Washington: The Internal Revenue Service (IRS) is developing a centralized electronic data repository to help implement the Affordable Care Act (ACA). When complete, the Coverage Data Repository (CDR) will be the IRS’s sole authoritative source of tax-related ACA data for healthcare-related functions and services.
A new report from the Treasury Inspector General for Tax Administration (TIGTA) found that planned interagency testing for the CDR with the Federal and State Exchanges was not completed. As of November 21, 2014, the IRS had only received data from three States. Subsequent to the audit review, the IRS received additional data, but it still had not yet received all Exchange Periodic Data submissions from the Exchanges as of January 20, 2015, the start of the 2015 Filing Season.
The overall objective of the audit was to determine how systems development risks for the CDR Project were being mitigated and whether established business and information technology requirements were being met. Specifically, TIGTA evaluated CDR testing processes, including interagency, release-level, and project-level functional testing controls as well as security and audit trail controls.
TIGTA found that interagency testing with the Federal and State Exchanges was not completed. Release-level testing was completed but not prior to initiating interagency testing with the Centers for Medicare and Medicaid Services. During project-level testing, system developers did not always demonstrate CDR functionality to business owners and did not maintain complete records verifying business participation. The CDR was deployed before security risk assessments were completed. Further, the CDR Application Audit Plan was not implemented as needed to support the IRS’s program and policy to mitigate risks for unauthorized access to taxpayers’ records.
“It is imperative that the IRS ensures that all its information technology projects, including those associated with the implementation of the Affordable Care Act, are capable of performing the tasks they are designed to perform,” said J. Russell George, Treasury Inspector General for Tax Administration.
TIGTA recommended that the Chief Technology Officer 1) ensure that interagency testing with the Exchanges is completed, 2) ensure that future ACA projects complete release-level testing before starting interagency testing, 3) verify that CDR 2.0 functionality has been adequately demonstrated to ACA business owners, 4) ensure that sufficient evidence is maintained to verify adequate business owner participation, 5) ensure that authorizing officials evaluate and accept CDR risks prior to deployment, and 6) ensure that the CDR Application Audit Plan is completed, approved, sufficiently tested, and implemented.
The IRS agreed with two of TIGTA’s recommendations but did not concur with recommendations to strengthen systems testing practices nor with TIGTA’s assessment of the process applied to demonstrate and verify system functionality for the CDR. Because the IRS plans to rely on the CDR as its sole authoritative source for all ACA data, TIGTA maintains that improvements are needed to ensure adequate risk mitigation practices in each of these areas.