IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information

AIMD-93-34 Published: Sep 22, 1993. Publicly Released: Sep 22, 1993.

Highlights

GAO reviewed the Internal Revenue Service's (IRS) computerized information system controls as part of its audit of IRS fiscal year 1992 financial statements.

Recommendations

Recommendations for Executive Action

Each recommendation below is listed with the agency affected, its status, and GAO's comments on the action taken.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to limit access authorizations for individual employees to only those computer programs and data needed to perform their duties and periodically review these authorizations to ensure that they remain appropriate.
Status: Closed – Implemented
Comments: IRS revised its "Internal Revenue Manual" to strengthen the instructions that limit access levels and privileges and strengthen management's review of access controls and computer access activity. IRS issued guidelines to all field offices reinforcing management's responsibility to review and approve employees' access from demand terminals. All regions are completing a review of all user profiles and are planning to review on a yearly basis. GAO believes that more action is needed to sufficiently control access activity. GAO is reviewing computer access in general as part of its IRS security review.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to monitor efforts to develop a computerized capability for reviewing Integrated Data Retrieval System user access activity to ensure that it is effectively implemented.
Status: Closed – Implemented
Comments: IRS implemented the Electronic Audit Research Log (EARL) for reviewing user activity on the Integrated Data Retrieval System (IDRS), which is used for accessing and adjusting taxpayer accounts. EARL allows IRS managers to review IDRS audit trails of users to identify potential inappropriate accesses to taxpayer information. The Chief Information Officer and the Regional Commissioners receive regular briefings on the project's progress reports provided by the project manager. However, the audit trails provided by EARL are too voluminous for IRS managers to use as an effective tool for identifying inappropriate accesses. The limited functionality of the EARL system does not provide for...

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to establish procedures for reviewing the access activity of unit security representatives.
Status: Closed – Implemented
Comments: IRS has revised its Law Enforcement Manual II(10)71, the "IDRS Security Handbook," to require regular management review of the IDRS security officer activity, which includes unit security representatives. In addition, the annual Service-wide Operating Plan included a requirement for management reviews of IDRS security officer activity.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to use the security features available in the Martinsburg Computing Center (MCC) and Philadelphia Service Center (PSC) operating system software to enhance system and data integrity, especially regarding controls over tapes containing taxpayer data.
Status: Closed – Not Implemented
Comments: IRS has implemented some of the recommended security features at the Martinsburg Computing Center. According to IRS officials, it is implementing these features in Philadelphia. Work in the next fiscal year is planned in Philadelphia. This will include an assessment of the status of this recommendation. Computer security at Martinsburg and other facilities was discussed in AIMD-97-49, and AIMD is using this vehicle to follow up on those recommendations.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to require that programs developed and modified at IRS headquarters be controlled by a program librarian responsible for: (1) protecting such programs from unauthorized changes, including recording the time, date, and programmer for all software changes; and (2) archiving previous versions of programs.
Status: Closed – Not Implemented
Comments: Computer security issues at Martinsburg were discussed in AIMD-97-49, and AIMD has determined that this recommendation has not been implemented.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to establish procedures requiring that all computer program modifications be considered for independent quality assurance review.
Status: Closed – Implemented
Comments: IRS revised its "Internal Revenue Manual 2600," "Systems Testing Branch Procedures," to include the requirement that all computer program modifications be considered for independent quality assurance review.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to formally analyze MCC computer applications to ensure that critical applications have been properly identified for purposes of disaster recovery.
Status: Closed – Implemented
Comments: IRS completed a formal analysis of its Martinsburg Computer Center (MCC) and Detroit Computer Center (DCC) computer applications to identify the mission-critical applications (MCA) necessary for the continuity of IRS operations following a contingency or disaster. As a result of the analysis, IRS found that the originally approved list of MCAs has changed. One MCA was added to the list for MCC recovery; and one was deleted and two were added to the list for DCC recovery. On January 28, 1994, the Chief Information Officer approved the updated list of MCAs for the Martinsburg and Detroit Computer Centers' disaster recovery plans.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to test the disaster recovery plan prior to the end of 1993, as planned.
Status: Closed – Implemented
Comments: The original IRS plan to test its disaster recovery plan before the end of 1993 was delayed because IRS lacked sufficient recovery resources. In April 1994, IRS executed an interagency agreement with the General Services Administration to provide commercial hotsite recovery services for the Martinsburg and Detroit Computing Centers. IRS conducted the test of the disaster recovery plan at the commercial site in 1994 and in 1995. Testing of disaster recovery at the service centers has been limited. GAO will continue to evaluate this area as part of its IRS security review.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer and the regional commissioners, as appropriate, to monitor service center practices regarding the development, documentation, and modification of locally developed software to ensure that such software use is adequately controlled.
Status: Closed – Implemented
Comments: IRS' National Office Systems Control Point task force recommended an action plan for updating guidelines for the control of locally developed software programs and applications. The task force developed a handbook that contains (1) the detailed requirements that are now included in "Internal Revenue Manual 2780," "Systems Control," and (2) the four current National Office Standard Operating Procedures. IRS has also required that these practices be monitored through the use of the annual Readiness Reviews. In the 1995 readiness review guidelines, IRS has included various questions and testing of software change controls to ensure compliance with the IRM 2780, and the standard operating...

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Director, PSC, to review the current card key access system to ensure that only users who need access to the facilities protected by the system have access and that authorized users each have only one unique card key.
Status: Closed – Not Implemented
Comments: GAO's review at PSC in 2002 showed that IRS has not implemented sufficient controls to ensure that only users who need access to sensitive facilities have access.

Agency affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Director, PSC, to establish physical controls to protect computers with access to sensitive data that are not protected by software access controls.
Status: Closed – Implemented
Comments: IRS implemented locking devices on systems console terminals, but this method caused extensive system problems. As a result, IRS pursued two other software solutions. It purchased security software to provide access control, and developed (in-house) a console security software product to provide console access control. Both solutions were fully implemented by late 1994.
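The first two recommendations (least-privilege access authorizations with periodic review, and an audit-trail review capability that is not "too voluminous" to use) can be approached as an exception report. The following is an added example and not IRS or GAO code; the authorization list, the audit record layout, and the business-hours rule are all constructed assumptions rather than IDRS or EARL formats.

```python
"""Added example, not from the GAO report: condense a voluminous user-access
audit trail into an exception report and list authorizations that went unused.
Record and authorization formats are constructed here, not IRS formats."""
from collections import defaultdict
from datetime import datetime

# Constructed authorizations: user -> account-number prefixes they may work.
AUTHORIZATIONS = {
    "emp01": {"10", "11"},
    "emp02": {"20"},
    "usr01": {"10", "11", "20"},  # security representative with broad access
}
# Constructed audit trail records: (timestamp, user, account, action).
AUDIT_TRAIL = [
    ("1993-09-01T09:00", "emp01", "1000123", "VIEW"),
    ("1993-09-01T09:05", "emp01", "1100456", "ADJUST"),
    ("1993-09-01T09:07", "emp01", "2000789", "VIEW"),    # outside emp01's scope
    ("1993-09-01T10:00", "emp02", "2000789", "VIEW"),
    ("1993-09-01T22:30", "emp02", "2000111", "ADJUST"),  # after hours
    ("1993-09-01T11:00", "usr01", "3000222", "VIEW"),    # outside even broad scope
    ("1993-09-01T11:01", "nobody", "1000123", "VIEW"),   # user with no profile
]

def is_authorized(user, account):
    """Least-privilege check: account must fall within the user's prefixes."""
    return any(account.startswith(p) for p in AUTHORIZATIONS.get(user, ()))

def exception_report(records, business_hours=(7, 18)):
    """Keep only records a manager must look at, grouped by user: access outside
    authorization, or activity outside business hours (assumed local policy)."""
    findings = defaultdict(list)
    for ts, user, account, action in records:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M").hour
        reasons = []
        if not is_authorized(user, account):
            reasons.append("outside authorization")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("after hours")
        if reasons:
            findings[user].append((ts, account, action, "; ".join(reasons)))
    return dict(findings)

def unused_authorizations(records, authorizations=AUTHORIZATIONS):
    """Periodic-review aid: prefixes a user holds but never used in the period
    are candidates for removal."""
    used = defaultdict(set)
    for _, user, account, _ in records:
        used[user].update(p for p in authorizations.get(user, ()) if account.startswith(p))
    return {u: sorted(ps - used[u]) for u, ps in authorizations.items() if ps - used[u]}
```

On the seven constructed records the report shrinks to four entries, and the review aid shows that usr01's broad profile was never exercised, which is the kind of finding a yearly profile review is meant to surface.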

GAO Contacts

Robert (Bob) Dacey
Chief Accountant
Applied Research and Methods

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer backups, Computer security, Confidential communications, Disaster recovery, Fraud, Information systems, Internal controls, Management information systems, Records management, Software