Treasury Inspector General for Tax Administration

Office of Audit

PROGRESS HAS BEEN MADE, BUT ADDITIONAL STEPS ARE NEEDED TO ENSURE TAXPAYER ACCOUNTS ARE MONITORED TO DETECT UNAUTHORIZED EMPLOYEE ACCESSES

Issued on September 9, 2009

Highlights

Highlights of Report Number:  2009-20-119 to the IRS Chief Technology Officer, Deputy Commissioner for Operations Support, and Deputy Commissioner for Services and Enforcement.

IMPACT ON TAXPAYERS

About 50,000 Internal Revenue Service (IRS) employees access the Integrated Data Retrieval System (IDRS) to process taxpayer data during the course of their normal work duties.  The IRS requires managers of IDRS users to review and respond to IDRS security reports that present questionable accesses to the taxpayer accounts.  IDRS security reports are produced online by the IDRS Online Reports Services system.  While national averages of report certification rates have improved, the IRS did not ensure that managers in all IDRS business divisions were completing their responsibilities for reviewing and certifying IDRS security reports.  Until additional improvements are made, the IRS cannot ensure that taxpayer accounts on its primary tax account system are being properly protected from unauthorized accesses.

WHY TIGTA DID THE AUDIT

This review was included in TIGTA’s Fiscal Year 2008 Annual Audit Plan as part of the statutory requirements to annually review the adequacy and security of IRS information technology.  In Fiscal Year 2006, TIGTA reported that IRS certification rates for IDRS security reports were deficient.  During this review, TIGTA evaluated IRS compliance with IDRS security program policy and assessed whether corrective actions taken to address our prior audit findings were effective.

WHAT TIGTA FOUND

The IRS national averages of certification and timeliness rates for IDRS security reports significantly improved since our prior review.  During Fiscal Year 2005, only 54 percent of IDRS security reports were certified.  During this review, 89 percent of IDRS security reports were certified for Fiscal Year 2008.  However, of the total 325,475 security reports requiring certification by IDRS managers in Fiscal Year 2008, 36,493 reports (11 percent) were not reviewed and certified, potentially allowing improper accesses to go undetected.  Although the IRS requires that managers of IDRS units maintain at least a 90 percent certification rate for their IDRS security reports, 816 IDRS managers had not met the 90 percent certification rate requirement, which equates to almost 33 percent of all IDRS managers.

The IRS did not complete all corrective actions recommended in our prior review.  Specifically, the IRS did not implement effective compliance reviews or hold managers accountable for their security report responsibilities.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Associate Chief Information Officer, Cybersecurity, 1) implement compliance review procedures for IDRS security officers that are designed to monitor and enforce IDRS business division compliance with security report responsibilities, 2) clarify what IRS organizational management level should be assigned the responsibility for providing a response identifying corrective actions that are required for certification rates lower than 90 percent, and 3) biannually provide a list of IDRS managers who have not met their IDRS security report responsibilities to the IRS business organization executive responsible for monitoring and enforcing IDRS business division and manager compliance with IDRS security program policy.  TIGTA also recommended that the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement ensure IRS business organizations identify the executives responsible for monitoring and enforcing IDRS business division compliance with IDRS security program policy.

In their response to the report, IRS officials agreed with the recommendations.  The Associate Chief Information Officer, Cybersecurity, plans to 1) implement compliance review procedures for IDRS security officers, 2) clarify the responsible level among IRS management for submitting responses when certification rates are lower than 90 percent, and 3) provide, at least biannually, IRS business organization executives responsible for monitoring and enforcing IDRS security compliance with a list of IDRS managers who have not met their IDRS security report responsibilities.  In addition, the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement plan to issue a joint memorandum reiterating IDRS security program policy requirements.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2009reports/200920119fr.html.

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov