Report: IRS can't access security data

"The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning"

An Internal Revenue Service database that collects information but cannot deliver it to users raises questions about the tax agency's modernization plans, according to a recent audit by the Treasury Inspector General for Tax Administration.

As the IRS finally brings modern systems online — including the Customer Account Data Engine, the Integrated Financial System and the Custodial Accounting Project — the lack of an effective audit trail review would "be a significant security weakness that should weight significantly on whether to accredit future modernization applications," the report states.

The Security Audit and Analysis System (SAAS) is intended to replace the current system that keeps track of when IRS financial data is accessed — a necessary tool for fending off hacker attacks or detecting unauthorized internal access.

But even though the audit database can collect records, bad software performance and functionality problems prevent users from querying the information and generating reports, according to the inspector general. As a result, IRS business units can't use the system to identify possibly malicious actions aimed at updated applications, according to auditors.

Since its delivery in November 2002 by Computer Sciences Corp., the security analysis system has collected audit trail information for the IRS' e-Services and Internet Refund Fact of Filing applications. Both initiatives are part of the agency's $10 billion upgrade of its tax-processing technology.

Auditors charge that agency officials knowingly accepted a defective product — an allegation that Daniel Galik, the IRS' chief of mission assurance, disputes in the agency's official response. "The SAAS met all defined requirements and passed all tests," he wrote.

Citing security concerns, CSC officials declined to comment on the report.

Treasury Department officials also state that problems with the audit system went undetected for almost a year because the IRS' Computer Security Incident Response Center never wrote a help-desk ticket describing the database's defects. The center is responsible for thwarting hacker intrusions into IRS networks, but "apparently, the [center] has not been using the SAAS since the November 2002 system delivery date," the report states.

The IRS will spend $776,000 through the next fiscal year on labor and maintenance for the legacy audit system, according to the report. However, IRS officials said steps are under way to correct the database's failures.

Testing of audit trails from updated applications were set to begin this month, and functioning logs will be online by October, according to agency officials.

"Early tests look as if they're on track for completion," said Peggy Begg, assistant inspector general for audit.

Officials said they are establishing internal ownership over the audit trails to ensure that data is reviewed. Periodic compliance reviews will start in March 2005, they said.

IRS officials rejected the auditors' recommendation that the agency develop full-fledged alternatives to the security audit system in case delays continue with the database. Agency officials are committed "to ensuring that SAAS supports the business and security requirements for sensitive systems," the agency's written response states.