Treasury Inspector General for Tax Administration

Office of Audit

THE CUSTOMER ACCOUNT DATA ENGINE 2 DATABASE WAS INITIALIZED; HOWEVER, DATABASE AND SECURITY RISKS REMAIN, AND INITIAL TIMEFRAMES TO PROVIDE DATA TO THREE DOWNSTREAM SYSTEMS MAY NOT BE MET

Highlights

Final Report issued on September 27, 2012

Highlights of Report Number:† 2012-20-109 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The overall goals for the Customer Account Data Engine 2 (CADE 2) Program are to process individual taxpayer account data in a modernized environment and provide more timely and accurate data to front-line employees.† A transactional database capable of supporting both tax processing and enterprise-wide data access is a cornerstone of that effort.† In Transition State 1, the IRS will establish the database and processes will be developed to keep the database current with daily account information from the Individual Master File.† The database will be able to provide daily updates to the IRSís key customer service database, the Integrated Data Retrieval System, and it will be able to populate the key compliance analytical database, the Integrated Production Model, with more timely data.† Incomplete, inaccurate, and unsecured data on the CADE 2 database will prevent the IRS from providing quality customer service and could compromise taxpayer data.

WHY TIGTA DID THE AUDIT

The overall objective was to review the CADE 2 database implementation and ensure that the database was secure, accurate, and complete, and that prior weaknesses identified were corrected or mitigated.† This review addresses the major management challenge of Modernization.

WHAT TIGTA FOUND

Our review determined that data integrity testing did not provide assurance that CADE 2 database data are consistently accurate and complete.† Also, the CADE 2 database design has not fully met initialization, daily update, and downstream interface needs.

To address the issues identified during testing, the IRS developed version 2.2 of the CADE 2 database.† The IRS spent up to $22.3 million on database implementation including developing version 2.2 of the CADE 2 database from January through July 2012.† The IRS does not track cost at the development activity level; therefore, TIGTA could not determine the actual cost for version 2.2 of the CADE 2 database.†

Enhanced security is one of the goals of the CADE 2 Program.† CADE 2 database security will be implemented via a role-based access model and the Resource Access Control Facility.† However, vulnerabilities in the JAVA code could result in loss of sensitive taxpayer information, and remediation of identified security weaknesses is ineffective.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer:† 1) ensure the CADE 2 Program does not exit Transition State 1 until the CADE 2 database can provide accurate and complete data to the three downstream systems; 2) ensure the database design process follows the Internal Revenue Manual and validate that the database design meets business requirements; 3) realign data validation and testing efforts with business functionality and processes; 4) ensure JAVA code weaknesses are remediated; 5) ensure privileged accounts are documented, administered, monitored, and reviewed in accordance with the Internal Revenue Manual or removed from the system; 6) ensure sample tables and default ports are disabled or removed; and 7) enhance the Online 5081 system.

The IRS agreed with three and partially agreed with one of the seven recommendations and corrective actions are planned.† The IRS disagreed with three recommendations and TIGTA provided comments in the audit report.

http://www.treas.gov/tigta/auditreports/2012reports/201220109fr.html.†

E-mail Address: ††TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Website:†† http://www.tigta.gov