IRS unauthorized access audits deficient, finds TIGTA

Despite required, annual unauthorized access training at the Internal Revenue Service, the Treasury Inspector General for Tax Administration investigates approximately 400 access violations per year. Tracking down violations is difficult due to the agency's deficient security audit and analysis system, finds a Sept. 20 TIGTA report (.pdf), which wasn't released publicly until Nov. 6.

"Investigations may be difficult or impossible to accomplish" using the current system, write report authors.

The system serves as IRS's enterprise solution to address audit trail weaknesses, but audit trail data is incomplete and inconsistent. Trail logs were also missing some auditable events and related data elements.

As part of the audit, TIGTA observed unauthorized users accessing IRS systems. Not only did the auditing system fail to record all events and data elements, but variable fields contained long strings of useless information, and timestamps were inconsistent.

The agency mandates an authoritative time server be used to properly sequence transactions recorded in audit trails.

"However, the IRS policy is vague, and the IRS has been unable to provide detailed procedures regarding how this policy is supposed to be implemented," write report authors.

What's more, agency personnel were unable to tell auditors the proper time zone for the timestamp or the authoritative time server, according to the report.

Insufficient audit trail data hinders investigations of unauthorized access to taxpayer information and IRS management's ability to enforce access policies, says TIGTA. The agency also shouldn't rely on the inadequate system to address the computer security material weakness related to audit trails until the system is improved to capture key audit trail data, write report authors.

TIGTA recommends the enterprise security audit trail office improve processes to test audit trail data, update the audit plan templates to identify the location of information on audit log testing and stakeholder comments, and clarify timestamp procedures and make them readily available to application owners.

The IRS agreed with auditors' recommendation that it improve processes to test audit trail data, but did not agree that validation should be completed before final office approval of audit plans, that templates should be updated or that timestamp guidance needs revision.

For more:
- download the report, 2012-20-099 (.pdf)
