TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited

 

 

 

September 29, 2006

 

Reference Number:  2006-20-177

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-927-7037

Email Address   |  Bonnie.Heald@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

September 29, 2006

 

 

MEMORANDUM FOR CHIEF INFORMATION OFFICER
CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Audit # 200620003)

 

This report presents the results of our review to determine whether the Internal Revenue Service’s (IRS) modernized systems generate audit logs that are saved and analyzed to detect unauthorized accesses to modernization applications.

Impact on the Taxpayer

Audit trails[1] for the IRS’ modernized systems are not being adequately collected, reviewed, or retained.  Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities.  In addition, fraudulent transactions and intrusions on IRS systems used to administer tax laws could go undetected. 

Synopsis

The IRS has two approaches for collecting audit trails for the computers supporting its Business Systems Modernization effort.  Audit trails for the Customer Account Data Engine (CADE)[2] are stored internally.  Audit trails for all other modernized systems are stored centrally and reviewed in the Security Audit and Analysis System (SAAS).  Neither approach is working effectively.

The IRS is not monitoring audit trails on the CADE.  While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years.  This will place added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE.  We believe CADE transactions are not reviewed because only a limited number of users have permission to access the system.  However, these users have powerful access privileges, which could enable them to steal taxpayer information and take action to disrupt computer operations with little chance of detection.

The SAAS audit trails of user and system activities on modernized systems are not being adequately monitored.  User activity audit trails on modernized systems are not being reviewed by the IRS business units and the Treasury Inspector General for Tax Administration (TIGTA) for two reasons.  First, while audit trail data are being collected by the SAAS, the data are not accurate, reliable, and complete.  We reviewed over 3 million audit trail records and found 48 percent of the places for data required by IRS policy were missing data or contained inaccurate information.  Second, even if the SAAS audit trails were usable, reports and functions for reviewing them are not yet available, making it unlikely SAAS users could identify inappropriate activity on modernized systems.

System activity audit trails are not being adequately reviewed by the Computer Security Incident Response Center,[3] to identify security-related events.  These audit trails have not been delivered timely and have not been completed sufficiently. 

The underlying reason why audit trails on the SAAS are not adequately reviewed is the inadequacy of SAAS system requirements, which are used to identify the System’s features and capabilities.  Although the IRS accepted the SAAS in Fiscal Year 2002, the system requirements are still inadequate because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System.[4]  This replacement has been a TIGTA and IRS priority because the System is aging.  However, until all SAAS users emphasize the need to review audit trail data on modernized systems, sufficient priority will not be given to the development of SAAS audit trails.

Our results indicate the problems with the SAAS we reported[5] in August 2004 have not been adequately addressed, despite claims by the IRS that the SAAS has been functioning.  In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.”  We again reported[6] problems with the SAAS in August 2005.  In its response to that report, the IRS disagreed with our conclusion that audit trails for IRS modernized systems were not functioning.  IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports. 

Recommendations

We recommended the Chief, Mission Assurance and Security Services (MA&SS), establish a review process for CADE audit trails and ensure they are retained.  For the SAAS, the Chief Information Officer should modify modernized system audit trails to comply with SAAS standards and capture information needed by user organizations.  In addition, the Chief, MA&SS, should reassess the user and system requirements for the SAAS, including the control weaknesses identified in this report, and ensure the requirements are assigned a completion date.  Once this is complete, SAAS procedures and processes should be reevaluated to ensure the new SAAS requirements are incorporated.

Response

The IRS agreed with our findings and recommendations.  The MA&SS organization will establish an enterprise process for reviewing the audit trails of all IRS legacy (current) and modernized applications and systems, including CADE audit trails.  In addition, it will establish, in conjunction with the Chief Information Officer, a viable retention policy for CADE audit trails that is consistent with established IRS policies.  For the SAAS, the MA&SS organization will reassess the requirements for SAAS audit trails, including identifying all user requirements and the resulting SAAS system requirements needed to achieve them.  The IRS will provide a Project Plan that includes development of change requests for modification of modernized applications to provide audit trail data to, and in the correct format for, the SAAS based on the reassessed SAAS requirements.  The Plan will include expected implementation dates for each modernization application and will be based on funding and resource availability.  Once SAAS requirements are reassessed, the MA&SS organization will establish procedures to ensure audit trails are properly reviewed and will assign staff to monitor failed audit trail records.  Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment

The IRS provided an implementation date of October 2008 for its corrective action addressing our recommendation to modify modernized system audit trails to comply with SAAS standards and capture information needed by user organizations.  We recognize the difficult task the IRS faces in modifying modernized system audit trails to provide usable information, given their current state.  However, this implementation date will leave the IRS without usable audit trails for more than 2 years.  With this response, the IRS is accepting the risk that unauthorized access to taxpayer information on modernized systems may occur and not be detected.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

