Treasury Inspector General for Tax Administration

Office of Audit

IMPROVED CONTROLS ARE NEEDED TO ENSURE THAT ALL PLANNED CORRECTIVE ACTIONS FOR SECURITY WEAKNESSES ARE FULLY IMPLEMENTED TO PROTECT TAXPAYER DATA

Issued on September 27, 2013

Highlights

Highlights of Report Number: †2013-20-117 to the Internal Revenue Service Chief Financial Officer and Chief Technology Officer.

IMPACT ON TAXPAYERS

Management controls are a major part of managing an organization and provide reasonable assurance that organizational objectives are achieved.† When weaknesses are identified within an organization, management controls dictate that these weaknesses need to be tracked, monitored, and reported to ensure that they are corrected.† Our audit identified weakened management controls in the IRS over its closed planned corrective actions (PCA) for the security of systems involving taxpayer data.† When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access.

WHY TIGTA DID THE AUDIT

This audit was part of our statutory requirement to annually review the adequacy and security of IRS technology, and it addresses the IRS major management challenge of Security of Taxpayer Data and Employees.† The overall objective was to determine whether closed corrective actions to security weaknesses and findings reported by TIGTA have been fully implemented, validated, and documented as implemented.

WHAT TIGTA FOUND

The Chief Financial Officerís Office of Internal Control administers the IRSís management control program and is responsible for entering, monitoring, and tracking audit report findings, recommendations, and PCAs in the Department of the Treasuryís Joint Audit Management Enterprise System (JAMES).† The Office of Internal Control took a major step to strengthen the IRSís management control program by recently publishing new guidance on monitoring internal controls for the PCAs.† However, guidance that was in effect since May 2004 was not sufficient.

During our audit, TIGTA determined that eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented.† These PCAs involved systems with taxpayer data.† In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available.† The Office of Internal Control also has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS further strengthen its management controls to adhere to internal control requirements, provide refresher training to employees involved in the JAMES process, audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were partially implemented.† In their response, IRS management agreed with five of our six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRSís management controls over the PCAs.

IRS management partially agreed with the sixth recommendation to upload documentation into the JAMES for previously closed PCAs, pending the completion of a cost/benefit analysis and risk-based approach.† TIGTA believes the IRS should complete our recommendation as stated, which will ensure that all PCAs over security weaknesses are implemented as reported.† In addition, the IRS will be in compliance with the Department of the Treasuryís mandate to upload supporting documentation to the JAMES.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2013reports/201320117fr.html.

E-mail Address: ††TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Website:†† http://www.treasury.gov/tigta