TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses
July 24, 2006
Reference Number: 2006-20-111
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals
Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov
July 24, 2006
MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT
DEPUTY COMMISSIONER FOR SERVICES AND ENFORCEMENT
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit # 200520034)
This report presents the results of our review to determine whether Internal Revenue Service (IRS) management and security staffs were adequately reviewing online Integrated Data Retrieval System (IDRS) reports to detect unauthorized accesses to taxpayer accounts.
Synopsis
The IDRS is a mission critical system containing sensitive information such as taxpayers’ names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income. This System is used by IRS employees to research and update taxpayer data. Because of the sensitive nature of its data, the IDRS routinely generates audit trail[1] information. The IRS and Treasury Inspector General for Tax Administration use the audit trail information to identify unauthorized accesses to taxpayer accounts, thus ensuring employees who violate the Taxpayer Browsing Protection Act of 1997[2] are identified and appropriate employee actions are taken.
In 2002, the IRS incrementally deployed the IDRS Online Reports Services (IORS) system[3] to reduce the costs of printing and distributing paper reports of IDRS audit trail information to IRS personnel responsible for identifying unauthorized accesses. However, audit trail information from the IORS system was not always being reviewed and investigated to detect unauthorized accesses and noncompliance with security controls.
A majority of IRS managers are not reviewing IDRS Security Reports. As a result, IRS employees may be browsing their spouses’ or other employees’ tax accounts with little chance of detection.
Although 9 of the 10 campus[4] data security staffs carried out their security-related responsibilities for reviewing IDRS Security Reports using the IORS system, a majority of business unit managers are not performing their responsibilities to investigate potential unauthorized accesses to IDRS accounts and noncompliance with security controls. As a result, employees may be browsing their spouses’ or other employees’ tax information with little chance of detection. In addition, employees may be knowingly or unknowingly violating current security procedures that could enable unauthorized persons to access sensitive taxpayer information. For instance, during one of our site visits, ****3(d)****
Using the IORS system, IRS business unit managers are responsible for reviewing and certifying four IDRS Security Reports. On average, only 42 percent of IRS business unit managers certified their IDRS Security Reports in September 2005. Individual campus certification rates[6] ranged from a high of 75 percent to a low of 15 percent, and only 36 percent of these certifications were performed timely. The Mission Assurance and Security Services (MA&SS) organization and IRS business unit management have not sufficiently emphasized the need for business unit managers to review the IDRS Security Reports produced by the IORS system. In addition, managers were not held accountable for reviewing the IDRS Security Reports on a regular basis, and the level of emphasis varied among the data security staffs located at the IRS campuses.
Due to the low certification rates nationally, we have little confidence that IRS managers are detecting potential unauthorized accesses of taxpayer information by employees. Additionally, the IRS cannot ensure employees are complying with the security controls established to protect the IDRS.
During our visits to the IRS Campuses in Brookhaven, New York, and Austin, Texas, we found the compliance levels were directly affected by the amount of emphasis provided by the local data security staffs. For example, the data security staff at the Brookhaven Campus made the effort to communicate with employees at the Campus and in the Area Offices, provide local IORS system users with training and awareness information, and notify senior business unit managers when subordinate managers did not review IDRS Security Reports timely. As a result, the certification rate was 75 percent. Conversely, the Austin Campus was not providing adequate emphasis over the IORS system program, and its compliance rate was only 15 percent.
Systemic problems with the IORS system also contributed to the low levels of compliance. These problems hindered business unit managers from adequately reviewing and timely identifying potential unauthorized accesses to employees’ and their spouses’ accounts and noncompliance with security controls on the IDRS. For example, certain IORS system users were unable to retrieve IDRS Security Reports, and slow response times hindered business unit managers’ reviews of IDRS Security Reports.
The IRS paid a contractor $2.4 million over 3 years to develop the IORS system and took incremental delivery of it in 2002, although the IORS system did not completely meet the IRS’ requirements. Additional system enhancements to address deficiencies were to be made in the next version of the IORS system, originally scheduled for deployment in December 2005. However, the MA&SS organization determined the contractor was unable to develop the new version of the IORS system according to the IRS’ needs, and the contract, which expired in September 2005, was not renewed.
Recommendations
We recommended the Chief, MA&SS, (1) emphasize to the IRS business units the need to review electronic IDRS Security Reports using the IORS system and (2) eliminate the requirement to certify the monthly Security Profile Report[7] to reduce managerial burden. Additionally, we recommended the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement ensure business unit managers’ operational review requirements are updated to include a step to validate the certification of IDRS Security Reports. Business unit managers should then be held accountable for meeting their security-related responsibilities.
To complete development of the next version of the IORS system, we recommended the Chief, MA&SS, place priority on hiring a new contractor and prioritize and address the systemic weaknesses within a reasonable time period.
Response
The IRS agreed with three of the four recommendations in our report and disagreed with one. To ensure IDRS Security Reports are reviewed in the future, the IRS will implement a process to monitor and review the compliance rate of IRS business units. Actions will be taken to require all IRS business units to include the results of MA&SS organization quarterly compliance reports in all management operational reviews to identify and enforce consequences for noncompliance. The IRS will address all the systemic weaknesses connected with the IORS system and will obtain contractual support to ensure all weaknesses are corrected. The IRS disagreed with our recommendation that certification of the monthly Security Profile Report be eliminated, due to the length of time between the quarterly and monthly reporting periods. Management’s complete response to the draft report is included as Appendix IV.
Office of Audit Comment
In our discussion draft report, we initially recommended the IRS eliminate the quarterly Security Profile Report because the IRS already had a requirement to certify the monthly versions of this Report. During the closing conference on the discussion draft report, MA&SS organization representatives requested that we instead recommend eliminating the monthly Security Profile Report, to reduce the burden to IRS managers. We concurred with the request and revised our recommendation accordingly. Management’s disagreement with this recommendation is contradictory to what was discussed at our closing conference. We continue to believe the IRS should take whatever actions are needed to ensure the security and privacy of taxpayer data on the IDRS.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Systemic Problems Are Hindering Management Reviews for Unauthorized Accesses to Taxpayer Accounts
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
Abbreviations
IDRS Integrated Data Retrieval System
IORS IDRS Online Reports Services
IRS Internal Revenue Service
MA&SS Mission Assurance and Security Services
TIGTA Treasury Inspector General for Tax Administration
UNAX Unauthorized Access to Taxpayer Information
The Taxpayer Browsing Protection Act of 1997[8] made it a criminal offense to access or inspect tax information without proper authorization. A person convicted of any such violation shall be dismissed and be subject to a fine of up to $1,000, imprisonment of not more than 1 year, or both. This legislation was essentially focused on the Internal Revenue Service (IRS) to ensure its employees access taxpayer data only for official purposes. One of the main systems used by IRS employees to research and update taxpayer data is the Integrated Data Retrieval System (IDRS). The IDRS is a mission critical system that contains sensitive information such as taxpayers’ names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income.
The IDRS Online Reports Services system is a web-based application that provides business unit managers and data security staffs online access to IDRS Security Reports based on the IDRS audit trail information.
Because of the sensitive nature of its data, the IDRS routinely generates audit trail[9] information that can be used to detect potential unauthorized accesses to taxpayer accounts. The IRS refers to the unauthorized access of taxpayer information as UNAX and provides yearly training to all employees to protect against it. Data security staffs located in the 10 IRS campuses[10] and business unit managers located throughout IRS offices must investigate accesses to employees’ and their spouses’ accounts to determine whether the accesses were made for business reasons. In addition, business unit managers should review audit trail information to detect noncompliance with security controls. For example, multiple failed attempts to access an account could indicate an unauthorized person was attempting to guess a password to gain access to sensitive data. Business unit managers should also review audit trail information to ensure employees have access to only the computer command codes[11] they need to carry out their business responsibilities.
For many years, IRS data security staffs and business unit managers received IDRS audit trail information in computer-generated paper reports. To reduce the costs of printing and distributing these reports and to improve the effectiveness of reporting results of management reviews, the IRS deployed the IDRS Online Reports Services (IORS) system in 2003. The IORS system gives business unit managers the ability to retrieve, review, and comment on IDRS Security Reports electronically. The IORS system report content is used to identify authorized IDRS users who are attempting to perform unauthorized accesses, unauthorized attempts to access the IDRS, and users who need additional training because of repeated errors that could compromise the security of the System. Business unit managers can also use the IORS system to request archived IDRS Security Reports for data analyses and to initiate and approve IDRS security forms.
The Mission Assurance and Security Services (MA&SS) organization is responsible for overseeing compliance with the IORS system and has direct responsibility over data security staffs located in the IRS campuses. Business units are responsible for ensuring their managers comply with IORS system procedures by investigating potential security violations and taking appropriate corrective actions. The data security staffs in each campus also monitor business unit managers in the campuses and the offices supported by those campuses to ensure IDRS Security Reports produced by the IORS system are properly reviewed. For example, the IRS Campus in Brookhaven, New York, is responsible for monitoring the Boston Area Office.[12]
In addition to IRS monitoring of the IDRS, the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations Strategic Enforcement Division conducts comprehensive proactive reviews of IDRS audit trail information to identify other unauthorized accesses, such as unauthorized accesses of tax information of celebrities, political figures, and employees’ neighbors, former spouses, and relatives. Over the past 2 fiscal years, the TIGTA initiated 990 UNAX cases. All of the reviews of IDRS audit trail information performed by the IRS and the TIGTA should provide assurance that employees who violate the Taxpayer Browsing Protection Act of 1997 are identified and appropriate employee actions are taken.
This review was performed at the Brookhaven and
The data security staffs in 9 of the 10 campuses carried out their security-related responsibilities for reviewing IDRS Security Reports produced by the IORS system. However, a majority of business unit managers are not performing their responsibilities to investigate potential unauthorized accesses to IDRS accounts and noncompliance with security controls. As a result, employees may be browsing their spouses’ or other employees’ tax accounts with little chance of detection. During one of our site visits, we found ****3(d)**** a clear violation of the UNAX program. In addition, employees may be knowingly or unknowingly violating current security procedures that could enable unauthorized persons to access sensitive information.
IRS business unit managers are responsible for reviewing and certifying the following four IDRS Security Reports using the IORS system.
· Sensitive Access Report – Issued weekly; identifies IRS employees who have accessed another employee’s or an employee’s spouse’s tax accounts. The IRS requires business unit managers to determine whether employees made these accesses for work-related reasons. Business unit managers must take appropriate steps, including research on the IDRS and review of case assignment files, to identify the employees’ reasons for the accesses. If needed, business unit managers may also interview the employees.
· Security Violations Report – Issued weekly; identifies unsuccessful logon attempts and employees who left their computers without logging off. Business unit managers should discuss these violations with their employees to determine whether unauthorized persons were trying to guess their passwords and whether the employees need additional training on using the IDRS.
· IDRS Security Profile Reports (2 reports) – Issued monthly and quarterly; identify employees’ capabilities on the IDRS and attempted accesses to taxpayer accounts using unauthorized command codes. Business unit managers should review these Reports to ensure employees only have the access capabilities they need to perform their responsibilities and to determine whether all attempted accesses to taxpayer accounts using unauthorized command codes were unintentional errors.
The IRS requires business unit managers to review and certify the weekly IDRS Security Reports within 14 calendar days of receipt and the monthly and quarterly Security Profile Reports within 28 calendar days of receipt. The IORS system determines whether business unit managers are responding timely to the Security Reports and sends email notifications to managers who have not responded within the specified period.
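As an added illustration of the review logic the four Reports embody, the following Python runs the Sensitive Access, Security Violations and Security Profile checks over a handful of constructed audit trail records and computes certification and timeliness rates under the 14- and 28-day deadlines. This is example code written for this page, not code from the report, the IRS or the IORS system; the audit trail field layout, the employee identifiers, TINs, command code names and certification dates are all constructed placeholders.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed IDRS-style audit trail: (date, employee, event, TIN accessed, command code).
# This layout, the employee IDs, TINs and command code names are placeholders for the
# example; they are not the real IDRS audit trail format.
AUDIT_TRAIL = [
    ("2005-09-06", "E100", "ACCESS", "111-22-9999", "RESEARCH"),   # E100's own spouse
    ("2005-09-06", "E100", "ACCESS", "555-66-7777", "RESEARCH"),   # unrelated taxpayer
    ("2005-09-07", "E200", "ACCESS", "111-22-3333", "RESEARCH"),   # coworker E100's account
    ("2005-09-07", "E200", "ACCESS", "555-66-7777", "ADJUST"),     # code outside E200's profile
    ("2005-09-08", "E300", "LOGON_FAIL", None, None),
    ("2005-09-08", "E300", "LOGON_FAIL", None, None),
    ("2005-09-08", "E300", "LOGON_FAIL", None, None),
    ("2005-09-09", "E300", "NO_LOGOFF", None, None),               # left terminal signed on
]

# Constructed rosters the reports are matched against (hypothetical identifiers).
EMPLOYEE_TINS = {"E100": "111-22-3333", "E200": "222-33-4444", "E300": "333-44-5555"}
SPOUSE_TINS = {"E100": "111-22-9999"}
AUTHORIZED_CODES = {"E100": {"RESEARCH"}, "E200": {"RESEARCH"}, "E300": {"RESEARCH", "ADJUST"}}

# Certification deadlines stated in the report.
WEEKLY_DEADLINE_DAYS = 14    # Sensitive Access and Security Violations Reports
PROFILE_DEADLINE_DAYS = 28   # monthly and quarterly Security Profile Reports


def sensitive_accesses(records, employee_tins, spouse_tins):
    """Sensitive Access Report logic: accesses to another employee's account or to
    any employee's spouse's account. Returns (employee, tin, owner) for follow-up."""
    owners = {tin: f"employee:{emp}" for emp, tin in employee_tins.items()}
    owners.update({tin: f"spouse:{emp}" for emp, tin in spouse_tins.items()})
    hits = []
    for _, emp, event, tin, _ in records:
        if event != "ACCESS" or tin not in owners:
            continue
        if owners[tin] == f"employee:{emp}":
            continue  # own account; outside what this report lists
        hits.append((emp, tin, owners[tin]))
    return hits


def security_violations(records, failed_logon_threshold=3):
    """Security Violations Report logic: repeated failed logons (possible password
    guessing) and terminals left without logging off."""
    failures = Counter(emp for _, emp, event, _, _ in records if event == "LOGON_FAIL")
    return {
        "repeated_failed_logons": sorted(e for e, n in failures.items() if n >= failed_logon_threshold),
        "left_without_logoff": sorted({emp for _, emp, event, _, _ in records if event == "NO_LOGOFF"}),
    }


def profile_violations(records, authorized_codes):
    """Security Profile Report logic: command codes used that are not in the
    employee's authorized profile."""
    return sorted({(emp, code) for _, emp, event, _, code in records
                   if event == "ACCESS" and code not in authorized_codes.get(emp, set())})


def certification_rates(certifications):
    """Compliance metrics in the shape of Figures 1 and 2: share of required reports
    certified, and share certified within the deadline, both over all reports due.
    Each entry is (report type, date issued, date certified or None)."""
    certified = timely = 0
    for report_type, issued, certified_on in certifications:
        days = PROFILE_DEADLINE_DAYS if "Profile" in report_type else WEEKLY_DEADLINE_DAYS
        if certified_on is None:
            continue
        certified += 1
        if certified_on <= issued + timedelta(days=days):
            timely += 1
    return round(certified / len(certifications), 2), round(timely / len(certifications), 2)


# Constructed certification log for one manager in September 2005.
CERTIFICATIONS = [
    ("Weekly Sensitive Access", date(2005, 9, 5), date(2005, 9, 12)),      # within 14 days
    ("Weekly Security Violations", date(2005, 9, 5), date(2005, 9, 26)),   # 21 days: late
    ("Monthly Security Profile", date(2005, 9, 1), date(2005, 9, 27)),     # within 28 days
    ("Quarterly Security Profile", date(2005, 9, 1), None),                # never certified
]

if __name__ == "__main__":
    print(sensitive_accesses(AUDIT_TRAIL, EMPLOYEE_TINS, SPOUSE_TINS))
    print(security_violations(AUDIT_TRAIL))
    print(profile_violations(AUDIT_TRAIL, AUTHORIZED_CODES))
    print(certification_rates(CERTIFICATIONS))
```

The three detection functions only surface candidates; as the report stresses, each hit still needs a manager to establish a business reason (case assignment files, IDRS research, an interview). The rates are computed over all reports due, so a report never certified counts against both the certification and the timeliness figure, which is how the gap between the two columns in Figures 1 and 2 arises.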
For September 2005, only 42 percent of IRS business unit managers certified their IDRS Security Reports. Individual campus certification rates for September 2005 ranged from a high of 75 percent to a low of 15 percent. Only 36 percent of these certifications were performed timely. Figure 1 presents the compliance levels for each of the 10 IRS campuses. The results for each campus include the certification and timeliness rates for all IRS offices supported by the data security staffs in the campuses.
Figure 1: National IORS System Compliance Levels

IRS Campus       | Certification Rate | Timeliness Rate
1. Andover       | 53%                | 47%
2. Atlanta       | 33%                | 28%
3. Austin        | 15%                | 13%
4. Brookhaven    | 75%                | 69%
5. Cincinnati    | 34%                | 29%
6. Fresno        | 35%                | 29%
7. Kansas City   | 50%                | 40%
8.               | 24%                | 19%
9.               | 66%                | 57%
10. Philadelphia | 34%                | 31%
Averages         | 42%                | 36%

Source: September 2005 compliance levels based on the MA&SS organization’s analyses.[13]
The certification rates and timeliness rates were consistently low for the four IDRS Security Reports that business unit managers are required to review. Figure 2 reflects the September 2005 compliance levels for the four Reports.
Figure 2: IORS System Compliance Levels by Report

Security Report Type          | Certification Rate | Timeliness Rate
1. Weekly Sensitive Access    | 46%                | 34%
2. Weekly Security Violations | 50%                | 39%
3. Monthly Security Profile   | 40%                | 40%
4. Quarterly Security Profile | 32%                | 32%
Averages                      |                    |