The IRS continues to have challenges protecting taxpayer data, and especially ensuring that its various applications provide complete and accurate audit trails, according to the Treasury Inspector General for Tax Administration (TIGTA). TIGTA issued a report that highlights IRS shortcomings and challenges, titled Most Internal Revenue Service Applications Do Not Have Sufficient Audit Trails to Detect Unauthorized Access to Sensitive Information (TIGTA Rep’t No. 2020-20-033).
The new report is an update of a 2015 TIGTA audit that found similar issues with the IRS’s protection of taxpayer data. Audit trails have been a challenge for the IRS since at least 1997, and while the Service has made some progress in implementing solutions to address audit trail problems, TIGTA says the solutions are not effective.
In the report, TIGTA found the IRS could not provide an accurate inventory of all applications that store or process taxpayer data and personally identifiable information (PII), which refers to taxpayer, financial, or employee information that identifies a taxpayer or entity. This inventory is critical as a baseline for all applications that need to be monitored for potential unauthorized access by employees and cybercriminals. These applications are required to provide audit trail records to a repository used for investigations.
During the audit, TIGTA determined that the IRS had 67 applications that should have been monitored for unauthorized access, but only six applications (9%) were providing accurate and complete audit trails, 30 (45%) were providing incomplete and inaccurate audit trails, and 31 (46%) were not providing any audit trails.
TIGTA also found that not all applications with audit trail deficiencies were being tracked and monitored as required, allowing unresolved deficiencies to persist. TIGTA also concluded that inconsistencies between internal policy and the Audit Trail Deficiency Memorandum may contribute to the untimely documentation of planned corrective actions for information technology security weaknesses identified by internal or external evaluations.
TIGTA made five recommendations for improvement, four of which the IRS agreed with and one of which it partially agreed with.
Recommendation No. 1: TIGTA recommended that the IRS’s chief information officer (CIO) ensure that the Cybersecurity function, the Privacy, Governmental Liaison, and Disclosure office, and application owners develop and implement a method to update, at least annually, the inventory of IRS applications that store and process taxpayer and PII data, so that the IRS can detect unauthorized access and can reconstruct any cybersecurity breaches for referral to the IRS Criminal Investigation unit. TIGTA also recommended that these applications’ audit trail records be included in the Security Audit and Analysis System (SAAS).
The IRS partially agreed with this recommendation because it is currently replacing the SAAS, but promised to audit and track the records in a new centralized system. It agreed to have the Cybersecurity office partner with the Privacy, Governmental Liaison, and Disclosure office to revise the current Privacy Impact Management System to better identify applications that store, process, or transact federal tax information to detect improper cyber access and enable criminal prosecution if needed. It agreed to do this at least annually.
Recommendation No. 2: TIGTA recommended that the CIO should obtain a list of the 13 IRS applications that refer to obsolete Internal Revenue Manual (IRM) sections, correct the reference to reflect current policy, conduct revalidations against a list of auditable events, and issue Audit Trail Deficiency Memorandums to application owners at least annually. The IRS agreed with this recommendation.
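The two findings above, that only six of 67 applications sent accurate and complete audit trails to the central repository and that applications should be revalidated against a list of auditable events, amount to a reconciliation exercise: compare the inventory of applications that handle taxpayer data with what actually arrives in the audit repository. The script below is an added example and is not IRS or TIGTA tooling; the application names, the audit records, and the list of required auditable events are constructed placeholders. It goes slightly beyond the report by also flagging individual records that cannot support reconstruction of an access (no actor or no record identified) and applications that report to the repository but are missing from the inventory, which is the inventory-baseline problem the report describes.

```python
"""Audit-trail coverage check: constructed example, not IRS or TIGTA tooling."""
from collections import Counter

# Assumed list of auditable events every monitored application must emit
# (a stand-in for the report's "list of auditable events").
REQUIRED_EVENTS = frozenset({"login", "logout", "failed_login", "record_read", "record_update"})
# Events that touch a data record and must therefore name the record accessed.
RECORD_EVENTS = frozenset({"record_read", "record_update"})

# Constructed inventory of applications that store or process taxpayer data / PII.
INVENTORY = ["app_alpha", "app_beta", "app_gamma", "app_delta"]

# Constructed audit-trail repository contents. Each record names the application,
# the event type, the acting user and (for record events) the record touched.
REPOSITORY = [
    {"app": "app_alpha", "event": "login",         "user": "u1", "record": None},
    {"app": "app_alpha", "event": "record_read",   "user": "u1", "record": "TIN-0001"},
    {"app": "app_alpha", "event": "record_update", "user": "u1", "record": "TIN-0001"},
    {"app": "app_alpha", "event": "failed_login",  "user": "u2", "record": None},
    {"app": "app_alpha", "event": "logout",        "user": "u1", "record": None},
    {"app": "app_beta",  "event": "login",         "user": "u3", "record": None},
    {"app": "app_beta",  "event": "record_read",   "user": "u3", "record": "TIN-0002"},
    {"app": "app_delta", "event": "login",         "user": "u4", "record": None},
    # No actor recorded: the read cannot be attributed to anyone.
    {"app": "app_delta", "event": "record_read",   "user": None, "record": "TIN-0003"},
    {"app": "app_delta", "event": "record_update", "user": "u4", "record": "TIN-0003"},
    {"app": "app_delta", "event": "failed_login",  "user": "u5", "record": None},
    {"app": "app_delta", "event": "logout",        "user": "u4", "record": None},
    # Reports to the repository but is not in the inventory.
    {"app": "app_epsilon", "event": "login",       "user": "u6", "record": None},
]


def record_defects(rec):
    """Reasons a single audit record could not be used to reconstruct an access."""
    defects = []
    if rec.get("event") not in REQUIRED_EVENTS:
        defects.append("unknown event type")
    if not rec.get("user"):
        defects.append("no actor identified")
    if rec.get("event") in RECORD_EVENTS and not rec.get("record"):
        defects.append("record accessed not identified")
    return defects


def classify(inventory, repository, required=REQUIRED_EVENTS):
    """Map each inventoried application to 'complete', 'incomplete' or 'none'.

    'complete' requires every required event type to be present and no
    defective records; any gap or defect makes the trail 'incomplete';
    an application with no records at all is 'none'.
    """
    seen, defects = {}, {}
    for rec in repository:
        app = rec["app"]
        seen.setdefault(app, set()).add(rec["event"])
        for reason in record_defects(rec):
            defects.setdefault(app, []).append((rec["event"], reason))
    result = {}
    for app in inventory:
        events = seen.get(app, set())
        missing = sorted(required - events)
        bad = defects.get(app, [])
        if not events:
            status = "none"
        elif missing or bad:
            status = "incomplete"
        else:
            status = "complete"
        result[app] = {"status": status, "missing_events": missing, "defects": bad}
    return result


def unlisted(inventory, repository):
    """Applications that report to the repository but are absent from the inventory."""
    return sorted({rec["app"] for rec in repository} - set(inventory))


def summarize(classified):
    """Counts and rounded percentages per status, in the report's three categories."""
    counts = Counter(v["status"] for v in classified.values())
    total = len(classified) or 1
    return {s: (counts[s], round(100 * counts[s] / total))
            for s in ("complete", "incomplete", "none")}


if __name__ == "__main__":
    report = classify(INVENTORY, REPOSITORY)
    for app, info in report.items():
        print(app, info["status"], info["missing_events"], info["defects"])
    print("summary:", summarize(report))
    print("not in inventory:", unlisted(INVENTORY, REPOSITORY))
```

The point of the `record_defects` check is that "present in the repository" is not the same as "usable": an access event with no actor or no record identifier looks like coverage but cannot support an investigation, which is why the report distinguishes accurate from merely existing audit trails.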
Recommendation No. 3: TIGTA recommended that the CIO should ensure that application audit trail deficiencies are properly tracked in a Plan of Action and Milestones as required by the Federal Information Security Modernization Act of 2014, IRS procedure, and Office of Management and Budget policy. The IRS agreed with this recommendation.
Recommendation No. 4: TIGTA recommended that the CIO should ensure that the IRM policy and Audit Trail Deficiency Memorandums clearly and consistently communicate each stakeholder’s responsibilities and that actions are taken within 60 days by updating the Plan of Action and Milestones. The IRS agreed with this recommendation and pointed out that its policy complied with the National Institute of Standards and Technology and Treasury audit trail controls.
Recommendation No. 5: The final TIGTA recommendation is a repeat from the 2015 report. It recommended that the IRS modify its standard operating procedure process improvements to ensure that application owners act promptly to create Plans of Action and Milestones when audit trail deficiencies are identified. The IRS also agreed with this recommendation.
— Sally P. Schreiber, J.D., (Sally.Schreiber@aicpa-cima.com) is a JofA senior editor.