TREASURY
INSPECTOR GENERAL FOR TAX ADMINISTRATION
Improvements Are Needed to
Ensure the Use of Modernization Applications Is Effectively Audited
September 29, 2006
Reference Number: 2006-20-177
This
report has cleared the Treasury Inspector General for Tax Administration
disclosure review process and information determined to be restricted from
public release has been redacted from this document.
Phone Number |
202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site |
http://www.tigta.gov
September 29, 2006
MEMORANDUM
FOR
CHIEF INFORMATION OFFICER
CHIEF,
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited (Audit # 200620003)
This report presents the results of our review to determine whether the Internal Revenue Service’s (IRS) modernized systems generate audit logs that are saved and analyzed to detect unauthorized accesses to modernization applications.
Impact on the Taxpayer
Audit trails[1] for the IRS’ modernized systems are not being adequately collected, reviewed, or retained. Consequently, unauthorized access and theft of taxpayer records may be occurring without being detected, possibly resulting in theft of taxpayer identities. In addition, fraudulent transactions and intrusions on IRS systems used to administer tax laws could go undetected.
Synopsis
The IRS has two approaches for collecting audit trails for the computers supporting its Business Systems Modernization effort. Audit trails for the Customer Account Data Engine (CADE)[2] are stored internally. Audit trails for all other modernized systems are stored centrally and reviewed in the Security Audit and Analysis System (SAAS). Neither approach is working effectively.
The IRS is not monitoring audit trails on the CADE. While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years. This will place added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE. We believe CADE transactions are not reviewed because only a limited number of users have permission to access the system. However, these users have powerful access privileges, which could enable them to steal taxpayer information and take action to disrupt computer operations with little chance of detection.
The SAAS audit trails of user and system activities on modernized systems are not being adequately monitored. User activity audit trails on modernized systems are not being reviewed by the IRS business units and the Treasury Inspector General for Tax Administration (TIGTA) for two reasons. First, while audit trail data are being collected by the SAAS, the data are not accurate, reliable, and complete. We reviewed over 3 million audit trail records and found 48 percent of the places for data required by IRS policy were missing data or contained inaccurate information. Second, even if the SAAS audit trails were usable, reports and functions for reviewing them are not yet available, making it unlikely SAAS users could identify inappropriate activity on modernized systems.
System activity audit trails are not being adequately
reviewed by the
The underlying reason why audit trails on the SAAS are not adequately reviewed is the inadequacy of SAAS system requirements, which are used to identify the System’s features and capabilities. Although the IRS accepted the SAAS in Fiscal Year 2002, the system requirements are still inadequate because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System.[4] This replacement has been a TIGTA and IRS priority because the System is aging. However, until all SAAS users emphasize the need to review audit trail data on modernized systems, sufficient priority will not be given to the development of SAAS audit trails.
Our results indicate the problems with the SAAS we reported[5] in August 2004 have not been adequately addressed, despite claims by the IRS that the SAAS has been functioning. In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.” We again reported[6] problems with the SAAS in August 2005. In its response to that report, the IRS disagreed with our conclusion that audit trails for IRS modernized systems were not functioning. IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports.
Recommendations
We recommended the Chief, Mission Assurance and Security
Services (MA&SS), establish a review process for CADE audit trails and
ensure they are retained. For the SAAS,
the Chief Information Officer should modify modernized system audit trails to
comply with SAAS standards and capture information needed by user
organizations. In addition, the Chief, MA&SS,
should reassess the user and system requirements for the SAAS, including the
control weaknesses identified in this report, and ensure the requirements are
assigned a completion date. Once this is
complete, SAAS procedures and processes
should be reevaluated to ensure the new SAAS requirements are incorporated.
Response
The IRS agreed with our findings and recommendations. The MA&SS organization will establish an
enterprise process for reviewing the audit trails of all IRS legacy (current) and
modernized applications and systems, including CADE audit trails. In addition, it will establish, in
conjunction with the Chief Information Officer, a viable retention policy for
CADE audit trails that is consistent with established IRS policies. For the SAAS, the MA&SS organization will
reassess the requirements for SAAS audit trails, including identifying all user
requirements and the resulting SAAS system requirements needed to achieve
them. The IRS will provide a Project Plan
that includes development of change requests for modification of modernized applications
to provide audit trail data to, and in the correct format for, the SAAS based
on the reassessed SAAS requirements. The
Plan will include expected implementation dates for each modernization application
and will be based on funding and resource availability. Once SAAS requirements are reassessed, the MA&SS
organization will establish procedures to ensure audit trails are properly
reviewed and will assign staff to monitor failed audit trail records. Management’s
complete response to the draft report is included as Appendix V.
Office of Audit Comment
The IRS provided an implementation date of October 2008 for its corrective action addressing our recommendation to modify modernized system audit trails to comply with SAAS standards and capture information needed by user organizations. We recognize the difficult task the IRS faces in modifying modernized system audit trails to provide usable information, given their current state. However, this implementation date will leave the IRS without usable audit trails for more than 2 years. With this response, the IRS is accepting the risk that unauthorized access to taxpayer information on modernized systems may occur and not be detected.
