Department of Revenue
Information Technology Security Controls
Financial Audit Division Report 13-04
Released February 28, 2013
The Department of Revenue generally had adequate internal controls to ensure that it protected databases containing tax-related information from unauthorized modification and viewing and to ensure that changes made to GenTax and its supporting infrastructure were authorized. However, the department had the following internal control deficiencies:
- The Department of Revenue had not completed some elements of a comprehensive security plan for GenTax, as required by its standard.
- The Department of Revenue did not adequately monitor changes to GenTax and its supporting infrastructure to ensure they complied with the department’s plan.
- The Department of Revenue had not clearly documented expectations for its review of reports that tracked changes to or viewing of data within the database or changes to the database structure.
- The Department of Revenue had not implemented adequate controls to prevent and detect some inappropriate access to servers and databases supporting GenTax.
- The Department of Revenue had not finalized its documentation of security configuration baseline standards for infrastructure supporting GenTax.
Audit Objective and Scope
The audit objective was to determine whether the Department of Revenue had adequate information technology controls, as of November 2012, to protect databases containing taxpayer information from unauthorized modification or viewing and to ensure that changes made to GenTax and its supporting infrastructure were authorized.