THE IRS IS COMING! THE IRS IS COMING! PREPARING FOR YOUR IRS AUDIT WITH OTHER STATE'S EXPERIENCE AND BEST PRACTICES

Hello everyone and welcome to our live web talk, The IRS is coming! The IRS is coming! Preparing for your IRS audit with other states' experiences and best practices. Thank you for joining us. At any time, you may adjust your audio using any computer volume settings that you have. On the right-hand side of your screen, you see a Q&A window. If you'd like to submit a question, type your question in the small text box at the bottom, and when you're finished, click the send button. You may do this at any time during our presentation. All questions that you submit are only seen by our presenters today. Questions will be responded to in the order in which they were received and will be addressed at the end of our presentation. However, please note that due to time constraints, our speakers may not respond to all the questions submitted. At this time, I'd also like all of you to notice on your screen that we are asking you to go ahead and interact with a polling question. So at this time what we'd like you to do is, if you are joining the web talk as a group from a site, please enter the number of people at your site into the box and click the submit button. I'll give everyone just a moment or two to do that. And again at this time we're giving everyone time to fill in their web talk site information. If you've just joined us and are joining the web talk as a group from a site, please enter the number of people at your site into the box and click on the submit button. We do appreciate all of our responses from our attendee sites. At this time I'd like to introduce Laura Roth, our moderator for today's web talk, and turn things over to her to get us started. So Laura, welcome.

Laura: Thank you, thank you very much. Good morning everyone, or good afternoon, whatever the case may be, and welcome to today's NCSEA web talk. The IRS is coming! The IRS is coming!
Preparing for your IRS audit and other states' experiences and best practices, also known as the 1075 IRS OCSE Safeguard Review. As the gentleman said, my name is Laura Roth, and I will be your moderator today. As a former Child-Support director, I experienced a number of IRS audits for both compliance and security. Now as a vendor, I help governmental agencies safeguard their data through technology with the help of my company. CGI, the company I work for, provides security and system compliance to our customers at all levels of government: federal, state and local. FTI security is a big, big business and evolves constantly, requiring governmental agencies and staff to stay on their toes and take notice of the experiences that others are having. Thus NCSEA felt that it was a timely opportunity to host a web talk on this important topic. Now we have a dynamic set of speakers for today's webcast, speakers who bring vast experience from different sides of the IRS process. As you know, experiencing an IRS audit is frightening, makes you anxious, causes you kind of the fear of the unknown. But the professionals that we have speaking today will share their stories, suggestions, and best practices to help you make your next experience with the IRS a better informed one. Our first speaker today is Scott Hale. Scott is the manager at OCSE responsible for federal collections, enforcement, and special matching programs, all the fun jobs. Scott has been involved in Child-Support for 25 years, including 19 years at OCSE. Scott is the lead at OCSE for IRS Safeguard and Disclosure. Today Scott will share with you what it looks like to have the audits that are conducted at OCSE, something I didn't know coming into this web talk preparation, that OCSE actually is audited as well, and he will also share with you what OCSE can do to provide states who are going through this process help and assistance. Scott will also be joined by the OCSE Senior Security Engineer, Derek Cullum.
And then next we will hear from Ashley Dexter, Deputy Director of the great state of Kansas. Ashley has been in Child Support for 15 years and oversees the audit and compliance processes in Kansas. Ashley will share Kansas's experience with the IRS audit, the prep her state does ahead of time, and how they have successfully reduced findings in her state through preparation for the audit itself and constant focus on compliance in between audits. Our third speaker is Scott Reese from my home state of Washington. Scott is the Chief of Information Technology at Washington State Department of Child Support Services. Scott has been in Child-Support for only two years, but as you will hear him explain, he has been involved in phases of the IRS audit for most of that time after spending many years in public assistance programs and the health benefit exchange, all programs with strict compliance and safeguard requirements. Scott will share kind of an IT perspective surrounding the IRS audit process and Washington state's progress in overcoming more than 400 findings. Now each speaker welcomes your questions. So please feel free to type them into the box here on the web talk screen. At the end of the presentation, we will go through them and get them answered for you. So without further ado, let's get started. Scott Hale from OCSE.

Scott Hale: Hi everyone. My name is Scott Hale. I am, as Laura said, I'm the manager for the federal collection and enforcement programs. I really appreciate the opportunity to talk to you about our audit from this year and what we learned and hopefully share some of our best practices and lessons learned that can help you in your future IRS audits. So the title here: The IRS is coming, the IRS is coming! We also included preparing for your IRS review before, during, and after. I thought about that. I'm like, well, preparing for your IRS audit, you're only preparing for it for a certain amount of time.
But anyone who's been involved with IRS audits knows that you're always preparing whether they're two months away, two years away, or they just left the building a week ago. So we thought that was sort of a way to get it out there that you're always preparing for an IRS audit. Joining me today here at OCSE is Derek Cullum. Derek Cullum is, as Laura mentioned, my senior security engineer. Derek's gonna chime in on a few of my slides that I'm going through here. So we'll talk to Derek here in just a second. Derek's also gonna try to keep me honest with my time so that I don't run into Ashley or Scott's time later on. So he will give me the hook if that's the case. Moving to the next slide. This is IRS OCSE Safeguard Review Overview. Our last review, as I mentioned, was this year, April 2017. Our previous one was April 2014. I think that's pretty consistent across the board as far as agency reviews, that they happen every three years. I will tell you I've been involved in this process for a long time. Seven, 10 years ago, there was some inconsistency in the safeguard review process where these audits were not necessarily being conducted every three years or reports were not being provided timely or as prescribed. I believe, at least in our observation here, that that has significantly improved in recent years and that we've noticed that the audit process and the scheduling, getting the reports, et cetera, all of that has improved significantly over the last few years as far as we've seen. So looking at this slide, the on-site evaluation of federal tax information and its use, that's what we're here to talk about. Looking at the tenets and the requirements to safeguard federal tax information in accordance with Publication 1075, Publication 1075 being our bible during audit time, and you're probably well aware of that.
Use the 1075 whenever you can because there's a lot, it is a very meaty document, but there's a lot of good information in there that will help you in preparation for your audit, in steps that you need to take after your audit, and all the reporting that's required. Make sure that you're using the version that is on IRS's website. It is the September 2016 version. If you go to IRS's website, you'll see it there. You can do a keyword search under Publication 1075. It will come up with an electronic purple cover. I will tell you that we are no longer in a position, or IRS is no longer sharing these as hard copies. I know in the years past, they shared this information as hard copy. That was really great to have, those nice shiny books and the binders, but we don't have those anymore. So we just have to pull it off the website and print what we can. Included in our review were secondary sources with federal tax information, which included access to SSA and our vendors. All of our data is housed at Social Security Administration, as you guys probably are aware. So Social Security Administration or SSA is a part of our review, as well as their storage providers, and people that are providing storage for SSA are part of our review as well. I was gonna say any questions, but I'm used to these interactive presentations. I know we'll take questions at the end. So, I apologize.

