Treasury Inspector General for Tax Administration
Office of Audit
THE CUSTOMER ACCOUNT DATA ENGINE 2 DATABASE WAS INITIALIZED; HOWEVER, DATABASE AND SECURITY RISKS REMAIN, AND INITIAL TIMEFRAMES TO PROVIDE DATA TO THREE DOWNSTREAM SYSTEMS MAY NOT BE MET
Final Report issued on September 27, 2012
Highlights of Report Number:† 2012-20-109 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
The overall goals for the Customer Account Data Engine 2 (CADE 2) Program are to process individual taxpayer account data in a modernized environment and provide more timely and accurate data to front-line employees.† A transactional database capable of supporting both tax processing and enterprise-wide data access is a cornerstone of that effort.† In Transition State 1, the IRS will establish the database and processes will be developed to keep the database current with daily account information from the Individual Master File.† The database will be able to provide daily updates to the IRSís key customer service database, the Integrated Data Retrieval System, and it will be able to populate the key compliance analytical database, the Integrated Production Model, with more timely data.† Incomplete, inaccurate, and unsecured data on the CADE 2 database will prevent the IRS from providing quality customer service and could compromise taxpayer data.
WHY TIGTA DID THE AUDIT
The overall objective was to review the CADE 2 database implementation and ensure that the database was secure, accurate, and complete, and that prior weaknesses identified were corrected or mitigated.† This review addresses the major management challenge of Modernization.
WHAT TIGTA FOUND
Our review determined that data integrity testing did not provide assurance that CADE 2 database data are consistently accurate and complete.† Also, the CADE 2 database design has not fully met initialization, daily update, and downstream interface needs.
To address the issues identified during testing, the IRS developed version 2.2 of the CADE 2 database.† The IRS spent up to $22.3 million on database implementation including developing version 2.2 of the CADE 2 database from January through July 2012.† The IRS does not track cost at the development activity level; therefore, TIGTA could not determine the actual cost for version 2.2 of the CADE 2 database.†
Enhanced security is one of the goals of the CADE 2 Program.† CADE 2 database security will be implemented via a role-based access model and the Resource Access Control Facility.† However, vulnerabilities in the JAVA code could result in loss of sensitive taxpayer information, and remediation of identified security weaknesses is ineffective.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer:† 1) ensure the CADE 2 Program does not exit Transition State 1 until the CADE 2 database can provide accurate and complete data to the three downstream systems; 2) ensure the database design process follows the Internal Revenue Manual and validate that the database design meets business requirements; 3) realign data validation and testing efforts with business functionality and processes; 4) ensure JAVA code weaknesses are remediated; 5) ensure privileged accounts are documented, administered, monitored, and reviewed in accordance with the Internal Revenue Manual or removed from the system; 6) ensure sample tables and default ports are disabled or removed; and 7) enhance the Online 5081 system.
The IRS agreed with three and partially agreed with one of the seven recommendations and corrective actions are planned.† The IRS disagreed with three recommendations and TIGTA provided comments in the audit report.
E-mail Address: ††TIGTACommunications@tigta.treas.gov
Phone Number:†† 202-622-6500