The Comptes Sindicatura has warned of the need to increase the controls of the Valencian Tax Agency (AVT) to avoid the loss of income due to the prescription of files, and also to improve security when granting privileges to access their systems IT, among other aspects that could put data security at risk. This is stated in the audit report of the tax body prepared by the Sindicatura and which indicates, however, that as a whole, “the existing level of control provides a reasonable level of confidence” to guarantee that the transactions and data related to the taxes managed by the Generalitat “are complete, exact, valid and comply with the regulations.”
Regarding the first aspect, the Sindicatura considers insufficient the controls carried out on the activity of the management centers to “mitigate risks such as the prescription of rights and non-compliance with deadlines”. Thus, it points out that the established mechanism is based on a 2010 circular that determines the need to carry out control lists on the files, but does not establish the need to systematically report these lists. A circular that he considers outdated. But, in addition, it also considers the controls implemented in the Tirant computer application to identify the files close to their prescription as insufficient.
On the other hand, the inspection body has also analyzed the security of the ATV’s computer systems, in which it has also found some security deficiencies. Specifically, the most important is that, in his opinion, the levels of access that Tirant users have to taxpayer data are not well defined to guarantee its integrity and confidentiality.
Thus, for example, it emphasizes that there are personnel from external companies that carry out development and maintenance tasks for applications that have the highest level of permissions, as well as some workers from the Agency itself who would not need such access. To this must be added some generic or personal access accounts that have been terminated. Circumstances that, according to the Sindicatura, “represent a high risk to data security and increase the probability of conflicts of segregation of duties, which in turn increases the risk of fraud.”
It is also alerted to the existence of programs with outdated versions, «which are outside the manufacturer’s support period, which increases the chances of a security incident. To this is added that the regulations on backup are still in the draft phase, or that the ATV «does not have a continuity plan, aimed at recovering its activity after the occurrence of a contingency that affects the normal course of its operations. operations”.
The director of the ATV, Sonia Díaz, pointed out that the tax body is already working on solving all the deficiencies of which the Comptes Syndicate alerts, with which they collaborated in carrying out the audit, as he stressed. In addition, he points out that some of the risks that are pointed out “do not even exist in practice.” Thus, for example, he assured that periodic controls are carried out on the files to avoid their prescription, although the 2010 circular on which they are based does not require them. He also recalled that external companies that work for the Agency sign a confidentiality contract, so he considers that there is no risk in data management either.
Even so, Díaz pointed out that from next year a “permanent audit of all the centers” will be implemented and a scorecard is also being prepared to monitor the 65 offices and see what is being done in real time “. In addition, an internal control planning document will be written to improve security. In this sense, Díaz acknowledged that several of these recommendations were already included in the 2019 audit report, but pointed out that the arrival of the pandemic made it necessary to prioritize other actions to facilitate telematic processing and to be able to maintain the service.
An entity still under construction
Sonia Díaz recalled yesterday that the Valencian Tax Agency was established at the beginning of 2019 and had to assume functions, such as the creation of its own IT department, which until then depended on other departments. In this sense, he stressed the effort that has been made in this time to improve all processes, but also pointed out that the Comptes Syndicate itself demands that the body be provided with more resources.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and tech crunch.