Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses
September 9, 2009
Reference Number: 2009-20-119
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals
Phone Number |
202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site |
http://www.tigta.gov
September 9, 2009
MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT
DEPUTY
COMMISSIONER FOR SERVICES AND ENFORCEMENT
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit # 200820020)
This
report presents the results of our review to evaluate compliance by Internal
Revenue Service (IRS) management and security staffs in reviewing and certifying
Integrated Data Retrieval System (IDRS)[1]
security reports, which are produced online by the IDRS Online Report Services
(IORS) system, and assess whether corrective actions taken to address our prior
audit findings[2]
were effective. This audit was part of
the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual
Audit Plan and was part of our statutory requirement to annually review the
adequacy and security of IRS technology.
Impact on the Taxpayer
The IRS requires managers of IDRS users to review and respond to IDRS security reports on the IORS system that present questionable accesses to the taxpayer accounts. While the national averages of certification and timeliness rates have improved, the IRS did not ensure that all IDRS business divisions were completing their responsibilities for reviewing and certifying IDRS security reports. Until additional improvements are made, the IRS cannot ensure that taxpayer accounts on its primary tax account system are being properly protected from unauthorized accesses.
Synopsis
About 50,000 IRS employees access the IDRS to process taxpayer data during the course of their normal work duties. Managers of IDRS users are required to review and certify IDRS security reports on the IORS system on a regular basis to ensure that employee accesses to the IDRS are for valid work reasons. The IRS requires that managers maintain at least a 90 percent certification rate.
During Fiscal Year 2005, only 54 percent of IDRS security reports were certified. During this review, we found that 89 percent of IDRS security reports were certified for Fiscal Year 2008. We attribute this significant improvement to the Cybersecurity organization IDRS Security Program staff’s actions to improve and enhance the IORS system. The IDRS Security Program staff corrected prior system problems that were hindering IDRS managers’ ability to access IDRS security reports. For example, they implemented new systemic features, such as automatic email messages to remind IDRS managers when certifications are due, a “report certification due” box on IORS system report screens that displays any reports that have not been certified and highlights past due reports in red, and weekly reports for distribution by IDRS security officers that list which IDRS managers have and have not completed certifications.
While the national averages of certification and timeliness rates have improved, more needs to be done to ensure that all taxpayer accounts are protected from unauthorized access. Of the total 325,475 security reports requiring certification by IDRS managers in Fiscal Year 2008, 36,493 (11 percent) were not reviewed and certified, potentially allowing improper accesses to go undetected. The lack of reviews for 31,980 of these 36,493 reports can be attributed to 816 IDRS managers who had not met the 90 percent certification rate requirement, which equates to almost 33 percent of all IDRS managers.
The IRS did not complete all
corrective actions recommended in our prior review. Specifically, the IRS did not implement
effective compliance reviews to
ensure IDRS business divisions[3] were complying with IDRS security report
requirements. The IDRS Security Program
staff did not fully implement this recommendation because they had no means for
enforcing IDRS business divisions to comply with IDRS security report
requirements.
We also recommended
in our prior review that IDRS managers be held accountable for their security
report responsibilities. The IRS did not implement this recommendation because the Cybersecurity
organization believed action was no longer needed when the national average of
certification rates improved.
Recommendations
We recommended that the Associate Chief Information Officer,
Cybersecurity, 1) implement compliance
review procedures for IDRS security officers that are designed to monitor and
enforce IDRS business division compliance with security report responsibilities,
2) clarify what level of IRS organizational management should be assigned
the responsibility for providing a response identifying corrective actions that are required for certification rates lower
than 90 percent, 3) biannually provide a list of IDRS managers who have not met their IDRS
security report responsibilities to the IRS business organization executive
responsible for monitoring and enforcing IDRS business division and manager
compliance with IDRS security program policy, and 4) complete plans to
implement an enhancement in the IORS system to capture responses for IDRS
business divisions when corrective actions are required for noncompliance.
The Deputy Commissioner for
Operations Support and the Deputy Commissioner for Services and Enforcement
should ensure IRS business
organizations identify the executives responsible for monitoring and enforcing IDRS
business division compliance with IDRS security program policy and providing a
response identifying corrective actions for certification rates lower than 90
percent.
