In November 2002, Computer Sciences Corp. and a team of IT contractors delivered to the IRS the Security Audit and Analysis System, an application intended to gather audit trail information from IRS systems and store this information in a central database that IRS management, computer incident response team members, and Treasury Inspector General for Tax Administration investigators could access. The IRS and its contractors conceived of the system to let these users generate reports and create custom queries to detect unauthorized activities and also to facilitate the reconstruction of events if unauthorized activities occurred.
However, the Inspector General's audit team found that the system doesn't let users access its data once it's been collected--and that the IRS accepted delivery of the application two years ago despite knowing the audit and analysis system was incomplete. "The IRS shouldn't have accepted the SAAS, knowing that the system didn't meet all the software performance and functionality requirements of its users," the Aug. 18 audit report states.
Problems with the audit and analysis system could ultimately affect the IRS's future modernization efforts. "The inability to detect unauthorized activities is a significant security risk that should weigh heavily on whether future modernization applications should be accredited and implemented," the audit report states.
The audit and analysis system is proving to be a costly misstep in more ways than one, according to the audit report. Auditors determined that the IRS will spend $584,372 in hardware maintenance costs through fiscal 2006 to continue using its Audit Lead Analysis System, called Atlas, an application the SAAS audit and analysis system was to replace. The IRS will spend another $400,000 in fiscal 2004 and 2005 on two employees whose jobs are to support Atlas.
The IRS has accepted several corrective recommendations that the Inspector General's audit team proposed. The IRS's Office of Mission Assurance, for example, will participate in testing SAAS to help ensure that audit trail information is available and retrievable to detect unauthorized activities. Mission Assurance also will provide operating procedures to help users analyze SAAS information, monitor compliance with operating procedures, and improve its certification procedures for systems and applications to ensure that audit trail procedures are available.
The Inspector General's audit team pointed out in its report that it was confident the IRS could and would make the recommended improvements to SAAS by October. If the IRS doesn't meet the deadline, the group will "encourage the IRS to begin looking for alternatives to SAAS," the audit report states.