Office of Audit
Integrated Production Model Increases Data Access Efficiency; However,
Access Controls and Data Validation Could Be Improved
Final Report issued on July 29, 2016
Highlights of Reference Number: 2016-20-058 to the Internal Revenue Service Chief Information Officer.
IMPACT ON TAXPAYERS
The Integrated Production Model (IPM) replaced two similar systems in February 2007. The IPM now provides a single point of access to current and historical core taxpayer data in a centralized repository. The consolidation of systems reduces the need for redundant databases. The accuracy, completeness, and reliability of data on the IPM are essential to the IRS and its tax administration mission.
WHY TIGTA DID THE AUDIT
This audit is included in our Fiscal Year 2016 Annual Audit Plan and addresses the major management challenge of Improving Tax Systems and Online Services. The overall objective of this review was to determine whether the data within the IPM are accurate, complete, and reliable.
WHAT TIGTA FOUND
The IPM system is meeting IRS business needs and has improved the efficiency of data access via a singular data repository that has taken over the processing load of two separate database systems. However, access controls were not documented, and TIGTA was unable to definitively verify that the IPM pulls data from only designated source systems. The overall design of the IPM system allows access controls to be managed by a system external to the IPM database—the Big Data Analytics program. In addition, 14 (77 percent) of 18 IPM source systems reviewed have no validation of data for accuracy, completeness, and reliability. The IPM database acts as a data repository, and there are no controls to validate received data. The IPM assumes that all data received are accurate, complete, and reliable.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer: 1) establish updated access authorization documentation for the IPM in each of the source systems; 2) conduct a periodic review of access control lists to verify that all systems are current, authorized, and documented; and 3) implement data validation steps for information pulled into the IPM to ensure that it is accurate, complete, and reliable.
The IRS agreed with two recommendations and disagreed with one recommendation. The IRS agreed to update IPM access authorization documentation and to conduct annual validation of IPM service accounts as part of its filing season update process. The IRS disagreed that additional data validation steps should be implemented for the IPM, stating that appropriate controls are currently in place.
TIGTA maintains the controls currently in place are not sufficient to ensure data reliability in the IPM. Without adequate data validation for the IRS’s core taxpayer data store, undetected errors could result in corrupt data being provided to other applications that support case identification, selection, prioritization, delivery, and reporting.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta