Most Internal Revenue Service Applications Do Not Have Sufficient Audit Trails to Detect Unauthorized Access to Sensitive Information

The Chief Information Officer should ensure that the Cybersecurity function, the Privacy, Governmental Liaison and Disclosure office, and application owners develop and implement a methodology to identify and annually update the inventory of all applications that store or process taxpayer data and PII for the purpose of detecting improper cyber activities and to reconstruct events for potential criminal investigations. Furthermore, audit trail records for the applications should be included in the SAAS.

The Chief Information Officer should obtain the list of 13 applications with an ACR that references the obsolete IRM, conduct a revalidation of the auditable events, and issue an AU Deficiency Memorandum to the application owner, if needed, to require an ACR update to comply with the current list of auditable events. In addition, ensure that revalidations are conducted annually as required.

The Chief Information Officer should ensure that application audit trail deficiencies are properly tracked on a POA&M, thus ensuring compliance with the FISMA, IRM policy, and the Office of Management and Budget annual guidance.

The Chief Information Officer should ensure that the IRM policy and the AU Deficiency Memorandum template document clearly and consistently communicate each stakeholder's responsibilities to ensure that the appropriate actions are taken, records are properly updated, and the narrative in the POA&M is reflective of the issues indicated in the AU Deficiency Memorandum within 60 calendar days.

The Chief Information Officer should establish a process improvement so application owners timely create the POA&Ms when audit trail deficiencies are identified. This recommendation also addresses a similar repeat finding from the Fiscal Year 2015 audit report previously mentioned.