[NO AUDIO]
Slide: Our Key Teams Involved
- DC OCSE (Headquarters) – 5 security team staff, 7 federal managers and staff, 5 support staff
- Baltimore Data Facility – 5 operations staff
- Manassas Data Facility – 5 operations staff
- IV&V/Testing Team – 3 Data Quality staff
- SSA – 3 mainframe staff

Moving to the next slide, the key teams that were involved, there were quite a few teams that were involved. This doesn't even begin to illustrate how many people played a part. These were the critical staff.
These were the ones that were not allowed to take sick days during that audit process because we needed to make sure they were healthy and ready to go. They were integral to making sure that we had a successful audit. So I would say that a huge key for us is to ensure that you have the appropriate teams and members participating in the pre-audit calls, in the pre-audit discussions, in any of the pre-audit correspondence going back and forth, to make sure those key staff are involved. I'm mentioning this slide about making sure you have the appropriate teams involved because we did have a small issue with our review where one of our team members was not really identified as a key member until almost a couple weeks before the review started, before IRS came for the on-site. So again it's important to make sure that you prepare yourself and have all those key players involved early on in the process to reduce the number of surprises that you don't wanna see when they're on site. As it's stated in the Publication 1075, and I'm just gonna read it exactly as it is as far as sites are concerned, sites will be reviewed based on the federal tax information flow through the agency. So that can include field offices, consolidated data centers, on-site storage facilities, disaster recovery sites and contractor staff sites. So I think it's just important to understand the network of sites and facilities that might be involved in your audit. Moving on to the next slide, and this is document preparation. Anyone that has gone through an IRS review or has been part of an IRS review knows there's a tremendous amount of document preparation. It's alphabet soup.
There's so many acronyms to keep apprised of, and there is a lot of redundancy, meaning you might talk about something in January and then you have a follow-on call with the IRS in February or March in preparation for your review in April, and they're asking you the same questions, just different ways, or they may ask you the same exact question, but to different people. So we think, with the redundancy, and I can give you an example on our end, were data flow diagrams. We must have talked about them at least three or four times prior to our IRS audit. But then during the opening conference, we went through everything that we had done prior to that, as far as the data flow diagrams, we went through all of that again once IRS was on-site. So I would tell you that I don't think that you can be prepared, there's no such thing as over preparing, I guess, as far as we're concerned. I think there's so much document preparation, there's so much that's involved, but the preparation is incredibly important before they even step foot in the door. I'll ask Derek Cullum, he was involved in so many of these reports that we've put together, if he has anything to add on document preparation.

[NO AUDIO]
Slide: Document Preparation
- Preliminary Security Evaluation (PSE) – Provides information on IT infrastructure and flow of data through systems, Data Flow Diagrams
- Policy and procedures
- Safeguard Computer Security Evaluation Matrix (SCSEM)
- Safeguard Disclosure Security Evaluation Matrix (SDSEM)
- Nessus package
- Management, Operational and Technical Controls (MOT)
- On-site review and timeline

Derek: Not really, other than the fact that (clears throat), as you see, two of the documents specifically here are rather important. One of them is actually readily available on a, usually when they post updates to their website, you can always pull them, which is the SCSEM.
Those are basically kind of your technical bible, so to speak (clears throat), for what they're going to test against when they arrive for the audit. Again, as I said, those are posted on their website. You can do a keyword search in Google and pretty much pull up the various technologies that you may have in your environment that you can use that SCSEM to kind of prepare yourself with various configurations or document preparation before they arrive. So you get a little bit ahead of the curve there. The other thing also that you kinda get with this whole process is what they call Nessus switch. If you're not familiar with that, it's basically a vulnerability scanner that they're going to use when they come out to your facility, and more so your site, and run it against your technical infrastructure. So your IT folks will be really heavily involved in that process. As we'll go in some slides a little bit later, we had a little bit of a snafu with that, but we'll go into it with more detail as we move on.

Scott Hale: Thank you, Derek.

[NO AUDIO]
Slide: IRS/OCSE Safeguard Review Timeline
- December 2016 – IRS Engagement Letter
- March 6 – PSE/Data Flow call with IRS
- March 13 – Policy & Procedure checklist
- March 27 – Completed SDSEMs
- March 30 – Nessus Prep Package
- April 4 – Completed MOT SCSEMs
- April 4-6 & 11-12 – IRS On-site review
- April 14 – Preliminary Findings Report
- May 22/June 28 – Corrective Action Plan (CAP) and Safeguard Review Report (SRR)

So moving on to the next slide. This is a comprehensive review timeline: so how this process originates, where it starts with the IRS engagement letter which they send via email, to where it ends with us getting our Corrective Action Plan and Safeguard Review Report. So looking at this, it takes about six months, soup to nuts, from the time we get the engagement letter, to when we get that final Corrective Action Plan and the Safeguard Review Report at the end.
What's important here is with the IRS engagement letter, they sent us an email as well to identify or confirm who our point of contact was for our agency, and hopefully they're doing that with your reviews as well. It's really important to identify a singular point of contact with your agency so they have someone to correspond with, and to make sure that person is involved in every step of the way. So that actually went out on the same day as the IRS engagement letter. They both went out to us on December 19th, informing us about the audit that was coming up in April, or April 3rd. The engagement letter includes a lot of important information about sort of the process, what preliminary activities are going to take place, what types of document preparation are going to be required. Then it also gives us some time frames and who should be participating in these prelim calls even before the audit. So we found the IRS engagement letter to be very helpful, as well as the point of contact, to make sure that's identified early on. So moving on to the next slide. IRS physical security review: Identifying personnel with FTI access. The focus is on federal tax information flow from the time it's received until it's disposed. Record-keeping, secure storage, limited access, the training involved, internal inspections, reporting requirements, and the destruction of federal tax information, and the inspection walk-through of the locations, as well as the interviews with your staff. In our case, it was interviews with myself as a federal manager, with other federal managers that are part of OCSE, and our supporting teams, as well as contractor personnel. So anyone that's involved with the process where they are receiving or have access to federal tax information is a part of this process.
Again, I'm gonna reiterate, as far as identifying personnel with FTI access, it goes back to preparation and ensuring that you're doing as much preparation as possible before they even step foot in the building because you don't want any surprises when they get here and then you find out later that this person actually had access to federal tax information and you didn't realize it. You don't want those kinds of surprises. So wherever you can nip that before they even step foot in the building is ideal. IRS computer security review. I think Derek just talked about a few of these things, but the focus for us was on systems that receive, process, store, or transmit federal tax information, which included our Child Support Portal or what you might know as the OCSE Portal, Social Security Administration, as we talked about, since they're housing our data, and then HHS-owned equipment, and then the evaluating, testing procedures, as Derek mentioned: the SCSEMs, the testing with Nessus, and the MOTs, or the, help me out with that one, Derek.

Derek: It's management controls, with operational controls and technical controls.