Response
IRS management
agreed with the recommendations. The
Associate Chief Information Officer, Cybersecurity, will 1) develop and
implement compliance review procedures for IDRS security officers, 2) clarify
the responsible level among IRS organizational management for submitting
responses when certification rates are lower than 90 percent, 3) provide, at
least biannually, IRS business organization executives responsible for
monitoring and enforcing IDRS security compliance with a list of IDRS managers
who have not met their IDRS security report responsibilities, and 4) implement an enhancement in the
IORS system to capture responses for IDRS business divisions when corrective
actions are required for noncompliance. In
addition, the Deputy Commissioner for Operations Support and the Deputy
Commissioner for Services and Enforcement will issue a jointly signed memorandum
reiterating IDRS security program policy requirements and will identify
executives responsible for lower compliance rates. Management’s
complete response to the draft report is included as Appendix V.
Copies of
this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you
have questions or Alan Duncan, Assistant Inspector General for Audit (Security
and Information Technology Services), at (202) 622-8510.
Security Report
Certification and Timeliness Rates Have Significantly Improved
Appendices
Appendix
I – Detailed Objectives, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix V
– Management’s Response to the Draft Report
Abbreviations
|
IDRS |
Integrated Data Retrieval System |
|
IORS |
IDRS Online Reports Services |
|
IRS |
Internal Revenue Service |
It is a Federal
crime for IRS employees to willfully access and view taxpayer accounts for
other than tax administration purposes.
The Taxpayer Browsing Protection Act of 1997[4] made it a criminal offense to access or inspect tax information without proper authorization. This legislation was essentially focused on the Internal Revenue Service (IRS) to ensure its employees access taxpayer data only for official purposes. One of the primary systems used by IRS employees to research and update taxpayer data is the Integrated Data Retrieval System (IDRS). The IDRS is a mission-critical system that contains sensitive information such as taxpayers’ names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income.
Because of the sensitive nature of its data, the IDRS
routinely generates audit trail[5]
information that can be used to detect potential unauthorized accesses to
taxpayer accounts. The IRS refers to the
unauthorized access of taxpayer information as “UNAX” and requires yearly
training to be given to all employees to protect against it. Despite the training and existing security
policies, UNAX violations continue to
be an issue at the IRS. An internal IRS
study reported that 1,191 UNAX cases had been processed by the IRS and the
Treasury Inspector General for Tax Administration from Fiscal Year 2004 to Fiscal
Year 2007.
Prior to November 2003, IDRS
security staffs and managers of IDRS users received IDRS audit trail
information in computer-generated paper reports. To reduce the costs of printing and
distributing these reports and to improve the effectiveness of reporting
results of management reviews, the IRS deployed the IDRS Online Reports
Services (IORS) system, which is a web-based
application that makes IDRS security reports available electronically to
authorized reviewers.
The IORS system notifies managers of IDRS users by email when IDRS security reports are available and when responses to reports are due. Managers of IDRS users are required to review and certify the following security reports on a regular basis to determine that IDRS users are accessing the IDRS for valid work requirements:
The IRS Cybersecurity organization is responsible for overseeing compliance with the IORS system and has direct responsibility over IDRS Security Program staffs located in the IRS campuses.[6] IRS business organizations[7] are responsible for ensuring their IDRS managers comply with IORS system procedures, investigate potential security violations, and take appropriate corrective actions.
In a July 2006 audit report[8] on the IRS’ use of the IORS system, we reported that a majority of IDRS managers were not reviewing or certifying IDRS security reports produced by the IORS system. The IRS Cybersecurity organization and IRS business organizations had not sufficiently emphasized the need for their IDRS managers to review the IDRS security reports produced by the IORS system. In addition, IDRS managers were not held accountable for reviewing the IDRS security reports on a regular basis and the level of emphasis varied among the data security staffs located at the IRS campuses. Further, systemic problems with the IORS system contributed to the low compliance levels. We recommended that the Associate Chief Information Officer, Cybersecurity:
We also recommended that the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement:
This review was performed at the Cybersecurity organization office in New Carrollton, Maryland, during the period October 2008 through February 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Security Report Certification and Timeliness Rates Have Significantly Improved
About 50,000 IRS employees access the IDRS to process taxpayer data during the course of their normal work duties. For monitoring accesses to taxpayer accounts, IRS business organizations are segmented into field or campus units called IDRS business divisions. IDRS users are organized into IDRS units within the IDRS business divisions. Currently, the IRS has established 65 IDRS business divisions that oversee a total of 5,667 IDRS units.[10] IRS business organizations are required to appoint managers responsible for timely reviewing and certifying IDRS security reports for employees in their IDRS units, and identify a point of contact for coordinating overall IDRS security activities for each IDRS business division. For the purpose of monitoring the review and certification of IDRS security reports, the IRS further grouped IDRS business divisions by the 10 IRS campuses. IDRS security officers from the Cybersecurity organization are located at each of the 10 campuses to oversee and monitor the IDRS business divisions affiliated with their campus.
