Treasury Inspector General for Tax Administration
Office of Audit
ACCESS CONTROLS FOR THE AUTOMATED INSOLVENCY SYSTEM NEED IMPROVEMENT
Issued on May 16, 2011
Highlights of Report Number: 2011-20-046 to the Internal Revenue Service Commissioner for the Small Business/Self-Employed Division and the Chief Technology Officer.
IMPACT ON TAXPAYERS
Bankruptcy petitions filed in Federal courts were up 32 percent in Calendar Year 2009 compared to Calendar Year 2008. The Internal Revenue Service (IRS) receives notification of a bankruptcy case because taxpayers are required to list their creditors and liabilities when filing for bankruptcy protection. The IRS inputs the taxpayers’ sensitive information into its Automated Insolvency System (AIS) to track the legal requirements for dealing with the taxpayers and to protect the Government’s financial interest. Unauthorized access to the AIS could jeopardize taxpayers’ legal rights.
WHY TIGTA DID THE AUDIT
This audit was initiated because the Small Business/Self-Employed Division requested that TIGTA review the access controls for the AIS. The objective of the review was to determine whether the IRS implemented access controls for the AIS to protect taxpayers’ personal data and to ensure the Government’s interest is protected when taxpayers file for bankruptcy.
WHAT TIGTA FOUND
Although some AIS access controls are in place, such as the automatic lockout control and password complexity settings, other required access controls have not been implemented or are not operating effectively.
TIGTA found many IRS employees have excessive privileges on the AIS. The excessive privileges are due to two primary reasons. First, managers did not ensure duties were adequately segregated among employees to prevent and detect unauthorized activities. The second reason is due to the inadequate role-based access control scheme that was developed for the AIS. The inadequate access control scheme causes managers to inadvertently
grant unneeded, excessive AIS privileges to employees.
TIGTA also found IRS managers and user administrators were not following the requirement to use the Online 5081 system to authorize and revoke access to the AIS. In addition, some significant actions taken on bankruptcy cases are not logged and reported in the AIS Manager Review screen to allow managers to detect errors and inappropriate activities.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Directors, Collection Policy, Campus Filing and Payment Compliance, and Advisory, Insolvency, and Quality, Small Business/Self-Employed Division, 1) identify incompatible duties and implement policies to segregate those duties; 2) issue a memorandum to Insolvency office managers requiring them to adhere to the new policy when assigning duties and approving AIS access rights; 3) define and document user requirements for the AIS based on employee job functions and position descriptions and submit these requirements to the Applications Development office in a formal work request; and 4) issue a memorandum to managers emphasizing the requirement to use the Online 5081 system to authorize, revoke, and review employees’ AIS access authorizations.
TIGTA also recommended that the Associate Chief Information Officer, Applications Development, 1) ensure application developers have read-only access to the AIS, 2) develop software to systemically create and assign passwords for new AIS users, and 3) create a role-based access control scheme for the AIS.
The IRS agreed with the recommendations and stated it had already taken two corrective actions. The IRS initiated a work request to develop a self-service password reset and auto generation feature for the AIS. In addition, the User Administrator privilege was removed from the Developer privilege level.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Email Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov