Treasury Inspector General for Tax Administration

Office of Audit

WEAKNESSES IN ASSET MANAGEMENT CONTROLS LEAVE INFORMATION TECHNOLOGY ASSETS VULNERABLE
TO LOSS

Issued on September 16, 2013

Highlights

Highlights of Report Number:  2013-20-089 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The IRS Information Technology organization controls more than 306,000 information technology assets worth almost $720 million using the Knowledge, Incident/ Problem, Service Asset Management (KISAM) system.  Our review determined that weaknesses in controls over asset management create an environment in which information technology assets are vulnerable to loss.  The risk of loss, theft, or the inadvertent release of sensitive information can decrease the public’s confidence in the IRS’s ability to monitor and use its resources effectively.

WHY TIGTA DID THE AUDIT

This audit was included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Modernization.  The overall objectives were to determine whether system user permissions were appropriate to ensure the safeguarding of the information technology asset inventory and to review the effectiveness of the system in maintaining an accurate and complete information technology asset inventory.

WHAT TIGTA FOUND

TIGTA found that information technology asset data successfully migrated from the legacy inventory system to the KISAMAsset Manager.  However, the audit log used to capture events was not being reviewed to ensure that only appropriate accesses were made.  In addition, information technology asset data within the KISAMAsset Manager are inaccurate and incomplete because the IRS is not following its procedures to ensure that all assets are accurately recorded and timely updated in the KISAMAsset Manager.

TIGTA also found that ineffective inventory controls created an environment where information technology assets are vulnerable to loss.  TIGTA selected 146 information technology assets to physically verify and could not locate and verify or find proper supporting documentation for 34 information technology assets worth more than $948,000.  In addition, IRS offices improperly completed the annual inventory reconciliation process.

WHAT TIGTA RECOMMENDED

To improve the controls over information technology assets, TIGTA recommended that the Chief Technology Officer ensure that the inventory records are updated to correct the deficiencies identified in our review; the reconciliation process is effectively completed and offices provide supporting documentation for quality review; and dollar threshold criteria are included in the Asset Management Inventory Certification Plan for certifying information technology assets with a high‑dollar value that affect financial statement reporting.  TIGTA also made several recommendations that will help the IRS Information Technology organization ensure that the data captured in its inventory management system are complete and accurate and that its assets are adequately safeguarded against theft or loss.

In their response to the report, IRS management agreed with all eight recommendations.  IRS management agreed to deliver KISAM Asset Manager Tool enhancements for performing asset verification and correct data deficiencies identified by TIGTA; develop a missing asset aging report to facilitate researching and resolving assets in a missing status; and update the Fiscal Year 2014 Inventory Certification Plan to include the verification of the Serial Number field and assets with an acquisition value of $50,000 or greater.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:  

http://www.treas.gov/tigta/auditreports/2013reports/201320089fr.html

E-mail Address:   TIGTACommunications@tigta.treas.gov

Phone Number:   202-622-6500

Website:   http://www.treasury.gov/tigta