The IRS requires that managers of IDRS units maintain at least a 90 percent certification rate for their IDRS security reports. In addition, managers must certify weekly IDRS security reports within 14 calendar days and monthly IDRS security reports within 28 calendar days for the certifications to be considered as timely.
During this review, we found that the national averages of certification
and timeliness rates for IDRS security reports have significantly improved
since our last review. Figure 1 presents
a comparison of the average certification and timeliness rates for the 10
campuses for Fiscal Year 2005 that were compiled by the Cybersecurity organization
IDRS Security Program staff during our prior review, and the average rates for
the 10 campuses for Fiscal Year 2008 compiled by the Cybersecurity organization
IDRS Security Program staff during this review.
Figure 1: IRS Campus Security Report Certification and
Timeliness Rates
|
|
Certification Rate |
Timeliness Rate |
||
|
IRS Campus |
Fiscal Year 2005 |
Fiscal Year 2008 |
Fiscal Year 2005 |
Fiscal Year 2008 |
|
1. |
80% |
90% |
61% |
78% |
|
2. |
41% |
73% |
26% |
60% |
|
3. |
16% |
74% |
9% |
63% |
|
4. Brookhaven |
88% |
98% |
68% |
92% |
|
5. |
40% |
85% |
23% |
69% |
|
6. |
42% |
94% |
26% |
82% |
|
7. |
59% |
91% |
35% |
80% |
|
8. |
33% |
94% |
19% |
83% |
|
9. |
78% |
97% |
55% |
87% |
|
10. |
38% |
87% |
26% |
72% |
|
Averages |
54% |
89% |
37% |
77% |
Source: Cybersecurity organization IDRS Security Program
staff. Data were extracted using queries
of the IORS system.
We attribute the
improvements in the certification and timeliness rates to corrections and
enhancements made by the IRS to the IORS system. In response to our prior review recommendations,
the IDRS Security Program staff corrected IORS system problems that had hindered
IDRS managers’ ability to access IDRS security reports and were contributing to
low certification and timeliness rates. In
addition, the IDRS Security Program staff implemented system
enhancements that further improved IDRS managers’ compliance with completing
their security report requirements, including:
Not All IDRS Business Divisions Are Complying With Requirements for Reviewing Security Reports to Protect Against Unauthorized Employee Accesses to Taxpayer Accounts
In Fiscal
Year 2008, 36,493 security reports were not reviewed and certified, potentially
allowing improper access to taxpayer accounts to go undetected.
While the national averages of certification and timeliness rates for IDRS security reports has significantly improved, with the certification compliance rate getting close to the 90 percent, more needs to be done to ensure that all taxpayer accounts are protected from unauthorized access. The rates for some of the individual IDRS business divisions did not meet the certification and timeliness requirements. Of the total 325,475 security reports requiring certification by IDRS managers in Fiscal Year 2008, 36,493 (11 percent) were not reviewed and certified, potentially allowing improper accesses to taxpayer accounts to go undetected. Further analysis of the 36,493 reports identified that 32 of the 65 IDRS business divisions had certification rates that were lower than 90 percent for Fiscal Year 2008. The lack of reviews for 31,980 of these 36,493 reports can be attributed to 816 IDRS managers who had not met the 90 percent certification rate requirement, which equates to 32.7 percent of all IDRS managers. Fifty-seven of the 65 IDRS business divisions had at least 1 IDRS manager who did not meet the 90 percent certification rate requirement. Appendix IV presents the certification and timeliness rates for all 65 IDRS business divisions for Fiscal Year 2008.