Scott Hale: Management controls, yep, there you go. What Derek said. So that was pretty much inclusive of our computer security review. Moving on to the next slide. So this is a sample of our schedule. This is actually our schedule, but this was critical to the success of our review, to come up with a comprehensive schedule to make sure that our personnel that we needed in one place were able to participate in, say, an interview over here, that their time wasn't needed somewhere else in a completely different location.
So what this slide is to show you is what we put together as far as our schedule to make sure that the physical security part of the IRS team, where they were going to be, the IT security part of the IRS audit team, where they were going to be, and then who they were gonna meet with, and what types of areas they were gonna be looking at as part of that, and where they were gonna be looking at that, because we have one location, our main location near Washington, DC, but then we have our satellites in Baltimore, et cetera, spread about. So we wanted to make sure that we had everyone covered and that we weren't missing people for those critical areas. So I would tell you that putting together this schedule was hugely, hugely important for us. So best practices and lessons learned, to sort of sum this up. The pre-audit preparation and participation are key. Developing a comprehensive schedule and timeline, as we just talked about. Each on-site audit is different from the previous one that you had. So the one that we had in 2014 was very different from the one that we had in 2017; however, there were commonalities. There were things that we saw that were similar. There was information that we could take from that 2014 review that certainly helped us in our 2017 review. So we definitely encourage you to look at your previous experiences, even though they're not gonna be the same, but look at those as maybe a guideline to help you with some answers to your questions. Again, using and knowing the Publication 1075 and using the IRS Safeguards Program web link as your primary references. These are extremely important. Following your audit, after your audit is complete, you've done your closeout, you've gotten your report, it's very important to us that you stay on top of that post-review process. Create a team. What we did was we created a team to start looking at all those findings and look at the change requests that we need to create in order to remedy these findings.
We meet every couple of weeks to review this. It involves the IT. It involves the physical security. And then what we're putting in as far as compiling our CAP and compiling our Safeguard Review Report to get everything back to IRS in follow-up to our audit. If you have questions or you need clarification, contact us. Certainly we're here to help you. We do have a good relationship with members of the Safeguards Team at IRS. We may not always like their answers, but we certainly want to help you where we can. So if you have questions, need clarification, contact us. Our contact information is going to be on the last slide of my presentation. So moving to the next slide. Post-review, ongoing maintenance, and compliance. These are just things that are requirements that we need to do: The Safeguard Security Report, which is an annual report. The Corrective Action Plan is semi-annual. I would encourage you that even if your finding can't be completed or resolved, explain your progress and plan of action and make sure it's different. If you are moving forward with your plan of action from this six months to the next six months, indicate that in your report. The internal inspection reports for our headquarters, field offices, and data centers, which is every 18 months. Reviewing and updating the IRS SCSEMs every one to two years and checking the IRS website for updates. Although I'll tell you, once you receive that engagement letter and they provide you with the SCSEMs, or you talk in your prelim call about what SCSEMs you're going to use or what MOT templates you should be using, make sure that they adhere to that, that they're not gonna change them on you, 'cause that's a question you need to ask them because they will sometimes update those SCSEMs. You need to make sure if they do update those SCSEMs, that you're aware of it. And then IRS Publication 1075 updates.
These were just a few of the ones that I pointed out because they were updated in the September 2016 Publication 1075, but the background investigation and requirements, the contractor 45-day notification and the safeguarding contract language. The next slide is helpful resources. Again, just some information. IRS Safeguards Program webpage, great place to go to. SCSEM, FAQs, the Nessus scans, disclosure videos and updates. Child-support updates are on the webpage, although I will tell you there's a couple of links that are broken right now. We have notified IRS. I think they made some formatting changes to that particular page and there's a couple of broken links that are there, but we are working with them to get them fixed and hopefully they'll be fixed soon. You can also use our OCSE website. There's a lot of Child-Support correspondence related to IRS and safeguards that are on our OCSE website. We'll also keep you informed on our OCSE website if there are updates made to the Publication 1075, if they put out a new version. In the statute 26 USC 6103, specifically 6103 P as in Paul four, and (l)(6), (l)(8), and (l)(10). Those are the specific sections for Child Support and Safeguards. And then the IRS Safeguards mailbox, which is safeguardreports@irs.gov. If you have questions, if you're unclear on something, that's what we did. We had questions on several of our findings that we sent an email to the Safeguards mailbox, and they responded within a couple of weeks. They responded pretty quickly to us. So that's a place you can go to get answers to questions, or clarifications, et cetera. 
[NO AUDIO]
Slide: Contact Us
- Scott Hale, OCSE Collection, Enforcement, and Special Matching Programs Manager, Scott.Hale@acf.hhs.gov
- Danny Markley, OCSE Senior Security Analyst, Danny.Markley@acf.hhs.gov
- Derek Cullum, OCSE Senior Security Engineer, Derek.cullum@acf.hhs.gov

And then finally, as I mentioned, me or the OCSE security team, which if you look on the next slide, that is where you see our contact information for me, for Danny Markley, who's not here with us, but he's our senior security analyst, and his email, and then Derek who spoke a little earlier, our senior security engineer. So with that, I think I will turn it over to Ashley for her presentation.

Ashley: Okay, thank you Scott. I appreciate that. So as Laura mentioned in the beginning, my name is Ashley Dexter and I'm the Deputy Director here in the state of Kansas. So I'm going to be echoing a lot of what Scott said, but from the state's perspective here in Kansas. So my presentation is talking about best practices and proven strategies and sort of getting down to the nitty-gritty of exactly what all this entails. So, moving forward, the first thing that we realized here a few years ago, probably about six years ago, is when we had our, not our first IRS audit, but our first one where we had several findings, and we definitely realized that we needed to start making some changes and implement some best practices so that the subsequent audits could go a little bit better. So the first thing that we looked at was actually designating a position that's responsible for the IRS compliance and having an agency point of contact. So this isn't the full-time job of that position, but for probably three to six months prior to an actual audit, it somewhat becomes their full-time job just in all the preparation that takes place.
When I first became the agency point of contact for Child Support, I was actually what we called an automation manager, and this position was someone that basically coordinated between Child-Support Business and Child-Support IT. And then as I moved into the deputy director position, I still maintained the agency point of contact for CSS, but my staff that took over my previous position, who was also previously a business analyst, she has definitely stepped into that role as far as helping me with the preparation. But definitely it takes someone that has organizational skills, project-management type skills, because of all the coordination that occurs. But it also needs to be someone, in our opinion here in Kansas, that represents Child-Support Business because, ultimately, the business is responsible for safeguarding everything that we receive from the IRS. That person has that business knowledge, but then also has an understanding and involvement in or with the Child-Support IT process. So I don't necessarily know everything there is to know about IT. I've learned a lot through being the IRS point of contact, but you definitely need someone that has an idea at a high level of how the systems interface, how they talk to one another, how as a state we talk to OCSE, and then also how security access works: How is access granted? Who gets access? Are there security profiles that determine who can see what in your state Child-Support system? Are some things hard coded? Things like that that at a high level you're going to be asked about. As Scott mentioned, you wanna know who is looking at your stuff before they ever walk in the door and who has access. So, like I said, this position here in Kansas is ultimately responsible for all the submissions. So we do the Safeguard Security Report, the Corrective Action Plan, all the audit materials, the 45-day notices, internal inspections, the annual training materials, the fingerprint background checks.
All of those things run through that single point of contact to ensure that we are being fully compliant. So just to give you a little overview of Kansas, we were the first state to be fully privatized. So except for about 25 of us here in the administration office in Topeka, all of our Child-Support case load is handled by four different full-service vendors. We have a call center vendor and then our state disbursement unit is also run by a vendor. Our IT is a little bit different. There's about 10 state staff, and then there's some contract staff that are assigned to CSS and they do the work for us, but they don't directly report to us. They report to a statewide IT that handles all state agencies, not just the agency that Child Support's in, but they do work at our direction. So we still are ultimately responsible for coordinating with them and working with them. We are state administered here, so we don't have county-based programs. Like I said, we have four vendors that we have contracts with, but then we're also a judicial state. One other thing I will tell you about the vendors is that they all have their own IT staff for desktop support, networking, connectivity, on-site support, things like that. So although they connect to us to use our statewide Child-Support system, we don't have the ability to remote into their computers or do things like that to make sure that everything is set up correctly. So that also takes a lot of oversight and coordination between us, and our vendors, and their IT staff. So moving on. So, the nitty-gritty about the timeline. About six months prior, you're gonna find out the dates that they're coming. For us, the last few times, it's been in April, which is when my birthday is, and usually they're here on my birthday. So it's a great present for me (laughs) every three years. But anyway, it's usually always about the same time for us in April. We're probably the week or two right after OCSE.
So at that time, knowing from past experience that I know they're gonna be visiting offices close to our headquarters, that starts our mind thinking about which offices we wanna send them to so that we can focus our efforts on preparing staff in those offices. We start talking about this at our statewide management meetings that we have every month, at any trainings we have, unit meetings, on-site field training. Anything we have where we have contact with our field, management, and staff, we start talking about it to start getting people thinking. And then I mentioned how they'll, at least for us, they visited offices that are usually like within an hour. So that limits where I can send them here in Kansas 'cause we're spread out. So we don't have that many offices within an hour, but I have a few. So that way I know, I pretty much know every three years where my options are, and that helps keep us. They also always visit the SDU, the State Disbursement Unit, and here at the call center, and then the data center. So we know those are standards that they're gonna be coming to. So about three months prior, this is when I start getting contacted with the information and requests pertaining to the upcoming review. This is when they're going to start giving you the checklist of documentation, which I'll show you here in just a second, and everything that's on there. And then also they'll start scheduling the, we'll start talking about which locations we want them to visit. So then what we do is we start scheduling on-site reviews at those locations so we can start getting our staff prepared, so that we can actually do a review before they come and do a review. That is also part of when we do the Safeguard Disclosure Security Evaluation Matrix, which I'll show you here in just a minute as well, at least the front page of it. Like they mentioned earlier, you can go online and actually download that so you can start getting an idea of what questions they're gonna be asking.
But again we complete that on the field offices that they wanna visit, which is usually two, the call-center data center, the SDU. So then what we do is we actually go out to those offices and we go through the SDSEM with the site manager so they're aware of the kind of things the auditors are gonna be looking for and asking questions about. So this is when we'd start reserving conference rooms, workspace for the IRS, and start building the agenda, getting calendars blocked off for all the staff that will need to participate, any contractors, IT staff, data center, administration staff, SDU, call center. The other thing we wanna do is, as we start looking through the checklist, is we wanna make sure that everything we have is up-to-date with the Pub 1075. So like Scott mentioned, the last one was back in September of 2016. One of the big changes they made was exhibit seven language changed. Well, that changes, exhibit seven is the language that talks about contracts. Well, we're fully privatized. So for us, that was basically updating every single contract we have to get that new language because we wanted it done before they came in April because we knew that would be a finding. So we got that done. So taking a look at the list, and I realize that might be a little small, so I'll try to maybe read a couple items off here. The agenda and SDSEM we already talked about. But you as the agency point of contact actually build the agenda based on what they tell you they wanna see. So that is kinda nice though because you can, you can really be prepared as far as who will be where, when. But some of the things that they review are gonna be your tribal relationships, your appeal process, your locate process: interstate, intergovernmental, mail room, and then paper case files, or if you have imaging processes. As far as IT stuff, the backup tapes, data warehouse, data center, disaster recovery. 
If you have any off-site storage, they'll be looking at that, your SDU, and then of course your disposal process. They'll go to two different field offices, usually as long as time allows, the headquarters, if you have a new hire program that, like they say on here, may or may not have FTI quality assurance. Moving onto the next one. Then they're gonna want all of this stuff. Basically what we've done in Kansas is three years ago we started, and although this might be a ton of paper to print, I actually just started printing all of this out and organizing it into a big huge like three-inch three-ring binder. I don't know. It might actually be five inch. I can't even, it's so big (laughs). It is a ton of paper and the book is a nice arm workout to carry around for the week of the audit, but it really is worth every effort because what has happened in the last two audits when I started doing this was, sure enough, I sent all of this documentation 'cause you have to send all this documentation to them via email ahead of the audit. What always happens is that then they get here, and they, "Oh, did you send me that? Do I have that?," and you know you did, but they're doing these audits every week and I'm sure that they get mixed up. "Okay, was this Kansas, or was this when I was at OCSE, or was this when I was at California the week before?" I mean I'm sure these get confused in their minds, rightly so. So having that book right there with you, with all of this stuff printed out and organized by tabs and labeled, you can say, "Yep, I sent it to you, but here it is again. Let me show you, right here. Here's our password policy." Boom, "Right here is our visitor access log." Boom, "Right here is our policy on printing FTI," things like that. Whatever it might be, you've got it right there at your fingertips. 
