The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning

 

August 2004

 

Reference Number:  2004-20-135

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

August 18, 2004

 

 

MEMORANDUM FOR CHIEF, MISSION ASSURANCE

 

FROM:     Gordon C. Milbourn III /s/ Gordon C. Milbourn III

                 Acting Deputy Inspector General for Audit

 

SUBJECT:     Final Audit Report - The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Audit # 200420026)

 

This report represents the results of our review of the Internal Revenue Service’s (IRS) audit trail system for modernized projects.  The overall objective of this review was to assess the availability of audit trail data used to monitor computer activity on the IRS’ modernized systems. 

In summary, the Security Audit and Analysis System (SAAS) represents the IRS’ solution for audit trail collection and review for both modernized computer systems and the Integrated Data Retrieval System.  The PRIME contractor developed the SAAS as part of the IRS’ modernization efforts.  Conceptually, the SAAS is intended to gather audit trail information from IRS systems and store this information in a central database that IRS management, computer incident response team members, and Treasury Inspector General for Tax Administration (TIGTA) investigators could access.  The SAAS is intended to enable these users to generate reports and create custom queries to detect unauthorized activities and facilitate the reconstruction of events if unauthorized activities occurred.

Currently, the SAAS contains audit trail information from the IRS’ e-Services and Internet Refund Fact of Filing modernized applications.  Additionally, it contains data from the Audit Trail Lead Analysis System used by the TIGTA to detect and investigate unauthorized accesses to taxpayer information (UNAX) by IRS employees. 

However, software performance and functionality problems with the SAAS have prevented users from accessing the SAAS data once it has been collected.  In November 2002, the PRIME contractor delivered the SAAS to the IRS.  The IRS was aware that the SAAS did not meet IRS requirements but formally accepted the system with the caveat that the system deficiencies were to be addressed.  To date, the problems have not been fully resolved.  The IRS should not have accepted the SAAS, knowing that the system did not meet all the software performance and functionality requirements of its users. 

As a result, the ability to detect improper activity on IRS computer systems has been diminished.  Specifically:

·    IRS business units cannot use the SAAS for identifying questionable activities on modernized applications. 

·    The IRS’ Computer Security Incident Response Center cannot use the SAAS for identifying unauthorized intrusions. 

·    The TIGTA cannot use the SAAS for identifying UNAX violations. 

Business unit managers of modernized applications are primarily responsible for identifying questionable activities on their applications.  However, operating procedures for reviewing SAAS data for modernized applications have not been developed.  The Office of Mission Assurance, as the business leader of the SAAS, did not actively assist and facilitate requirements until January 2004.  As a result, even if the SAAS were functioning as intended, the IRS would not be able to effectively review audit trail data. 

Without a functioning audit trail process, the IRS’ ability to detect unauthorized activities on its current modernized systems is lessened.  Future modernization applications will rely solely on the audit trail functions provided through the SAAS.  The inability to detect unauthorized activities is a significant security risk that should weigh heavily on whether future modernization applications should be accredited and implemented.  The lack of operating procedures, the problems with software performance and functionality, and the delays in addressing software problems collectively indicate that the IRS has not devoted sufficient attention to the review of audit trails.

We recommended that the Chief, Mission Assurance, ensure the SAAS performance and functionality requirements are adequately tested and implemented to perform query and report generation.  Also, SAAS operational procedures (e.g., who will review audit trails, what information is needed, and for what purpose) should be fully developed and finalized so that business units can conduct audit trail reviews of system and user activities in modernized applications.  In addition, periodic compliance reviews should be conducted to ensure business units carry out their roles and responsibilities to review audit trails, and alternatives should be developed for reviewing audit trails for modernized applications in the event the SAAS deficiencies cannot be corrected. 

Management’s Response:  Management concurred with three of our recommendations and partially concurred with one recommendation.  The Office of Mission Assurance will participate in testing the SAAS to help ensure that audit trail information is available and retrievable to detect unauthorized activities, provide operating procedures to help business owners analyze SAAS information, monitor compliance with operating procedures, and enhance its certification procedures for systems and applications to ensure that audit trail procedures are available.  

Management partially agreed with our recommendation to develop alternatives for modernized applications audit trails in the event that SAAS deficiencies cannot be corrected.  The IRS is committed to ensuring that the SAAS contains the necessary storage and processing capability to allow users to retrieve and analyze information.  However, if necessary, the IRS will consider alternative approaches for identifying unauthorized access and intrusion detection for modernization applications that may not contain taxpayer information.  Management’s complete response to the draft report is included as Appendix V. 

Office of Audit Comment:  We are hopeful that the IRS meets its new goal for making the SAAS functional by October 2004.  However, if delays persist, we would encourage the IRS to begin looking for alternatives to the SAAS.  While we still believe our recommendation is worthwhile, we do not intend to elevate our disagreement concerning it to the Department of the Treasury for resolution.

Although the Chief, Mission Assurance, agreed with most of our recommendations, the response stated that the SAAS met all defined requirements and passed all tests.  As we noted in the report, the IRS accepted the SAAS in November 2002, although it was aware that reports for detecting unauthorized access could not be generated in a production environment.  Later in the response, the Chief, Mission Assurance, recognized that the SAAS is not expected to be functional until October 2004. 

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510. 

Table of Contents

Background

The Security Audit and Analysis System Was Accepted Although It Did Not Meet Performance Requirements

Recommendations 1 and 2:

Procedures for Reviewing Audit Trails on the Security Audit and Analysis System Have Not Been Developed

Recommendations 3 and 4:

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measures

Appendix V – Management’s Response to the Draft Report

 

Background

Even the best controls designed to prevent improper computer activity can be circumvented with the proper expertise.  Hackers, and particularly disgruntled employees and contractors who already have access to a system, may attempt to circumvent the Internal Revenue Service (IRS) controls to gain access to sensitive information or to vandalize computer data and processing.  To help minimize these risks, Federal Government agencies are required to run and review audit trails routinely to detect improper activity. 

The Department of the Treasury procedures require that audit trails be sufficient in detail to facilitate the reconstruction of events if unauthorized activity or a malfunction occurs or is suspected.  These procedures also state that designated personnel must review audit trails at least weekly for systems that contain sensitive information.  The IRS’ procedures require that, at a minimum, audit trails must include sufficient information to establish what events occurred, when the events occurred, and who (or what) caused them. 

Conceptually, the Security Audit and Analysis System (SAAS) was intended to meet the IRS’ audit trail needs for both modernized computer systems and the Integrated Data Retrieval System (IDRS).  The SAAS was to collect key information necessary to detect improper activities and to reconstruct events for potential criminal investigations and store it in a central database warehouse so that authorized users could generate reports and create custom queries. 

The PRIME contractor developed the SAAS for the IRS.  The intended users of the SAAS include:

·    IRS management to review questionable activities on its systems. 

·    The IRS’ Computer Security Incident Response Center (CSIRC) to detect and respond to computer security incidents targeting the IRS’ enterprise information technology assets. 

·    The Treasury Inspector General for Tax Administration (TIGTA) to detect and investigate unauthorized accesses to taxpayer information (UNAX) by IRS employees.  Although the TIGTA is a user of the SAAS system, IRS management is primarily responsible for the review and analysis of audit trail information. 

This review was performed in the Offices of the Chief Information Officer and the Chief, Mission Assurance, at the IRS National Headquarters and in New Carrollton, Maryland, during the period December 2003 through March 2004.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II. 

The Security Audit and Analysis System Was Accepted Although It Did Not Meet Performance Requirements  

In November 2002, the PRIME contractor delivered the SAAS to the IRS.  The SAAS is collecting and storing audit trail information from some IRS applications into the database warehouse. 

A number of these records are from the Audit Trail Lead Analysis System (ATLAS), which obtains and analyzes audit trail information from the IDRS.  The SAAS also contains audit trail information from the IRS’ e-Services and Internet Refund Fact of Filing (IRFoF) modernized applications and audit trails from various security devices (e.g., firewalls and intrusion detection systems).  As of January 2004, the database warehouse contained an estimated 9 billion records.

However, none of the users can query the information and generate reports because of SAAS software performance and functionality problems.  The IRS was aware that the SAAS did not meet IRS requirements but formally accepted the system with the caveat that the system deficiencies were to be addressed.  Specifically, the IRS noted that the SAAS could not yet produce reports currently available in the ATLAS and that query response times would have to match the ATLAS response times.  The IRS should not have accepted the SAAS, knowing that the system did not meet all the software performance and functionality requirements of its users. 

The functionality and software performance problems of the SAAS prevent the IRS business units from using it for identifying questionable activities on modernized applications.  New applications such as e-Services and IRFoF are highly sensitive since the applications will allow taxpayers and practitioners access to tax account information.  Without a review of audit trail data, suspicious activities could go undetected on these systems. 

Future modernization applications will also rely on the audit trail functions provided through the SAAS.  Not having an effective audit trail review process is a significant security weakness that should weigh heavily on whether to accredit future modernization applications.  Examples of applications that will provide key tax administration processes in the future include the Customer Account Data Engine, Custodial Accounting Project, and the Integrated Financial System. 

In addition, the functionality and software problems of the SAAS prevent the CSIRC from using it for identifying unauthorized intrusions.  The CSIRC is responsible for identifying unauthorized intrusions into the IRS’ computer system.  Currently, it carries out this responsibility by reviewing audit trails from various systems and security devices. 

