The Internal Revenue Service in recent years has made many advancements in the online service sector, installing helpful applications to aid individual taxpayers. But a new audit shows that if an unauthorized user manages to get into the system, many times the applications are unable to show investigators where those intruders went.
The audit results come from the Treasury Inspector General for Tax Administration, or TIGTA. This latest audit was a follow-up on a previous study of the audit trail capabilities of online IRS applications.
While TIGTA gives the IRS credit for implementing solutions to address weakness in its audit trail policies, procedures and guidance, this latest study shows more work remains to be done.
“Implemented audit trail solutions are not effective, and the IRS continues to have challenges with ensuring that all applications are providing complete and accurate audit trails for monitoring and identifying unauthorized access and for other investigative purposes,” the Inspector General writes.
What did the TIGTA audit request?
TIGTA’s 27-page report says the IRS couldn’t provide its auditors with an accurate inventory of all the applications that store or process taxpayer data as well as Personally Identifiable Information (PII). Auditors believe such an inventory is critical as a baseline for all applications that need to be monitored for potential unauthorized access.
The report adds that the applications are required to provide audit trail records to an electronic repository that is set up for investigative purposes.
What were the TIGTA audit findings?
The TIGTA audit showed that a total of 67 IRS online applications should be monitored for unauthorized access.
“Of these 67 applications, TIGTA determined that six (9 percent) applications were providing accurate and complete audit trails, 30 (45 percent) applications were providing incomplete and inaccurate audit trails, and 31 (46 percent) applications were not providing any audit trails to the repository,” the report states.
In addition, not all applications with audit trail deficiencies were being tracked and monitored as required. This could allow unresolved deficiencies to persist indefinitely.
What are TIGTA's recommendations?
TIGTA’s audit reports recommends that the Chief Information Officer of the IRS should:
- ensure that a methodology is developed and implemented to identify and annually update the inventory of all applications that store or process taxpayer and Personally Identifiable Information for the purpose of detecting improper cyber activities and to reconstruct events for potential criminal investigations;
- ensure that audit trail deficiencies are properly tracked and monitored as required;
- ensure the internal policy and the Audit Trail Deficiency Memorandum template document clearly and consistently communicate each stakeholder’s responsibilities to ensure that the appropriate actions are taken when security weaknesses have been identified.
In its response, the IRS agreed to properly track audit trail deficiencies, clearly and consistently communicate stakeholders’ responsibilities, and to document process improvements.
However, the agency also said it does not plan to clearly identify which applications use Personally Identifiable Information for purposes of detecting improper activities and to reconstruct events for potential criminal investigations.