Treasury Inspector General for Tax Administration

Office of Audit

AN INDEPENDENT RISK ASSESSMENT OF FACILITY PHYSICAL SECURITY WAS NOT PERFORMED IN COMPLIANCE WITH CONTRACT REQUIREMENTS

Issued on July 25, 2012

Highlights

Highlights of Report Number:  2012-10-075 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

The IRS has an obligation to protect the Federal Government’s tax administration system, which includes its 100,000 employees stationed at more than 700 facilities, taxpayer information, and the taxpayers who visit the IRS throughout the United States.  Our review identified significant deficiencies in the administration of an IRS physical security risk assessment contract.  As a result, the contractor was unable to conduct an in-depth, independent assessment regarding the security posture of IRS facilities, as required by the contract.  When contracts are not properly administered, the IRS may not receive the desired contract outcomes and the best return on the taxpayers' dollar.

WHY TIGTA DID THE AUDIT

This audit was initiated because effective risk assessments are the primary method used to identify security weaknesses and allow steps to be taken to improve overall security at IRS facilities.  The objective of this review was to determine whether the IRS administered the Physical Security Risk Assessment contract in compliance with acquisition regulations and guidance to ensure the IRS received the contract deliverables in accordance with the terms and conditions of the contract.

WHAT TIGTA FOUND

TIGTA determined that the IRS did not receive an in-depth, independent assessment regarding the security posture of its facilities as required by the contract.  In addition, the IRS did not administer the Physical Security Risk Assessment contract in compliance with relevant acquisition regulations and guidance.  IRS management and Physical Security and Emergency Preparedness program office employees, without the knowledge of the contracting officer, instructed the contractor to perform services that were lesser in scope than required by the original contract.  In addition, the contractor indicated that the Physical Security and Emergency Preparedness program office did not provide the contractor access to all of the information necessary to complete a report outlining the IRS’s overall security posture.  As a result of these actions, an independent risk assessment of facility physical security was not performed in compliance with contract requirements.  In fact, the contractor declined to provide a validation of the acceptability of the IRS’s security posture.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Deputy Commissioner for Operations Support 1) reemphasize to IRS management officials, program office employees, and contracting officer’s technical representatives that contracting officers must be promptly notified of any changes to contract requirements, and 2) ensure contracting officer’s technical representatives perform their specific responsibilities including:  advising the contracting officer when changes in the work occur, reviewing contractor vouchers and invoices to ensure they are accurate, determining whether services are delivered in conformance with the requirements of the contract, and following the contract’s quality assurance plan.

In their response, IRS management agreed with our recommendations and plans to issue a memorandum reemphasizing that contracting officers must be promptly notified of any changes to contract requirements so required modifications can be timely executed.  Also, the IRS plans to issue a memorandum to contracting officer’s technical representatives outlining their roles and responsibilities.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2012reports/201210075fr.html.

E-mail Address:   TIGTACommunications@tigta.treas.gov

Phone Number:   202-622-6500

Website:   http://www.tigta.gov