So some of the things they're looking for are prints of all the screens which contain FTI: the email policy, the fax policy, badge policy, your incident and response policy, the training, confidentiality statements, documentation to verify everybody has had the training, internal inspection schedule, your internal inspection actual documentation, your visitor access logs, screen prints of the warning banner, all those things, and on and on it goes, which a lot of this is gonna be, it might be in your Child-Support business policy and procedure, but it also might be in your IT world. So it really takes coordination working with them, with IT, to make sure you get all this 'cause stuff like password policy, that's gonna be set by my agency's IT as a whole. So that's not specific to just to Child Support. So I can go to them and get that. That's an example, so then I have to go to them to get. The other thing they're gonna want is your SLA, your service level agreement with your data center. They're gonna want copies of all your contracts because they're looking to see that that exhibit seven language is in there. And so it is a ton of paperwork and it's a lot to organize, but I have just found in the last two audits that it is really beneficial to have that with you. So this is a screenshot of what the Safeguard Disclosure Security Evaluation Matrix looks like. At the bottom, I don't know if you guys can see, but first it wants to know about the FTI extracts. Those are all your interfaces and how you get FTI from OCSE and other various places, and then there's a tab for headquarters. I believe I made one for call center and then I made one for each of our field offices. This past year they did our Manhattan office and then our Topeka office, which is actually two different vendors. So we had two different contractors to work with, and then the data center and the off-site storage. 
There's questions on each of those tabs and it basically just walks you through the physical security of those offices. The next thing I've included is an example of the agenda that we had. This was our actual agenda this year. The big thing that I want to talk to you guys about on this is at the opening conference, the very first session, Scott mentioned that you guys have a data flow discussion, and that usually takes the majority of the time. A lesson learned for me this year was realizing exactly how in-depth that conversation is and that you have to make sure that all of the appropriate IT folks are there. I relied a little bit on some of my other IT management to get the right folks there and I just realized that now I know exactly who needs to be there in the future and I'll make sure those folks are there. You have to have your network and connectivity people there. They are the ones that are really going to be at the head of that conversation, talking about how, words like VPN, and firmware, and routers, and all this different stuff that most of Child-Support Business people are like, "What?" (laughs) That's why we need those people there, but then also obviously your state system folks that actually run your statewide Child Support system and do any maintenance and modifications to it. They need to be there, your security folks, all those tech people. So day one was kind of the opening conference, the data center. We met here at the administration office to talk through things like training and central registry. Day two was actual site visits to our call center, our Manhattan field office, and then our Topeka field office, and then our SDU. So that was a big day that we went all around Kansas for a little bit. This agenda, I do also wanna specify, is specific to the physical review. Scott showed you earlier, I think what I saw on his, was there's also a whole separate IT schedule, and I'll talk to you a little bit later about that in the lesson learned. 
And then of course the last day is just back at the administration, if there's any final things here needed. Usually that morning, they're gonna be preparing, they're gonna be pretty much done, finishing up their preliminary report to present at the closing conference, and that's where you hopefully get the majority of any major findings to where then you can not be surprised when you actually get the final report. So, preparation. We talked about setting up a shared drive folder location that's specific just for the documentation needed for that year's audit, both business and IT staff have access to, to save stuff. I already talked to you guys about printing out all of the information and putting it in the book. Like I said, it saved us on several findings to be able to point that out right then and there when the question was asked. Moving on to about one month prior, we schedule visits with each of the locations that they're gonna be visiting so that we can start quizzing fast and we can start preparing them. We give them an overview of why the IRS conducts these audits, a general idea of how it will go, make sure they understand they need to have their badges on, they need to be visible, any visitors that come in on that day, including the IRS, need to sign in, and then we quiz the staff. So just in our experience, some of these questions are the ones that we've gotten the most often: Do you take training? How often? What's the penalty for release? Do you conduct the inspections? Do you get paper FTI? And how often do you review access logs? That was a new one this year that we ended up getting a couple findings for because it used to be quarterly and now it's monthly. So heads up on that one, to say monthly (laughs). But basically we try to make sure our staff understand that we collect millions of dollars through the offset program for kiddos and we just wanna be able to keep that ability. So we don't want them to be scared. 
We don't want them to think they're gonna say the wrong thing, but it's okay to say I don't know, or I'm not sure, or I would go ask my supervisor, instead of trying to make up some answer that might not be the right one. So, anyway. Then about one month prior, they start scheduling the PSE calls. These are more of the technical calls. Now as the agency point of contact, I sat in on these calls. I know in the past that, that was another lesson learned, is that we sometimes left this to our IT folks to just handle, but really, it's important to have the business side because the business knows how it all comes out in the end at the user level. And especially here where we're privatized, some of my state IT, they know how we connect, but then they may not always know the final, how it then manifests at the actual vendor location with their IT and their staff because they're not as directly involved. Those calls are extremely technical, and these are usually with the technical reviewers, which are folks from a company called Booz Allen Hamilton. They are a contractor that the IRS uses to do the technical piece. And so, you definitely need your IT staff on those calls to understand the network infrastructure, the data flow, and then the hardware inventory specifications. Three weeks prior, we had the Nessus prep calls, that's again, that Nessus is that vulnerability scanning tool that we talked about earlier. This is what the IRS uses. I think in there I copy-pasted some of what was from the IRS website just so you guys could see what that actually is talking about, but it's some of the security of the systems that store, process, transmit, or receive federal tax information. And then I put the link in there as well that you can actually go get the audit files. So again, getting prepared ahead of time, running scans yourself ahead of time can help you with that so you won't have any surprises. So then they send the on-site review package. 
It includes all their tools, the prep package, Safeguard Computer Security Evaluation Matrix, the MOT. This is where you need again those system administrators, application owners, network engineers for each technology are vital to this side of the review. For us, we have a statewide information security officer, and they took the lead in coordinating that side of the review. Here's where I talked about the business side with the IRS physical safeguards reviewer and then the IT side with the Booz Allen Hamilton IT team. So you wanna make sure that you've received both finalized schedules and that you've coordinated with everyone so people are where they're supposed to be. That was a lesson learned for us is that we never got the finalized IT schedule. So they came and I had to scramble. Luckily, I have great people here that I already blocked off all their calendars, but I didn't know exactly when and where. So because their calendars were already blocked off for the whole time, they at least knew that they were ready to be very flexible that week. And so again that's why you need to have a CSS or Child Support IT person that will also help take that lead on coordinating the IT review because for the physical review, I as a business person, an agency point of contact went with the IRS physical reviewer. So you want somebody who's on-site with the IT reviewers. At the closing conference of the audit week, you'll receive the preliminary findings reports and any criticals you have to respond to within a week. Usually you're gonna know those as soon as they see them. They usually will point them out right away, like, "Yep, that's probably gonna be a critical." So again, they're not trying to give you surprises. So two months after the audit, about then, you get the Safeguard Review Report and your Corrective Action Plan. Then I will distribute those findings to each of our entities and determine the method for responding. 
So all those responses come to me as a point of contact, and then I save all those into our CAP, and then I submit them to the IRS by our deadline. In Kansas, our deadlines are April and October. So we have one coming up here in just a week or two. And then it's my responsibility to ensure that all the findings are responded to. Again, like what was said earlier, even if you don't have it resolved, having something like a plan, we're working on it, something is what they wanna see. Then finally, just take a deep breath because you survived (laughs) and just know that everyone has findings. The IRS themselves, they're not 100% compliant because, I mean if you were 100% compliant, you probably couldn't even turn on your computer. So it's really finding what is your 100%, and that may be 70, that may be 80, it may be 60, who knows? But that's kind of a nice little thing to have at the back of your mind. So here's the lesson learned, I talked a little bit already about the IT schedule. I talked about how your point of contact really needs to understand both business and IT processes at a high level so that you can know how those things interact with each other and you start discussing it early to get staff prepared. For us, a few specific things, we got rid of any and all paper FTI. We don't print. The only thing that we get is the IRS offset notices that are undeliverable and we have them all returned here to the administration office so that we have one location for those to be handled so that we can really control how they're handled. We also don't save the IRS address to our system to then send the postmaster letter. We have a policy that states we verify that a different way, then we'll send our verification. We found anyway that usually that address is something we already had anyway or we got the more recent one anyway. But that was another change that we made. We use their logs. There's no reason to reinvent the wheel. 
They have the sample logs right there in the Pub 1075. So why not just use them? The most important is just showing them that you care and you are trying to meet compliance and that you submit your reports timely. Really that's the lesson that we learned is that as long as we're showing that we're actively engaged and working on it, we seem to be just fine. So about six years ago, we had over 100 findings that didn't even include the section H findings of IT, which was probably another 200 or 300. Three years ago, when the previous findings were being addressed and the preparations listed in this presentation were initiated, we got over 100 down to 13. This year we had three, and one of which is held in abeyance regarding disclosure to contractors. So to me that doesn't really count. We had two (laughs). [NO AUDIO]

