Treasury Inspector General for Tax Administration
Office of Audit
CUSTOMER ACCOUNT DATA ENGINE 2
(cade 2): System Requirements and Testing Processes NEED IMPROVEMENTS
Issued on September 28, 2012
Highlights of Report Number: 2012-20-122 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
The implementation of Customer Account Data Engine 2 (CADE 2) daily processing allows the IRS to process tax returns for individual taxpayers more quickly by replacing existing weekly processing. The CADE 2 system also provides a centralized database of individual taxpayer accounts, allowing IRS employees to view tax data online and provide timely responses to taxpayers. The successful implementation of the CADE 2 system should significantly improve service to taxpayers and enhance IRS tax administration.
WHY TIGTA DID THE AUDIT
The overall objective was to determine whether the CADE 2 Transition State 1 testing activities were performed in accordance with applicable policies and procedures. This review addresses the major management challenge of Modernization of the IRS.
WHAT TIGTA FOUND
The IRS initiated testing of the CADE 2 system, reduced the risks to the filing season by implementing independent contractor recommendations, and performed simulated exercises to identify potential issues that could occur during the filing season. However, improvements are needed in key controls and processes for requirements management, testing processes, and developer security testing.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer ensure test cases and other appropriate documentation are properly developed for infrastructure requirements; all infrastructure documentation includes complete traceability to the requirements being tested and the testing results; IRS testers obtain and maintain documentation to verify test results; test execution practices are consistent; all security requirements and corresponding test cases are identified and sufficiently traced, managed, and tested; all database issues identified by Vulnerability Detection Scans are resolved or an action plan is developed with specific corrective actions and time periods; and all issues identified by Source Code Security Review scans are resolved and an action plan is developed with specific corrective actions and time periods prior to the code being placed into service.
In management’s response to the report, the IRS disagreed or partially disagreed with three of TIGTA’s eight recommendations. The IRS disagreed with developing an enterprise-wide program level Requirements Traceability Verification Matrix (RTVM) and policy. TIGTA believes an enterprise-wide approach is needed to strengthen oversight of traceability controls.
The IRS also disagreed with the recommendation that RTVMs are prepared during the test Initiation Phase. However, as discussed with CADE 2 officials, TIGTA’s report refers to both Requirements Traceability Matrix and RTVM as “RTVM.”
Further, the IRS stated that automated tools are not always needed for control of requirements and test case management for Information Technology systems development. TIGTA maintains that use of one suite of integrated automated tools would provide needed control over volumes of requirements and test cases for IRS systems, including the monumental CADE 2 system development program.
Lastly, the IRS stated that additional CADE 2 documentation is not needed to ensure complete traceability of requirements to test results. Specifically, the IRS believes that adequate documentation already exists with Government Equipment Lists and environmental checklists. However, while this documentation does verify that infrastructure components have been acquired and implemented, it does not verify that all CADE 2 processing requirements have been tested.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500