Effective
compliance reviews were not implemented
IRS policy requires executives of business organizations
with IDRS business divisions that do not have at least a 90 percent
certification rate for their IDRS security reports to provide to the IDRS
Security Program staff within 14 calendar days a response that identifies the
nature and date of the actions to be taken to correct any deficiencies
associated with the review and certification of security reports.
Based on the low certification and timeliness rates found during our prior review, we recommended that the IRS conduct periodic compliance reviews to ensure IDRS business divisions carried out their IDRS security report responsibilities. During this review, we found that the IRS had not yet implemented effective compliance reviews for monitoring IDRS business division compliance with IDRS policy.
The IDRS Security Program staff had taken some steps to implement this recommendation. In April 2006, they began to generate a quarterly report that listed the certification and timeliness rates for each of the 10 campuses. The staff shared this report with the IDRS Security Issues Committee that included representatives from the various IRS business organizations. However, in mid-2007, the IDRS Security Program staff discontinued providing this quarterly report to the campuses because it was not getting distributed further. The quarterly report was not effective for informing IDRS business divisions of their certification and timeliness rates because the rates for individual IDRS business divisions were rolled up to the campus level. In addition, the IDRS Security Issues Committee members were serving as liaisons for their business organizations and not as monitors at the IDRS business division level.
In November 2006, the
However, the draft procedures did not instruct the IDRS
security officers on what actions to take when IDRS managers did not complete
their responsibilities. Also, the draft
procedures did not instruct IDRS security officers to monitor IDRS business division
certification and timeliness rates to determine those that had a lower than a 90
percent certification rate that required a response identifying the corrective
actions they would take to improve compliance. For the 32 IDRS business divisions with
certification rates lower than 90 percent, we found that none had provided a
response identifying corrective actions.
The IDRS Security Program staff had not completed actions to implement compliance review procedures and was not enforcing the requirement for responses for IDRS business divisions with a lower than 90 percent certification rate for the following reasons:
When IDRS managers do not complete certification of security reports in a timely manner, the IRS has no assurance that taxpayer accounts are being properly protected and potential unauthorized accesses to taxpayer data by employees are being identified.
Manager accountability was not implemented
Our prior review
found that IDRS managers were not being held accountable for their IDRS
security report responsibilities. We
recommended that the IRS update the operational review requirements for its managers
to include a step to timely certify all IORS security reports and to hold
managers accountable for meeting their security-related responsibilities.
The National Institute
of Standards and Technology Special Publication 800-100[11] describes the information security
governance practices that are critical for ensuring the security of enterprise
information assets. One of these
critical practices is that individuals who are responsible for information
security within the agency should be held accountable for their actions or lack
of actions.
To
address our recommendation, in Fiscal Year 2007, the IRS updated the self-assessment[12] that managers complete annually
to include a step for IDRS managers to certify that they have completed their
IDRS security report reviews. While the
self-assessment may increase awareness of their IDRS security report responsibilities,
it does not hold IDRS managers accountable if they do not comply with them.
The IRS
had also planned to issue a memorandum signed jointly by the Deputy
Commissioner for Operations Support and the Deputy Commissioner for Services
and Enforcement to IRS Commissioners and Chiefs requiring that all IRS business
organizations identify and enforce disciplinary consequences for noncompliance
with reviewing and certifying IDRS security reports. However, in June 2007, the IRS recorded an
overall certification rate of 87 percent with a timeliness rate of 73 percent
(up from a certification rate of 54 percent with a timeliness rate of 37
percent in Fiscal Year 2005). Based on
the improvement in the national averages of certification and timeliness rates,
the IRS Cybersecurity organization determined that no further action was needed
to address manager accountability. As a
result, the aforementioned joint memorandum was not issued. Consequently, the IRS did not identify or implement
disciplinary consequences for IDRS managers who do not complete review and
certification of IDRS security reports in a timely manner.