To enhance its ability to detect unauthorized intrusions, the CSIRC had planned to store intrusion detection system logs from multiple locations on the SAAS.  However, functionality and software performance problems prevent the CSIRC from querying the intrusion detection data on the SAAS.

The PRIME contractor was not aware of this problem until almost a year after it delivered the SAAS because the CSIRC had not submitted a help-desk ticket describing the problems in accessing the database warehouse.  Apparently, the CSIRC had not been using the SAAS since the November 2002 system delivery date. 

The SAAS software performance and functionality problems also prevent the TIGTA from using the SAAS for identifying UNAX violations.  The ATLAS was developed to obtain and analyze audit trail information from the IRS’ most used legacy system (IDRS) for updating and maintaining taxpayer accounts.  The TIGTA’s Office of Investigations (OI) is the primary user of the ATLAS and uses it to identify potential unauthorized accesses of taxpayer information by IRS employees.  Once the SAAS became functional, the IRS had planned to discontinue its use of the ATLAS. 

However, the ATLAS is aging and, in the interim, significant funds must be expended to keep the system operational until the SAAS can become functional.  The IRS contracted for hardware maintenance support for the ATLAS covering Fiscal Years 2004 through 2006, totaling approximately $584,000.  Additionally, the IRS has allocated 2 employees in its spending plans for Fiscal Years 2004 and 2005, representing approximately $400,000 in labor costs, to maintain the ATLAS (see Appendix IV for details on these costs).  If the ATLAS fails, the TIGTA would lose its primary system for identifying unauthorized accesses by IRS employees.  However, once the SAAS becomes operational, the resources expended to maintain the ATLAS can be used to support other IRS initiatives.

Since the SAAS was accepted and deployed by the IRS, the TIGTA OI, with strong support from the Office of Mission Assurance, has continued to report its inability to use the SAAS.  Numerous meetings have since been held with the PRIME contractor and the IRS to discuss this issue.

Recommendations  

The Chief, Mission Assurance, should ensure:

1.      The SAAS performance and functionality requirements are adequately tested and implemented so that the IRS and the TIGTA can perform queries and generate audit trail reports. 

Management’s Response:  Management agreed with this recommendation.  The IRS and the PRIME contractor have developed a schedule that includes requirements for testing and evaluating audit trail capabilities for the IDRS and modernized applications.  Testing for modernized application audit trails is scheduled to begin in August 2004 and be completed by October 31, 2004.  The Office of Mission Assurance will participate in the testing to help ensure that users can access and retrieve audit trail information. 

2.      Alternatives are developed for reviewing audit trails for modernized applications in the event the SAAS deficiencies cannot be corrected. 

Management’s Response:  Management partially agreed with our recommendation.  The IRS maintained it has conducted sufficient testing to accept that the current SAAS approach is an effective approach for supporting Security and Business Organization requirements for identifying unauthorized access and intrusion detection.  However, if necessary, management will consider alternative approaches for reviewing modernized applications that do not contain taxpayer information.  The IRS is ready to commit additional resources to ensure the success of the SAAS.

Office of Audit Comment:  We are hopeful that the IRS meets its new goal for making the SAAS functional by October 2004.  However, if delays persist, we would encourage the IRS to begin looking for alternatives to the SAAS.   

Procedures for Reviewing Audit Trails on the Security Audit and Analysis System Have Not Been Developed

To date, procedures for audit trail reviews using the SAAS have not been finalized beyond the general security policies, roles, and responsibilities.  In addition, specific roles and responsibilities (i.e., who will use the application, for what information, and for what purpose) have not yet been established.  

At the time the SAAS was deployed, the PRIME contractor advised the IRS that many of the procedures for using the SAAS were not clear.  The transition plan provided by the PRIME contractor identified necessary steps the IRS needed to take. 

One step called for the IRS to “review, revise/establish security processes, policies and procedures.”  The IRS responded, “… security policies are in place” and provided no more support for this effort.  The PRIME contractor also indicated that the IRS’ current policies and procedures did not provide the details necessary to adequately analyze audit trails. 

The PRIME contractor also indicated that ownership responsibilities for SAAS functions such as collecting audit trail data, generating and reviewing security reports, and determining who should have access to the SAAS had not been defined. 

Business unit managers of modernized applications are primarily responsible for identifying questionable activities on their applications.  However, to ensure consistency and that security requirements are met, the Office of Mission Assurance (the business leader of the SAAS) should take an active role by facilitating requirements analysis and definition, and defining policy, roles, and responsibilities. 

