The US Treasury Inspector General for Tax Administration (TIGTA) has publicly
released its review of two Internal Revenue Service (IRS) modernized systems that
were deployed with known security vulnerabilities, placing the security and privacy
of taxpayer information at risk.

The Customer Account Data Engine (CADE) will provide the foundation for managing
all taxpayer accounts and will replace existing tax processing systems. The
Account Management Services (AMS) will provide faster and improved access by
employees to taxpayer account data. However, TIGTA found that security weaknesses
in controls over sensitive data protection, system access, monitoring of system
access, and disaster recovery have continued to exist even though key phases
of the CADE and the AMS have been deployed. The report concludes that as a result,
the IRS is jeopardizing the confidentiality, integrity, and availability of
an increasing volume of tax information for millions of taxpayers as these systems
are put into operation.

"The IRS continues to struggle with security vulnerabilities in its modernized
systems. It recognizes, as we all do, the inherent risk in any IT system,"
commented J. Russell George, Inspector General, Treasury Inspector General for
Tax Administration. "In the case of the CADE and AMS the Service was aware
of, and even self-identified, these weaknesses. This is very troublesome."

TIGTA found that the IRS has established policies and procedures for security
and privacy requirements, but it did not follow those guidelines during the
planning and design phases for both systems. The report also found that IRS
officials did not carry out their responsibilities for ensuring the identified
weaknesses had been fully addressed prior to deployment.

TIGTA identified some of these vulnerabilities in prior audit reports on the
CADE and other modernization projects. To remedy the vulnerabilities identified
in the current report, TIGTA recommended several solutions, including that IRS
officials consider all security vulnerabilities which affect the overall security
of these systems before implementation.

IRS officials generally agreed with TIGTA’s recommendations.