TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
Information Systems Needs to Improve the Clarity of Responses to Audit Reports and Ensure Corrective Actions Are Timely Resolved
Reference No. 2001-20-045
In mid-1998, legislation was passed to establish the Treasury Inspector General for Tax Administration (TIGTA) and to define its role in conducting audits and investigations of the Internal Revenue Service (IRS). Prior to that date, the Inspection Service within the IRS conducted audits and investigations of the IRS. The IRS agreed to respond to TIGTA audit reports within 30 days of the issuance of the draft document and to include in its response planned corrective actions and associated implementation dates to address the recommendations made. The Inspector General Act of 1978 requires that the TIGTA report semi-annually on critical actions that have not yet been implemented.
During our review, management informed us that the Commissioner had designated financial and management controls as one of five top-level change processes to be pursued in Fiscal Year (FY) 2000. Part of this effort involved prioritization of open corrective actions from responses to TIGTA audit reports. Because this effort was not completed prior to the end of our audit fieldwork, we did not evaluate the results of this prioritization effort. However, we believe that the information in this report can be used in that effort to indicate where increased management oversight is needed.
Our overall objectives were to evaluate the relevance and status of unimplemented corrective actions in the Information Systems (IS) organization that had been rescheduled and to determine whether corrective actions closed during FY 1999 addressed the associated recommendations.
Actions that were closed by IS managers during FY 1999 addressed the associated recommendations, and corrective actions were properly completed prior to removal from the tracking system.
However, the IS organization needs to establish better monitoring and prioritization mechanisms so that increased focus is given to ensure critical corrective actions are addressed timely. In addition, oversight should be increased to ensure that the initial responses to TIGTA reports effectively address the recommendations and provide for clear completion points for the actions that IS agrees to take.
Additional Focus is Needed on Certain Critical Corrective Actions
The due dates for the 25 open, rescheduled actions we evaluated had been rescheduled a total of 81 times. In addition to these 25 open actions, approximately 39 percent of the corrective actions closed by the IS organization during FY 1999 had been rescheduled. Delays in closing actions ranged from 1 to 7 months.
In evaluating the 25 open, rescheduled actions, we identified 3 areas of significant risk in which the TIGTA has issued multiple reports with similar findings. The IS organization agreed to take actions to address these areas, but the actions remain incomplete as of the end of our fieldwork. Additional oversight is needed in the following critical areas to ensure the associated risk is addressed:
Corrective Actions Need to Provide for a Clear Completion Point
Several of the open, rescheduled corrective actions we reviewed were vaguely written when the response to the original report was prepared. As a result, it was difficult for management to determine when sufficient action had been taken to address the recommendation.
For example, we identified two open corrective actions where sufficient action had been taken to address the recommendations. However, the proposed corrective actions in the responses were vague, and IS management was unable to determine if the actions were completed. We believe these open corrective actions should be closed because the appropriate action to address these recommendations has been taken.
Summary of Recommendations
We recommend that the Chief Information Officer (CIO) prioritize critical corrective actions and use monitoring mechanisms to ensure that these actions are timely taken. In addition, we recommend that the CIO designate knowledgeable staff to review responses to TIGTA reports as they are prepared to ensure that corrective actions are clear and concise and provide for measurable completion points.
Management's Response: The CIO responded that Program Oversight has been realigned into the Strategic Planning and Client Services organization. This has resulted in improved access to executives and promoted greater executive involvement and ownership of audit activities. In addition, the use of program management techniques has been increased to provide executives with information identifying the owner, status, and risks associated with audit activities and open corrective actions. These actions were taken as part of the ongoing IS process to improve program oversight effectiveness.