The Australian Taxation Office (ATO) has set a governance framework that supports ongoing management of its Tax Agent and Business Portals, while its strategic and business planning activities offer clear direction and guidance for their future development.

But the Australian National Audit Office (ANAO) believes the ATO could do better on documenting the roles and responsibilities of the Portals' business owners and key internal stakeholders, and on improving its performance measurement framework.

Acting Auditor-General Steve Chapman recommended the ATO clearly articulate roles and responsibilities in the interests of achieving a more coordinated approach to managing the Portals.

"Developing specific performance measures for the Portals will better inform management decision making, particularly regarding future investment in the Portals," he said in a new audit report, Tax Agent and Business Portals.

The Tax Agent and Business Portals give tax agents and businesses a gateway to online services like access to tax information and the ability to complete a range of online transactions in a secure environment 24 hours a day, seven days a week.

The latest audit report finds the ATO has been responsive to the need to improve information access for tax agents and expended a considerable effort in quickly developing the Tax Agent Portal. Overall, survey results have shown tax agents' satisfaction with and use of the Portal is high and increasing, and tax agents have experienced savings from using the Portal.

But it finds the ATO needs to go further in introducing measures to reduce risk.

"The ATO in introducing the Tax Agent Portal aimed to achieve a balance between uptake of the Portal and IT security (i.e. secure online access to taxpayer information). Access to business systems data via the Internet exposes the ATO to an increased level of risk. The ANAO considers that although the ATO has introduced a range of IT security and user access controls, these controls need to be strengthened in several areas to better protect the integrity of the ATO's business systems," the report said.

The ANAO is also urging the ATO to adopt a more systematic, directed, and comprehensive approach to IT security planning. It says the ATO should define the roles and responsibilities of system owners and other key stakeholders to support a coordinated approach to future Portals IT security planning.

And it concludes while the ATO has implemented appropriate internal application security controls for Portals users, which restrict user access to functionality within the application, the ATO does not maintain security baselines for all key system security components. The ATO has issued security baseline guidelines for some components, but has not established a formal process for monitoring compliance with the guidelines.

"The ANAO considers that, without formalised security baselines for all key system security components and ongoing compliance and security enforcement measures, the ATO, through operation of its Portals, may be exposed to a higher level of IT security risk than is considered acceptable," the report says.

It also wants the ATO to improve its practices supporting the administrator function, user access. It notes the ATO's own reviews have also identified a lack of sufficient mechanisms to ensure consistency in the process for the authorization and revocation of Portals user access, and the monitoring and review of internal user access.

The ATO needs to be able to produce a clear and meaningful end-to-end view of a user's actions within the Portals to enable the reconstruction of events and to provide an adequate audit trail of user transactions. The report says this is particularly important when reviewing transactions performed to detect possible security breaches. The ATO is undertaking a project to establish processes that will enable a complete view of a user's actions within its systems, including the Portals.