While certification
and timeliness rates have improved, the rate of improvement has slowed. As discussed previously, 816 (32.7 percent) of IDRS managers did not meet the 90 percent
certification rate requirement for security reports in Fiscal Year 2008. This contributed to 32 of 65
IDRS business divisions having certification rates lower than 90 percent in
Fiscal Year 2008; however, none of the divisions had provided a response
identifying corrective actions. IRS business organizations had not
identified executives to be responsible for monitoring and enforcing compliance
with IDRS security policy and for providing the response identifying corrective
actions for certification rates lower than 90 percent.
Because the IORS system tracks certification and timeliness data,
the IDRS Security Program staff can generate a list of IDRS managers who have
not met security report review requirements and provide this information to IRS
business organizations to assist their monitoring and remediation of noncompliant
IDRS managers. Strengthening IDRS
managers’ accountability for timely certification of IORS system security reports
will increase the number of IDRS managers reviewing and certifying IDRS
security reports, which will provide assurance that employees are accessing
IDRS tax data for official purposes.
Recommendations
The Associate Chief Information Officer, Cybersecurity,
should:
Recommendation
1: Implement compliance review procedures for IDRS security officers that are
designed to monitor and enforce IDRS business division compliance with security
report responsibilities and ensure that responses are obtained when corrective
actions are required for noncompliance.
Management’s Response: The IRS agreed with this recommendation. The IRS Cybersecurity organization has assembled a team to develop compliance review procedures for IDRS security officers and will work with the IDRS business divisions to finalize and implement these procedures.
Recommendation 2: Clarify what level
of IRS business organizational management should be assigned the responsibility
for providing a response identifying corrective actions that are required for certification rates lower than 90 percent.
Management’s Response: The IRS agreed with this recommendation. The IRS Cybersecurity organization will work with the IDRS business divisions to clarify the responsible level among IRS business organizational management and will update IRS policy accordingly.
Recommendation 3: Biannually provide a list of IDRS managers
who have not met their IDRS security report responsibilities to the IRS
business organization executive responsible for monitoring and enforcing IDRS
business division and manager compliance with IDRS security program policy.
Management’s Response: The IRS agreed with this recommendation. The IRS Cybersecurity organization will, at least biannually, provide IRS business organization executives responsible for monitoring and enforcing IDRS security program compliance with a list of IDRS managers who have not met their IDRS security report responsibilities.
Recommendation 4: Complete plans to implement an enhancement in the IORS system to capture responses for IDRS business divisions when corrective actions are required for noncompliance.
Management’s Response: The IRS agreed with this recommendation. The IRS Cybersecurity organization will implement an enhancement in the IORS system to capture required responses from IDRS business division management and will update IRS policy to require the use of this IORS enhancement.
The Deputy Commissioner for
Operations Support and the Deputy Commissioner for Services and Enforcement
should:
Recommendation 5: Ensure IRS business organizations identify the executives responsible for monitoring and enforcing IDRS business division compliance with IDRS security program policy and providing a response identifying corrective actions for certification rates lower than 90 percent.
Management’s Response: The IRS agreed with this recommendation. A meeting will be held with IRS executive leadership to disseminate information on IRS noncompliance with IDRS security program policy. Executives responsible for providing a response when certification rates are lower than 90 percent will be identified. In addition, a jointly signed memorandum from the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement will be issued to division commissioners and functional chiefs reiterating the requirement to review and certify IDRS security reports maintained in the IORS system.
Appendix I
Detailed Objectives, Scope, and Methodology
The overall objectives of this review were to evaluate compliance
by IRS management and security staffs in reviewing and certifying IDRS[13]
security reports, which are produced online by the IORS system, and assess
whether corrective actions taken to address our prior audit findings[14]
were effective.
To accomplish our
objectives, we:
I. Determined whether IRS business organizations are reviewing and certifying IDRS security reports using the IORS system in compliance with Internal Revenue Manual Section 10.8.34.
A. Determined how the Cybersecurity organization compiles and validates the accuracy of the certification and timeliness rate information.
B. Obtained the most current quarterly certification rate information, including the timeliness of the certifications, maintained by the IORS system and distributed quarterly by the Cybersecurity organization to IRS business organizations.
C. Determined whether the Cybersecurity organization obtained written responses from executives of business organizations with lower than a 90 percent certification rate in accordance with IRS policy.
D. Determined whether other monitoring or reporting corrective actions had been taken and whether they were effective.
II. Determined whether IRS business organization managers’ operational review requirements were updated to include a requirement for timely certification of IORS system-related reports as well as consequences for noncompliance, in order to hold managers accountable for meeting their security-related responsibilities.
III. Determined whether the IORS system had been modified to address previously reported systemic problems, including system access issues, software problems, and management oversight issues.
A. Reviewed system change documentation to determine the corrections implemented and interviewed the IORS Project Manager to determine whether any ongoing problems were contributing to noncompliance in reviewing and certifying IORS system security reports.
B. Determined whether systemic corrective actions were effective in increasing compliance with reviewing and certifying IORS system security reports by interviewing IORS system users to solicit their opinions regarding the effectiveness of systemic changes made since the time of our last audit.
Appendix II
Major Contributors to This Report
Margaret
E. Begg, Acting Assistant Inspector General for Audit (Security and Information
Technology Services)
Kent
Sagara, Acting Director
Carol
Taylor, Audit Manager
Jody
Kitazono, Senior Auditor
Louis Lee, Senior Auditor
Appendix III
Commissioner C
Office of the
Commissioner – Attn: Chief of Staff C
Chief Information Officer OS:CTO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Director, Cybersecurity Programs and Policies OS:CTO:C:PP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of
Program Evaluation and Risk Analysis
RAS:O
Office of Internal
Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Technology Officer OS:CTO
Chief Information Officer OS:CTO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Appendix IV
IDRS Business Division Security Report Certification and Timeliness
Rates for Fiscal Year 2008
|
|
IDRS Business Division |
Total Reports |
Certification Rate |
Timeliness Rate |
|
1 |
****(3d)**** |
12 |
0.00% |
0.00% |
|
2 |
****(3d)**** |
456 |
42.11% |
31.58% |
|
3 |
****(3d)**** |
361 |
49.86% |
44.88% |
|
4 |
****(3d)**** |
7,122 |
63.70% |
50.82% |
|
5 |
****(3d)**** |
6,013 |
66.42% |
57.51% |
|
6 |
****(3d)**** |
2,795 |
67.33% |
51.06% |
|
7 |
****(3d)**** |
4,306 |
67.56% |
47.91% |
|
8 |
****(3d)**** |
323 |
68.11% |
48.92% |
|
9 |
****(3d)**** |
9,978 |
70.53% |
56.30% |
|
10 |
****(3d)**** |
11,533 |
74.41% |
42.73% |
|
11 |
****(3d)**** |
5,933 |
74.46% |
63.16% |
|
12 |
****(3d)**** |
7,686 |
74.82% |
53.93% |
|
13 |
****(3d)**** |
1,778 |
75.08% |
64.74% |
|
14 |
****(3d)**** |
517 |
75.82% |
67.70% |
|
15 |
****(3d)**** |
10,162 |
76.04% |
68.02% |
|
16 |
****(3d)**** |
2,652 |
78.05% |
64.14% |
|
17 |
****(3d)**** |
10,040 |
78.39% |
64.76% |
|
18 |
****(3d)**** |
6,645 |
79.71% |
67.71% |
|
19 |
****(3d)**** |
4,970 |
81.63% |
64.14% |
|
20 |
****(3d)**** |
406 |
82.02% |
71.72% |
|
21 |
****(3d)**** |
3,167 |
82.70% |
71.87% |
|
22 |
****(3d)**** |
12 |
83.33% |
83.33% |
|
23 |
****(3d)**** |
3,213 |
84.72% |
78.49% |
|
24 |
****(3d)**** |
1,822 |
85.24% |
68.44% |
|
25 |
****(3d)**** |
6,696 |
87.11% |
63.35% |
|
26 |
****(3d)**** |
32 |
87.50% |
53.13% |
|
27 |
****(3d)**** |
8,952 |
87.63% |
74.22% |
|
28 |
****(3d)**** |
342 |
88.01% |
71.05% |
|
29 |
****(3d)**** |
11,419 |
88.41% |
73.87% |
|
30 |
****(3d)**** |
3,176 |
88.85% |
82.75% |
|
31 |
****(3d)**** |
1,883 |
89.54% |
84.12% |
|
32 |
****(3d)**** |
4,496 |
89.72% |
82.89% |
|
33 |
****(3d)**** |
72 |
90.28% |
84.72% |
|
34 |
****(3d)**** |
7,460 |
91.26% |
80.32% |
|
35 |
****(3d)**** |
360 |
91.39% |
65.00% |
|
36 |
****(3d)**** |
9,768 |
91.55% |
80.88% |
|
37 |
****(3d)**** |
6,089 |
91.72% |
85.90% |
|
38 |
****(3d)**** |
3,888 |
92.34% |
85.19% |
|
39 |
****(3d)**** |
2,208 |
92.62% |
82.97% |
|
40 |
****(3d)**** |
12,076 |
93.42% |
82.06% |
|
41 |
****(3d)**** |
2,893 |
93.61% |
91.09% |
|
42 |
****(3d)**** |
1,831 |
93.72% |
91.32% |
|
43 |
****(3d)**** |
663 |
93.97% |
82.50% |
|
44 |
****(3d)**** |
2,395 |
94.28% |
76.95% |
|
45 |
****(3d)**** |
2,846 |
94.34% |
87.43% |
|
46 |
****(3d)**** |
8,415 |
94.58% |
81.82% |
|
47 |
****(3d)**** |
7,243 |
95.32% |
89.69% |
|
48 |
****(3d)**** |
418 |
95.69% |
87.80% |
|
49 |
****(3d)**** |
489 |
95.71% |
86.09% |
|
50 |
****(3d)**** |
3,759 |
96.38% |
89.78% |
|
51 |
****(3d)**** |
13,609 |
96.70% |
86.00% |
|
52 |
****(3d)**** |
2,430 |
97.65% |
72.10% |
|
53 |
****(3d)**** |
4,422 |
98.12% |
94.41% |
|
54 |
****(3d)**** |
3,568 |
98.35% |
88.31% |
|
55 |
****(3d)**** |
9,321 |
98.37% |
95.39% |
|
56 |
****(3d)**** |
3,003 |
98.60% |
96.17% |
|
57 |
****(3d)**** |
12,188 |
99.38% |
90.36% |
|
58 |
****(3d)**** |
557 |
99.46% |
91.02% |
|
59 |
****(3d)**** |
11,776 |
99.60% |
94.74% |
|
60 |
****(3d)**** |
11,976 |
99.66% |
89.91% |
|
61 |
****(3d)**** |
11,204 |
99.87% |
84.09% |
|
62 |
****(3d)**** |
15,340 |
99.89% |
89.31% |
|
63 |
****(3d)**** |
13,028 |
99.97% |
97.36% |
|
64 |
****(3d)**** |
1,014 |
100.00% |
96.55% |
|
65 |
****(3d)**** |
268 |
100.00% |
89.55% |
|
|
Total/Averages |
325,475 |
89% |
77% |
Source: Cybersecurity organization IDRS Security Program
staff. Data were extracted using queries
of the IORS system.
Appendix V
Management’s Response to the Draft Report
The response was
removed due to its size. To see the
response, please go to the Adobe PDF version of the report on the TIGTA Public
Web Page.
[1] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[2] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).
[3] IDRS business divisions are segments of IRS business organizations aligned to facilitate monitoring of taxpayer account accesses.
[4] 26 U.S.C.A. Sections 7213, 7213A, 7431 (West Supp. 2003).
[5] An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.
[6] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
[7] IRS business organizations include the Criminal Investigation, Large and Mid-Size Business, Small Business/Self-Employed, Tax Exempt and Government Entities, and Wage and Investment Divisions; the Offices of Appeals and Chief Counsel; the Taxpayer Advocate Service; and the Agency-Wide Shared Services and Communications and Liaison functions.
[8] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).
[9] IDRS business units are segments of IRS business organizations aligned to facilitate monitoring of taxpayer account accesses.
[10] Although not part of the IRS, the Treasury Inspector General for Tax Administration is included as 1 of the 65 IDRS business units because its employees may require access to the IDRS as part of their job responsibilities.
[11] Information Security Handbook: A Guide for Managers, published October 2006.
[12] IRS managers annually complete the Self-Assessment Tool for Managers to provide operational review information pursuant to the Federal Managers’ Financial Integrity Act of 1982, 31 U.S.C. Sections 1105, 1113, 3512 (2000).
[13] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[14] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).
[15] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.