4.7.2  Security

Manual Transmittal

August 02, 2012

Purpose

(1) This transmits a revised IRM 4.7.2, Examination Returns Control System (ERCS), Security.

Material Changes

(1) Minor editorial changes have been made throughout this IRM. Also, website addresses and IRM references were reviewed and updated as necessary.

(2) This IRM has been revised throughout to provide clarifications and more in-depth discussions in all areas. Significant changes to this IRM are reflected in the table below:

Reference | Description
IRM 4.7.2.1 (2) - (4) | Added.
IRM 4.7.2.2 | IRM 4.7.2.2, Basic Principles of Security, was removed. It covered the basic principles of IRS security, which are covered in IRM 10.8.2.
IRM 4.7.2.2 | Added.
IRM 4.7.2.2.1 | Moved to IRM 4.7.2.3.1 and expanded.
IRM 4.7.2.3 | This section was removed. It discussed the Taxpayer Browsing Protection Act of 1997 (UNAX) which is covered in IRM 10.5 and IRM 10.8.
IRM 4.7.2.4 | This section and its sub-sections were removed. It discussed C2 Security. The current procedures for security are covered in IRM 10.8.
IRM 4.7.2.5.1 | This section was moved to IRM 4.7.2.2, revised and expanded.
IRM 4.7.2.5.1 (2) and (3) | Deleted. ERCS no longer uses paper Forms 5081.
IRM 4.7.2.5.2 (1) | Deleted. These procedures no longer apply.
IRM 4.7.2.5.2 (2) | Moved to IRM 4.7.2.2.1 (5), reworded and expanded to include other types of employees who may have ERCS access.
IRM 4.7.2.5.3 | Moved to IRM 4.7.2.2.4 and expanded.
IRM 4.7.2.5.4 (1) | Deleted. No added value.
IRM 4.7.2.5.4 (2) | Separated and moved to IRM 4.7.2.3.2 (5) and (9) and reworded.
IRM 4.7.2.5.4 (3) and (4) | Moved to IRM 4.7.2.3.2 (5).
IRM 4.7.2.5.5 | Deleted. With the addition of the SEID validation, dummy employee records can no longer be added.
IRM 4.7.2.6 | Removed and replaced with IRM 4.7.2.3.4.
IRM 4.7.2.7 | Removed and replaced with IRM 4.7.2.3.5.
IRM 4.7.2.8 | Removed and replaced with IRM 4.7.2.3.3.
IRM 4.7.3.1 | Added.
IRM 4.7.3.2 | Added.

Effect on Other Documents

IRM 4.7.2 dated October 1, 2003 is superseded.

Audience

All ERCS users in Large Business and International (LB&I), Small Business and Self Employed (SB/SE), and National Headquarters employees in Return Preparer Office, Whistleblower Office, and National Research Program.

Effective Date

(08-02-2012)

Karen Schiller
Director, Examination Planning and Delivery
Small Business/Self-Employed

4.7.2.1  (08-02-2012)
Overview

  1. This section discusses ERCS security and procedures for controlling ERCS access.

  2. All ERCS users and their managers should be familiar with this IRM to ensure they are aware of the system security features and the requirements for ERCS access.

  3. For security issues concerning record of tax enforcement results (ROTER) information, see the Section 1204 Website. IRM 1.5, Managing Statistics in a Balanced Measurement System Handbook, provides further guidelines for the appropriate use of statistics by managers and employees.

  4. All ERCS users should be familiar with the unauthorized access of taxpayer accounts (UNAX) requirements including the requirement to complete an annual UNAX certification.

4.7.2.2  (08-02-2012)
ERCS Access

  1. This section discusses the requirements for obtaining and maintaining access to ERCS programs and data including:

    • Meeting the prerequisites.

    • Choosing the Online 5081, Automated Information System User Registration / Change Request.

    • Completing the Online 5081.

    • Setting ERCS login names and passwords.

    • Maintaining ERCS passwords.

    • Requesting a change in login name.

4.7.2.2.1  (08-02-2012)
Meeting the Prerequisites

  1. A background check must be completed on the employee requesting ERCS access prior to approving his or her Online 5081 request. If the term of duty for the employee (including interns and volunteers) is not long enough for a background check to be completed, then he/she should not be given ERCS access.

  2. Employees must have completed a UNAX Briefing and UNAX Certification prior to being given access to ERCS data. The employee's manager is responsible for ensuring this has been completed prior to signing the Online 5081.

  3. Employees hired into a position requiring ERCS access are granted access on the approval of their managers and the Audit Information Management System (AIMS)/ERCS support staff. These positions include:

    • Exam group managers in LB&I and SB/SE and their clerical staff.

    • Territory Managers (TMs) and Area Directors in SB/SE and their clerical staff.

    • TMs, Directors of Field Operations (DFOs), and Industry Directors in LB&I and their clerical staff.

    • Planning and Special Programs (PSP) managers and selected members of their staff.

    • Technical Services (TS) managers and selected members of their staff.

    • Joint Committee Review (JCR) managers and their clerical staff.

    • Examination Quality Measurement Staff (EQMS) managers and their clerical staff.

    • Quality Measures and Analysis (QMA) managers and their clerical staff.

    • LB&I Quality Measurement System (LQMS) managers and their clerical staff.

    • Centralized Case Processing (CCP) managers and selected members of their staff.

    • Return Preparer's Office (RPO) managers and their clerical staff.

    • AIMS/ERCS support personnel.

    • Headquarters (HQ) ERCS analysts.

      Note:

      An employee detailed into a position above or temporarily acting for an employee in a position above may also be granted access for the duration of the detail or acting assignment.

  4. Interns, volunteers, and Co-operative Education students may be given ERCS access, if hired (or in the case of volunteers, accepted) for a position where ERCS access is required to accomplish their official duties.

  5. An employee may be granted access on the approval of his or her manager and the HQ ERCS analyst if there is justification that access is needed in order to perform the user's official duties. These employees include the following:

    • SB/SE and LB&I HQ analysts.

    • National Research Program (NRP) analysts.

    • Treasury Inspector General for Tax Administration (TIGTA) employees.

  6. Managers should ensure that their employees are only given ERCS access if their job requires it. Managers should also ensure access is removed timely when the employee no longer requires ERCS access to perform his or her job.

4.7.2.2.2  (08-02-2012)
Choosing the Online 5081

  1. To obtain access to ERCS, employees must complete an Online 5081. Employees may need to complete more than one Online 5081 for ERCS if permission is needed in more than one area or in both LB&I and SB/SE. If the employee requires more than one Online 5081 for ERCS, the first one should be submitted within the user's support area and the user should wait until given a login and password to the system before submitting additional requests. There is an exception for HQ analysts, NRP analysts, and TIGTA employees. Refer to IRM 4.7.2.2.2 (5) for Online 5081 procedures for these employees.

  2. ERCS users are supported by the AIMS/ERCS staff located in the user's local area or CCP campus, with the exception of employees in International Individual Compliance (IIC), Fraud/Bank Secrecy Act (BSA), RPO, and TIGTA. IIC, Fraud/BSA and RPO have their own AIMS/ERCS support staff, respectively. TIGTA employees are supported by the area or campus where their access has been granted. Refer to the AIMS-ERCS Personnel Listing by State for contact information.

  3. It is important to select the correct Online 5081 ERCS sub-application because each one is routed to the local AIMS/ERCS personnel for approval and the creation of the user's ERCS employee record and permissions. The following chart shows all the ERCS sub-applications for requesting ERCS access. Except for HQ analysts, NRP analysts and TIGTA employees, the following chart should be used to determine a user's initial Online 5081 selection for ERCS access.

    ERCS Online 5081 Sub-applications

    Online 5081 ERCS Sub-application | Location of User | Business Operating Division of User | Access needed for returns in
    ERCS-TCC-LB&I-OGDEN CCP | Ogden Campus | SB/SE - CCP | CCP in Ogden
    ERCS-TCC-SBSE-CINCY CCP | Cincinnati Campus | SB/SE - CCP | CCP in Cincinnati
    ERCS-TCC-SBSE-MEMPHIS CCP | Memphis Campus | SB/SE - CCP | CCP in Memphis
    ERCS-TCC-SBSE-AREA 201-NORTH ATLANTIC | Connecticut, Maine, Massachusetts, New Hampshire, New York, Rhode Island, Vermont | SB/SE | Area 201
    ERCS-TCC-SBSE-AREA 202-CENTRAL | Kentucky, Michigan, New Jersey, Ohio, Pennsylvania, West Virginia | SB/SE | Area 202
    ERCS-TCC-SBSE-AREA 203-SOUTH ATLANTIC | Delaware, District of Columbia, Florida, Maryland, North Carolina, South Carolina, Virginia | SB/SE | Area 203
    ERCS-TCC-SBSE-AREA 204-MIDWEST | Illinois, Indiana, Iowa, Kansas, Minnesota, Missouri, Nebraska, North Dakota, South Dakota, Wisconsin | SB/SE | Area 204
    ERCS-TCC-SBSE-AREA 205-GULF STATES | Alabama, Arkansas, Georgia, Louisiana, Mississippi, Oklahoma, Tennessee, Texas | SB/SE | Area 205
    ERCS-TCC-SBSE-AREA 206-WESTERN | Alaska, Arizona, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming | SB/SE | Area 206
    ERCS-TCC-SBSE-AREA 207-CALIFORNIA | California | SB/SE | Area 207
    ERCS-TCC-SBSE-AREA 212-EMPLOYMENT | Various | SB/SE - Employment Tax | Area 212
    ERCS-TCC-SBSE-AREA 213-ESTATE & GIFT | Various | SB/SE - Estate & Gift | Area 213
    ERCS-TCC-SBSE-AREA 214-EXCISE | Various | SB/SE - Excise | Area 214
    ERCS-TCC-SBSE-AREA 217 BSA/FRAUD | Various | SB/SE - Fraud/BSA | Area 217 (Fraud or BSA)
    ERCS-TCC-SBSE-AREA 218 RPO | Various | RPO | Area 218 (RPO)
    ERCS-TCC-LB&I 201-NORTH ATLANTIC | Connecticut, Maine, Massachusetts, New Hampshire, New York, Rhode Island, Vermont | LB&I | LB&I
    ERCS-TCC-LB&I 202-CENTRAL | Kentucky, Michigan, New Jersey, Ohio, Pennsylvania, West Virginia | LB&I | LB&I
    ERCS-TCC-LB&I 203-SOUTH ATLANTIC | Delaware, District of Columbia, Florida, Maryland, North Carolina, South Carolina, Virginia | LB&I | LB&I
    ERCS-TCC-LB&I 204-MIDWEST | Illinois, Indiana, Iowa, Kansas, Minnesota, Missouri, Nebraska, North Dakota, South Dakota, Wisconsin | LB&I | LB&I
    ERCS-TCC-LB&I 205-GULF STATES | Alabama, Arkansas, Georgia, Louisiana, Mississippi, Oklahoma, Tennessee, Texas | LB&I | LB&I
    ERCS-TCC-LB&I 206-WESTERN | Alaska, Arizona, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming | LB&I | LB&I
    ERCS-TCC-LB&I 207-CALIFORNIA | California | LB&I | LB&I
    ERCS-TCC-LB&I 315-INTERNATIONAL | Various (including Puerto Rico) | LB&I | Area 315 (International)

  4. Once a user has an ERCS login and password, if access is needed for another area or Business Operating Division (BOD), subsequent Online 5081s should be completed. Some examples where multiple Online 5081s may be needed are:

    • A SB/SE secretary in Area 201 backs up an LB&I group located in the same office during time input. The secretary would need an Online 5081 for ERCS-TCC-SBSE-AREA 201-NORTH ATLANTIC and ERCS-TCC-LB&I 201-NORTH ATLANTIC.

    • A TS employee assigns returns in Area 202, Excise, and LB&I. The employee would need an Online 5081 for ERCS-TCC-SBSE-AREA 202-CENTRAL, ERCS-TCC-SBSE-AREA 214-EXCISE, and ERCS-TCC-LB&I 202-CENTRAL.

  5. HQ analysts, NRP analysts and TIGTA employees must complete an Online 5081 for ERCS-TCC-HQ ANALYSTS (ERCS) prior to requesting any other ERCS Online 5081 sub-application. This ERCS sub-application is routed to the HQ ERCS analyst for approval. The HQ ERCS analyst will contact the employee to determine what level of access and permissions are needed, and then will inform the employee which subsequent Online 5081 ERCS sub-application to submit. The HQ analyst will alert the AIMS/ERCS support staff in the areas impacted, and let them know that ERCS access has been granted.

  6. Information for Online 5081 sub-applications for Statistical Sampling Inventory Validation (SSIVL), Discoverer and AIMS/ERCS personnel are discussed in IRM 4.7.10, AIMS/ERCS Staff. See AIMS, ERCS, SETTS, and Discoverer Personnel Listing for Headquarters for contact information for the HQ analysts who support these programs.

4.7.2.2.3  (08-02-2012)
Completing the Online 5081

  1. The Online 5081 for new users must contain sufficient information for the AIMS/ERCS analyst to add the employee's permissions on ERCS as this document serves as the official record of the user's approved level of access. The following information should be included in the Special Instructions Box, either by the employee or the employee's manager when the manager approves the request:

    1. AIMS Assignee Code (AAC) or AACs - The Primary Business Code (PBC), Secondary Business Code (SBC), and Employee Group Code (EGC) combination the user needs permission for in order to run reports, update records, apply time, etc. (These three codes make up the AIMS Assignee Code.)

    2. Permission type - The permission types consist of read, write, approval and second level approval. All users are given read permission. In general, clerical employees are given write permission, managers are given approval permission and TMs are given second level approval permission.

      Note:

      There are two situations where a TM may be required to approve work. One, a manager requisitions a return, transfers or closes a return generating an AMSOC, or updates the statute on a return. Two, an acting manager approving updates for the group, bumps a return in his or her inventory up to the TM for approval. (Acting managers cannot approve work if the return is in their own inventory.)

    3. User type - (Group, PSP, Review (Technical Services), Sample Review, CCP, Territory, DFO, Area, or Industry). The user type determines the menu options the user sees.

    4. Length of Access - If the user only needs temporary access, the end date should be noted on the Online 5081.

4.7.2.2.4  (08-02-2012)
Setting ERCS Login Names and Passwords

  1. Every ERCS user is given an eight-character login name consisting of the user's first initial, middle initial, first four characters of the last name and a two-digit location code. If the user does not have a middle name, an x is substituted. If the user's last name is shorter than four characters, the subsequent letters of the user's first name or the letter x can be used to make up the remaining characters. The location code is used to set the user's default printer group when the user is added to the system. The user may change the printer group via the Change Printer Group option from the ERCS Login Menu screen. The ERCS location codes used to set the login names and printer groups are listed below:

    ERCS Location Codes for Login Names and Printer Groups

    Location | Location Code
    Maine, Massachusetts, New Hampshire, Vermont | 04
    Connecticut, Rhode Island | 06
    Brooklyn, New York | 11
    Manhattan, New York | 13
    Upstate New York | 16
    Cincinnati Campus | 17
    New Jersey | 22
    Pennsylvania | 23
    Ogden Campus | 29
    Ohio | 31
    Southern California | 33
    Indiana | 35
    Illinois | 36
    Michigan | 38
    Iowa, Nebraska, Wisconsin | 39
    Minnesota, North Dakota, South Dakota | 41
    Kansas, Missouri | 43
    Memphis Campus | 49
    Delaware, Maryland | 52
    Virginia, West Virginia | 54
    North Carolina, South Carolina | 56
    Georgia | 58
    North Florida | 59
    Kentucky, Tennessee | 62
    South Florida | 65
    Alabama, Louisiana, Mississippi | 72
    Arkansas, Oklahoma | 73
    South Texas | 74
    North Texas | 75
    Houston, Texas | 76
    Central California | 77
    Colorado, Idaho, Montana, Utah, Wyoming | 84
    Arizona, Nevada, New Mexico | 86
    Alaska, Hawaii, Oregon, Washington | 91
    Northern California | 94
    Los Angeles | 95
    District of Columbia, Puerto Rico | 98

  2. Users are systemically prompted to change their password when accessing ERCS for the first time and after their password has been unlocked or reset by a system administrator. The system prompts users to change their password every 90 days thereafter.

  3. Passwords should be at least eight characters long and consist of at least one uppercase letter, one lowercase letter, one number and one special character. Most special characters are valid, but "@" or "#" cannot be used. The system may allow them when changing a password, but it will not allow them when logging on.

  4. Every user must log onto ERCS at least once every 45 days or his or her ERCS account will be locked. Once the user's ERCS account is locked, the user has an additional 15 days to contact the help desk, get the account unlocked and log into ERCS.

  5. If a user's account is locked for non-use and the user fails to take the necessary steps to get the account unlocked and log in before the 60 day period is up, the user will be removed from ERCS. To get re-instated, the user must submit an Online 5081 for delete and follow-up with an Online 5081 for add after the first Online 5081 has been processed.

  6. ERCS users are responsible for protecting their password. It should never be shared.
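
The login-name, password and inactivity rules in items 1 through 5 above, expressed as checks an access reviewer could run over an account list. This is an added example, not part of the IRM or of ERCS itself. The function names, lowercase login names, padding short last names with "x", treating ASCII punctuation as the special-character set, the exact day boundaries, and the sample accounts are all assumptions.

```python
import string
from datetime import date

# Assumption: "special character" means ASCII punctuation. The section only
# says most are valid and that "@" and "#" are rejected at logon.
FORBIDDEN = set("@#")
USABLE_SPECIALS = set(string.punctuation) - FORBIDDEN


def derive_login(first, middle, last, location_code):
    """Build the eight-character login name described in item 1."""
    if not (len(location_code) == 2 and location_code.isdigit()):
        raise ValueError("location code must be two digits")

    def letters(name):
        # Assumption: lowercase output; apostrophes, hyphens, spaces dropped.
        return "".join(c for c in name.lower() if c.isalpha())

    first, middle, last = letters(first), letters(middle), letters(last)
    if not first or not last:
        raise ValueError("first and last name are required")
    middle_initial = middle[0] if middle else "x"
    # Short last names: the section allows first-name letters or "x";
    # this sketch always pads with "x".
    last4 = last[:4].ljust(4, "x")
    return first[0] + middle_initial + last4 + location_code


def password_problems(password):
    """Return the item 3 rules a candidate password breaks (empty list = ok)."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.islower() for c in password):
        problems.append("no_lower")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in USABLE_SPECIALS for c in password):
        problems.append("no_special")
    # The change-password prompt may accept these, but logon will not,
    # so a reviewer should reject them up front.
    if any(c in FORBIDDEN for c in password):
        problems.append("forbidden_char")
    return problems


def account_state(last_login, today, failed_attempts=0):
    """Classify an account under items 4 and 5 plus the three-attempt lock."""
    idle_days = (today - last_login).days
    if idle_days > 60:   # lock went unresolved past the 60-day period
        return "removed"
    if idle_days > 45 or failed_attempts >= 3:
        return "locked"
    return "active"


def review(accounts, today):
    """Map each login name to its state as of `today`."""
    return {
        a["login"]: account_state(a["last_login"], today, a.get("failed", 0))
        for a in accounts
    }


# Constructed sample accounts, not real users.
SAMPLE_ACCOUNTS = [
    {"login": derive_login("Maria", "", "Ng", "94"), "last_login": date(2012, 7, 20)},
    {"login": derive_login("John", "Quincy", "O'Brien", "22"), "last_login": date(2012, 6, 15)},
    {"login": derive_login("Ann", "B", "Castillo", "75"), "last_login": date(2012, 6, 1)},
    {"login": derive_login("Lee", "T", "Park", "13"), "last_login": date(2012, 8, 1), "failed": 3},
]

if __name__ == "__main__":
    for login, state in review(SAMPLE_ACCOUNTS, date(2012, 8, 2)).items():
        print(login, state)
    for candidate in ("Tr1cky!pass", "Tr1cky@pass", "Ab1!#xyz"):
        print(candidate, password_problems(candidate))
```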

4.7.2.2.5  (08-02-2012)
Maintaining ERCS Passwords

  1. ERCS passwords are locked after three unsuccessful attempts to enter a password or after 45 days of non-use. Users have three options to get an ERCS locked or forgotten password reset.

    • Contact the Help Desk by phone at 866-7-HELP-4-U. Then press "2" for IT services. Then select "#" for password issues.

    • Submit an OS Get Services ticket. Select Report an Issue, then select "Passwords," and then select "ERCS."

    • Submit a Password Reset request via Online 5081. Users should select the ERCS Online 5081 sub-application from the area where the user is located. See the ERCS Online 5081 Sub-applications table in IRM 4.7.2.2.2 (3) for a list of ERCS sub-applications. Users should not select the Online 5081 sub-applications ERCS-TCC-HQ ANALYSTS or ERCS-TCC-AREA MNGRS, ANALYSTS, ASSTS to request a password reset. These Online 5081s are not routed to an ERCS system administrator. Only an ERCS system administrator can reset an ERCS password.

    Note:

    The quickest way to get an ERCS password reset is to contact the help desk either by phone or by submitting a ticket.

4.7.2.2.6  (08-02-2012)
Requesting a Change in Login Name

  1. When a user has a name change, it may be preferable to change the ERCS login name. However, a login name does not need to be changed if a user changes locations.

  2. A change in login name must be coordinated with the local AIMS/ERCS staff to minimize the user's downtime on ERCS. The preferred method to change a login name is to use the Modify option on the Online 5081 system. The Online 5081 will be associated with the user's new login name. The Online 5081 will be routed to the SA to change the ERCS system and to the local AIMS/ERCS staff to change the user's employee record and permissions. If the user has more than one Online 5081 for ERCS access, the local AIMS/ERCS analyst can advise the user if there is a need to submit more than one for the login name change.

4.7.2.3  (08-02-2012)
Security Features of ERCS

  1. In addition to numerous program validation and consistency checks to ensure the data is valid, ERCS security is assured by:

    1. Limited system and data access to ensure information is provided on a need-to-know basis.

    2. Audit trail generation and review of users' activities.

    3. Electronic managerial approval of certain actions.

  2. This section includes the following topics:

    • ERCS employee records.

    • Permissions.

    • Employee audit security.

    • Audit trails.

    • Audit trail review.

4.7.2.3.1  (08-02-2012)
ERCS Employee Records

  1. ERCS interfaces with the Corporate Authoritative Directory Service (CADS) to download employee information (Social Security Number (SSN) and Standard Employee Identifier (SEID)) into the ERCS database. Only data for SB/SE and LB&I employees is downloaded. When an employee record is added to ERCS, the user enters the employee's SEID. It is validated against the downloaded employee data from CADS. If a user is unable to add a new employee to ERCS because the employee's SEID is not accepted, the user should contact the local AIMS/ERCS staff for assistance. Refer to the AIMS-ERCS Personnel Listing by State for contact information.

    Note:

    Beginning in October 2012, employee information for RPO employees will be added to the CADS download.

  2. Employee records are usually added by the secretary in the group, but they can also be added by the manager or by a secretary in another group if the user has write permission for the AAC. Employee records can also be added by the local AIMS/ERCS staff.

  3. The information on the ERCS employee record should be entered accurately and completely. Any changes to the record should be updated as soon as they are known. ERCS employee data is used to:

    • Verify a user is authorized to access ERCS.

    • Determine if an employee is required to charge technical time.

    • Validate the employee's AAC during inventory assignment.

    • Determine if the employee should have access to the Managerial Approval menu option.

    • Determine if an employee's actions require managerial approval.

    • Protect an employee's tax return from unauthorized access.

    • Determine who should receive employee audit security alerts.

    • Determine if the employee's tax return can be audited in the area.

    • Create the ERCS audit trails.

  4. ERCS employee records should be inactivated when the employee leaves the Service or transfers within the Service to a non-ERCS position. The user should enter the inactivation date as the first day the employee is no longer an ERCS employee or user. The login name should not be removed from the ERCS employee record when an employee record is inactivated. It is a link to the ERCS audit trails.

  5. When an employee record is inactivated, the employee's permission records are updated to end on the employee's inactivation date.

  6. If an employee acts for his or her manager, the employee's permission records should be granted with a beginning date and an ending date covering the acting assignment. If the acting assignment ends early, the permission records should be deleted when the acting assignment is over, but the employee's employee record should remain active.

4.7.2.3.2  (08-02-2012)
Permissions

  1. ERCS uses a combination of access records, permission records, and programming to restrict a user's access to taxpayer and employee data to the lowest level while granting the user the access needed in order to perform his or her official duties.

  2. Access records are not needed in order to run the ERCS Main Menu.

  3. Access records for running the following menu options from the ERCS Login Menu are granted via Online 5081. These access records are added by the ERCS HQ analyst:

    • AIMS/ERCS Analyst Menu

    • Check Mail

    • AIMS Download

    • SETTS (Summary Examination Time Transmission System)

    • User Administration

    • Security

  4. Access records for SSIVL are granted via Online 5081 and are added by the SSIVL HQ analyst and the SSIVL coordinators. They give users the ability to run selected menu options from the ERCS Login Menu such as:

    • SSIVL

    • SSIVL for CCP

    • User Administration

  5. Permission records are added by the AIMS/ERCS staff. Managers can also delegate approval permissions for acting managers in the group as long as the acting manager has an active login and password to the system. Managers should delegate temporary approval permissions to a technical employee who is serving as an acting group manager. The approval permissions should only be as long as the acting assignment.

  6. Permission records determine what menu options are available to a user within the ERCS Main Menu. They also give users the ability to run reports, update employee records and returns, input time, and approve work.

  7. Permission records are granted to users based on user type and permission type. The nine user types include:

    • PSP

    • Group

    • Territory

    • DFO

    • Area/Industry

    • Review

    • Sample Review

    • CCP

    • Admin

  8. The Admin user type is given to the AIMS/ERCS staff. It allows the user to change user type to any type of user, thus allowing the AIMS/ERCS staff to support their end-users. For more information about the menu options available to each user type, see the Main Menu chapter of the ERCS Technical Reference Manual (TRM).

  9. The permission types are read, write, and first or second level managerial approval. Managerial approval can also be restricted so the user may only approve updates by return. Permissions records are based on AACs. For example, a group manager may be given read and first level approval permissions for the group's AAC. A CCP user in Memphis may be given read and write permission for returns in Memphis CCP.

  10. For more information about permission types, see the Utility Permission Programs chapter of the ERCS TRM.

  11. ERCS programs use the user's permission records with the ERCS national status code files to restrict access based on the status code on the return. For example, a group user may only update returns in a group status. CCP users may only update returns in a CCP status. See Document 6036 for a list of status codes used by examination.

  12. For permanent permission changes within the same area, the user is required to submit a Modify Application Profile request via the Online 5081. A temporary or emergency permission change within the same area may be granted by the user's AIMS/ERCS analyst. The request should be made by a manager via e-mail, memorandum (documentation to be determined locally), or Online 5081. For emergency permissions not covered in these instructions, contact the HQ ERCS analyst.

  13. If an employee is suspended from active duty, the manager should either input a delete Online 5081 for the employee's ERCS access or a modify Online 5081 to delete the employee's permissions during the time of the suspension.

4.7.2.3.3  (08-02-2012)
Employee Audit Security

  1. ERCS provides special security features for employee returns under audit. Alerts are generated when any of the following events occur:

    1. A user enters his or her SSN or the SSN of a spouse (if a joint return was filed).

    2. The source code on a return was changed to or from Source Code 46, Employee Returns.

    3. The "Employee Audit" indicator was toggled on a return.

    4. An unauthorized user attempted to access an employee audit return.

    5. The attempted addition of an employee audit return to ERCS for an employee who should not be audited in the area where the employee is located.

  2. Employee audit returns are not included on reports and screens if the user is not authorized to see the data. Users are not notified when an alert is generated.

  3. Not all alerts are an indication the user is doing something inappropriate. For example, alerts may be generated when a user accesses an employee audit return by taxpayer identification number (TIN), and the program finds one tax period assigned to the user and one tax period controlled in another group or function. Some alerts are an indication of inappropriate access, as when a user enters his or her own SSN.

  4. For more information about employee audit security features refer to the Security chapter of the ERCS TRM.

4.7.2.3.4  (08-02-2012)
Audit Trails

  1. An ERCS audit trail is a record of an event initiated by a user or program on the ERCS server. The event can be anything from execution of a program to accessing or changing data. Audit trails can be used to research when changes were made to data, and to determine who input or approved the changes. Audit trails can also detect potential unauthorized access or suspicious activities.

  2. ERCS captures audit trail information for the following events:

    • Addition or deletion of taxpayer records.

    • Modification and managerial approval for selected updates to return information.

    • Research of taxpayer records.

    • Addition of employee records.

    • Modification of selected employee information.

    • Addition, deletion or modification of ERCS permissions.

    • User access to the ERCS Main Menu.

    • Selected events regarding employee returns under audit.

  3. The event information captured in an ERCS audit trail includes, but is not limited to the following:

    • The time and date of the event.

    • The program or user identification.

    • The type of activity (add, update, research, etc.)

    • The data that was accessed or changed.

    • The program that was executed.

  4. Audit trail information may be accessed from special ERCS menus by AIMS/ERCS analysts, the HQ ERCS analyst, and designated system security officers. Managers should consult their local AIMS/ERCS staff for assistance if information from an ERCS audit trail is needed. TIGTA employees should consult the HQ ERCS analyst if ERCS audit trail information is needed. For more information about ERCS audit trails refer to the Read Audit Trails section of the Utility Miscellaneous Programs chapter of the ERCS TRM. For information about the responsibilities of the AIMS/ERCS staff regarding the ERCS audit trails, see IRM 4.7.10, Examination Returns Control System (ERCS), AIMS/ERCS Staff.

4.7.2.3.5  (08-02-2012)
Audit Trail Review

  1. All modernized systems are required to send their system and program audit trails to an audit trails tool for review. The Security Audit and Analysis System (SAAS) is an audit trails tool designed to meet the IRS’ audit trail needs for modernized computer systems that contain taxpayer data, like ERCS. SAAS aids the IRS and TIGTA in detecting potential unauthorized accesses to IRS systems.

  2. ERCS audit trails are scheduled to be sent to SAAS starting in January 2013.

  3. Security specialists from Cybersecurity are responsible for performing the review of audit trails sent to SAAS.

  4. Until the ERCS application audit trails are sent to SAAS, SB/SE Examination, as the business owner of ERCS, has the responsibility to perform weekly reviews of the ERCS audit trails and to report findings to the appropriate officials.

  5. Refer to IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities, for more information including actions to take for suspected security incidents.