Customer Account Data Engine Audit Trails Are Not Being Adequately Monitored

Recommendations 1 and 2:

Security Audit and Analysis System Audit Trails Are Not Being Adequately Monitored

Recommendation 3:

Recommendations 4 and 5:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Additional Information on the Security Audit and Analysis System Audit Trail

Appendix V – Management’s Response to the Draft Report

 

 

Abbreviations

 

CADE

Customer Account Data Engine

CSIRC

Computer Security Incident Response Center

IDRS

Integrated Data Retrieval System

I-EIN

Internet Employer Identification Number

IFS

Integrated Financial System

IRFOF

Internet Refund/Fact of Filing

IRS

Internal Revenue Service

MA&SS

Mission Assurance and Security Services

MeF

Modernized e-File

SAAS

Security Audit and Analysis System

TIGTA

Treasury Inspector General for Tax Administration

UNAX

Unauthorized accesses and inspections of taxpayer records

 

 

Background

 

An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction.

Internal Revenue Service (IRS) procedures state that each of the IRS’ computer systems is required to collect and maintain adequate audit trail information and that this information is to be timely reviewed.  An audit trail is defined as a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.  Audit trails can also be used to diagnose computer problems because they capture all user and system activities associated with a transaction and provide documentation that identifies what has been done.

The National Institute of Standards and Technology[7] states that audit trails can provide a means to help accomplish several security-related objectives, including:

·         Individual accountability – Enables managers to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database).

·         Reconstruction of events – Assesses damage to a system by pinpointing how, when, and why normal operations ceased.

·         Intrusion detection – Identifies attempts to penetrate a system and gain unauthorized access.

·         Problem analysis – Provides online tools to help identify problems other than intrusions as they occur.[8]

For the IRS, audit trails on modernized systems are also needed to detect unauthorized access attempts, successful accesses of its most critical information, and attacks on its systems.  In particular, audit trails are used to identify willful unauthorized accesses and inspections of taxpayer records (UNAX).  Identifying UNAX violations became more important with the passage of the Taxpayer Browsing Protection Act of 1997,[9] which states the willful unauthorized access or inspection of taxpayer records is a crime punishable upon conviction by fines, prison terms, and termination of employment.

In addition to identifying UNAX violations, audit trails can be used to identify whether IRS financial information and transactions have been compromised.  Such compromise could result in corruption of financial data and limit the IRS’ ability to conduct business.  Compromise of financial information could also result in fraudulent transactions, such as unauthorized payments.

However, none of these events can be detected if audit trails have not been designed to capture key information and are not retained for a sufficient period of time.  Also, management must have a formal process for reviewing audit trail reports to effectively respond to system events.

The IRS has two approaches for collecting audit trails for the computers supporting its Business Systems Modernization effort.  For the Customer Account Data Engine (CADE), audit trails are stored internally in the system’s database.  The CADE is the foundation for managing taxpayer accounts in the IRS’ Business Systems Modernization effort and will eventually house taxpayer accounts and tax return data for more than 135 million individual and business taxpayers.  The CADE will incrementally replace the existing IRS Master File.[10]  The current release of the CADE processes selected data for over 1.4 million single filers with no dependents who filed an Income Tax Return for Single Filers and Joint Filers With No Dependents (Form 1040EZ) in Calendar Year 2005.

Audit trails for all other modernized systems are centralized in the Security Audit and Analysis System (SAAS).  See Appendix IV for a list of these systems.  The SAAS was initially built by the IRS’ PRIME contractor as part of the Business Systems Modernization effort and was accepted by the IRS in 2002.  The SAAS is designed to gather user and system audit trail information from these systems and store this information in a central database that should be accessed and used by the following customers:

  • Managers from the IRS business units, who should review user audit trails for questionable activities of their employees on IRS modernized systems, by reviewing the transactions from those systems.  Potential UNAX violations and fraudulent transactions are forwarded to the Treasury Inspector General for Tax Administration (TIGTA) for investigation.
  • TIGTA investigators, who are responsible for detecting and investigating UNAX violations in accordance with the Taxpayer Browsing Protection Act of 1997.  The TIGTA uses various techniques to analyze audit trail data to identify potential UNAX violations. 
  • The Computer Security Incident Response Center (CSIRC)[11], which should review system audit trail data generated by operating systems, databases, and applications of modernized systems to detect and respond to computer security incidents targeting the IRS’ enterprise information technology assets.

This review was performed in the Mission Assurance and Security Services (MA&SS) organization and the Modernization and Information Technology Services organization, at the Enterprise Computing Center – Martinsburg,[12] in Kearneysville, West Virginia, and in the MA&SS organization in Lanham, Maryland, during the period October 2005 through March 2006.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The IRS is not adequately collecting, reviewing, or retaining audit trail data from its modernized systems.  Without adequate processes in these areas, unauthorized accesses or security intrusions could be occurring without being detected.