Copies of
this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202)
622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General
for Audit (Information Systems Programs), at (202) 622-8510.
Customer Account Data
Engine Audit Trails Are Not Being Adequately Monitored
Security Audit and
Analysis System Audit Trails Are Not Being Adequately Monitored
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
IV – Additional Information on the Security Audit and Analysis System Audit
Trail
Appendix V
– Management’s Response to the Draft Report
Abbreviations
|
CADE |
Customer Account Data
Engine |
|
CSIRC |
Computer Security Incident
Response Center |
|
IDRS |
Integrated Data Retrieval
System |
|
I-EIN |
Internet Employer
Identification Number |
|
IFS |
Integrated Financial System |
|
IRFOF |
Internet Refund/Fact of
Filing |
|
IRS |
Internal Revenue Service |
|
MA&SS |
Mission Assurance and
Security Services |
|
MeF |
Modernized e-File |
|
SAAS |
Security Audit and Analysis
System |
|
TIGTA |
Treasury Inspector General
for Tax Administration |
|
UNAX |
Unauthorized accesses and
inspections of taxpayer records |
An audit
trail is a chronological record of system activities that allows for the
reconstruction, review, and examination of a transaction.
Internal
Revenue Service (IRS) procedures state that each of the IRS’ computer
systems is required to collect and maintain adequate audit trail information
and that this information is to be timely reviewed. An audit trail is defined as a chronological record of system activities
that allows for the reconstruction, review, and examination of a transaction
from inception to final results. Audit
trails can also be used to diagnose computer problems because they capture all user and system activities
associated with a transaction and provide documentation that identifies what
has been done.
The National
Institute of Standards and Technology[7] states that audit trails can provide a means
to help accomplish several security-related objectives, including:
·
Individual
accountability – Enables managers to identify and provide information about
users suspected of improper modification of data (e.g., introducing errors into
a database).
·
Reconstruction
of events – Assesses damage to a system by pinpointing how, when, and why
normal operations ceased.
·
Intrusion
detection – Identifies attempts to penetrate a system and gain unauthorized
access.
·
Problem
analysis – Provides online tools to help identify problems other than
intrusions as they occur.[8]
For the IRS, audit trails on modernized systems are also needed to detect unauthorized access attempts, successful accesses of its most critical information, and attacks on its systems. In particular, audit trails are used to identify willful unauthorized accesses and inspections of taxpayer records (UNAX). Identifying UNAX violations became more important with the passage of the Taxpayer Browsing Protection Act of 1997,[9] which states the willful unauthorized access or inspection of taxpayer records is a crime punishable upon conviction by fines, prison terms, and termination of employment.
In addition to identifying UNAX violations, audit trails can be used to identify whether IRS financial information and transactions have been compromised. Such compromise could result in corruption of financial data and limit the IRS’ ability to conduct business. Compromise of financial information could also result in fraudulent transactions, such as unauthorized payments.
However, none of these events can be detected
if audit trails have not been designed to capture key information and are not
retained for a sufficient period of time.
Also, management must have a formal process for reviewing audit trail
reports to effectively respond to system events.
The IRS has two approaches for collecting audit
trails for the computers supporting its Business Systems Modernization
effort. For the Customer
Account Data Engine (CADE), audit trails are stored internally in
the system’s database. The CADE is the
foundation for managing taxpayer accounts in the IRS’ Business Systems
Modernization effort and will eventually house taxpayer accounts and tax return
data for more than 135 million individual and business taxpayers. The CADE will incrementally replace the existing
IRS Master File.[10] The current release of the CADE processes
selected data for over 1.4 million single filers with no dependents who filed
an Income Tax Return for Single Filers and Joint Filers With No Dependents
(Form 1040EZ) in Calendar Year 2005.
Audit trails for all other modernized systems are centralized in the Security Audit and Analysis System (SAAS). See Appendix IV for a list of these systems. The SAAS was initially built by the IRS’ PRIME contractor as part of the Business Systems Modernization effort and was accepted by the IRS in 2002. The SAAS is designed to gather user and system audit trail information from these systems and store this information in a central database that should be accessed and used by the following customers:
This review was performed in the Mission Assurance and Security Services (MA&SS)
organization and the Modernization and Information Technology Services
organization, at the
The IRS is not adequately collecting, reviewing, or retaining audit trail data from its modernized systems. Without adequate processes in these areas, unauthorized accesses or security intrusions could be occurring without being detected.
Customer Account Data Engine Audit Trails Are Not Being Adequately Monitored
The IRS is properly monitoring audit trails to identify attempts by unauthorized persons to access the CADE, and any security violations noted are sent to appropriate management officials for review and certification. However, once a user is authorized to access the CADE, his or her actions are not monitored. The lack of monitoring provides no assurance that an authorized user is accessing CADE data for official business purposes only.