Questions? Contact information: Ashley Dexter, Deputy IV-D Director, Kansas Child Support Services, Ashley.Dexter@ks.gov, 785-213-5955

But anyway, so my contact information is up there. Definitely if any states ever or anybody has any questions or want some advice, there's my information. I'm happy to talk with you. With that, I will hand it over to Scott Reese. Scott Reese: Thank you Ashley and (clears throat) hello from bluhs-free Pacific Northwest. As Ashley, as Laura mentioned at the beginning of the conference, I'm the IT Chief for the Division of Child Support. My presentation is more of a look back at our experiences, and there's a slide at the end with some lessons learned, but you'll probably note that there'll be some lessons for you that are particular to your agency as we move through this. I'll start with a little background information. Our system, it's a legacy system. It's born from a 30-year-old green screen system with mainframe, I won't go too much into the details, but there's been lots and lots of modernization throughout the years. 
The green screens aren't visible to the users anymore, but we still have a lot of that system existing on that mainframe, in addition to a number of servers, a variety of technologies that we support and it's all in-house development. While we've got contractors that support other parts of our systems, and certainly other agencies, but the development was all done in-house and the system's still rock solid and does what users need it to do, but certainly there's a lot of moving pieces and a lot of balls in the air at any one point. Our last regular safeguard audit was in October of 2014. We had over 400 findings at that point, and 10 of them were critical, with the rest of them spread out between the other ratings, which are significant, moderate and limited. But when I came on a couple of years ago, we were in the process of moving our architecture from our state data center for a variety of reasons. We had to move our mainframe system out of our state data center in Olympia and find a vendor that would house that externally. So again there are a variety of reasons for that as an enterprise service provided by our state IT organization. We were the only agency that was using that mainframe. So with retirement coming up, they took the Unisys mainframe, which is what we have, out of their roadmap. So we had to find another way to house that. So we went out for a contract and we eventually landed on Unisys. And so we now have our mainframes in Salt Lake City, Utah and Eagan, Minnesota, all of that to say we weren't working on some of the audit findings that we had because we were in the middle of this other project. So whether lack of progress on those findings or because we had a new vendor housing our mainframe, which certainly has a lot of IRS data on it, the IRS sent us a letter the first part of August, saying that they were gonna come in a few weeks and do a special risk audit. 
If you're looking at the timeframe there, we went live with the new mainframe in September of 2016. So about a couple of weeks before that, we had the IRS on site doing an audit. So the timing wasn't good from our perspective, but we certainly rolled with it (laughs). So when they came in, as Ashley mentioned, Booz Allen Hamilton is their contact as a contractor. So they came on board and watched our, did their review. It was a new audit essentially with the audit findings. They did not do the MOT. They just did the technical and it was relatively new for the IRS. I think we were the first state, we were lucky enough to be the first state with the special risk audit. So while they gave us a full list of audit findings, they boiled it down to a letter that said we had to get, five new critical findings complete with set timeline at risk of losing our offset funding, which for the state of Washington was roughly $43 million, which is obviously huge for us. Even though they gave us that letter, I will say the IRS was very open to the discussion, and as Ashley said, if you implemented all of the findings, you probably couldn't turn your computer on. That's absolutely true. So I think even while the exit interview was stern, we understood what we had to do in front of us. We also understood from the IRS that they know we had a lot of work to do and essentially said they're willing to work with us to make sure that we're moving forward, but still meeting our timelines. So we had five organizations involved in this. We had of course ourselves, the Division Of Child Support, the Department of Social and Health Services, which is our enterprise health and human services organization. It also has foster care, juvenile rehabilitation, and of course 10F food assistance. We had the WaTech, which is the state IT that housed our Unisys mainframe. They're certainly still players, even though we moved out of there with the mainframe. 
We have a lot of our infrastructure still there, including most of our communication technology that are there. So that's still housed there. Unisys was a player in this audit even though we weren't in production yet. They (clears throat) had production data on their system because we were in the process of converting. We had a lot of our data already on their system in anticipation of turning it on, the first week of September. So they went out to those sites, as well as, so they went to, IRS came here in Olympia. They went to Eagan, Minnesota. They went to Salt Lake City, Utah to test our new relationship with Unisys (laughs). Luckily when we went through contract negotiations, we were very clear that the IRS had the ability to come on site at any point and we also stipulated that we, as the state, as the agency that was paying the bill, had the opportunity to come on site at any time as well. We also included the IRS 1075 language that Ashley mentioned in the contract. So everybody was on the same page. We even talked about anticipation of the background checks that Scott mentioned early on. So we talked about that even though at that time, when we were going through contract negotiations, it hadn't been finalized yet, but we still gave them a heads up, saying, "These were coming, and they apply to vendors as well." The due date on each of our findings varied. The IRS and Booz Allen Hamilton were very, they took into consideration the different times it was gonna take to get this work done. They really understood the things that we could do in a short period of time versus those things that were gonna take us quite a bit longer. They demonstrated a really good understanding of our environment and considered the fact that we were gonna be working with multiple agencies and some of it was not going to be in our hands, but we were gonna have to work that through executive management and executive sponsorship. 
But at the time we got the letter, we really thought all of the time frames they put down were doable. It didn't turn out to be the case, but at that time when we sat down and talked to them, we really felt pretty good about the relationship we had and we thought that we could get the work done. We broke (clears throat) each of the findings, each of those five findings, we tracked that in a different way because it wasn't the typical findings that they give us at the end of an audit. It was the letter that essentially had these five critical findings that we broke up into a variety of tasks. So (clears throat) we broke that up into essentially 16 different tracks and projects. We tracked them using POAMs or plans of action and milestones. So that's how we tracked it. So we had to do some cross walking with the IRS every time we talk to them. There's probably some lessons learned there to make sure that we're on the same page when we're talking about the findings in particular. But some of the things that might stand out for, that stood out for us, it might stand out for some of you, are we had some unsupported software that was still out there. The next two bullets are somewhat related in that we had transactions going in the clear, so to speak. They were not encrypted or they were unsecure. We were behind our networks and behind some firewalls, but they were still not being encrypted from point-to-point. So they called those out. We had (clears throat) remote access with a single user ID and sign-on as opposed to what the IRS requires here with a dual factor authentication where you're entering two layers of security to get to the FTI information. The flat network was a huge workload for us and a big lift. The IRS gave us the most time to work on this, but it was big for us. 
