IRS' modernization needs better tracking, IG says

IG report on tracking audit trails

The Internal Revenue Service does a poor job of monitoring audit trails for the computers supporting its Business Systems Modernization project, according to an inspector general report.

The Treasury Inspector General for Tax Administration said the IRS is not checking audit trails on the Customer Account Data Engine because only a limited number of users have permission to access the system. The IG expects CADE’s workload to increase from processing 1.4 million returns in 2005 to processing 135 million in 2012, according to the Sept. 29 report.

CADE currently stores a small number of taxpayer records, and only 39 IRS and IG employees and contractors have access to the information.

“However, these users have powerful access privileges, which could enable them to steal taxpayer information and take action to disrupt computer operations with little chance of detection,” the report states.

Audit trails for all other modernized systems are stored centrally and reviewed in the Security Audit and Analysis System. But SAAS’ information is in accurate or unreliable, the IG reports.

“We reviewed over 3 million audit trail records and found 48 percent of the places for data required by IRS policy were missing data or contained inaccurate information,” the IG report states.

Moreover, SAAS’ reports are unavailable for reviewing system usage, which blocks the IRS and the IG from monitoring user activities. It is unlikely SAAS users could identify inappropriate use on modernized systems, the report states.

The IG recommends that the chief of Mission Assurance and Security Services create a review process for CADE audit trails and make sure it is used. The chief should also reassess SAAS’ requirements to make sure collected data is valid, according to the report.

For SAAS, the chief information officer should change system audit trails to comply with standards and capture the correct information.