Treasury Inspector General for Tax Administration

Office of Audit

THE IRS2GO SMARTPHONE APPLICATION IS SECURE, BUT DEVELOPMENT PROCESS IMPROVEMENTS ARE NEEDED

Issued on August 29, 2011

Highlights

Highlights of Report Number: 2011-20-076 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) developed the IRS2GO mobile application for the Apple iPhone and the Google Android smartphones. The application was successfully released to the public on January 20, 2011, and 147,205 iPhone users and 178,773 Android users had signed up as of May 15, 2011, and March 1, 2011, respectively. Although the IRS2GO application is secure, enhancements in the development process could be made for future mobile applications to ensure taxpayer privacy and security.

WHY TIGTA DID THE AUDIT

This audit was initiated because the IRS2GO application was the first mobile application developed by the IRS, and it allows the user to check on the status of his or her tax refund and receive tax tips. Our overall objective was to determine whether the IRS adequately tested and secured the IRS2GO smartphone application.

WHAT TIGTA FOUND

The IRS2GO application adequately secures data communications and does not store sensitive or Personally Identifiable Information on the smartphone. The IRS2GO application is available only from the Apple App Store or the Android Market. Smartphone users should ensure they are downloading this application from one of these two sites.

TIGTA found that appropriate processes were not followed for using a nonapproved programming language and open source software in the development of the IRS2GO application. Management was aware of the requirement to request waivers, but advised it made a risk-based decision not to pursue waivers in consideration of time constraints for the project. However, the IRS could not provide any documentation of the risk-based decision and informed us that it was a verbal decision.

TIGTA also found that documents required to authorize releasing the IRS2GO application to the public were not obtained until after the application was released. While the IRS2GO application did not have any significant security issues when it was released to the public, using a system development approach that does not comply with Office of Management and Budget Circular A-130 regulations increases the risk that applications released to the public may contain security or privacy weaknesses.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Associate Chief Information Officer, Enterprise Services, should ensure that waivers are obtained prior to deployment when applicable, risk‑based decisions are clearly documented, and updates to the Plan of Action and Milestones are addressed within the appropriate time period. In addition, the Associate Chief Information Officer, Enterprise Services, should coordinate the review of open source technologies for consideration of approval for use in future application development efforts and ensure that all system development activities follow an approach that is compliant with Office of Management and Budget Circular A-130.

In their response to the report, IRS officials agreed with the recommendations. In developing future mobile applications, the IRS plans to obtain the appropriate waivers prior to deployment, generate appropriate documentation for any risk-based decision, timely address appropriate actions, and continue to review proprietary and open source technologies. The IRS also plans to adhere to the current limited-use approval process and Office of Management and Budget Circular A-130 for future pilot innovative projects.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2011reports/201120076fr.html.

Email Address: TIGTACommunications@tigta.treas.gov

Phone Number: 202-622-6500

Web Site: http://www.tigta.gov