So a flat network essentially means that the FTI data was available or going over the same network, it wasn't available for everybody, but it was going over the same network as those other administrations within the SHS. So the juvenile rehabilitation, the foster care folks as well as the four A folks all had access to the same network. So we had to separate the FTI information and we lumped in all of Division of Child Support information into that category and said we just need our own segmented network out there. So we've made some significant progress, but it was a significant amount of work. Defense in depth was another, at a high level, it's essentially a separation of data from your applications. So if someone hacks into the presentation layer, they can't get to the data. So at a super high level, that's what defense in depth is. It's a significant rework of applications. A lot of times you're rewriting the entire application because if you move the data, you have to change the presentation layer to say go find my data in a new place. So it's a lot of work and the flat network does a lot of the defense in this area. So it's somewhat related to flat network. The last bullet point is not to be missed. It's one of the vendors refused to let the IRS into their data center, and this was our check-writing vendor. So I can't really say it was the vendor's fault 'cause we used a state master contract when we hired this check vendor. So the IRS language was not in the contract. So what happened was they, when we called them and told them the IRS was coming on site, they're saying, "Well you're a relatively small customer and we really don't want to let you into our data center and perhaps we have to notify all of our other customers that you're coming in." So they just thought it was easier that they just back out of the contract. So we had to quickly find another vendor to handle our check writing. So I'll come back to that in lessons learned, obviously. 
So the impact for us, obviously our priorities changed. We set aside a number of our findings from previous audits. We had to work with the business to set aside some of the primary work that they really wanted us to do. So our business delivery, our business value, I tend to separate things to talk about business value and technical debt. So our technical debt went way up as a result of this and our ability to deliver some of the business value things really declined. So Laura introduced us, saying, we're gonna talk about our work on closing 400 findings, but I can say that we really, while we closed some of the other findings, we were really focused on those 16 tasks that we had out there. So significant significant impact to staff and resources as we moved through that. So we had two formal projects out of this. Out of those 16 tasks, we had two of them that really rose to the level of meeting formal project management. So we focused on those and the rest of them we were able to work with other agencies and just treat them as smaller projects or coordinated efforts. They didn't have, we didn't call them projects with a capital P, I guess. So we employed those in-house developers and the in-house work or the in-house resources that we had, we didn't employ any contractors with this work. The decision we made pretty early on, by the time we brought in external contractors, we would not be able to deliver in the timeframes that the IRS asked us to do it. So we just really had to work with the business and say, "Look, we need to employ these internal resources on this." So we didn't bring in those contractors. One of the lessons learned I didn't include in the slide is that we could've probably brought in external resources from within the agency, other security folks. We could've brought in more developers or testers out of the other parts of the organization. We didn't do that. 
We'd probably look into that if we were gonna do this all over again, which I don't really wanna do (laughs) and that's just because the next, our internal resources really were overloaded in some areas. So it was, again, I won't, the Unisys information is, that bullet is just about that new contract was really tested when the IRS came in before we even went live. So when they went out to visit those sites, there were a couple of findings in both locations and ultimately Unisys was able to fix those up, but we really had to work on and we even had to call in some of the original negotiating teams, from the vice president, that helped us with the negotiations to help us fix some of the things that were out there. Ultimately, that worked out pretty well. Of course, the dollar signs are just the money that was involved in bringing in new tools to help us resolve some of these issues and the time just in salary and benefits considering that we weren't doing as much of business value there. So from a progress perspective, we have closed a lot of critical findings. In fact, in our view, we've closed most of them. We've got all the unsupported and unsecure software upgraded and transitioned, either into new software or new hardware. We've completed the network segmentation and we've got obviously a new vendor for check printing. We've closed some other findings. We've closed some of our serious and lesser findings just because they were easy for us to do or they may have even saved us time. Let's do it this way and we can close these other findings. But the test that we always put those sorts of questions to was, can we get it done in the same amount of time? Even if it was gonna cost us more time later, we went ahead and made the decision that we would just do it later and spend the extra week or two weeks or a month even to clean up the other findings later. We were really focused on making sure that we met the timelines that we had promised the IRS. 
The one remaining critical, I could've actually updated the slide to say that we've made the assumption that we're done with the critical findings or the things that they outlined, the IRS outlined in that letter. Defense in depth is something that is always gonna be ongoing and we've made enough significant changes that when we talked to Booz Allen Hamilton, they said they'd be willing to talk about that and perhaps reduce that finding. We sent the letter off saying, we think we're done, and we haven't heard back from the IRS saying that we're not. So we're just gonna move forward like we have and continue that way. We have more on that in a sec. The lessons learned and best practices for us, and some of the other speakers, as both Scott and Ashley touched on this, but gaining and fostering a good executive sponsorship and maintaining clear communications with the IRS are both key. Certainly, from a business value perspective, we had many meetings and conversations with both the executive sponsorship as well as management teams and communications at the field, saying we've got all this stuff going on and really helping people understand the importance of the work. So, thankfully we had good executive sponsorship, not only within DCS with Wally and the management team, but those other organizations that work within the state, we really got good support from those organizations. That was really through everybody from the top down understanding the importance of the work. So that was huge for us. The timely communication with IRS, as Ashley said in her lessons learned, you can't stress this enough. So it bears mentioning again. The IRS is willing to work with us, but you have to be communicative. You have to make sure that you're giving them good cause for any extensions you had. Obviously working across five organizations, implementing that network segmentation was a huge lift and took a lot of different organizations. 
I didn't mention that we had all of our counties within the state of Washington, our prosecuting attorneys all had to make changes within their infrastructure as well to help this segmentation happen. So lots and lots of communication on that. So the IRS did grant us a couple of extensions, but the last one was through October 2nd. So we were able to send that letter, saying, we had finished that up on October 2nd. Again, utilize those subject matter experts effectively. As you work on these projects, you need to understand where your bottlenecks are going to be and try to supplement them as much as you can. That's certainly a lesson learned for us that we certainly take to heart. Project management methodologies. Again, use them where you need to use them. I mean, again, it's the project with a P. But there's also project management methodologies you can use on the tasks as far as communication. Making sure you got your risk and issues quickly escalated to the executive management where they need to be. So that good top-down communication and bottom-up communication is super important. I could have added organizational change management to this as well, making sure that people understand what's in it for them or why it's important so that they understand their role in making sure the stuff happens. Internal and external communication just leans to the effective project management again. So what's next for us? I put finish in quotes there because defense in depth is just something that's always always going on. Actually all of the security issues are gonna be ongoing. I attended a conference recently where the vendor predicted that within the next five years, 50% of security dollars will be spent on infrastructure that you can't update through the network. So these are those pieces of infrastructure that are out there, routers and things that are attached to the, that aren't attached to the network where you can't update the software through the network. 
So I'd certainly anticipate the IRS looking at model numbers and manufacturers and making sure that you've got the software that's out there that doesn't have any vulnerabilities in it. So some of you may have done the math. So our last audit was in October of 2014. So next Tuesday, we have the next safeguard audit. IRS will be on-site. So our next step, of course, we've been preparing for that, but our next step as well, we see the light at the end of the tunnel here. We're not sure whether it's actually the end of the tunnel or a train coming at us. So with that (chuckles), I will turn this back to Laura, and thanks.

