Secretary of State Dennis Richardson, Audits Division, Director Kip Memmott
Report 2018–08
State of Oregon
Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement, February 2018
Secretary of State Audit Highlights, February 2018
Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement
Purpose
The purpose of our audit was to review and evaluate key application and general computer controls governing DOR’s GenTax system. We focused on personal income, withholding, and corporate income and excise tax programs.
Key Findings
1. GenTax controls ensure accurate input of tax return and payment information for personal income, withholding, and corporate income and excise tax programs. Additional processing and output controls provide further assurance that GenTax issues appropriate refunds and bills to taxpayers for taxes due.
2. Logical access controls are generally sufficient, but DOR needs to make improvements to ensure managers have enough information to request appropriate access. DOR should also ensure that access remains appropriate for users who change jobs and is removed for users who are terminated.
3. DOR monitors and tracks changes to GenTax to ensure system developers implement only approved program modifications, but better guidance is needed for testing procedures to ensure program modifications meet business needs.
4. DOR does not have sufficient assurance that it could timely restore GenTax in the event of a disaster or major disruption.
5. DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over servers at an external data center to provide additional assurance that Oregon data is secure.
Background
The Oregon Department of Revenue replaced its legacy tax systems with GenTax, an integrated tax processing software package. This system processed about $10.3 billion in payments and $1.2 billion in refunds for tax periods ending in 2016.
Report Highlights
The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance they could timely restore the system in the event of a disaster or major disruption.
Recommendations
The report includes 11 recommendations to DOR regarding needed improvements to logical access procedures, disaster recovery plans and tests, and independent assurance of controls over servers at an external data center.
DOR generally agreed with our recommendations. DOR’s response can be found at the end of the report.
About the Secretary of State Audits Division
The Oregon Constitution provides that the Secretary of State shall be, by virtue of his office, Auditor of Public Accounts. The Audits Division performs this duty. The division reports to the elected Secretary of State and is independent of other agencies within the Executive, Legislative, and Judicial branches of Oregon government. The division has constitutional authority to audit all state officers, agencies, boards, and commissions and oversees audits and financial reporting for local governments.
Audit Team
Will Garber, CGFM, MPA, Deputy Director
Teresa Furnish, CISA, Audit Manager
Erika Ungern, CISSP, CISA, Principal Auditor
Sherry Kurk, CISA, Staff Auditor
Sheila Faulkner, Staff Auditor
This report is intended to promote the best possible management of public resources. Copies may be obtained from:
website: sos.oregon.gov/audits
phone: 503‐986‐2255
mail: Oregon Audits Division 255 Capitol Street NE, Suite 500 Salem, Oregon 97310
We sincerely appreciate the courtesies and cooperation extended by officials and employees of the Oregon Department of Revenue during the course of this audit.
Report Number 2018‐08 February 2018 DOR GenTax IT Controls Page 1
Secretary of State Audit Report
Oregon Department of Revenue: GenTax Accurately Processes Tax Returns and Payments, but Logical Access and Disaster Recovery Procedures Need Improvement
Introduction
The Oregon Department of Revenue (DOR) designed and implemented controls in their GenTax system to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid from input through processing and output. Logical access controls and change management controls are generally sufficient, but some areas need improvement. In addition, existing controls ensure the creation of appropriate backup of GenTax system files, though DOR does not have assurance that they could timely restore the system in the event of a disaster or major disruption.
The Oregon Department of Revenue administers multiple tax programs
DOR administers over 30 tax programs, including the state’s personal income, withholding, and corporate income and excise tax programs.
[Chart: 2015‐2017 Revenues by Tax Program. Source: Oregon Department of Revenue 2015‐2017 budget]
DOR projected $18.5 billion total tax revenue for the 2015‐17 biennium. DOR transfers 91.4% of this revenue to the General Fund, 3.8% to counties, and 3.1% to other state agencies. The remaining revenue supports DOR operations. The tax revenue DOR collects is comprised of 83.8% personal income tax, 5.6% corporate taxes, 3.7% other employer and employee taxes, 2.0% cigarette taxes, and 4.9% from small programs such as inheritance taxes.
The GenTax system processes tax returns and payments
In 2013, DOR received initial project funding and approval for its Core System Replacement (CSR) project to implement GenTax, an integrated tax processing software package. GenTax replaced most of DOR’s legacy core systems, which were built on aging and obsolete software applications and databases from the 1980s. The total cost of the CSR project as reported in the 2017‐2019 Governor’s Budget was $78 million, including debt funding and preliminary planning phases.
GenTax, a web‐based, commercial, off‐the‐shelf product developed by FAST Enterprises, is used by 26 state revenue agencies nationwide, including Oregon. GenTax uses standardized core coding with configuration to meet individual state requirements.
DOR implemented GenTax in four major rollouts, with the fourth rollout completed in November 2017.
[Figure: GenTax rollouts. Source: Oregon Department of Revenue]
DOR personnel continue to work closely with contractors from FAST Enterprises to develop and configure the system to meet Oregon’s specific needs, as well as for production support. FAST Enterprises personnel will continue to provide on‐site operational support through November 2021, based on the current contract.
Other agencies are also involved with GenTax operation and use. The Department of Administrative Services’ (DAS) state data center houses the servers on which GenTax operates, and DAS employees perform activities such as batch monitoring, server administration, and execution of backup routines. Some employees from the Oregon Employment Department and the Department of Consumer and Business Services also have limited access to GenTax, as DOR receives Oregon Combined Payroll payments and then transfers the monies to tax programs at these other agencies.
Objective, Scope and Methodology
Our audit objectives were to determine whether information system controls at DOR governing the GenTax system provide reasonable assurance that:
- Selected tax program transaction data remain complete, accurate, and valid during input, processing, and output;
- System information is protected against unauthorized use, disclosure, modification, damage, or loss;
- Changes to computer code and configurations are managed to ensure integrity of the system and that only approved program modifications are implemented; and
- System files are appropriately backed up and can be timely restored in the event of a disaster or major disruption.
Our review of the GenTax application focused on the personal income, withholding, and corporate income and excise tax programs for tax periods ending in 2016. We reviewed input associated with tax returns and payments, and the processing and output activities associated with this data entry. Some tests of corporate taxes included tax periods during state fiscal year 2017, which ended on June 30, 2017. DOR implemented the withholding tax program in GenTax in November 2016, so most of our tests associated with withholding payments used converted data. Tests of refunds covered multiple tax periods. Together, the areas covered in this audit represented approximately 90% of the $10.3 billion in allocated payments and 98% of the $1.2 billion in refunds processed for tax periods ending in 2016.
We also reviewed logical access over the GenTax application and privileged access [1] to GenTax servers. For change management, we focused on maintenance changes to GenTax, as opposed to processes used for major project rollouts. Our review of backup and disaster recovery focused on procedures at DOR, not those of the DAS state data center, which executes backup routines for GenTax servers.
We assessed the reliability of GenTax data by reviewing documentation, evaluating high‐level controls over processes to update database tables, and interviewing agency and contractor officials about the data and system. We obtained access to a backup database containing relevant data tables and performed queries to extract data for testing. We evaluated information in specific tables against information in other tables to assess data completeness and accuracy. In addition, throughout our testing procedures, we compared the data against source documentation and GenTax data from the production environment, as applicable. We determined that the data were sufficiently reliable for the purposes of this audit report.
[1] DOR defines privileged access as any rights “elevated” beyond what the typical user receives, including administrative rights to servers.
We also conducted interviews with knowledgeable DOR staff and managers, observed processes and control procedures, and reviewed relevant policies and procedures. We also evaluated or tested:
- 1.9 million personal income tax returns for the 2016 tax year;
- 3.2 million W‐2 records submitted by employers for tax periods ending in 2016;
- 0.8 million 1099R records for tax periods ending in 2016;
- 3.3 million refund records for all tax periods in GenTax;
- 3.6 million payment records for tax periods ending in 2016;
- 60 corporate tax returns and associated payment and withholding records out of a population of 83,297 corporate tax accounts for tax periods ending between July 1, 2016 and June 30, 2017; and
- groups, functions and account information associated with 1,479 GenTax user accounts.
We used the ISACA publication “Control Objectives for Information and Related Technology” (COBIT), and the United States Government Accountability Office’s publication “Federal Information System Controls Audit Manual” (FISCAM) to identify generally accepted control objectives and practices for information systems.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained and reported provides a reasonable basis to achieve our audit objectives.
Audit Results: GenTax accurately processes tax returns and payments, but improvements are needed to strengthen logical access and disaster recovery procedures
DOR designed and implemented controls to provide reasonable assurance that tax return and payment information remains complete, accurate, and valid during input, processing, and output for the personal income, withholding, and corporate income and excise tax programs.
Logical access controls are generally sufficient to restrict GenTax access to appropriate users. However, we noted controls need strengthening to ensure managers have enough information to request appropriate access. Better controls are also needed to ensure ongoing access remains appropriate for users who change jobs and to ensure users who have left employment with DOR or with other entities have their access terminated timely.
Change management controls provide sufficient assurance that all program modifications receive approval prior to implementation. However, DOR needs to develop better guidance for testing procedures to ensure program modifications meet business needs and do not adversely affect other portions of the application.
Existing controls also ensure the creation of appropriate backups of GenTax system files. However, DOR does not have sufficient assurance that the system could be restored in a timely manner in the event of a disaster or major disruption.
Further, GenTax sends some taxpayer information to servers hosted at an external data center for fraud analysis. However, DOR has not obtained independent verification that the GenTax vendor has implemented appropriate controls over these servers to provide additional assurance that Oregon data is secure.
GenTax application controls ensure proper processing of tax returns and payments
Effective application controls include both manual and automated processes that ensure:
- Only complete, accurate, and valid information is entered into a computer system;
- Data integrity is maintained during processing; and
- System outputs conform to anticipated results.
We found the design and implementation of GenTax application controls provides reasonable assurance that tax return and payment information remains complete, accurate, and valid during input, processing, and output. We focused on the personal income, withholding, and corporate income and excise tax programs.
Input and interface routines provide reasonable assurance that information is complete and accurate
Input controls should be in place to provide reasonable assurance that all authorized source documents and input files are complete and accurate, properly accounted for, and transmitted in a timely manner for input into the computer system. For GenTax, such controls help ensure that tax returns and payments received are completely and accurately entered, and associated accounts are credited appropriately.
DOR receives tax returns and payments by mail or through electronic methods, with the majority sent electronically. DOR implemented controls to ensure the accurate entry for both types.
The mail processing center receives paper tax returns and sends them to other business units for manual data entry or scanning. Data entry primarily takes place through several intake systems, which then send the information to GenTax via interface files. To ensure the appropriate entry of return data, DOR employees double enter the data and perform batch balancing to ensure they entered all returns received. GenTax production control processes monitor interface files from intake systems to ensure appropriate receipt of all expected files.
For payments received by mail, taxpayers identify where to apply their payment through payment vouchers. DOR employees batch, image, and balance paper checks and cash through an intake system, which interfaces the information to the bank and to GenTax. DOR’s banking unit balances each batch to ensure accurate input occurred and reconciles bank deposits to GenTax. If taxpayers do not send payment vouchers with their paper payments, DOR’s miscellaneous cash unit performs research and creates manual vouchers to apply the payments to the appropriate accounts.
Electronic tax returns are primarily processed through the Modernized eFile system that runs through a gateway with the Internal Revenue Service (IRS). Taxpayers submit returns electronically through commercial tax software, which sends the information to the IRS gateway. The IRS packages this information and sends it to a location where GenTax web services retrieve, open, and validate the tax returns. GenTax sends an acknowledgment back to the IRS to indicate whether the return was accepted or rejected. The IRS then provides this information to the software vendor, which should notify taxpayers, who are responsible for correcting and resubmitting their return if it was rejected.
DOR mainly receives electronic payments through Automated Clearing House (ACH) payment processes. Taxpayers initiate ACH payments, which must include specific instructions on how to apply the payment. DOR controls these ACH payments primarily through interface monitoring and by requiring payment headers to meet accepted formats. GenTax rejects incorrectly formatted data. In addition, DOR performs monthly reconciliations between GenTax and Oregon State Treasury data to ensure that ACH and other payments match.
Automated processing routines accurately verify and edit returns and payments
DOR designed and implemented controls that provide reasonable assurance that GenTax corrects or identifies return and payment errors and routes them to employees to review and take action before further processing occurs.
Best practices indicate procedures should be established for data processing to help assure that data are processed completely and accurately, that data retains validity, and that appropriate data confidentiality is maintained during processing. Expected controls include applying edit and validation checks of data, suspending transactions with errors from further processing until corrected, and monitoring automated routines to ensure information is completely processed.
After receiving submitted returns and payments, GenTax validates the input, applies processing edits to ensure they meet expected formats and tax rules, and posts them to taxpayer accounts as needed. If GenTax identifies an error, different actions occur depending on the type of error encountered. For returns processing, GenTax automatically fixes some errors, such as math mistakes, and then continues processing the return. Other errors cause the return or payment to be suspended for review by DOR employees. GenTax places suspended items into work queues, which DOR managers use to set priorities and review whether suspended items are being resolved.
In addition, GenTax uses a series of risk rules to identify potentially fraudulent personal income tax returns. This process prevents a return from further processing until GenTax receives additional information that allows the return to pass the rules, or DOR employees manually release the return. This may delay the processing of refunds, but allows DOR to take actions such as verifying withholding or verifying the taxpayer’s identity.
Our tests of data showed GenTax appropriately processed tax returns. For example, we concluded GenTax:
- Appropriately calculated taxes due based on the taxable amount identified on the return or as adjusted from other return processing routines;
- Verified that deductions, credits, and exemptions for personal income tax returns were appropriately applied and for the correct amounts, including those for the standard deduction, personal exemptions, federal tax liability amount, earned income credits, and the correct use of standard or itemized deductions;
- Checked that dependent totals for personal income tax returns were appropriate and that those who were claimed as dependents did not in turn claim dependents on their tax return; and
- Applied math edits to ensure totals used to calculate taxes, refunds, and tax‐to‐pay were appropriate.
GenTax and DOR employees verify that withholding reported by taxpayers matches external records
We concluded that GenTax and DOR employees reasonably ensure income tax withholding claimed by personal income taxpayers on their tax returns matches withholding records submitted by employers.
Employers submit W‐2s and 1099s to DOR to report taxes withheld from their employees’ paychecks. When filing tax returns, personal income taxpayers report the amount of withholding and submit W‐2s and 1099s as support. GenTax performs matching routines to evaluate whether the claimed withholding matches what was reported by the employer. If GenTax cannot match the records according to business rules, the return is held until DOR receives additional information or a DOR employee manually releases it.
We confirmed the effectiveness of GenTax’s matching routines and DOR procedures to verify withholding manually by comparing W‐2s and 1099s submitted by employers to the withholding claimed by personal income taxpayers on their tax returns. Based on our review, we concluded that over 99.7% of personal income tax returns reported withholding that was adequately supported by W‐2s and 1099s.
During our testing, we identified 3,427 Form 40 returns, or 0.2% of these returns, representing only 0.04% of withholdings for these returns, where the taxpayer claimed no withholding, but W‐2 and 1099 records submitted by employers showed withholding for the taxpayer. DOR managers noted that GenTax was not configured to review withholding when the taxpayer does not claim it. As a result, these taxpayers did not receive credit for their withholding payments. According to DOR, taxpayers have the responsibility to file accurate tax returns. In these cases, the taxpayer made an error, and could amend their returns if made aware of the error. However, DOR does not issue any correspondence to taxpayers informing them that withholding existed that they did not report on their tax return.
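The matching routine described above, written out as an added illustration (it is not GenTax code or DOR's business rules): employer W-2/1099 records are totalled per taxpayer and compared with the withholding each return claims, and the case the audit identified, a return that claims no withholding while employer records show some, is surfaced as its own outcome rather than passing silently. The records, the rounding tolerance and the outcome names are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not DOR data). Employer-submitted W-2 / 1099 records:
# (taxpayer_id, form, amount withheld)
EMPLOYER_RECORDS = [
    ("T001", "W-2",    Decimal("1200.00")),
    ("T001", "1099-R", Decimal("300.00")),
    ("T002", "W-2",    Decimal("850.00")),
    ("T003", "W-2",    Decimal("400.00")),   # the return below claims no withholding
    ("T004", "W-2",    Decimal("100.00")),   # no return filed in this sample
]

# Withholding each taxpayer claimed on the filed return (taxpayer_id -> amount).
RETURNS = {
    "T001": Decimal("1500.00"),  # 1200 + 300: fully supported
    "T002": Decimal("1000.00"),  # exceeds the 850 employers reported
    "T003": Decimal("0.00"),     # claimed nothing although a W-2 shows 400
    "T005": Decimal("250.00"),   # no employer records at all
}


def total_reported(records):
    """Sum employer-reported withholding per taxpayer across all W-2/1099 records."""
    totals = defaultdict(Decimal)
    for taxpayer_id, _form, amount in records:
        totals[taxpayer_id] += amount
    return totals


def classify_return(claimed, reported, tolerance=Decimal("1.00")):
    """Outcome for one return.

    'supported' : claimed withholding is covered by employer records (within an
                  assumed rounding tolerance)
    'hold'      : claimed more than employers reported; suspend for review
    'unclaimed' : return claims none but employer records show withholding.
                  The audit notes GenTax was not configured to review this case
                  and no notice is sent, so it is surfaced separately here.
    """
    if claimed == 0 and reported > 0:
        return "unclaimed"
    if claimed <= reported + tolerance:
        return "supported"
    return "hold"


def match_withholding(returns, records, tolerance=Decimal("1.00")):
    """Run the matching routine over every filed return; returns {taxpayer_id: outcome}."""
    reported = total_reported(records)
    return {
        taxpayer_id: classify_return(claimed, reported.get(taxpayer_id, Decimal("0")), tolerance)
        for taxpayer_id, claimed in returns.items()
    }


def unclaimed_notices(outcomes):
    """Taxpayers who should be told that unreported withholding exists."""
    return sorted(t for t, outcome in outcomes.items() if outcome == "unclaimed")


def support_rate(outcomes):
    """Share of returns whose claimed withholding was supported by employer records."""
    supported = sum(1 for outcome in outcomes.values() if outcome == "supported")
    return supported / len(outcomes) if outcomes else 0.0


if __name__ == "__main__":
    outcomes = match_withholding(RETURNS, EMPLOYER_RECORDS)
    for taxpayer_id, outcome in sorted(outcomes.items()):
        print(taxpayer_id, outcome)
    print("notices:", unclaimed_notices(outcomes))
```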
Batch and interface monitoring ensure complete processing
GenTax processes nightly batches and interface files automatically and generates reports or alerts to identify errors. DOR has implemented controls to monitor and resolve batch and interface errors. These controls help ensure that errors are detected and resolved so that tax returns and payments are processed timely and accurately. While DOR has not been tracking resolution of all interface errors to ensure resolution and to identify repetitive errors, it has developed plans to begin this type of tracking.
During data processing, transactions may fail to process completely or accurately due to errors or inconsistencies in the data or system interruptions. To identify these instances, organizations should monitor batch processing and interfaces with other systems to ensure the receipt and processing of all transactions.
GenTax performs most processing during nightly batch processing [2] jobs. DOR established parameters for these batch processes, and production control at the DAS state data center executes and monitors them. If a batch process fails, GenTax generates an event record known as an intervention to log the process in error, the server on which it occurred, and when the error occurred. Depending on the business rules established for a particular error, the intervention may cause the entire processing cycle to stop, requiring manual action to resolve the error and restart processing. However, GenTax usually allows processing to continue without halting the processing cycle. DOR monitors interventions daily and assigns them to developers for investigation.
DOR also monitors interfaces into GenTax. GenTax produces a daily report that identifies each interface processed that day and identifies errors encountered, including personnel assigned to resolve the error. We concluded most interface failures occur because GenTax did not process a file, which can be appropriate if there were no records for the specific interface for that day. Interfaces that process but experience other errors generate interventions, which personnel track separately.
Most interventions are resolved quickly, but some require additional manual actions, and may require resolution of an underlying issue to prevent future reoccurrences. Our review found 97.5% of all interventions logged in GenTax were resolved within three days. At the time of our review, all the interventions still open were tracked on a spreadsheet, with most tied to open service tickets.
Our review of a selection of daily interface reports showed that management had assigned a developer or an analyst to review all identified missing files and errors. DOR has not been documenting resolution of missing interface files to ensure they were all resolved, but began planning to develop a process for this tracking at the end of our audit. Better documentation of interface errors could help identify possible patterns and ensure appropriate resolution for all missing files.
GenTax issued accurate refunds and bills for taxes due
GenTax controls provided sufficient assurance that taxpayers received accurate refunds. In addition, GenTax issued accurate bills for tax owed according to DOR’s business rules.
[2] Batch processing is the execution of a series of jobs in a computer system without manual intervention.
Based on the processing of payments and tax returns, GenTax automatically produces multiple outputs, including refunds and correspondence to taxpayers, such as notices to taxpayers who did not pay the full tax due. As part of this process, GenTax automatically calculates the amounts and any associated interest or penalties related to the refund or the billing.
We tested the billing process and concluded:
- Correspondence to taxpayers included accurate tax due and interest and penalty calculations;
- Correspondence to taxpayers was sent according to the expected schedule; and
- Bill stages for collections actions were started according to the expected schedule.
If the combination of returns and payments indicates a refund is due, GenTax automatically generates a refund record and applies a series of risk rules that determine the level of approval required for the refund to be processed. Most refunds are automatically approved, but higher‐risk refunds need approval by DOR employees through up to three levels of review.
Our testing of refunds showed:
- Refund amounts were appropriately calculated;
- All issued refunds were approved; and
- High‐risk refunds were approved at appropriate levels, per risk rules, and by different individuals at each level.
GenTax logical access controls are generally sufficient but could be improved
GenTax logical access controls are generally sufficient, but DOR should make improvements to ensure the enforcement of segregation of duties, that managers have sufficient information to request appropriate access, and that ongoing access remains appropriate for users who change jobs or is removed for terminated employees. In addition, DOR needs to monitor the actions of users with privileged access to GenTax servers.
Access to computer systems should be restricted to each user’s individual job requirements for viewing, adding, or altering information. Management should periodically review and confirm users’ access rights to ensure they remain appropriate. Users who no longer need access should have their access rights terminated timely. In addition, organizations should specifically monitor the actions of users with elevated access, such as security administrators, to provide additional accountability.
Logical access controls are generally sufficient for most access
GenTax logical access controls are generally sufficient to ensure users are uniquely identifiable and appropriately authenticated, and that most access is appropriate.
DOR’s procedures generally ensure that access is appropriately restricted and that actions taken tie back to a unique individual who performed that action. For example:
- Managers request access for their employees, which is then granted by a separate group of individuals;
- Unique usernames are used to allow users and their actions to be identified;
- GenTax access to the production environment is automatically disabled after 120 days of non‐use;
- GenTax maintains logs of user activities that may be reviewed if there are potential problems identified, such as a potential violation of privacy policies;
- GenTax automatically ends user sessions after a period of inactivity; and
- Users are locked out of GenTax after a specified number of failed login attempts.
Access and segregation of duties documentation needs improvement
As part of granting appropriate access, system owners should identify and prevent granting access to incompatible transactions. For example, the same user should not be able to create and approve a payment. In addition, those requesting access should have instructions to ensure they fully understand which access rights they are requesting.
GenTax uses role‐based logical access with 153 groups attached to one or more of 415 defined functions. Managers should request access for their users based on the groups as documented within GenTax.
We found the documentation for most groups provided general information about the types of actions available for use by someone in the group. Some generic groups allowed access to multiple view‐only functions that we concluded represented an appropriate description. However, the descriptions of a small number of groups did not identify the functions included in that group.
In addition, DOR managers indicated that they discussed segregation of duties considerations when developing the roles and groups to prevent the combination of incompatible duties. However, DOR did not develop documentation identifying incompatible roles.
We also noted managers varied in how they requested access. Some requested groups, while others specified functions or a general type of access without specifying group or function. While most functions allowing the ability to add or modify data were associated with only one group, some had multiple possible groups.
Without sufficient definition, documentation, and guidance to managers and access administrators, managers may inadvertently request access for users that exceeds what is required to perform job duties. In addition, without documentation of incompatible roles, managers may inadvertently request access to incompatible duties, resulting in improper segregation of duties.
Termination of access was not always timely
DOR has not adequately ensured that GenTax access ends promptly after employees leave DOR. Managers should request removal of access when employees leave, but DOR’s review process does not ensure that timely access termination occurs.
Organizations should remove the access rights of all employees, contractors, and third‐party users to system information upon termination of their employment, contract, or agreement. Failure to remove access timely increases the risk that inappropriate activity may occur.
When employees leave DOR, managers should request removal of GenTax access. Program coordinators review reports of terminated employees against a list of access requests to evaluate whether managers had requested access to be terminated. However, this process takes place approximately once per month, with no set schedule for the review. In addition, the review only evaluates requests, without verifying that access was removed.
In addition to access for DOR employees, DOR grants limited GenTax access to some employees from the Department of Consumer and Business Services (DCBS) and the Oregon Employment Department (OED). A DOR employee contacts these agencies monthly to ask whether users still require access. However, other external partners, such as DAS or FAST employees, also have access to GenTax, but DOR managers have no formal regular review process to ensure the access is still required.
We reviewed the logical access accounts of 162 users whose employment with DOR, DCBS, or OED had ended and evaluated whether their access was timely removed. We found 11 users retained their access for more than 31 days after termination, indicating managers did not always request timely removal of access, and the manual review processes were not effective.
We also found three DOR employees, two OED employees and one external vendor who no longer required access to GenTax retained active GenTax group access even though their accounts were disabled. While these users could no longer log in, not ending the group access could result in inappropriate access if the user were to regain GenTax access. For example, users may leave DOR and later return in a different role where their access should be more restricted. If employees responsible for setting up the renewed access do not notice that previous groups remain active, they may inadvertently grant excessive access.
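An added illustration of the two access-review checks the findings above call for; it is not DOR's procedure or GenTax's access model. It expands a toy group-to-function mapping (GenTax's real 153 groups and 415 functions are not reproduced), flags users whose combined groups grant an incompatible pair such as creating and approving a payment, and, for terminated users, flags logins still enabled more than 31 days after termination as well as disabled logins that still carry group membership. All groups, functions, accounts and dates are constructed.

```python
from datetime import date

# Constructed sample configuration (not DOR's GenTax groups or functions).
# The audit describes role-based access with groups attached to functions;
# this is a toy mapping in that shape.
GROUPS = {
    "PAY_ENTRY":   {"payment.create"},
    "PAY_APPROVE": {"payment.approve"},
    "VIEW_ONLY":   {"account.view"},
    "REFUND_L1":   {"refund.approve.l1"},
}

# Function pairs one person should not hold together. The audit's own example
# is creating and approving a payment; this list is the incompatible-role
# documentation the audit found DOR had not developed.
INCOMPATIBLE = [("payment.create", "payment.approve")]

# Constructed account records: username, whether the login is enabled, group
# memberships, and the date employment ended (None while still employed).
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "groups": {"PAY_ENTRY", "PAY_APPROVE"}, "terminated": None},
    {"user": "bob",   "enabled": True,  "groups": {"VIEW_ONLY"},                "terminated": date(2017, 9, 1)},
    {"user": "carol", "enabled": False, "groups": {"REFUND_L1"},                "terminated": date(2017, 8, 15)},
    {"user": "dave",  "enabled": True,  "groups": {"PAY_ENTRY"},                "terminated": date(2017, 10, 20)},
    {"user": "erin",  "enabled": False, "groups": set(),                        "terminated": date(2017, 7, 1)},
]
REVIEW_DATE = date(2017, 11, 1)  # constructed date on which the review is run


def functions_for(groups, group_map=GROUPS):
    """Expand a user's group memberships into the set of functions they grant."""
    funcs = set()
    for group in groups:
        funcs |= group_map.get(group, set())
    return funcs


def sod_conflicts(accounts, group_map=GROUPS, incompatible=INCOMPATIBLE):
    """Users whose combined groups grant both halves of an incompatible pair."""
    findings = []
    for acct in accounts:
        funcs = functions_for(acct["groups"], group_map)
        for a, b in incompatible:
            if a in funcs and b in funcs:
                findings.append((acct["user"], a, b))
    return findings


def stale_terminations(accounts, review_date, max_days=31):
    """The two termination findings from the audit, as (late, lingering):
    late      - terminated users whose login is still enabled after max_days
    lingering - disabled logins that still carry group membership, which would
                restore the old access if the account were ever re-enabled
    """
    late, lingering = [], []
    for acct in accounts:
        ended = acct["terminated"]
        if ended is None:
            continue
        if acct["enabled"] and (review_date - ended).days > max_days:
            late.append(acct["user"])
        if not acct["enabled"] and acct["groups"]:
            lingering.append(acct["user"])
    return late, lingering


if __name__ == "__main__":
    print("segregation-of-duties conflicts:", sod_conflicts(ACCOUNTS))
    late, lingering = stale_terminations(ACCOUNTS, REVIEW_DATE)
    print("enabled more than 31 days after termination:", late)
    print("disabled but groups still assigned:", lingering)
```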
Manager review of access is not formally required
DOR policy does not require managers to perform periodic reviews of access provided to users, and DOR does not have processes in place for managers to perform or document ad hoc reviews.
Best practices indicate that system owners should periodically review and confirm users’ access rights to ensure they remain appropriate.
Although DOR officials indicated that managers who request logical access to GenTax should periodically review the access provided, they have not developed written procedures for this review, and there is no requirement defined in the logical access policy. These weaknesses increase the risk that users will have more access to the system than they need to perform their duties, which could result in the compromise of the system or its data.
We evaluated access granted to users in eight groups that provided specialized abilities, such as the ability to approve refunds at different levels. There were 206 users with access to at least one of these groups. Of these, we found 19 users with inappropriate access for the user’s current role. Most of these were due to the user having changed positions without appropriate updates to their access. For others, the user had access to perform functions in GenTax that they did not routinely perform, and, when questioned, managers indicated the access was inappropriate and should be removed.
In addition, we specifically reviewed access to five GenTax groups provided to 10 business users assigned to the GenTax project team. Three of these users had the ability to add, delete, and modify, which was not required for their current role on the project team. This access appeared to be an artifact of the access they would have had in their business units prior to joining the project team. In addition, six members of the project team had virtually unlimited access to GenTax production functions, with the ability to perform actions such as approving high‐risk refunds. DOR management removed this ability when we identified this issue.
DOR does not monitor the activities of privileged users
DOR does not have a process to monitor the activity of GenTax privileged users. Privileged access enables an individual to take actions that may affect computing systems, network communication, system and user files, application data, and user accounts, including the creation and deletion of accounts.
Statewide information security standards indicate that agencies shall require servers to log security events.[3] In addition, controls should exist to monitor the use of sensitive or privileged accounts to ensure only approved actions occur.
[3] Security events include actions that could alter the security of a system, such as policy changes or the creation of an access group with elevated privileges.
Report Number 2018‐08 February 2018 DOR GenTax IT Controls Page 14
DOR follows procedures established by DAS to request privileged access to GenTax servers. This access has been granted to multiple personnel at DAS, as well as to individuals at DOR. Security personnel periodically monitor access assignments to the groups allowing privileged access to ensure they remain appropriate. Additionally, DOR managers reported they maintain logs of administrator activities.
However, there is no current process in place to monitor those logs. Failure to monitor the activities of privileged users increases the risk that unauthorized action may compromise GenTax and its data.
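The log monitoring the report says is missing, as an added example in Python that is not from the report, DOR or DAS: it reads constructed Windows Security log records (one JSON object per line) for the event IDs that correspond to the footnote's definition of a security event (4720 account created, 4726 account deleted, 4728 and 4732 member added to a group, 4719 audit policy changed) and raises alerts when the acting account is not on an approved administrator list, when no change ticket is referenced, when a privileged group gains a member, and when an account is created and deleted within a short window. The event IDs are the standard Windows ones; the administrator list, group names, ticket field and log lines are assumptions.

```python
"""Monitor privileged-account activity in Windows Security log records.

Added example; the log lines, administrator list and ticket field are
constructed. The event IDs are the standard Windows Security log IDs.
"""
import json
from datetime import datetime, timedelta

# Event IDs that match the report's notion of a security event: account
# creation and deletion, group membership changes, audit policy changes.
WATCHED_EVENTS = {
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4719: "system audit policy changed",
}
# Hypothetical names; any membership change here is always escalated.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "GenTaxServerAdmins"}
# Hypothetical list of accounts approved for server administration
# (the report says both DAS and DOR staff hold such access).
APPROVED_ADMINS = {"ops-admin1", "srv-admin2"}

# Constructed sample: one JSON record per line.
SAMPLE_LOG = """\
{"ts": "2018-01-10T09:12:01", "event_id": 4672, "subject": "ops-admin1", "target": "", "group": "", "ticket": ""}
{"ts": "2018-01-10T09:13:40", "event_id": 4719, "subject": "ops-admin1", "target": "gentax-app01", "group": "", "ticket": "CHG-1042"}
{"ts": "2018-01-10T22:05:12", "event_id": 4720, "subject": "srv-admin2", "target": "svc-report", "group": "", "ticket": ""}
{"ts": "2018-01-10T22:06:30", "event_id": 4732, "subject": "contractor7", "target": "svc-report", "group": "Administrators", "ticket": ""}
{"ts": "2018-01-11T03:41:09", "event_id": 4726, "subject": "srv-admin2", "target": "svc-report", "group": "", "ticket": "CHG-1050"}
"""


def monitor_privileged_activity(log_text, approved_admins=APPROVED_ADMINS,
                                short_lived=timedelta(hours=24)):
    """Return (events_reviewed, alerts); each alert is (severity, message)."""
    alerts = []
    created_at = {}          # account name -> creation time
    reviewed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        eid = ev["event_id"]
        if eid not in WATCHED_EVENTS:
            continue         # e.g. 4672 (privileged logon) is noise for this rule set
        reviewed += 1
        ts = datetime.fromisoformat(ev["ts"])
        who, target = ev["subject"], ev.get("target") or "-"
        where = f"{ev['ts']} {who}: {WATCHED_EVENTS[eid]} [{target}]"

        if who not in approved_admins:
            alerts.append(("HIGH", f"{where}: subject is not an approved administrator"))
        if not ev.get("ticket"):
            alerts.append(("MEDIUM", f"{where}: no change ticket referenced"))
        if eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("HIGH", f"{where}: added to privileged group {ev['group']}"))
        if eid == 4720:
            created_at[ev["target"]] = ts
        elif eid == 4726 and ev["target"] in created_at:
            age = ts - created_at[ev["target"]]
            if age <= short_lived:
                alerts.append(("HIGH", f"{where}: account lived only {age}; "
                                       "possible temporary backdoor"))
    return reviewed, alerts


if __name__ == "__main__":
    n, found = monitor_privileged_activity(SAMPLE_LOG)
    print(f"{n} security events reviewed, {len(found)} alerts")
    for severity, message in found:
        print(severity, message)
```

On the sample, four of the five records are security events; the audit-policy change by an approved administrator with a ticket produces nothing, the untracked account creation is flagged for its missing ticket, the group addition by an unapproved account produces three alerts, and the deletion a few hours after creation is flagged even though it was ticketed and performed by an approved administrator. That last rule is the one a periodic review of group membership cannot catch, since the account is already gone by the time anyone looks.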
Change management controls are generally strong, but better guidance is needed for testing
Controls are generally sufficient to ensure that developers implement only approved program modifications. However, DOR needs to provide additional guidance on testing procedures to ensure program modifications meet business needs and do not adversely affect other portions of the application.
DOR staff tracks changes and sufficiently controls software versions
DOR employees adequately track changes to GenTax computer code and use software to ensure different versions of computer code are controlled. This software ensures the same user who made the change cannot promote the software code to the production environment.
Organizations should have formal change management processes and procedures to handle all requests for changes to applications. These procedures should ensure that organizations evaluate, approve, and track requests prior to implementation, and then review them against planned outcomes following implementation. This mitigates the risk of instability or damage to data in the production environment by providing assurance that developers promote only approved changes to production.
DOR has implemented and documented controls to assess, track, and evaluate change requests, and how DOR will make corrections, changes, and enhancements to GenTax computer code. For example, DOR:
- Formally defined responsibilities for the GenTax business and support teams;
- Implemented a tracking tool to log and track all GenTax changes;
- Developed processes to document, review, prioritize and authorize new solution requests (SQRs) for impact and effort;
- Developed processes to evaluate and approve completed changes, including requirements to compare modified code to existing code;
- Developed processes to roll back and rework an SQR if there is a failure during any stage of change;
- Implemented automated controls which require at least two levels of approval prior to promoting the modified code to production; and
- Implemented automated controls to prevent the employee who developed the code from promoting it to production.
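The promotion gate the last two controls describe (two approval levels, and the developer cannot promote their own code), as an added example in Python that is not DOR's tool and not GenTax code: the two approval levels, the approver and developer names and the SQR identifiers are hypothetical. It adds one caveat a practitioner would want in such a gate: each approval is bound to a hash of the revision the approver actually reviewed, so an approval given on earlier code does not carry over to a later edit, and a developer who is also an approver cannot count their own sign-off.

```python
"""Promotion gate: two approval levels, no self-promotion, approvals bound
to the reviewed revision. Added example; names and SQR ids are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical approval levels; both must sign off before promotion.
REQUIRED_LEVELS = ("analyst", "manager")


@dataclass(frozen=True)
class Approval:
    approver: str
    level: str      # one of REQUIRED_LEVELS
    revision: str   # revision_of() of the code the approver actually reviewed


@dataclass
class ChangeRequest:
    sqr_id: str
    author: str
    code: bytes
    approvals: List[Approval]


def revision_of(code: bytes) -> str:
    """Content hash used as the revision identifier."""
    return hashlib.sha256(code).hexdigest()


def promotion_check(change: ChangeRequest, promoter: str) -> Tuple[bool, List[str]]:
    """Return (allowed, violations). Empty violations means promotion may proceed."""
    violations = []
    current = revision_of(change.code)

    # Rule 1: the developer of the code cannot be the one promoting it.
    if promoter == change.author:
        violations.append("promoter is the developer of the change")

    # Approvals only count for the exact revision being promoted.
    valid = [a for a in change.approvals if a.revision == current]
    stale = len(change.approvals) - len(valid)

    # Rule 2: the developer cannot supply one of the approvals either.
    if any(a.approver == change.author for a in valid):
        violations.append("developer approved their own change")
        valid = [a for a in valid if a.approver != change.author]

    # Rule 3: at least two distinct approvers covering every required level.
    levels = {a.level for a in valid}
    missing = [lvl for lvl in REQUIRED_LEVELS if lvl not in levels]
    if missing:
        msg = f"missing approval level(s): {', '.join(missing)}"
        if stale:
            msg += f" ({stale} approval(s) for an earlier revision ignored)"
        violations.append(msg)
    if len({a.approver for a in valid}) < 2:
        violations.append("fewer than two distinct approvers")
    return not violations, violations


def scenarios():
    """Constructed cases; returns {name: (allowed, violations)}."""
    old, new = b"calc_refund(v1)", b"calc_refund(v2)"
    r_old, r_new = revision_of(old), revision_of(new)
    ok = ChangeRequest("SQR-101", "dev1", new,
                       [Approval("ba1", "analyst", r_new), Approval("mgr1", "manager", r_new)])
    same_level = ChangeRequest("SQR-102", "dev1", new,
                               [Approval("ba1", "analyst", r_new), Approval("ba2", "analyst", r_new)])
    stale_cr = ChangeRequest("SQR-103", "dev1", new,
                             [Approval("ba1", "analyst", r_old), Approval("mgr1", "manager", r_new)])
    self_approved = ChangeRequest("SQR-104", "dev1", new,
                                  [Approval("dev1", "analyst", r_new), Approval("mgr1", "manager", r_new)])
    return {
        "approved":       promotion_check(ok, "release1"),
        "self_promotion": promotion_check(ok, "dev1"),
        "same_level":     promotion_check(same_level, "release1"),
        "stale_approval": promotion_check(stale_cr, "release1"),
        "self_approved":  promotion_check(self_approved, "release1"),
    }


if __name__ == "__main__":
    for name, (allowed, why) in scenarios().items():
        print(f"{name:15} {'PROMOTE' if allowed else 'BLOCK':8} {'; '.join(why)}")
```

Only the first scenario is allowed through. The stale-approval case is the one worth noting: the analyst did approve, but the developer edited the code afterwards, so the gate treats that approval as absent and reports why, rather than letting an approval for one revision authorize a different one.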
Documentation of test expectations needs improvement
DOR personnel responsible for ensuring code or system changes meet users' needs have minimal guidance on tests to perform and documentation requirements. As a result, it is sometimes unclear what tests DOR performed and whether they were sufficient to ensure the solution meets business needs.
Best practices indicate organizations should establish test plans that define roles, responsibilities, and success criteria. Such plans should consider the risk of system failure and implementation errors, and should include requirements for performance, stress, usability, pilot, and security testing.
DOR provides some guidance regarding testing of SQR changes. It includes general descriptions of the type of testing developers and business analysts should perform. The business analysts are responsible and accountable for reviewing each request, verifying the problem or enhancement, gathering business requirements, proposing or confirming a solution, developing and performing functional and user acceptance tests, maintaining and providing training, and coordinating legislative fiscal impact requests.
However, business analysts have little guidance or criteria to meet these responsibilities and ensure adequate testing and documentation occur. In particular, DOR has not developed standard test plan formats for routine changes, or specified the required level of documentation of tests performed and their results. We also noted inconsistencies in the level of documentation for change requests. We concluded this was partly due to the absence of documented guidance and standard plans and partly due to changes to the requirements associated with SQRs as DOR shifted focus from the project to operations.
Lack of guidance or criteria documenting the types of test plans required for different changes may result in changes not meeting the needs of the business users.
GenTax may not be timely or completely recovered in the event of a disaster
Controls are sufficient to ensure that DOR appropriately backs up GenTax system files. However, DOR does not have assurance that it could timely restore GenTax in the event of a disaster or major disruption.
Restoring computer applications after a disaster or serious disruption requires significant advance planning, coordination, and testing. This strategy should ensure the copying of all critical computer files to an off-site location as frequently as needed to meet business requirements. Organizations should also document disaster recovery procedures in a disaster recovery plan and periodically test the plan to ensure effectiveness.
DOR's GenTax servers reside at the DAS state data center. DAS and DOR share responsibility for recovering these systems in the event of a serious disruption.
We evaluated DOR's process for backing up GenTax, including backup frequency, notification for backup success or failure, recovery priority of business critical tasks, and whether or not backups are tested on a periodic basis. We found DOR has a process in place to ensure that GenTax system files are backed up locally and is verifying that required files are being backed up to off-site storage. However, DOR has not tested the process to restore the GenTax application and data files using the off-site backups.
In addition, we noted that DOR has not developed a disaster recovery plan for GenTax for incorporation into its agencywide business continuity plan. Because of this, DOR does not have assurance that it could restore the system and its data in the event of a major disruption or outage.
The lack of a disaster recovery plan is partially due to the status of GenTax as a new computer system for DOR. DOR was also in the process of updating its agencywide business continuity plan during the audit, as the existing version was created before GenTax was implemented. DOR indicated it was working on updating the plan to include GenTax.
DOR has not obtained independent assurance of FAST Data Services controls
DOR has not gained independent assurance that FAST Data Services has implemented appropriate controls over servers at an external data center housing Oregon personal income tax data.
Best practices indicate that when information is processed by external information systems, organizations should verify that required security controls on those external systems are appropriate. This verification can be achieved by third-party, independent assessments of those controls. Entities providing such assurance should be independent of the organizations whose controls are being assessed. We have noted this to be an emerging issue in many organizations using external entities to host or process their data. Currently, there are no DOR policies developed to address security requirements for this type of service.
As part of personal income tax return processing, DOR utilizes services provided by FAST Data Services, which, along with FAST Enterprises, is a subsidiary of FAST LP. GenTax sends encrypted Oregon personal income tax return data to servers at an external data center, where FAST Data Services analyzes the returns and assigns a risk score. FAST Data Services owns and maintains the servers. DOR did not obtain independent verification that the controls governing these servers are in place and functioning as designed.
DOR security professionals stated they discussed the security measures in place with FAST Data Services security personnel and were satisfied with the stated controls. DOR also obtained a memo from FAST Data Services that outlines what they reference as well-defined methods and best practices to ensure data is secure. Our review of this document did not reveal any weaknesses, and we saw no indication that the vendor has not implemented the stated controls. However, DOR did not request an independent security review to provide independent assurance that the internal controls and practices identified by the vendor function as intended. An independent review of the organization would provide additional assurance to DOR that Oregon data is secure.
Recommendations:
To improve application controls, we recommend DOR management:
1. Consider notifying taxpayers claiming no withholding if withholding records are found; and
2. Implement controls to track and analyze how interface file failures are resolved.
To strengthen logical access controls, we recommend DOR management:
3. Identify and document which GenTax roles should not be combined with others;
4. Fully document GenTax groups and functions and ensure managers have received instructions on how to request access;
5. Improve procedures to ensure user access is removed timely and completely when no longer needed;
6. Update policy to require periodic manager review of logical access granted to GenTax and develop a mechanism to enforce and document the review; and
7. Implement monitoring of logs to identify inappropriate activity taken by server administrators.
To strengthen change management procedures, we recommend management:
8. Develop more specific guidance for individuals testing system changes to ensure that all elements are appropriately considered.
To strengthen disaster recovery procedures, we recommend management:
9. Develop and maintain a written disaster recovery plan for GenTax; and
10. Periodically test backups stored off-site to ensure they can be used to restore GenTax fully in the event of a major disruption or outage.
To provide additional assurance that personal income tax data is protected, we recommend management:
11. Request an independent security review of controls over servers operated by FAST Data Services.