The Internal Revenue Services recorded some security holes as closed and tests as successfully performed when in fact they were not, according to a newly released Treasury Inspector General for Tax Administration report.

The report, dated May 26 but not released publically until July 19, studies the tax agency's Modernized e-File system, the IRS's in-progress next generation online electronic tax return filing system.

The IRS released MeF version 6.1 in February and began processing individual tax forms for the first time with it. The rollout was far from trouble-free, however; during its first three weeks of operation, the system rejected 23 percent of individual tax returns.

Though TIGTA says it can't establish a direct relationship between the high rejection rate and number of failed tests, it notes that a committee that made the final decision about whether to turn on version 6.1 had access to a "System Integration and Test End of Test Completion Report." The report summary stated that no tests had failed and only eight test cases had defect reports, when according to the appendix of that same report, 34 tests had failed and 120 test cases contained defect reports.

"The IRS did not provide an explanation for the conflicts between the final report and the supporting documentation," TIGTA auditors state.

The report recommends that future releases be deployed only after full testing has been completed, a recommendation the IRS rejects. In his official response to the audit, IRS Chief Technology Officer Terry Millholland says its milestone readiness review process is sufficient to make a go or no-go decision.

TIGTA stands by its recommendation, stating that it questions whether the approving committee "had sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1."

Auditors also found conflicting information about resolved security vulnerabilities. For example, the IRS reported 10 of 13 known security vulnerabilities closed by December 2008. But in January 2010, it then said that only two of those 13 vulnerabilities were in fact resolved, and identified two additional MeF security vulnerabilities. Tracking the resolution of cybersecurity vulnerabilities has been an ongoing problem at the IRS, the report states; IRS officials told TIGTA auditors they will better track weaknesses.

For more:
- download the TIGTA report (2010-20-041) (.pdf)

Related Articles:
IRS IT investments fall short on Clinger-Cohen requirement, says IG report
IRS needs better grip on contractors with taxpayer data access, says TIGTA
Prisoners fraudulently claim $9.1 million in homebuyer tax credits