While the CADE currently stores and processes only a small fraction of all taxpayer returns, its workload is expected to greatly increase in the next few years, as shown in Table 1. This growth places added importance on the IRS’ ability to monitor accesses to the sensitive taxpayer records stored in the CADE. If the IRS cannot review audit trail information for the current volume of returns, its ability to adequately and effectively review audit trails will diminish when the volume increases in future years.
Table 1: Estimated Number of Returns to Be Processed by
the CADE
|
Year |
Estimated Number of Returns |
Year |
Estimated Number of Returns |
|
2005 |
1,423,417 (Actual) |
2009 |
70 million |
|
2006 |
4 million |
2010 |
90 million |
|
2007 |
33 million |
2011 |
100 million |
|
2008 |
50 million |
2012 |
135 million |
Source: Customer Relationship
Management Executive Steering Committee, approved
October 18, 2005.
The IRS has not emphasized the need to monitor audit trails on the CADE because it is updated primarily through input of data from other IRS systems. Consequently, only a limited number of users have direct access to the CADE application. The CADE is currently accessible by only 39 persons including IRS computer personnel, contractors, and TIGTA personnel. However, these users have powerful access privileges that could enable them to steal taxpayer information with little chance of detection. By not reviewing user transactions in the CADE’s audit trails, the IRS cannot be assured that security violations are not occurring.
Also, CADE audit trails are not being sufficiently retained. Currently, audit trails are retained for 30 calendar days, a retention period based on available storage space. In comparison, SAAS audit trail data are required to be retained for 6 years.
We previously identified the CADE audit trail review and retention issues in our August 2005 report,[13] but at that time, CADE audit trails were retained for only 1 to 2 calendar days and were not being reviewed. We recommended CADE audit trail data be retained and reviewed to detect unauthorized accesses. The IRS disagreed with this recommendation, stating that log and audit files used by CADE system programmers are established for recovery and diagnostic purposes and do not capture data related to unauthorized access. In response, we commented that we continue to believe audit trail information for the CADE should be retained and reviewed. The CADE contains tax information for over 1.4 million returns that could be accessed by some IRS employees for unauthorized purposes, potentially resulting in identity thefts. Therefore, audit trail information must be maintained to comply with Department of the Treasury requirements.
Recommendations
Recommendation 1: To ensure CADE audit trails are reviewed, the Chief, MA&SS, should establish a review process for CADE audit trails. Such a process will aid in current reviews and position the IRS to perform future reviews when the amount of taxpayer information residing in the CADE is significantly larger.
Management’s Response: IRS management agreed with this recommendation. The MA&SS organization will establish an enterprise process for reviewing the audit trails of all IRS legacy (current) and modernized applications and systems, including CADE audit trails.
Recommendation 2: To ensure CADE audit trails are sufficiently retained, the Chief, MA&SS, and the Chief Information Officer should establish a viable retention policy for CADE audit trails, mirroring, where possible, that of other systems with taxpayer information.
Management’s
Response: IRS management agreed with this
recommendation. The
MA&SS organization, in conjunction with the Chief Information Officer, will
establish a viable retention policy for CADE audit trails that is consistent
with established IRS policies governing records management and retention
standards for systems with taxpayer information.
Security Audit and Analysis System Audit Trails Are Not Being Adequately Monitored
The three primary users of the SAAS (the IRS business units, TIGTA, and CSIRC) are performing either no reviews or limited reviews of user and system activity on modernized systems, as recorded in the systems’ audit trails. As a result, possible UNAX violations, other inappropriate accesses, or security intrusions may be occurring without being identified.
An underlying reason for the lack of reviews is inadequate requirements for the SAAS, which are used to identify features and capabilities for the System. SAAS requirements have not been adequately identified because much of the SAAS development effort to date has been focused on replacement of the Audit Trail Lead Analysis System, which is currently used by the TIGTA to identify potential UNAX violations on the Integrated Data Retrieval System (IDRS).[14] The replacement of the Audit Trail Lead Analysis System has been a TIGTA and IRS priority because the System is aging. Until all SAAS users emphasize the need to review modernized system audit trails, sufficient priority will not be given to the development of SAAS audit trails.
Our results indicate the problems with the SAAS we reported[15] in August 2004 have not been adequately addressed despite claims by the IRS that the SAAS has been functioning. In April 2005, the IRS responded to questions from the Senate Appropriations Committee that the “SAAS is effectively managing audit trail data for modernization systems.” In August 2005, we again reported[16] problems with the SAAS. In their response to that report, IRS management disagreed with our conclusion that audit trails for IRS modernized systems were not functioning. IRS management explained the SAAS receives and processes audit trail transactions daily from several modernization applications and the data could be accessed through queries or reports.
IRS business units and the TIGTA are not reviewing user activity on modernized systems
The IRS business units and the TIGTA are not reviewing SAAS user audit trails, which document a user’s actions on modernized systems. Specifically: