TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
THE INTERNAL REVENUE SERVICE CAN INCREASE STORAGE CAPACITY ON SEVERAL IBM MAINFRAME SYSTEMS THROUGH IMPROVED MAINTENANCE
November 1999
Reference No. 2000-20-009
Executive Summary
The Internal Revenue Service (IRS) uses IBM’s Multiple Virtual Storage (MVS) operating system for many of its mission-critical tax processing systems. We examined the controls on two of these systems: the Masterfile system, which serves as the platform for the primary processing of all taxpayer accounts, and the Automated Collection System/Integrated Collection program development system (ACS/ICS), which is used to develop and test the IRS’ computer system for collecting delinquent taxes. Because the MVS operating system is used on IRS computers that maintain over 206 million taxpayer accounts, its implementation must be closely controlled and monitored.
The objective of this review was to determine if selected general controls of the MVS operating system were implemented to provide system security, safeguard sensitive data, and ensure efficient use of system resources.
Results
Generally, the controls of the two MVS operating systems we reviewed were adequate to provide system security and to safeguard sensitive data. We determined, however, that system resources could be better used if extraneous files were removed from the systems.
System Controls Were Adequate to Provide System Security and Protect Sensitive Data
System resources were adequately protected and controls over program files and libraries containing operating system files assured that only authorized personnel had access to these significant system resources. In addition, the MVS operating system was implemented in a manner that provided IRS with necessary management information. Specifically, we found:
· Key System Management Facility (SMF)¹ settings were properly implemented on both systems.
· Exits (automated system interfaces) that can be used to suppress selected audit trail data were not in use.
· "ZAP" programs² were adequately protected, and access to these programs was restricted on both systems.
· Systems security controls were employed to protect key system resources such as the Authorized Program Facility (APF) and the Time-Sharing Option (TSO) User Attribute Set³.
In some instances, IRS systems programmers took immediate action and made changes on-line based on our verbal recommendations for improving system control settings.
Storage Capacity Can Be Increased by Removing Unnecessary Files
Our review of the Masterfile and ACS/ICS systems identified a significant number of files that were uncataloged (not maintained or recognized by the MVS facility for organizing files) or miscataloged (contained in one disk unit and "labeled" as being in another). On the taxpayer account processing system, we found that over 8 percent of the over 10,600 files on the disk units containing important system set-up files were uncataloged or miscataloged. On the development system, 25 percent of the over 37,000 files on the system were uncataloged or miscataloged. Allowing extraneous files to remain on the system wastes valuable storage space. Furthermore, extraneous files present a system security risk since they may be altered to support unauthorized activities.
Summary of Recommendation
The Chief Information Officer should develop procedures to periodically examine system storage space to identify extraneous data files and programs, and to ensure that they are removed from the systems.
Management’s Response: IRS management has implemented the Hierarchical Storage Manager, which ages off and archives data files that have not been used. Also, batch jobs that eliminate uncataloged data files have been instituted as part of weekly housekeeping batch runs.
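The reconciliation behind the uncataloged and miscataloged counts above, and the kind of periodic check the recommendation calls for, shown as an added example that is not from the report or the IRS. The volume serials, dataset names and two-column inventory layout are constructed assumptions, as is the choice to count a second copy of a cataloged name on another volume as uncataloged.

```python
from collections import defaultdict

# Constructed sample inventory (assumed layout, not IRS data).
# VTOC: (volume, dataset name) for every file physically on each disk unit.
VTOC = [
    ("SYS001", "SYS1.PARMLIB"),
    ("SYS001", "SYS1.OLD.PARMLIB"),
    ("SYS002", "SYS1.PROCLIB"),
    ("WRK001", "DEV.TEST.LOAD"),
    ("WRK002", "DEV.TEST.LOAD"),
    ("WRK002", "DEV.SCRATCH.DATA"),
]
# CATALOG: dataset name -> volume the catalog says holds it.
CATALOG = {
    "SYS1.PARMLIB": "SYS001",
    "SYS1.PROCLIB": "SYS009",   # catalog points at the wrong disk unit
    "DEV.TEST.LOAD": "WRK001",  # the copy on WRK002 has no entry of its own
}

def reconcile(vtoc, catalog):
    """Classify every file on disk as cataloged, miscataloged or uncataloged."""
    volumes_by_name = defaultdict(set)
    for volume, name in vtoc:
        volumes_by_name[name].add(volume)
    report = {"cataloged": [], "miscataloged": [], "uncataloged": []}
    for volume, name in vtoc:
        labeled = catalog.get(name)
        if labeled == volume:
            status = "cataloged"
        elif labeled is not None and labeled not in volumes_by_name[name]:
            # File sits on one disk unit; the catalog labels it as on another.
            status = "miscataloged"
        else:
            # No catalog entry, or the entry belongs to a copy on another volume.
            status = "uncataloged"
        report[status].append((volume, name))
    return report

def extraneous_percent(report):
    """Share of files on disk that are uncataloged or miscataloged."""
    total = sum(len(files) for files in report.values())
    bad = len(report["miscataloged"]) + len(report["uncataloged"])
    return round(100 * bad / total, 1) if total else 0.0

if __name__ == "__main__":
    result = reconcile(VTOC, CATALOG)
    for status, files in result.items():
        for volume, name in files:
            print(f"{status:13} {volume} {name}")
    print(f"extraneous: {extraneous_percent(result)}% of files on disk")
```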
¹ SMF is an IBM product that serves as an event tracking mechanism and audit trail for system activities in MVS.
² ZAP programs can be used to alter or delete the Volume Table of Content (VTOC), which is the "card catalog" for the entire system. Without a reliable VTOC, files cannot be found in the system.
³ APF programs can circumvent all standard MVS security mechanisms and gain access to secured data. The TSO User Attribute Set houses the powers granted to each user on the system.