
Report No. 2011-56
September 2011
Findings in the audit of the Department of Revenue, Taxation Division Security Controls
Background
This audit reviewed security and other internal controls established and managed by the Department of Revenue (DOR), Taxation Division and the Office of Administration, Information Technology Services Division (OA-ITSD). The OA-ITSD provides technical support to the DOR, Taxation Division, which is responsible for collecting Missouri taxes and administering state tax laws. The section of OA-ITSD responsible for supporting the DOR is referred to as the ITSD in this summary and report.
Service Level Agreement
The DOR and the OA-ITSD do not have a current written agreement adequately documenting the terms of the partnership between the two entities. The memorandum of understanding, in place since 2006, is not up-to-date and lacks critical information, such as definitions of each organization's operational responsibilities, qualitative or quantitative measures of the services to be provided, and responsibilities for third-party software, backup, disaster recovery and continuity planning.
The OA-ITSD did not have a contract for disaster recovery facilities for some critical mainframe resources, including certain Taxation Division systems, for almost a year. Instead of renewing the existing disaster recovery contract when it expired in June 2010, the OA-ITSD decided to explore other more cost-effective options, but it took eleven months to get the new disaster recovery capability in place, leaving the state vulnerable in the interim in the event of a disaster.
The DOR has not told ITSD how long the Taxation Division systems could be down before significant losses would occur. ITSD needs this information to determine whether the current recovery plan is sufficient. In addition, the ITSD has not conducted recovery testing to ensure that backups are complete and accurate and contain all data necessary to recover critical systems in the event of a disaster.
User Account Management
The ITSD database administrators are able to add, edit or delete data directly in the DOR, Taxation Division databases without management review, which increases the risk of unauthorized changes going undetected. Such direct database revisions are not subject to system validation and edit checks.
DOR and ITSD do not periodically review user access rights to the network or the DOR, Taxation Division systems and data. DOR security policies require division directors to review reports of user access at least twice a year, but we were told by a DOR official this review is not conducted. When we reviewed user accounts with access to DOR systems, we discovered 24 former employees still had active user accounts (one of whom left the DOR in 2001); 9 accounts were active in the system but not assigned to specific users; and 807 active user accounts had not been accessed in over 90 days, calling into question whether these users continue to need this access.
As noted in our 2003 and 2006 reports, the ITSD maintains unassigned user accounts for DOR systems (2,700 at the time of the present audit), which increases the risk of unauthorized access to confidential data. The DOR also lacks a policy for granting system access to temporary employees.
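The account review described in the two findings above (active accounts still held by former employees, accounts assigned to no user, and accounts untouched for more than 90 days) is the kind of check DOR policy calls for twice a year. The script below is an added example and is not code from the audit or from DOR or ITSD; it assumes an HR roster and an account export with the constructed fields shown, and uses a review date of 30 June 2011 chosen only for illustration. Accounts whose owner id does not appear in the HR roster are reported as orphaned, since nobody in HR vouches for them.

```python
"""Periodic user-access review: flag active accounts that belong to separated
employees, that are assigned to no one, or that have not been used recently.
Added illustration; the data, field names and cut-offs are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    active: bool
    assigned_to: Optional[str]   # HR employee id, or None if unassigned
    last_login: Optional[date]   # None if the account has never logged in


@dataclass(frozen=True)
class Employee:
    employee_id: str
    separated_on: Optional[date]  # None while still employed


# Constructed sample data (hypothetical names, ids and dates).
ROSTER = {
    e.employee_id: e for e in [
        Employee("E100", None),
        Employee("E101", date(2001, 3, 15)),   # separated a decade ago
        Employee("E102", date(2011, 2, 1)),
        Employee("E103", None),
    ]
}
ACCOUNTS = [
    Account("alice", True,  "E100", date(2011, 6, 28)),
    Account("bob",   True,  "E101", date(2011, 5, 2)),   # former employee, still logging in
    Account("carol", True,  "E102", None),               # former employee, never used
    Account("dave",  True,  "E103", date(2011, 1, 10)),  # current employee, dormant
    Account("svc01", True,  None,   date(2011, 6, 1)),   # active but assigned to nobody
    Account("svc02", True,  "E999", date(2011, 6, 1)),   # owner id unknown to HR
    Account("erin",  False, "E100", date(2010, 1, 1)),   # disabled: out of scope
]
REVIEW_DATE = date(2011, 6, 30)   # constructed review date


def review_accounts(accounts, roster, as_of, dormant_days=90):
    """Return the three exception lists an access review should produce.

    orphaned:   active accounts whose owner has separated on or before `as_of`,
                or whose owner id is not in the HR roster
    unassigned: active accounts with no owner at all
    dormant:    active accounts not used within `dormant_days` of `as_of`
                (never-used accounts count as dormant)
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"orphaned": [], "unassigned": [], "dormant": []}
    for acct in accounts:
        if not acct.active:
            continue   # disabled accounts are not an access exposure
        if acct.assigned_to is None:
            findings["unassigned"].append(acct.name)
        else:
            emp = roster.get(acct.assigned_to)
            if emp is None or (emp.separated_on is not None and emp.separated_on <= as_of):
                findings["orphaned"].append(acct.name)
        if acct.last_login is None or acct.last_login < cutoff:
            findings["dormant"].append(acct.name)
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for category, names in run_review().items():
        print(f"{category:>10}: {len(names):3d}  {', '.join(names)}")
```

The three lists map directly onto the audit's three counts (24 former-employee accounts, 9 unassigned accounts, 807 dormant accounts); an account can appear in more than one list, as carol does here, and each list is what a division director would sign off on or send back for removal.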
Risk Assessment Program
The DOR lacks a comprehensive risk assessment and management program. A risk assessment helps identify potential threats, vulnerabilities and weaknesses and determines what steps should be taken to prevent losses.
Browsing of Taxpayer Records
Although the DOR uses security controls to limit access to tax systems, management does not have procedures in place to monitor employee access to ensure only appropriate access to tax return information is occurring.
In the areas audited, the overall performance of this entity was Good.*
American Recovery and Reinvestment Act 2009 (Federal Stimulus)
Not applicable.
*The rating(s) cover only audited areas and do not reflect an opinion on the overall operation of the entity. Within that context, the rating scale indicates the following:
Excellent:
The audit results indicate this entity is very well managed. The report contains no findings. In addition, if applicable, prior recommendations have been implemented.
Good:
The audit results indicate this entity is well managed. The report contains few findings, and the entity has indicated most or all recommendations have already been, or will be, implemented. In addition, if applicable, many of the prior recommendations have been implemented.
Fair:
The audit results indicate this entity needs to improve operations in several areas. The report contains several findings, or one or more findings that require management's immediate attention, and/or the entity has indicated several recommendations will not be implemented. In addition, if applicable, several prior recommendations have not been implemented.
Poor:
The audit results indicate this entity needs to significantly improve operations. The report contains numerous findings that require management's immediate attention, and/or the entity has indicated most recommendations will not be implemented. In addition, if applicable, most prior recommendations have not been implemented.
Missouri State Auditor's Office
moaudit@auditor.mo.gov