Summary

Section 20.21(2)(g), Florida Statutes, provides that the Department of Revenue (Department) is responsible for tax processing, including receipts processing, tax returns processing, license registration, and taxpayer registration.  Among the systems used by the Department for tax processing are the System for Unified Taxation (SUNTAX) and the Imaging Management System (IMS). 

The Department integrated the administration of all taxes into SUNTAX, a single, unified tax system.  IMS is used by the Department as a front-end system to initiate the process of tax collection and tax return processing.

Our audit focused on evaluating selected information technology (IT) controls applicable to SUNTAX and IMS, including related interfaces with other systems during the period October 2008 through January 2009 and selected actions through February 5, 2009.  We also determined the status of corrective actions regarding prior audit findings disclosed in our report No. 2008‑097.  The results of our audit are summarized below:

Finding No. 1:         Contrary to Section 119.071(5)(a)2.a., Florida Statutes, the Department used employee social security numbers (SSNs) without specific authorization in law or without having established the imperative need to use the SSN for the performance of its duties and responsibilities as prescribed by law.

Finding No. 2:        As similarly noted in our report No. 2008-097, former employee and contractor access privileges in SUNTAX and the network had not been removed in a timely manner.

Finding No. 3:        We noted an instance where a user had inappropriate access privileges to SUNTAX.  In addition, as similarly noted in our report No. 2008-097, controls related to the authorization of IMS user access needed improvement.

Finding No. 4:        Certain user identifications (IDs) and passwords were being shared by Department employees.

Finding No. 5:        In addition to the matters discussed in Finding Nos. 1 through 4 and 10, certain Department security controls were deficient.  Some of the issues were also included in our report No. 2008‑097.

Finding No. 6:        As similarly noted in our report No. 2008-097, program change controls over SUNTAX and IMS needed improvement.

Finding No. 7:        The Department lacked effective procedures for addressing data errors generated during the load process of data into SUNTAX.

Finding No. 8:        A programming error existed within the approval process for compromise waivers.

Finding No. 9:        Off-site backup procedures needed improvement.

Finding No. 10:      The Department’s written IT procedures needed improvement.

Management's response is included in the report as Exhibit - A.