology Services Applications Development organization.

 

Appendix V

 

Customer Account Data Engine System Security Vulnerabilities and Status of Resolution

 

 

No. | Security Vulnerability | Vulnerability Status
1 | The CADE[16] Disaster Recovery Plan and the Information Technology Contingency Plan had not been sufficiently tested. | Resolved.  While testing occurred in 2007 and 2008, the testing identified deficiencies that the mainframe computer system owner should be tracking in the Plan of Action and Milestones listing.
2 | Backup tapes from the offsite storage facility were not tested at the original site or alternative site. | Resolved.  Problems with backup tapes during 2007 testing were resolved during 2008 testing.
3 | CADE personally identifiable information backed up on tapes, disks, and compact discs, and data shared with external agencies, were not encrypted. | Resolved.  IRS implemented encryption for backup data and data shared externally in April 2008.
4 | The CADE did not have the ability to identify and process all error codes. | Resolved.  Inconsistencies in design documents where this issue was identified were resolved in May 2008.
5 | Interconnection Security Agreements were not in place or did not contain complete and current interface information. | Resolved.  Deficiencies in the agreements were resolved in March 2008.
6 | Malicious code protection was not implemented. | Resolved.  However, the IRS mainframe computer system security plan needs improvement to adequately describe how the system implements malicious code protection.
7 | Unauthorized access to personally identifiable information could occur in mainframe computer memory, disk space, and tapes because the data were not removed before the media were reused. | Resolved.  However, the CADE privacy impact assessment needs improvement to correct inaccurate and incomplete information.  The CADE project team hired a privacy engineer to address ongoing privacy risks.
8 | Security events and unauthorized access to taxpayer accounts by privileged CADE users were not captured. | Resolved.  Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007.  A new audit logging tool was installed on March 9, 2009.
9 | Contractors could make changes to system configuration settings without notice, approval, or security checks. | Resolved.  Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on June 7, 2007.  Improper privileges for two contractors were not revoked until March 2008.
10 | The CADE development staff did not test security features before releasing the application code. | Resolved.  Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on January 10, 2008.  The CADE developer performed security testing for CADE Release 4.2 in September 2008.
11 | Vulnerability scans of the mainframe computer on which the CADE resides identified one high-risk failure and several configurations that were not sufficient for protecting taxpayer data.  These vulnerabilities were not corrected. | Unresolved.  Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007.  While the high-risk failure associated with the Mainframe Policy Checker was resolved in January 2009, a process is not in place for ensuring vulnerabilities reported by all required recurring scans are reviewed, mitigated, or monitored in the Plan of Action and Milestones listings.
12 | The CADE did not employ an application-specific vulnerability scanning tool. | Unresolved.  Reported as resolved prematurely in the CADE Plan of Action and Milestones listing on March 20, 2008.  The first application-specific scan was run in February 2009; however, a process is not in place for ensuring vulnerabilities reported by all recurring required scans are reviewed, mitigated, or monitored in Plan of Action and Milestones listings.
13 | The system did not automatically terminate a session after 15 minutes of inactivity. | Unresolved.  Reported as resolved prematurely in the IRS mainframe computer Plan of Action and Milestones listing on October 15, 2007.  When the system owner cannot comply with IRS policy, an approved deviation must be obtained from the Cybersecurity organization.
14 | Personally identifiable information data were transmitted in clear text within Computing Centers. | Unresolved.  This vulnerability is documented in the IRS program-level Plan of Action and Milestones listing.  However, the use of nonsecure transmission protocols requires the mainframe computer system owner to obtain an approved deviation.
15 | The CADE did not have adequate controls to ensure that minimal amounts of personally identifiable information required for the particular CADE release were collected, stored, transferred, and processed. | Unresolved.  The CADE project team hired a privacy engineer to address ongoing privacy risks.  The IRS is tracking this privacy vulnerability in the Item Tracking Reporting and Control System.
16 | The CADE used live data in more than 18 test environments for application development testing, but the system owner did not properly describe how the CADE will acquire, use, and dispose of the live data. | Unresolved.  The CADE project team hired a privacy engineer to address ongoing privacy risks.  The IRS is tracking this privacy vulnerability in the Item Tracking Reporting and Control System.

Source:  CADE project personnel in the Enterprise Operations, Modernization and Information Technology Services Security Engineering, and Office of Privacy organizations.

 

Appendix VI

 

Glossary of Terms

 

Term | Definition
Computing Centers | Support tax processing and information management through a data processing and telecommunications infrastructure.
Customer Account Data Engine (CADE) | A major component of the IRS modernization program.  The CADE consists of current and planned databases and related applications that work with the IRS Master File system.
Dependent Database | A screening mechanism to score and select incoming tax returns based on questionable dependent claims.
Earned Income Credit | A tax credit for certain people who work and have income under established limits.
Electronic Federal Tax Payment System | A tax payment system provided free by the U.S. Department of the Treasury to pay Federal taxes electronically via the Internet or telephone.
Enterprise Application Integration Broker | A commercial, off-the-shelf solution used to enable communication and data transformations among systems and applications.
Filing Season | The period from January through mid-April when most individual income tax returns are filed.
Forms 1040, 1040A, and 1040EZ | The series of IRS forms that include individual income tax returns.
Individual Master File | The IRS database that maintains transactions or records of individual tax accounts.
Integrated Data Retrieval System | The IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
Item Tracking Reporting and Control System | An information system used to track and report on issues, risks, and action items in the modernization effort.
Legacy Account Formatted File Online | A database containing CADE-processed tax information.
Malicious Code | Software designed to infiltrate or damage a computer system without the owner’s informed consent.
Master File | The IRS database that stores various types of taxpayer account information.  This database includes individual, business, and employee plans and exempt organizations data.
Modernized Database | A relational database that stores tax return information processed by the CADE.
National Institute of Standards and Technology | A non-regulatory Federal agency, within the Department of Commerce, responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.
Notice | A computer-generated message resulting from an analysis of the taxpayer’s account.
Plan of Action and Milestones | A requirement for managing the security weaknesses pertaining to a specific application or system.  In addition to noting weaknesses, each Plan of Action and Milestones item details steps that need to be taken to correct or reduce any weaknesses, as well as resources required to accomplish task milestones and a correction timeline.
PRIME contractor | The Computer Sciences Corporation is the PRIME contractor, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
Release | A specific edition of software.
Requirement | A formalization of a need and statement of a capability or condition that a system must have or meet to satisfy a contract, standard, or specification.
Submission Processing Site | IRS campuses that process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
Taxpayer Information File | The Integrated Data Retrieval System’s major database.
ZIP Code | The Zoning Improvement Plan instituted by the United States Postal Service to facilitate mail handling and delivery.

 

Appendix VII

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.


[1] See Appendix VI for a glossary of terms.

[2] Reference Number 2008-20-163, dated September 24, 2008.

[3] See Appendix VI for a glossary of terms.

[4] Recommended Security Controls for Federal Information Systems, Revision 1, published December 2006.

[5] 26 U.S.C. Section (§) 6103.

[6] The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).

[7] Pub. L. No. 110-185, 122 Stat. 613.

[8] Pub. L. No. 110-185, 122 Stat. 613.

[9] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

[10] Information Security:  Continued Efforts Needed to Address Significant Weaknesses at IRS (GAO-09-136, dated January 2009).

[11] See Appendix VI for a glossary of terms.

[12] Pub. L. No. 110-185, 122 Stat. 613.

[13] The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).

[14] See Appendix VI for a glossary of terms.

[15] Pub. L. No. 110-185, 122 Stat. 613.

[16] See Appendix VI for a glossary of terms.