As a result of the delays in defining operating procedures, the IRS business units still will not be in a position to effectively review audit trails, even if the SAAS performance issues are fully resolved.  During our review, in January 2004, the Office of Mission Assurance provided additional procedures for certain manager reports and acknowledged that additional procedures for modernized applications still need to be defined. 

The lack of operating procedures, the problems with software performance and functionality, and the delays in addressing software problems collectively indicate that the IRS has not devoted sufficient attention to the review of audit trails.  Consequently, improper activities on IRS modernized applications could go undetected.

Recommendations

The Chief, Mission Assurance, should ensure: 

3.      The SAAS operating procedures (e.g., who will review audit trails, what information is needed, and for what purpose) are fully developed and finalized so that business units can conduct effective and efficient audit trail reviews of modernized applications. 

Management’s Response:  IRS management agreed with this recommendation.  The Office of Mission Assurance is implementing a two-phased plan to provide business organizations and security personnel access to modernized applications audit trail data through the SAAS and will identify procedures in conjunction with business owners to help ensure that unauthorized activities are detected.  The Office of Mission Assurance will also enhance its certification procedures for systems and applications to ensure that audit trail procedures are available.

4.      Periodic compliance reviews are conducted once the SAAS is functional to ensure the CSIRC and business unit managers carry out their roles and responsibilities to review audit trails. 

Management’s Response:  IRS management agreed with this recommendation.  The Office of Mission Assurance will initiate compliance reviews on modernized applications within 120 days of their initial operating capability dates.  According to current schedules, these reviews are scheduled to begin in March 2005. 

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

Our overall objective was to assess the availability of audit trail data used to monitor computer activity on the Internal Revenue Service’s (IRS) modernized systems.  To accomplish the objective, we:  

I.  Determined whether the IRS had a system in place to monitor modernized systems and whether the system collected sufficient data.

    A.  Reviewed and evaluated the IRS policies, procedures, and documentation, including documentation prepared by the PRIME contractor applicable to the Security Audit and Analysis System (SAAS).

    B.  Identified information that should be captured in audit trails and determined if modernized systems currently in production were collecting the appropriate audit trail data.

    C.  Determined whether any mitigating controls were in place for audit trails on modernized systems.

II.  Determined whether audit trails were being monitored to detect improper activities by employees, contractors, and registered/unregistered users.

    A.  Interviewed the SAAS project manager and planned users of the SAAS and identified user efforts to use the SAAS for its intended purposes.

    B.  Determined whether modernized audit trails were being reviewed using the SAAS and whether any improper activity was identified using the system.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Stephen R. Mullins, Director

Theodore W. Grolimund, Audit Manager

David J. Brown, Senior Auditor

Anthony D. Knox, Senior Auditor

Louis Lee, Senior Auditor

George L. Franklin, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief Information Officer  OS:CIO

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Associate Chief Information Officer, Information Technology Services  OS:CIO:I

Director, Internal Management Systems  OS:CIO:I:B:IM

Acting Director, Portfolio Management  OS:CIO:R:PM

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Management Controls  OS:CFO:AR:M

Audit Liaisons:

Chief, Mission Assurance  OS:MA

Associate Chief Information Officer, Business Systems Modernization  OS:CIO:B

Manager, Program Oversight and Coordination Office  OS:CIO:R:PM

 

Appendix IV

 

Outcome Measures

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  These benefits will be incorporated into our Semiannual Report to the Congress. 

Type and Value of Outcome Measure:

·        Funds Put to Better Use – Potential; $584,372 (see page 2).

Methodology Used to Measure the Reported Benefit:

During our review, we noted that the Audit Trail Lead Analysis System (ATLAS) was to be replaced by the Security Audit and Analysis System (SAAS).  Since the SAAS is not functioning as intended, the Internal Revenue Service (IRS) has had to contract for hardware maintenance support covering Fiscal Years 2004 through 2006 for the ATLAS.

ATLAS Hardware Maintenance Costs:

Fiscal Year 2004    $181,770
Fiscal Year 2005    $194,494
Fiscal Year 2006    $208,108
Total               $584,372

Once the SAAS becomes operational, the funds expended to maintain the ATLAS could be used to support other IRS initiatives. 

Type and Value of Outcome Measure:

·        Inefficient Use of Resources – Potential; $400,000 (see page 2).

Methodology Used to Measure the Reported Benefit:

During our review, we noted that the ATLAS was to be replaced by the SAAS.  Since the SAAS is not functioning as intended, the IRS has allocated 2 full-time equivalent (FTE) employees ($200,000 in labor costs per year) in its spending plans for Fiscal Years 2004 and 2005 to continue the support of the ATLAS.  This represents a total of $400,000 ($200,000 * 2) in labor costs for the 2 years.  Once the SAAS becomes operational, the employee resources expended to maintain the ATLAS could potentially be used to support other IRS initiatives.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.