Customer Account Data Engine Audit Trails Are Not Being Adequately Monitored

The IRS is properly monitoring audit trails to identify attempts by unauthorized persons to access the CADE, and any security violations noted are sent to appropriate management officials for review and certification.  However, once a user is authorized to access the CADE, his or her actions are not monitored.  The lack of monitoring provides no assurance that an authorized user is accessing CADE data for official business purposes only.

While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years, as shown in Table 1.  This growth places added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE.  If the IRS cannot review audit trail information for the current volume of returns, its ability to adequately and effectively review audit trails will diminish when the volume increases in future years.

Table 1:  Estimated Number of Returns to Be Processed by the CADE

Year

Estimated Number of Returns

Year

Estimated Number of Returns

2005

1,423,417 (Actual)

2009

70 million

2006

4 million

2010

90 million

2007

33 million

2011

100 million

2008

50 million

2012

135 million

Source:  Customer Relationship Management Executive Steering Committee, approved
October 18, 2005.

The IRS has not emphasized the need to monitor audit trails on the CADE because it is updated primarily through input of data from other IRS systems.  Consequently, only a limited number of users have direct access to the CADE application.  The CADE is currently accessible by only 39 persons including IRS computer personnel, contractors, and TIGTA personnel.  However, these users have powerful access privileges that could enable them to steal taxpayer information with little chance of detection.  By not reviewing user transactions in the CADE’s audit trails, the IRS cannot be assured that security violations are not occurring.

Also, CADE audit trails are not being sufficiently retained.  Currently, audit trails are retained for 30 calendar days, a retention period based on available storage space.  In comparison, SAAS audit trail data are required to be retained for 6 years.

We previously identified the CADE audit trail review and retention issues in our August 2005 report,[13] but at that time, CADE audit trails were retained for only 1 to 2 calendar days and were not being reviewed.  We recommended CADE audit trail data be retained and reviewed to detect unauthorized accesses.  The IRS disagreed with this recommendation, stating that log and audit files used by CADE system programmers are established for recovery and diagnostic purposes and do not capture data related to unauthorized access.  In response, we commented that we continue to believe audit trail information for the CADE should be retained and reviewed.  The CADE contains tax information for over 1.4 million returns that could be accessed by some IRS employees for unauthorized purposes, potentially resulting in identity thefts.  Therefore, audit trail information must be maintained to comply with Department of the Treasury requirements.

Recommendations

Recommendation 1:  To ensure CADE audit trails are reviewed, the Chief, MA&SS, should establish a review process for CADE audit trails.  Such a process will aid in current reviews and position the IRS to perform future reviews when the amount of taxpayer information residing in the CADE is significantly larger.

Management’s Response:  IRS management agreed with this recommendation.  The MA&SS organization will establish an enterprise process for reviewing the audit trails of all IRS legacy (current) and modernized applications and systems, including CADE audit trails.

Recommendation 2:  To ensure CADE audit trails are sufficiently retained, the Chief, MA&SS, and the Chief Information Officer should establish a viable retention policy for CADE audit trails, mirroring, where possible, that of other systems with taxpayer information.

Management’s Response:  IRS management agreed with this recommendation.  The MA&SS organization, in conjunction with the Chief Information Officer, will establish a viable retention policy for CADE audit trails that is consistent with established IRS policies governing records management and retention standards for systems with taxpayer information.

Security Audit and Analysis System Audit Trails Are Not Being Adequately Monitored

The three primary users of the SAAS (the IRS business units, TIGTA, and CSIRC) are performing either no reviews or limited reviews of user and system activity on modernized systems, as recorded in the systems’ audit trails.  As a result, possible UNAX violations, other inappropriate accesses, or security intrusions may be occurring without being identified.

An underlying reason for the lack of reviews is inadequate requirements for the SAAS, which are used to identify features and capabilities for the System.  SAAS requirements have not been adequately identified because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System, which is currently used by the TIGTA to identify potential UNAX violations on the Integrated Data Retrieval System (IDRS).[14]  The replacement of the Audit Trail Lead Analysis System has been a TIGTA and IRS priority because the System is aging.  Until all SAAS users emphasize the need to review modernized system audit trails, sufficient priority will not be given to the development of SAAS audit trails.

Our results indicate the problems with the SAAS we reported[15] in August 2004 have not been adequately addressed despite claims by the IRS that the SAAS has been functioning.  In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.”  In August 2005, we again reported[16] problems with the SAAS.  In their response to that report, IRS management disagreed with our conclusion that audit trails for IRS modernized systems were not functioning.  IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports.

IRS business units and the TIGTA are not reviewing user activity on modernized systems

The IRS business units and the TIGTA are not reviewing SAAS user audit trails, which document a user’s actions on modernized systems.  Specifically:

  • IRS bus