IRS Information Systems:

Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information

AIMD-93-34: Published: Sep 22, 1993. Publicly Released: Sep 22, 1993.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov


GAO reviewed the Internal Revenue Service's (IRS) computerized information system controls as part of its audit of IRS fiscal year 1992 financial statements.

GAO found that: (1) IRS does not adequately restrict access to taxpayer data to those computer support staff who need it and does not adequately monitor the activities of employees who are authorized to read and change taxpayer files; (2) there are no adequate controls to ensure that IRS uses only authorized versions of its computer programs; (3) unauthorized software changes could impair the reliability of all data processed, result in costly processing errors and destruction of programs and data, and hinder prevention and detection of fraudulent acts; (4) IRS' ability to maintain taxpayer accounts during an interruption in operations may be impeded because the capacity of the computers at its backup site is not adequate to run all of the critical applications at the same time; and (5) IRS has not tested the effectiveness of its revised disaster recovery plan.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: IRS implemented the Electronic Audit Research Log (EARL) for reviewing user activity on the Integrated Data Retrieval System (IDRS), which is used for accessing and adjusting taxpayer accounts. EARL allows IRS managers to review IDRS audit trails of users to identify potential inappropriate accesses to taxpayer information. The Chief Information Officer and the Regional Commissioners receive regular briefings on the project's progress from the project manager. However, the audit trails provided by EARL are too voluminous for IRS managers to use as an effective tool for identifying inappropriate accesses. The limited functionality of the EARL system does not provide for automated searches of the audit trails. As a result, IRS managers must manually search the audit trails EARL provides.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to monitor efforts to develop a computerized capability for reviewing Integrated Data Retrieval System user access activity to ensure that it is effectively implemented.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: IRS has revised its Law Enforcement Manual II(10)71, the "IDRS Security Handbook," to require regular management review of the IDRS security officer activity, which includes unit security representatives. In addition, the annual Service-wide Operating Plan included a requirement for management reviews of IDRS security officer activity.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to establish procedures for reviewing the access activity of unit security representatives.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Not Implemented

    Comments: IRS has implemented some of the recommended security features at the Martinsburg Computing Center. According to IRS officials, it is implementing these features in Philadelphia. Work in the next fiscal year is planned in Philadelphia. This will include an assessment of the status of this recommendation. Computer security at Martinsburg and other facilities was discussed in AIMD-97-49, and AIMD is using this vehicle to follow up on those recommendations.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to use the security features available in the Martinsburg Computing Center (MCC) and Philadelphia Service Center (PSC) operating system software to enhance system and data integrity, especially regarding controls over tapes containing taxpayer data.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Not Implemented

    Comments: Computer security issues at Martinsburg were discussed in AIMD-97-49, and AIMD has determined that this recommendation has not been implemented.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to require that programs developed and modified at IRS headquarters be controlled by a program librarian responsible for: (1) protecting such programs from unauthorized changes, including recording the time, date, and programmer for all software changes; and (2) archiving previous versions of programs.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: IRS revised its "Internal Revenue Manual 2600," "Systems Testing Branch Procedures," to include the requirement that all computer program modifications be considered for independent quality assurance review.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to establish procedures requiring that all computer program modifications be considered for independent quality assurance review.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Implemented

    Comments: IRS completed a formal analysis of its Martinsburg Computer Center (MCC) and Detroit Computer Center (DCC) computer applications to identify the mission-critical applications (MCA) necessary for the continuity of IRS operations following a contingency or disaster. As a result of the analysis, IRS found that the originally approved list of MCAs has changed. One MCA was added to the list for MCC recovery; and one was deleted and two were added to the list for DCC recovery. On January 28, 1994, the Chief Information Officer approved the updated list of MCAs for the Martinsburg and Detroit Computer Centers' disaster recovery plans.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to formally analyze MCC computer applications to ensure that critical applications have been properly identified for purposes of disaster recovery.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: The original IRS plan to test its disaster recovery plan before the end of 1993 was delayed because IRS lacked sufficient recovery resources. In April 1994, IRS executed an interagency agreement with the General Services Administration to provide commercial hotsite recovery services for the Martinsburg and Detroit Computing Centers. IRS conducted the test of the disaster recovery plan at the commercial site in 1994 and in 1995. Testing of disaster recovery at the service centers has been limited. GAO will continue to evaluate this area as part of its IRS security review.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to test the disaster recovery plan prior to the end of 1993, as planned.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: IRS' National Office Systems Control Point task force recommended an action plan for updating guidelines for the control of locally developed software programs and applications. The task force developed a handbook that contains (1) the detailed requirements that are now included in "Internal Revenue Manual 2780," "Systems Control," and (2) the four current National Office Standard Operating Procedures. IRS has also required that these practices be monitored through the use of the annual Readiness Reviews. In the 1995 readiness review guidelines, IRS has included various questions and testing of software change controls to ensure compliance with IRM 2780 and the standard operating procedures. GAO will continue to evaluate this area as part of its IRS security review.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to monitor service center practices regarding the development, documentation, and modification of locally developed software to ensure that such software use is adequately controlled.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Not Implemented

    Comments: GAO's review at PSC in 2002 showed that IRS has not implemented sufficient controls to ensure that only users who need access to sensitive facilities have access.

    Recommendation: The Commissioner of Internal Revenue should direct the Director, PSC, to review the current card key access system to ensure that only users who need access to the facilities protected by the system have access and that authorized users each have only one unique card key.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: IRS revised its "Internal Revenue Manual" to strengthen the instructions that limit access levels and privileges and strengthen management's review of access controls and computer access activity. IRS issued guidelines to all field offices reinforcing management's responsibility to review and approve employees' access from demand terminals. All regions are completing a review of all user profiles and are planning to review on a yearly basis. GAO believes that more action is needed to sufficiently control access activity. GAO is reviewing computer access in general as part of its IRS security review.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to limit access authorizations for individual employees to only those computer programs and data needed to perform their duties and periodically review these authorizations to ensure that they remain appropriate.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Closed - Implemented

    Comments: IRS implemented locking devices on systems console terminals, but this method caused extensive system problems. As a result, IRS pursued two other software solutions. It purchased security software to provide access control, and developed (in-house) a console security software product to provide console access control. Both solutions were fully implemented by late 1994.

    Recommendation: The Commissioner of Internal Revenue should direct the Director, PSC, to establish physical controls to protect computers with access to sensitive data that are not protected by software access controls.

    Agency Affected: Department of the Treasury: Internal Revenue Service
