Treasury Inspector General for Tax Administration
Office of Audit
WHILE EFFECTIVE ACTIONS HAVE BEEN TAKEN TO ADDRESS PREVIOUSLY REPORTED WEAKNESSES IN THE PROTECTION OF FEDERAL TAX INFORMATION AT STATE GOVERNMENT AGENCIES, ADDITIONAL IMPROVEMENTS ARE NEEDED
Issued on November 10, 2009
Highlights
Highlights of Report Number: 2010-20-003 to the Internal Revenue Service Commissioner for the Small Business/Self-Employed Division.
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) Safeguards Program is tasked with ensuring that State Government agencies receiving Federal tax information maintain adequate safeguards to protect the data from unauthorized disclosure. Weaknesses in the program may increase the risk that taxpayer data are not being adequately secured and might be inappropriately accessed or used, possibly for fraudulent purposes such as identity theft.
WHY TIGTA DID THE AUDIT
TIGTA initiated this audit as a follow-up to a prior audit report to determine whether the IRS Safeguards Program has implemented sufficient policies and procedures to ensure that State Government agencies are adequately protecting Federal tax information received from the IRS. This audit was included in TIGTA’s Fiscal Year 2009 Annual Audit Plan and is part of our statutory requirements to annually review the adequacy and security of IRS information technology.
WHAT TIGTA FOUND
The IRS had corrected two of four previously reported conditions. The IRS revised the Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities (Publication 1075) and the test plans used to conduct safeguard reviews to be consistent with guidelines provided in National Institute of Standards and Technology Special Publication 800-53a. The IRS also implemented effective controls to manage the contract supporting the Safeguards Program. However, TIGTA believes the other two areas, the use of Plans of Actions and Milestones (POA&Ms) and timeliness of reporting results, continue to require management attention.
While the Safeguards Program implemented the use of POA&Ms to track security weaknesses, it did not monitor the targeted due dates of the recorded weaknesses in the POA&Ms. TIGTA identified 45 State Government agencies in the POA&M tool having 1,094 security weaknesses that had not been corrected by the targeted milestone dates. The Safeguards Program conducted only a limited review of the information provided by the State agencies in their annual reports to validate that the corrective actions taken were appropriate and implemented and was not proactively monitoring the progress of corrective actions or validating the closure of corrective actions.
Also, safeguard review reports continue to be issued in an untimely manner. For safeguard reviews conducted in Fiscal Year 2008, the Safeguards Program issued 66 of 78 draft reports in an average of 106 calendar days after the closing conferences. As of June 30, 2009, the remaining 12 draft reports for Fiscal Year 2008 had not yet been issued to the recipient agencies and their contractors.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Director, Safeguards, Small Business/Self-Employed Division, 1) revise existing policies, as necessary, to require State agencies and their contractors to provide sufficient documentation on a more frequent basis to support that corrective actions were taken to address reported computer security weaknesses, 2) complete planned personnel actions so that adequate staffing is available to proactively monitor and validate the corrective security actions taken by State agencies and their contractors, and 3) continue to use the recently implemented monitoring tool and complete the training of new staff to increase the efficiency of the reporting process.
In their response to the report, IRS officials agreed with our recommendations. The IRS plans to revise Publication 1075 to require State agencies to report the status of their actions to address outstanding findings on a semiannual basis and provide documentary verification when closing high-priority findings. The IRS also plans to complete a recruitment action to staff a full-time position dedicated to the monitoring of corrective actions taken by State agencies and their contractors. Lastly, the Office of Safeguards plans to continue to utilize the inventory monitoring tool and complete the training of new staff.
READ THE FULL REPORT
To view the report,
including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2010reports/201020003fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov