For those of you who may be interested, the TIGTA (Treas Inspector General for Tax Administration) released its audit report of the IRS' security controls for the administration of the Premium Tax Credit available to taxpayers under the ACA
http://www.treasury.gov/tigta/auditreports/2013reports/201323119fr.pdf


The IRS conducted interagency testing to verify integration, interface, performance, and reliability requirements for major design components of the system. Interagency testing should include validating data formats and transmission, validating software and hardware interoperability, and using manufactured data to invoke user-like work streams in a simulated production environment. Staff in each agency is responsible for repairing defects in their respective systems and keeping the systems operational. The interagency test cases that we analyzed contained user scenarios that were jointly developed by the Centers for Medicare and Medicaid Services (CMS) and the IRS.
The test cases we considered were developed to validate the critical business processes for inbound requests from the CMS and outbound responses from the IRS. For example, a test case could require the submission of a single PTC request from the CMS Federal Exchange, ensure that the correct results are generated on the IRS systems, and verify those results are correctly returned and presented at the CMS Federal Exchange.

We observed that the IT Implementation and Testing organization personnel did not consistently follow appropriate test management procedures. Internal Revenue Manual (IRM) 2.6.1 requires that test cases be developed to support requirements testing. Test cases must specify and document the conditions to be tested and validate that system functions meet customer requirements as translated into a documented functional design. Test cases should also include the requirements being tested to ensure that each requirement is properly tested. During our review, the IRS stated that test cases are mapped to requirements in the requirements traceability matrix to ensure traceability. However, we reviewed five interagency test cases provided by the IT Implementation and Testing organization and found that they did not contain all key requirements that must be tested to verify system capabilities.

The IT Implementation and Testing organization staff explained that testing with another Federal agency, including the HHS, involves new processes, so everyone is learning as the work progresses with ACA systems development. Further, they explained that missing requirements were not included in the test cases because of an IRS decision to restrict certain data during the test case development process from the CMS. However, if requirement numbers and descriptions are not included in test cases, traceability between requirements, test cases, and test results may not be accurate or complete. Based on ourreview, we concluded that the IRS has not applied established systems development controls to verify that the HHS Hub and the IRS portal for ACA effectively transfer data13 as needed by the IRS for calculating the maximum APTC.

Recommendation Recommendation 3: The Chief Technology Officer should update test management procedures to include additional controls and processes to document how traceability between requirements, test cases, and test results will be achieved for interagency testing.

Management’s Response: The IRS agreed with this recommendation. The IRS stated that the ACA Strategic Test Management plan will be updated to formally document how traceability between requirements, test cases, and test results are achieved for testing with external entities.
(pp9&10 of the attached pdf).


An article on this report here:
IRS Needs to Improve Security for Obamacare Tax Credits: December 4, 2013

On top of the other problems associated with the troubled rollout of the federal government’s online health insurance exchange, the Internal Revenue Service is now being urged to strengthen the security for the tax credits it will be providing to help taxpayers afford the cost of the insurance premiums. ..........


Draw your own conclusions.