Laura: Thanks Scott, thank you. I guess I'm pretty lucky that I got you to agree to speak before you knew the actual date of your next audit. So I appreciate you saying yes. Great job, everyone. Some of the perspectives that I come from in having been responsible for those findings and for the audit itself, I wish that I had heard a presentation like this prior to having to go to an audit myself. In one of your last comments, Scott, pertaining to the use of infrastructure, and the use of servers, and routers, and updating those things through the network, it makes me wonder how the IRS is dealing with cloud repositories for data and if anybody has had any experience. Maybe Scott Hale, you may have heard how those audits are going and how that kind of activity and process for handling data is being handled by the IRS. Do you happen to have any feedback on that? Either one of the Scotts. It sounds like no.

Scott Hale: This is Scott Hale. I might defer to Scott Reese because I'm not as technical. I know there's some information within the Pub 1075 that talks about having information in the cloud and some of what's approved by the IRS as far as the cloud. But other than that, that's about my expertise.

Scott Reese: Yeah, and this is Scott Reese. I would say that they're just getting into what they're gonna do with the cloud. Our solution is technically a cloud solution, even though we have separate infrastructure at their state data center. It is a cloud solution, in a sense, in that it's in a state data center shared with a lot of other customers, both private and public industry. Like I said, they want to go on-site. They want to get into those, they wanna hold those vendors to the same 1075 standards that we have. So as more and more of these cloud vendors become FedRAMP certified, then the more the data will be safe and I think the IRS will have some better guidelines around this in the future.

Laura: Yeah and probably more comfort as well. I mean it probably would be a good recommendation to anyone who's thinking about going out and procuring new data space or systems to refer to the 1075 documentation to make sure that what they're procuring is meeting those standards. It looks like there are a couple of questions that have come in that I want to address. The first one is, Can the presentation be emailed to the state's point of contact or IRS? The PDF of this entire presentation is on this webcast. It's listed there, files for download. I believe it will also be posted on NCO's website. So any of you that are interested in downloading that and sharing it with your colleagues, feel free to do so. The next question I see here is, How was Kansas able to comply with the vendor access to FTI? Ashley, can you address that question for us?

Ashley: Sure. So section 5.5 of the Pub 1075 talks about Child-Support agencies. It's a small section there, but it does talk about how limited information can be disclosed to agents or contractors of the agency for the purpose of, and it's talking about establishing and collecting Child Support. So for us, it starts with your actual contract. We were very strategic when we wrote these contracts to make sure that it's clear that the state office is still ultimately running this program. Like I said earlier, we're state administered, but we are still the final authority of the program, not the vendors. What I mean by that is such as it's specific in their contract that any equipment that they have, that they purchase for use for the duration of contract, it belongs to us, per the contract. Things like that that we have purposely put in there so that we retain control. Again, that may sound a little like, oh my gosh, you guys are control freaks. But really it's to get through some of this because that's a question that we've had is who ultimately owns those machines, and ultimately it's us, and that's what they want to hear. So we have that in the, we have that in the contracts. We have the exhibit seven language in the contract. We made sure we did all of the 45-day notifications before any of those contracts start, and then we make our vendors look just like us, meaning they all use the CF email just like I use the CF. That's Department for Children and Families here in Kansas. So they use our email. They're in our network. So when they email you in another state, it's gonna look like it's just coming like if I did. We hold them to the annual training. They sign all the paperwork. It goes to us. We make sure their offices meet all the physical security requirements: the double barriers, they have their logs, they don't print, all of those things that we would do if they were a state office. We treat them exactly the same and make them follow the Pub 1075, exactly, and there's penalties in their contract if they don't. So, yeah. That's how we've been able to handle that here in Kansas.

Laura: Thank you, Ashley. I wanna remind everybody who's attending today that we have a couple more minutes for questions. So if any of you are interested in sending in a question, please submit it on the space there at the proper place for the webcast. We have another question that came in. When were the field offices to be visited identified? Who identified them? Was it Child Support or the IRS? I think, Ashley, I remember you mentioning that you had selected a couple of sites. But is there ever a situation where the IRS actually makes the determination that a particular office is the one they wanna see?

Ashley: So for us, the last two audits, the only thing they told me that they for sure had to go to was the FDU, the call center, the data center, and the headquarters. And then I had two different auditors, the last two times, but each of them said, "and then you need to identify, Ashley, two of your field offices, but try to keep them within an hour's drive of your headquarters," and so that's what I did. This time in April, I took them to two different offices. I've got about four offices within an hour. So three years ago I took them to two and then this year I took them to the other two. And so, really, unless they change anything in the future as far as timing, they really don't have time to drive all over the state because they're only here a limited time. So it has to be locations that are close. So I pretty much know now the four offices they're gonna go to or have the option to go to, unless offices close or move. But yeah, I was able to identify those and pick those.

Laura: And how much time did you have in advance?

Ashley: Well, the first time three years ago, I mean I knew probably three months in advance when they first did that engagement letter that Scott was talking about. This time, quite frankly, I just kinda made an assumption that it would be kinda the same thing that they would wanna go somewhere within an hour. So I pretty much knew, three years ago (laughs), what my options were, but I didn't make the decision until probably about three months prior because I of course talked it over with those site managers to make sure they were comfortable and okay with it. 'Cause I will tell you that, this is just being honest, we all have those offices where we'd rather send them and offices we'd rather they not go to. So I'll just leave it at that.

Laura: Okay, thank you very much. Another question that came in: MSA finding, who did the IRS identify MSA should be provided to, all staff or remote staff? If remote staff, how is that defined? Does anyone want to take a stab at that?

Ashley: I'm not sure if I know what MSA stands for, exactly.

Laura: stands for (laughs). I'm feeling the same way. Does anybody else recognize that term? Okay then we'll get an answer to that question and send it out after the fact. Thank you for the question. Another question came in: If your audit took place in the September 2016 Publication 1075 update, did you receive a finding for the background check requirements? Ashley, can you field that?

Ashley: I can. Yes, our audit just took place in April, and no we did not receive a finding, but that's because we have that requirement met. We really adhere to that and got all of our policy and procedure in place and got it done before they came. Actually I'll tell you the auditor, from the IRS, when I told him that, I said, "And by the way, we already have this done," he was like, "What? That's usually a standard finding." So I think that they are kinda just giving that out as a standard finding, but knowing that most people don't have it in place yet, but we were able to get it in place and get everybody fingerprint background checked before they came so we didn't have the finding.

Laura: Okay, great. And then back to the question about MFA. MFA stands for Multi-Factor (laughs)

Ashley: There we go.

Laura: Authentication. Okay now I know what it is. Two-FA is what I've seen used before, but that's cool. Scott Reese, can you—

Scott Reese: I think that's probably mine, this is Scott Reese.

Laura: Okay.

Scott Reese: The multi-factor finding, it applies for everything. For our finding in particular, it was on remote users, but it is certainly in the 1075 requirements that you have dual factor authentication to access IRS data. So if you don't have it, I think you can anticipate having that MFA finding for your system.

Laura: And there's quite a, if I understand the MFA properly, there's a vendor that you hire to provide that service for you, correct Scott?

Scott Reese: Some of it's the, yeah. We hired a vendor to fix the finding or we installed a new software to fix the finding. We actually moved. We had an IBM mainframe that had the single-factor authentication. So this was a finding that we had in 2014 that we already had in progress. So we actually used a different complete tool set and architecture to resolve that particular finding, but we did have a different vendor come in and help us with that.

Laura: Okay, all right, thank you. Well it looks like that's the end of our questions for today. I just personally wanna thank everyone, all the attendees, for joining, and participating, and asking great questions. I'd like to say thank you to the two Scotts and Ashley for just a wonderful presentation, one that I think everybody who's attending can take away, share it with their staff, begin preparing, and you probably just saved a lot of heartache and headaches for a lot of your coworkers throughout the nation. So, again, thank you everyone and I think I'll turn it back over to Mike.

Mike: All right. Thanks so much for a terrific presentation, to all of our presenters. On behalf of NCSEA, I'd like to thank our presenters for a great program and you, the audience, for your participation in today's event. You will now be directed to complete an online evaluation form. Please share this link with all participants at your site. Web talks are an important part of our programming and your feedback is vital to the improvements and developments of future events. Please take a few moments to complete this short survey. This does conclude our program for today. Thanks everyone and have a great rest of your day.