TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Used Information Technology Assets Are Being Properly Donated; However, Disposition Procedures Need to Be Improved

 

 

 

April 25, 2014

 

Reference Number:  2014-20-021

 

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number  /  202-622-6500

E-mail Address /  TIGTACommunications@tigta.treas.gov

Website           /  http://www.treasury.gov/tigta

 

 

HIGHLIGHTS

USED INFORMATION TECHNOLOGY ASSETS ARE BEING PROPERLY DONATED; HOWEVER, DISPOSITION PROCEDURES NEED TO BE IMPROVED


Final Report issued on April 25, 2014

Highlights of Reference Number:  2014-20-021 to the Internal Revenue Service Chief Technology Officer and the Chief, Agency-Wide Shared Services. 

IMPACT ON TAXPAYERS

The IRS Information Technology and Agency-Wide Shared Services organizations work together to dispose of the IRS’s information technology equipment.  If the IRS’s processes associated with the disposition of its information technology equipment are not effective, the risk of loss, theft, or inadvertent release of sensitive information is increased, which can reduce the public’s confidence in the IRS’s ability to effectively monitor and use its resources.

WHY TIGTA DID THE AUDIT

This audit is included in TIGTA’s Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.  The overall objectives of this review were to validate the accuracy of the disposal asset inventory and determine the effectiveness of the IRS’s actions taken or planned to fulfill the requirements set forth by the General Services Administration.

WHAT TIGTA FOUND

While the IRS is complying with requirements to donate its previously used information technology equipment to non-Federal recipient organizations, there are several processes associated with asset disposal that need improvement.  For example, improved documentation is needed to ensure compliance with media sanitization guidelines. 

Controls over the processing of Federal electronic assets reported as missing, lost, or stolen can be strengthened.  Information technology equipment that cannot be located is written off; however, these lost items are not reported to the Computer Security Incident Response Center as required.

Further, documentation of disposal actions can be improved, and the inventory system does not archive electronic asset disposal data.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency-Wide Shared Services, reemphasize the importance of completing new disposal forms when changes are identified and ensure that updated procedures reflect the policy change requiring the use of Standard Form-122, Transfer Order Excess Personal Property, when transferring Federal electronic assets.  TIGTA recommended that the Chief Technology Officer ensure that offices complete and maintain documentation for each asset to provide an audit trail regarding the sanitizing and verifying of storage media, report lost or stolen information technology equipment within one hour after detection, and report assets written off as lost to the Computer Security Incident Response Center and TIGTA.  Finally, the Chief Technology Officer should ensure that the Knowledge Incident/Problem Services Asset Management (KISAM) system's archiving mechanism is developed.

IRS management agreed with our recommendations.  The IRS plans to update its standard operating procedures to ensure that disposal forms are free of all edits and markups.  Contingent upon funding availability, the IRS plans to enhance the KISAM to include an electronic form to document storage media sanitization for each asset, update procedures to require that Computer Security Incident Response Center and TIGTA report numbers are documented prior to finalizing the asset record as lost, and ensure that the KISAM system’s archiving mechanism is developed so that the information technology asset data can be effectively managed in accordance with the IRS’s Records Control Schedule.  Finally, the IRS plans to issue an employee communique reinforcing existing policy for reporting lost or stolen information technology equipment. 

 

April 25, 2014

 

 

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

                                  CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM:                       Michael E. McKenney /s/ Michael E. McKenney

Acting Deputy Inspector General for Audit

 

SUBJECT:                  Final Audit Report – Used Information Technology Assets Are Being Properly Donated; However, Disposition Procedures Need to Be Improved (Audit # 201320022)

 

This report presents the results of our review to validate the accuracy of the disposal asset inventory and determine the effectiveness of the Internal Revenue Service’s (IRS) actions taken or planned to fulfill the requirements set forth by General Services Administration Bulletin FMR [Federal Management Regulation] B-34.  This audit is included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees. 

Management’s complete response to the draft report is included as Appendix VI. 

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  If you have any questions, please contact me or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services). 

 

Table of Contents

 

Background

Results of Review

Federal Electronic Assets Are Reused and Donated; However, Program Improvements Can Be Made

Recommendation 1:

Improved Documentation Is Needed to Ensure Compliance With Media Sanitization Guidelines

Recommendation 2:

Controls Over Processing Federal Electronic Assets Reported As Missing/Lost/Stolen Can Be Strengthened

Recommendations 3 through 5:

Documentation of Disposal Actions Can Be Improved

Recommendations 6 and 7:

The Inventory System Currently Does Not Archive Electronic Asset Disposal Data

Recommendation 8:

Appendices

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Sample Certification Letter

Appendix V – Flowchart of Disposal Process

Appendix VI – Management’s Response to the Draft Report

 

 

Abbreviations

 

CSIRC

Computer Security Incident Response Center

FEA

Federal Electronic Asset

FMR

Federal Management Regulation

FY

Fiscal Year

GSA

General Services Administration

IRM

Internal Revenue Manual

IRS

Internal Revenue Service

IT

Information Technology

ITAMS

Information Technology Asset Management System

KISAM

Knowledge Incident/Problem Services Asset Management

NIST

National Institute of Standards and Technology

REFM

Real Estate and Facilities Management

SF

Standard Form

TIGTA

Treasury Inspector General for Tax Administration

UNS

User and Network Services

 

 

Background

 

In October 2009, President Obama signed Executive Order 13514, Federal Leadership in Environmental, Energy, and Economic Performance,[1] with the intent to create a clean energy economy that would increase the Nation’s prosperity, promote energy security, protect the interest of taxpayers, and safeguard the health of our environment.  Executive Order 13514 also states that the Federal Government is to lead by example.  To fulfill Executive Order 13514’s requirements, the General Services Administration (GSA) developed guidance for Federal agencies to follow that included establishing a comprehensive and transparent Governmentwide policy on used Federal electronics that maximizes reuse, clears data and information stored on used equipment, and ensures that all Federal electronics are processed by certified recyclers. 

On February 29, 2012, the GSA issued GSA Bulletin FMR [Federal Management Regulation] B‑34, Disposal of Federal Electronic Assets, which identifies specific categories of property[2] targeted as Federal Electronic Assets (FEA) for disposal under the provisions of the bulletin.  In addition, GSA Bulletin FMR B-34 reminds Federal agencies to follow the National Institute of Standards and Technology (NIST) recommendations for cleaning storage media (e.g., hard drives), establishes the due date for filing annual reports with the GSA, and provides a sequence for disposing of FEAs.  The sequence for disposing of property encourages Federal agencies to use every opportunity to reuse its functional FEAs (either within the agency or by transferring it to another agency or donating the equipment to an eligible nonprofit organization).  If an agency decides the FEA should be abandoned or destroyed, then it must provide the FEA to a certified recycler or refurbisher.  The Internal Revenue Service (IRS) primarily relies on three organizations for recycling/refurbishing its FEAs:  Mission West Virginia Inc.; Per Scholas; and Federal Prison Industries (also known as and hereafter referred to as UNICOR).  The IRS also donates FEAs to the Comp 4 Kids organization under the Computers for Learning authority.[3]

In Fiscal Year[4] (FY) 2011, the IRS implemented a new software tool to track its information technology asset inventory – the Knowledge Incident/Problem Services Asset Management (KISAM) system.  Prior to deployment, the IRS migrated inventory data from its predecessor system, the Information Technology Asset Management System (ITAMS).  However, assets that were in a final disposition status[5] were not migrated over to the KISAM system and remained available in a separate database for research after the ITAMS application was taken offline in March 2012. 

During FYs 2009 through 2012, the IRS retired more than 152,000 FEAs.  Table 1 provides our analysis of the number of retired FEAs by type of asset.  This table shows that desktop and laptop computers top the list with more than 63,000 and 44,000, respectively.    

Table 1:  Number of Retired FEAs by Asset Type
(FYs 2009 through 2012)

  Asset Type           Number of Items Retired
  Desktop Computers                     63,031
  Laptop Computers                      44,734
  Printers[6]                           39,073
  Servers                                4,335
  Copiers[7]                               836
  Total                                152,009

Source:  Treasury Inspector General for Tax Administration (TIGTA)
analysis of ITAMS information dated March 2012 and KISAM system
information dated August 2012.

Two organizations within the IRS share responsibility for disposing of FEAs:  1) User and Network Services (UNS) within the Information Technology (IT) organization and 2) Real Estate and Facilities Management (REFM) within the Agency-Wide Shared Services organization.  Within the UNS organization, the Service Asset and Configuration Management organization’s Hardware Asset Management office is responsible for providing oversight, coordination, and guidance on managing the information technology equipment enterprise-wide.  This includes developing asset management policies, developing and improving processes for asset management and control, and working closely with asset owners enterprise-wide.

The REFM organization helps the IRS mission by providing policy, oversight, and strategic planning for the agency’s personal property assets.  IRS management indicated that in FY 2012 the REFM organization implemented new policies and procedures to enhance the organization’s supporting operations.  For example, the REFM organization:

During FYs 2010 and 2011, the UNS organization reorganized to become a high-performing organization built upon reengineered service delivery processes, updated technology tools, and industry best practices.  Under this new blueprint, the UNS organization established six field operations areas and four depot locations (Brookhaven, New York; Memphis, Tennessee; Austin, Texas; and Ogden, Utah) and subsequently centralized the disposition of its laptop and desktop computers at two of the depot locations.  Additionally, one of the two depots has responsibility for assisting and coordinating with other offices regarding the disposition of other information technology equipment.  In addition, the REFM organization has employees in each field operations area and at each depot location to facilitate asset management through a life cycle approach toward the effective and efficient accountability, use, maintenance, protection, transfer, and disposition of personal property in accordance with governing Federal regulations.  Finally, IRS management stated that the REFM organization supports the IRS goals, objectives, and recycling efforts of the Federal management of personal property by:

·       Managing its inventory effectively.

·       Maximizing reuse of information technology assets.

·       Enhancing the recycling of information technology assets to meet national disposition objectives.

·       Ensuring that property managers are well trained.

The IT organization initiates the disposal process by identifying equipment that is beyond its useful life.  It then completes the required paperwork and ensures that storage media has been sanitized.  Upon completion of these actions, the IT organization updates the KISAM system inventory to reflect that the disposed property belongs to the REFM organization.  The REFM organization maintains control of the equipment throughout the remainder of the disposal process.  Appendix V provides a flowchart detailing this process.

This review was performed in the UNS and REFM organizations’ offices located at the Austin Campus in Austin, Texas; the Brookhaven Campus in Islip, New York; and the New Carrollton Federal Building in New Carrollton, Maryland, during the period October 2012 through December 2013.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.  Detailed information on our audit objectives, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Federal Electronic Assets Are Reused and Donated; However, Program Improvements Can Be Made

IRS management advised that they had written agreements to donate FEAs for reuse and recycling with three organizations:  Mission West Virginia Inc.; Per Scholas; and UNICOR.  However, the agreements were still in draft status and undergoing revision at the conclusion of our audit work.  In the absence of the written agreements, IRS management provided us with certificates demonstrating that UNICOR had been certified under the Responsible Recycling Program and that Per Scholas had been certified under the e-Stewards Certification Program.[8]  Although we did not receive a similar certification for Mission West Virginia Inc., IRS management indicated this organization was registered as a Microsoft refurbisher.

As previously mentioned, GSA Bulletin FMR B-34 encourages Federal agencies to use every opportunity to reuse or donate their FEAs.  Table 2 highlights the three organizations that received the majority of the IRS donations, in terms of original acquisition cost.  The figures presented in Table 2 also show that the IRS was donating/reusing its FEAs prior to Executive Order 13514 taking effect in FY 2010. 

Table 2:  Top Three Organizations Receiving FEAs
(original acquisition cost)

  Organization[9]                 FY 2009        FY 2010        FY 2011        FY 2012
  Comp 4 Kids                                 $4,867,960    $10,523,696    $10,936,297
  Mission West Virginia Inc.  $97,895,576    $12,530,868    $41,909,067     $9,823,660
  Per Scholas                 $15,410,144     $5,500,495       $433,362       $329,510
  Total Original Acquisition
  Cost of Items Donated to
  the Top Three Non-Federal
  Recipients                 $113,305,720    $22,899,323    $52,866,125    $21,089,467

Source:  TIGTA analysis of annual reports filed with the GSA.

GSA Bulletin FMR B-34 encourages agencies to use every opportunity to participate in reusing and donating equipment; however, the current annual reporting mechanism only captures the name of the non-Federal recipient, the classification of the donated equipment, the authority used to donate the equipment, and the total original acquisition cost of the donated or reused items.  Without a count of the number of FEAs donated or reused, the IRS and the GSA cannot fully measure progress in complying with GSA Bulletin FMR B-34.  A more meaningful measure would be to provide a count of the number of FEAs donated or reused.  For example, the Environmental Protection Agency sponsors a program called the Federal Electronics Challenge,[10] which requires agency participants to complete an annual report to measure progress against program goals, and the report requires agencies to provide the number of items donated or reused.

Further, the IRS cannot accurately report whether it donated FEAs as part of the Computers for Learning Program or used a certified recycler as required by GSA Bulletin FMR B-34.  While the GSA Annual Report of Property Furnished to Non-Federal Recipients includes a column for disclosing the type of authority[11] the IRS exercised when disposing of its FEAs, the instructions distributed to the REFM organization employees did not include specific guidance to ensure that the employees correctly and consistently recorded the authority that permitted the transfer of the FEAs.  In addition, the instructions stated that the information needed to complete the annual reports could be found in the property disposal records maintained by each office.  However, the disposal records maintained by each office do not provide information that identifies the authority that permitted the equipment transfer.  Instead, the employee must rely on the limited available information (e.g., name of the recipient organization, condition code status of the information technology equipment) to complete the authority section of the annual report.

As a result, the FY 2012 Annual Report of Property Furnished to Non-Federal Recipients had multiple entries for Mission West Virginia Inc. showing it received FEAs under the following authorities:  Certified R2 Recycler; Certified Recycler – Other; and Computers for Learning Program.  Although it is possible for Mission West Virginia Inc. to receive property for educational purposes and for recycling of parts, there is currently no process in place for employees to ensure the accuracy of authorities recorded on the annual report.  If the appropriate authorities are not captured, it will be difficult for the IRS to show it complies with GSA Bulletin FMR B-34 and Executive Order 13514.

Upon this discovery, IRS management implemented corrective actions for FY 2013 annual reporting.  The REFM organization issued to its property officers internal guidance on how to use the “Authority” field and to add a column to their log/spreadsheet for each transaction to identify the “Authority” for which the FEAs were donated to ensure consistency when preparing the annual property reports for the GSA.

Recommendation

Recommendation 1:  The Chief, Agency-Wide Shared Services, should require offices responsible for disposal of Federal Electronic Assets to maintain a count of the number of FEAs donated to non-Federal recipients.  The GSA Office of Personal Property Policy Division Utilization and Disposal should also be contacted to determine if information on the number of FEAs donated to non-Federal recipients would add value to the GSA annual reporting process. 

Management’s Response:  The IRS agreed with this recommendation.  The IRS will maintain a count of FEAs transferred to non-Federal recipients.  The IRS will also contact the GSA Office of Personal Property Policy Division with TIGTA’s recommendation and inquire whether the FEA count could add value to the Federal agencies’ annual property reports.

Improved Documentation Is Needed to Ensure Compliance With Media Sanitization Guidelines

GSA Bulletin FMR B-34 encourages agencies to follow the recommendations outlined in NIST Special Publication 800-88, Guidelines for Media Sanitization, and to develop consistent agency practices to clean hard drives and other storage devices in order to protect sensitive data.  Section 4.8 of NIST 800‑88 states that a Certificate of Sanitization (see Appendix IV for a sample) should be completed for each piece of electronic media that has been sanitized.  The guidance further states that the decision regarding completion of a certificate depends upon the confidentiality level of the data on the media and suggests the documentation can be in either paper or electronic form.  Internal Revenue Manual (IRM) sections 10.8.1, Information Technology Security, and 2.14.1, Asset Management, state that a letter or form stipulating that the sanitization and verification procedures have been complied with shall be signed by the responsible person who performed the procedures and shall accompany the device when it is turned in for disposal.

While the IRS uses the appropriate disk wipe utility or degaussing techniques to sanitize storage media, it needs better documentation to confirm each piece of electronic media has been sanitized.  The IRS includes a certification statement on its documentation when disposing of FEAs, as follows:

I certify that all IT equipment with permanent data/media storage listed on this form have been removed or wiped clean of any sensitive or proprietary information and software by use of a disk wipe utility according to the governing IRM policy and procedures, and verification of this removal or wiping has been performed.

IRS personnel believe this certification statement complies with the requirements outlined in NIST 800-88.  The current certification statement is computer generated by the automated Standard Form (SF)-120, Report of Excess Personal Property, database program.  According to instructions for this program, users will be prompted with a question asking if they are “excessing computer processing units.”[12]  If the SF-120 contains computers with data or storage media, the user should answer yes.  Based on our review of disposal documentation, it is not uncommon for this documentation to contain hundreds of line items of information technology equipment and FEAs.  Sometimes the documents contain all computers, other times the documents contain a mix of assets including computers, smartphones, printers, and fax machines. 

We observed the sanitization and verification process at one of the two depot locations.[13]  One individual sanitized the storage media of those items prepared for disposal, while another individual verified the sanitization by reviewing the hard drive sectors to ensure that all data had been wiped.[14]  The individuals would document the completion of this process by placing a sticker on the equipment and including their initials and date of completion.  Another individual, separate from this process, would complete the disposal documentation using the automated SF-120 database program.  Although that individual worked in the same group with the employees doing the sanitization and verification, that individual did not physically verify the items to ensure that they included the stickers prior to completing the form and including the certification statement.  Further, after the information technology equipment leaves the IRS, there is no longer any evidence available to show the dates when the sanitization and verification occurred and to ensure that the process was completed by independent parties. 

The confidential and proprietary nature of the data stored on IRS media devices places these devices at a higher risk if the sanitization and verification process is not properly completed.  Although we did not observe any adverse conditions during our audit, we believe the IRS needs to implement a more rigorous documentation standard to demonstrate it took appropriate actions to sanitize and verify storage devices prior to those devices leaving the IRS.  This documentation should be retained with the disposal documentation for the asset. 
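The gap described above is that the wipe, the read-back verification, and the certification statement are three separate acts, and the statement on the SF-120 covers hundreds of line items at once with no per-asset evidence of who wiped, who verified, or when.  The following is an added illustration, not IRS code and not a tool the report describes, of what a per-asset record of that process could look like.  It assumes a single-pass overwrite with a fixed byte pattern, 512-byte sectors, and an in-memory byte buffer standing in for a drive or disk image; the asset fields, user names, and sample data are constructed.

```python
"""Per-asset media-sanitization verification and certificate record.

Added illustration, not IRS code.  Assumes a single-pass overwrite with a
fixed byte pattern and 512-byte sectors; the "drive" is an in-memory bytes
buffer standing in for a block device or disk image.
"""
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size; a real tool reads it from the device


def overwrite(media: bytearray, pattern: bytes = b"\x00") -> None:
    """Stand-in for the disk wipe utility: one pass of `pattern` over every byte."""
    reps = len(media) // len(pattern) + 1
    media[:] = (pattern * reps)[: len(media)]


def verify_sanitized(media: bytes, pattern: bytes = b"\x00") -> dict:
    """Independent read-back check: every sector must contain only `pattern`.

    Stops at the first sector that still holds other data, so a partial wipe
    (for example a tool that skipped the last sectors) is caught and located.
    """
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    n_sectors = (len(media) + SECTOR - 1) // SECTOR
    for i in range(n_sectors):
        sector = media[i * SECTOR:(i + 1) * SECTOR]
        if sector != expected[: len(sector)]:
            return {"verified": False, "sectors_checked": i + 1,
                    "first_dirty_sector": i}
    return {"verified": True, "sectors_checked": n_sectors,
            "first_dirty_sector": None}


def sanitization_record(asset: dict, media: bytes, method: str,
                        sanitized_by: str, verified_by: str,
                        when: datetime = None) -> dict:
    """Per-asset record in the spirit of the NIST SP 800-88 certificate.

    Separation of duties is enforced: the person who ran the wipe may not
    also be the person who verified it.  The record carries the verification
    result and a hash of the post-wipe contents, so it remains evidence after
    the device has left the building.
    """
    if sanitized_by == verified_by:
        raise ValueError("sanitizer and verifier must be different people")
    result = verify_sanitized(media)
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return {
        "barcode": asset["barcode"],
        "serial": asset["serial"],
        "manufacturer": asset["manufacturer"],
        "model": asset["model"],
        "media": asset["media"],
        "method": method,
        "sanitized_by": sanitized_by,
        "verified_by": verified_by,
        "verified": result["verified"],
        "sectors_checked": result["sectors_checked"],
        "first_dirty_sector": result["first_dirty_sector"],
        "post_wipe_sha256": hashlib.sha256(media).hexdigest(),
        "timestamp": stamp,
    }


# Constructed sample asset (all values are placeholders).
ASSET = {"barcode": "000123456", "serial": "SN-EXAMPLE-01",
         "manufacturer": "ExampleCo", "model": "Model X", "media": "HDD"}


def demo() -> dict:
    """Wipe a constructed 4 KiB 'drive' of fake taxpayer data and record it."""
    drive = bytearray((b"TAXPAYER RECORD 123-45-6789 " * 200)[:4096])
    overwrite(drive)
    return sanitization_record(ASSET, bytes(drive), "single-pass overwrite",
                               sanitized_by="tech.a", verified_by="tech.b",
                               when=datetime(2013, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One record per asset, keyed by barcode and serial number, is what lets an auditor later match a device on an SF-120 to the people and date of its sanitization; the SF-120 certification statement alone cannot do that.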

Recommendation

Recommendation 2:  The Chief Technology Officer should ensure that offices complete a separate letter or form for each asset and maintain this documentation to provide an audit trail for the process of sanitizing and verifying storage media.

Management’s Response:  The IRS agreed with this recommendation.  Contingent upon funding availability, the IRS will enhance the existing process to include an electronic form within KISAM to document storage media sanitization for each asset.

Controls Over Processing Federal Electronic Assets Reported As Missing/Lost/Stolen Can Be Strengthened

In a prior report,[15] we reported that the IRS did not perform sufficient steps to locate information technology assets in a missing status prior to writing off the equipment as lost.  The IRS agreed to take corrective action to develop a report that would include appropriate data to help facilitate researching and resolving these assets.  During our current review of the disposal process, we judgmentally selected[16] 43 FEAs that were reported in a missing, lost, or stolen status to ensure compliance with procedures.  Our review found the following:

IRM 10.8.1.4.8, Incident Response, states that all employees and contractors shall report computer security incidents to the IRS’s CSIRC within one hour after detection.  The IRM defines the loss or theft of information technology equipment as a reportable incident, especially when the loss or theft could result in unauthorized access to systems, IRS information, or an individual’s Personally Identifiable Information.  In addition, IRM 2.14.1.13.20.4, Asset Management, Information Technology (IT) Asset Management,[17] states that all lost and stolen incidents of information technology equipment must also be reported to TIGTA.

For the 14 FEAs that were not timely reported to the CSIRC, the lateness ranged from 103 minutes to 24 days after the incident was detected.  Timely reporting of security incidents allows the CSIRC to take the necessary steps to disable devices and reduce the potential for unauthorized access or a data breach.

A further review of the disposal documentation associated with the 14 FEAs that were not timely reported to the CSIRC identified that these items were written off by the IRS after doing research to locate the assets.  We also identified 878 other information technology assets that were included in these disposal documents and written off the inventory system as lost because the IRS lost accountability for these assets.
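The two failures above, late CSIRC reports and write-offs with no CSIRC or TIGTA report on file, are mechanical enough to be checked by the inventory system itself, which is what the IRS later proposes for KISAM.  The following is an added illustration, not IRS code and not a KISAM feature, of such a check run over constructed records.  The field names (detected_at, csirc_reported_at, csirc_report_no, tigta_report_no, written_off) are assumptions, timestamps are ISO 8601, and the sample data is built to reproduce the 103-minute and 24-day cases cited above.

```python
"""Timeliness and completeness check for lost/stolen IT asset records.

Added illustration, not IRS code.  Records are constructed to resemble an
export from an asset system; every field name here is an assumption.
"""
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)  # reporting window stated in IRM 10.8.1.4.8


def _parse(ts):
    """ISO 8601 string -> datetime, or None when the field is empty."""
    return datetime.fromisoformat(ts) if ts else None


def check_record(rec: dict) -> list:
    """Return the findings for one asset record (an empty list means compliant)."""
    findings = []
    detected = _parse(rec.get("detected_at"))
    reported = _parse(rec.get("csirc_reported_at"))
    if detected is None:
        return ["no detection timestamp"]
    if reported is None:
        findings.append("not reported to CSIRC")
    elif reported - detected > ONE_HOUR:
        findings.append(f"CSIRC report late by {reported - detected - ONE_HOUR}")
    # Loss or theft must also be reported to TIGTA.
    if rec.get("status") in ("lost", "stolen") and not rec.get("tigta_report_no"):
        findings.append("no TIGTA report number")
    # An asset may not be finalized as lost until both report numbers are on file.
    if rec.get("written_off") and not (rec.get("csirc_report_no")
                                       and rec.get("tigta_report_no")):
        findings.append("written off as lost without CSIRC and TIGTA report numbers")
    return findings


def audit(records) -> dict:
    """Map each barcode to its list of findings."""
    return {r["barcode"]: check_record(r) for r in records}


# Constructed sample records (not real IRS data).
SAMPLE = [
    {"barcode": "A1", "status": "stolen", "detected_at": "2013-03-04T09:00:00",
     "csirc_reported_at": "2013-03-04T09:30:00", "csirc_report_no": "C-0001",
     "tigta_report_no": "T-0001", "written_off": False},
    # reported 103 minutes after detection
    {"barcode": "A2", "status": "lost", "detected_at": "2013-03-04T09:00:00",
     "csirc_reported_at": "2013-03-04T10:43:00", "csirc_report_no": "C-0002",
     "tigta_report_no": "T-0002", "written_off": False},
    # reported 24 days later, then written off with no report numbers
    {"barcode": "A3", "status": "lost", "detected_at": "2013-05-01T08:00:00",
     "csirc_reported_at": "2013-05-25T08:00:00", "csirc_report_no": None,
     "tigta_report_no": None, "written_off": True},
    # never reported to CSIRC, written off anyway
    {"barcode": "A4", "status": "lost", "detected_at": "2013-06-10T14:00:00",
     "csirc_reported_at": None, "csirc_report_no": None,
     "tigta_report_no": "T-0004", "written_off": True},
]


if __name__ == "__main__":
    for barcode, findings in audit(SAMPLE).items():
        print(barcode, findings or "OK")
```

Blocking the "written off" transition until both report numbers are present turns the IRM requirement into a control the system enforces rather than one an auditor discovers after the fact.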

Recommendations

The Chief Technology Officer should:

Recommendation 3:  Reemphasize the importance of reporting lost or stolen information technology equipment within one hour after detection. 

Management’s Response:  The IRS agreed with this recommendation.  The IRS will issue an employee communique reinforcing existing policy for reporting lost or stolen information technology equipment.  Contingent upon funding availability, the IRS will implement a KISAM enhancement to report and monitor the IRS’s compliance with existing policy.

Recommendation 4:  Update procedures to ensure that information technology assets written off as lost are reported to the CSIRC and TIGTA.  

Management’s Response:  The IRS agreed with this recommendation.  Contingent upon funding availability, the IRS will update procedures to require the CSIRC and TIGTA report numbers be documented in the KISAM prior to finalizing the asset record as lost.

Recommendation 5:  Ensure that incidents involving the loss or theft of information technology equipment are reported to TIGTA.

Management’s Response:  The IRS agreed with this recommendation.  Contingent upon funding availability, the IRS will require the TIGTA report number be documented in the KISAM for all equipment reported as lost or stolen to the Information Technology organization.

Documentation of Disposal Actions Can Be Improved

We selected a judgmental sample of 90 FEAs in a pending[18] and final disposition status and identified several areas in 79 of the cases in which the IRS can improve its documentation for these actions.  For example, two of the FEAs we selected for review were associated with disposal documents that contained assets that were blacked out.  Of the 369 assets reflected on these disposal documents and shown as being transferred outside the IRS, 56 were blacked out without any notations or explanations indicating what had happened to these assets.  When we asked the IRS to explain the circumstances surrounding the blacked-out assets, IRS personnel could not recall because of the time that had elapsed. 

Prior to the transfer of the information technology equipment from the UNS organization to the REFM organization, both parties verify the barcode and serial number of the items listed on the SF-120 to ensure that all items have been properly accounted for.  According to IRM 2.14.1.13.20.2, any corrections, additions, or deletions of items on the SF-120 require IT organization staff either to redo the original SF-120 to match the items verified or to complete a second SF-120 if additional items are found.  Not redoing the SF-120 as the procedures require, or not documenting on the SF-120 the circumstances behind the blacked-out assets, increases the risk that these assets were stolen or otherwise diverted without detection. 

We also identified inconsistencies outlined in the procedures regarding the types of disposal documents to use when transferring FEAs from the IRS.  For example, if the IRS decides it needs to return an item to the vendor, the procedures state that a Form 1933, Report of Survey, or a Miscellaneous Form should be completed.  Whereas if the IRS decides to donate its FEAs to a non-Federal recipient organization, the procedures state that an SF-122, Transfer Order Excess Personal Property, should be completed and a signature/date obtained from a representative of the organization accepting the equipment.  IRS management took corrective action to change the procedures to ensure that the SF-122 would be used to document all transfers of FEAs.  This corrective action became effective in September 2013.    

Throughout our review, we shared our concerns about other discrepancies we identified relating to the documentation supporting the disposition of FEAs.  The following list represents additional management actions taken by the IRS to correct these discrepancies:

·      According to IRM 2.14.1.13.20.2, the disposal documentation should contain the following data to describe the items being disposed:  barcode, serial number, category, manufacturer, and model.  Our review of disposal documentation for the 79 previously examined FEAs indicated 58 did not reflect the manufacturer for the items.  The IRS agreed with this observation and modified its SF-120 program to ensure that the manufacturer name is included on future SF-120 reports. 

·      IRM 2.14.1.13.12.7 states that the disposition of equipment depends on the overall condition of the equipment at the time of disposition.  Specific codes are entered into the KISAM system that describe the condition of the property.  As an example, condition code 4 means the equipment shows some wear but it can be used without significant repair.  Further, GSA Bulletin FMR B-34 specifically encourages agencies to reuse or donate FEAs in specific condition codes.  We raised concerns that there was no clear guidance in the IRM to explain how the condition codes should be applied to ensure consistency.  We also identified some discrepancies in which the condition code in the inventory system did not align with how the item was disposed.  For example, an item that was reflected as repairable and that should have been donated was disposed of as scrap.  IRS management recognizes there should be a better understanding of the condition codes and has included this item as an agenda item in upcoming meetings with personnel. 

Recommendations

Recommendation 6:  The Chief Technology Officer should reemphasize the importance of completing new disposal forms when changes are identified.

Management’s Response:  The IRS agreed with this recommendation.  The IRS will update its standard operating procedures to prohibit edits and markups of previously completed disposal forms.

Recommendation 7:  The Chief, Agency-Wide Shared Services, should ensure that IRM procedures are updated to reflect the recent policy change requiring the use of SF-122 when transferring or donating FEAs. 

Management’s Response:  The IRS agreed with this recommendation and will ensure that the policy guidance provided to the REFM territories on September 23, 2013, is included in the next revision of IRM 1.14.4, Personal Property Management, Real Estate and Facilities Management.

The Inventory System Currently Does Not Archive Electronic Asset Disposal Data

Section 17 of the IRS Records Control Schedule[19] provides details regarding the retention requirements for electronic and paper records.  It states that system data associated with the asset should be retained until three years after disposition. 

When the IRS went live with a new system of records known as the KISAM system in August 2011, assets in retired status were not migrated to the KISAM system.  This left 400,000 information technology assets in a final disposition status in the predecessor system ITAMS because the KISAM system archive mechanism had not been completed.[20]    

The interim archiving process the IRS is using consists of maintaining the asset information that was not migrated from the ITAMS as raw data in an Oracle® database.  The data are retrievable only by a person who knows the Oracle software, which is a hardship for the organizations that may need easy access to the information in order to complete supplemental assignments.

According to IRS management, there is no urgent need to develop the archiving mechanism because data in the KISAM system database have not yet reached the retention requirements for assets placed in final disposition.  The KISAM system would be updated with the archiving requirement in Release 2.  Until this development is completed, the IRS will simply retain all asset records in the KISAM system database.  While IRS management decided not to implement the KISAM system with an archiving capability, this functionality will be needed in the future to ensure the effectiveness and efficiency of the KISAM system and the research of disposed asset records.

Recommendation

Recommendation 8:  The Chief Technology Officer should ensure that the KISAM system’s archiving mechanism is developed so that information technology asset data can be effectively managed in accordance with the IRS’s Records Control Schedule.

Management’s Response:  IRS agreed with this recommendation.  Contingent upon funding availability, the IRS will ensure that the KISAM system’s archiving mechanism is developed so that the information technology asset data can be effectively managed in accordance with the IRS’s Records Control Schedule.

 

Appendix I

 

Detailed Objectives, Scope, and Methodology

 

Our overall objectives were to validate the accuracy of the disposal asset inventory and determine the effectiveness of the IRS’s actions taken or planned to fulfill the requirements set forth by GSA Bulletin FMR B-34.  To accomplish our objectives, we:

I.  Verified the accuracy of the KISAM system disposed asset inventory that migrated from the ITAMS.

    A.  Identified the criteria for maintaining electronic records for disposed assets.

    B.  Interviewed IRS personnel to identify any recent changes/decisions to the electronic records retention criteria.

    C.  Used migration criteria obtained during a prior audit,[21] analyzed ITAMS retired assets, and identified the population of retired assets in the ITAMS.

    D.  Evaluated the results from Step I.C. and identified the number of assets that met the electronic records management criteria.

    E.  Selected a judgmental sample[22] of 30 assets from the 423,377 assets identified in Step I.D. and reviewed disposal documentation to confirm the accuracy of their retired status.  Some of the criteria considered for our judgmental sample included assets with disposal codes 09 (in process of excess) and 16 (missing); assets with a physical inventory date (i.e., manual touch date, Tivoli scan date, barcode scan date, self-certification date) subsequent to the disposal date; and assets with a missing or invalid disposal report number.

    F.  Matched ITAMS retired assets to the KISAM system and identified records that migrated to the KISAM system.  (Note:  According to the IRS, the only records that migrated to the KISAM system were those assets in the ITAMS with disposal code 09 (in process of excess) or 16 (missing).)

II.  Evaluated whether the IRS used every opportunity to reuse functional FEAs in accordance with the requirements outlined in GSA Bulletin FMR B-34.

    A.  Interviewed REFM organization personnel to understand their role in the disposal of FEAs.

    B.  Interviewed IT organization personnel to understand their role in following NIST 800-88, Guidelines for Media Sanitization, for FEAs.

    C.  Identified the organizations the IRS used to recycle its FEAs and validated that they met GSA's certification requirement, e.g., the Responsible Recycling or e-Stewards Certification Programs.

    D.  Reviewed copies of annual reports submitted by the IRS to the Department of the Treasury/GSA for FYs 2009 through 2012 to evaluate the volume of equipment provided to schools or other organizations.  We obtained supporting documentation for these summary reports and/or compared these volumes to the ITAMS and KISAM system data.

    E.  Analyzed the ITAMS and KISAM system data for FEA items with condition codes 1 (New), 4 (Usable), and 7 (Repairable) to identify any trends for FYs 2009 through 2012.  For FY 2012 disposals, we obtained disposal documentation to identify how the equipment was disposed of, e.g., donated to a school or transferred for refurbishing/reuse.

III.  Assessed the effectiveness of the controls over the disposition of FEAs to ensure that the assets and their data are safeguarded from fraud, waste, abuse, and/or the inadvertent disclosure of Personally Identifiable Information.

    A.  Compared REFM organization procedures for asset disposal to the policy outlined in GSA Bulletin FMR B-34.

    B.  Compared REFM and IT organizations' asset disposal procedures.

    C.  Analyzed data from the KISAM system Asset Manager to identify the population and potential trends/irregularities of FEAs classified as pending or final disposition.

    D.  Using data from Step III.C., selected a judgmental sample of 30 of 60 final excessed FEAs from the Brookhaven Campus in Islip, New York.  Our selection criteria included consideration of the following:  FEAs in disposal codes other than 00 (transfer to the Agency-Wide Shared Services organization) and 09 (in process of excess), assets with an inventory verification date subsequent to the disposal action, assets with missing or invalid disposal report numbers, and assets with an acquisition and disposal date within the same year.

    E.  Using the data from Step III.C., selected a judgmental sample of 30 of 60 FEAs pending disposal at the Brookhaven Campus.  Selection criteria included consideration of the following:  FEAs in disposal codes 00 (transfer to the Agency-Wide Shared Services organization) and 09 (in process of excess), assets that contained a future warranty expiration date, e.g., FYs 2013 or 2014, and assets with an acquisition and disposal date within the same year.

    F.  Collaborated with TIGTA's Office of Investigations and obtained information regarding open and closed investigations involving lost/stolen information technology equipment.

    G.  Identified FEAs in the KISAM system designated as lost/stolen/missing and selected a judgmental sample of 30 from 2,166 FEAs.

    H.  Conducted Forrester Research Inc.[23] research and identified articles on information technology inventory write-off practices and/or shrinkage rate, i.e., how much theft/loss is acceptable.
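The selection criteria in Steps I.E, III.D and III.E above, together with the documentation discrepancies noted earlier (missing manufacturer on disposal documents; reusable condition codes ending in scrap; the three-year retention period in the Records Control Schedule), are all mechanical checks over asset records.  The following Python script is an added illustration of those checks, not IRS or TIGTA code and not the KISAM or ITAMS data model.  The record layout, the disposal report number pattern, the "disposal_method" values and the sample rows are constructed assumptions; the condition codes 1/4/7, disposal codes 00/09/16 and the three-year retention rule are the ones stated in this report.

```python
"""Consistency checks over asset-disposal records, modelled on the audit
selection criteria in Appendix I and on the documentation discrepancies
reported above.  Added example only: the record layout, report-number
pattern, disposal-method values and sample rows are constructed."""
from datetime import date
import re

# Fields IRM 2.14.1.13.20.2 requires on disposal documentation.
REQUIRED_FIELDS = ("barcode", "serial_number", "category", "manufacturer", "model")

# Condition codes this report treats as reusable: 1 New, 4 Usable, 7 Repairable.
REUSABLE_CONDITION_CODES = {1, 4, 7}

# Disposal codes named in Appendix I: 00 transfer to AWSS, 09 in process of
# excess, 16 missing.  A record in final disposition should not carry these.
NON_FINAL_DISPOSAL_CODES = {"00", "09", "16"}

# Assumed disposal report number format (two letters, dash, six digits).
REPORT_NO_RE = re.compile(r"^[A-Z]{2}-\d{6}$")

# Records Control Schedule, Section 17: retain until 3 years after disposition.
RETENTION_YEARS = 3


def _add_years(d, n):
    """Add n years to a date, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def audit_record(rec, as_of):
    """Return the list of flags raised for one record (empty list = clean)."""
    flags = []
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        flags.append("missing_fields:" + ",".join(missing))
    if rec.get("status") == "final" and rec.get("disposal_code") in NON_FINAL_DISPOSAL_CODES:
        flags.append("final_status_with_nonfinal_code")
    if rec.get("condition_code") in REUSABLE_CONDITION_CODES and rec.get("disposal_method") == "scrap":
        flags.append("reusable_condition_scrapped")
    disposal = rec.get("disposal_date")
    inventory = rec.get("last_inventory_date")
    if disposal and inventory and inventory > disposal:
        flags.append("inventory_after_disposal")  # touched/scanned after it was "gone"
    acquisition = rec.get("acquisition_date")
    if disposal and acquisition and acquisition.year == disposal.year:
        flags.append("acquired_and_disposed_same_year")
    if not REPORT_NO_RE.match(rec.get("disposal_report_no") or ""):
        flags.append("invalid_disposal_report_no")
    if disposal and _add_years(disposal, RETENTION_YEARS) <= as_of:
        flags.append("retention_expired_archive")  # eligible for archiving
    return flags


def audit_records(records, as_of):
    """Map barcode -> flags for every record that raised at least one flag."""
    result = {}
    for rec in records:
        flags = audit_record(rec, as_of)
        if flags:
            result[rec["barcode"]] = flags
    return result


# Constructed sample rows; codes "14" and "12" are assumed final-disposition codes.
SAMPLE_RECORDS = [
    {"barcode": "000123", "serial_number": "SN-A1", "category": "Laptop",
     "manufacturer": "Acme", "model": "L1", "status": "final",
     "condition_code": 7, "disposal_method": "scrap", "disposal_code": "14",
     "acquisition_date": date(2008, 3, 1), "disposal_date": date(2012, 5, 10),
     "last_inventory_date": date(2012, 9, 1), "disposal_report_no": "BH-000314"},
    {"barcode": "000124", "serial_number": "SN-B2", "category": "Printer",
     "manufacturer": "", "model": "P9", "status": "final",
     "condition_code": 4, "disposal_method": "donated", "disposal_code": "09",
     "acquisition_date": date(2012, 1, 15), "disposal_date": date(2012, 11, 2),
     "last_inventory_date": date(2012, 6, 1), "disposal_report_no": "BH-17"},
    {"barcode": "000125", "serial_number": "SN-C3", "category": "Desktop",
     "manufacturer": "Acme", "model": "D4", "status": "final",
     "condition_code": 4, "disposal_method": "donated", "disposal_code": "12",
     "acquisition_date": date(2007, 6, 1), "disposal_date": date(2013, 8, 20),
     "last_inventory_date": date(2013, 7, 1), "disposal_report_no": "BH-000412"},
    {"barcode": "000126", "serial_number": "SN-D4", "category": "Copier",
     "manufacturer": "Acme", "model": "C2", "status": "final",
     "condition_code": 9, "disposal_method": "recycled", "disposal_code": "12",
     "acquisition_date": date(2004, 2, 1), "disposal_date": date(2010, 12, 1),
     "last_inventory_date": date(2010, 10, 1), "disposal_report_no": "BH-000099"},
]

if __name__ == "__main__":
    for barcode, flags in audit_records(SAMPLE_RECORDS, date(2014, 4, 25)).items():
        print(barcode, flags)
```

Run against the constructed rows with the report date as the "as of" date, the laptop is flagged for being scrapped despite a repairable condition code and for an inventory touch after its disposal date, the printer for a missing manufacturer, an in-process disposal code on a final record, same-year acquisition and disposal, and a malformed report number, and the copier only as past its retention period; the desktop is clean.  In practice such a pass would be run over an export of the inventory system before the records are finalized rather than, as here, after the fact.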

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objectives:  GSA Bulletin FMR B-34, NIST 800-88, and the IT and REFM organizations’ policies and procedures relating to the disposition of FEA.  We evaluated these controls by interviewing IRS management and staff from the UNS, REFM, and Cybersecurity organizations; reviewing policies and procedures outlined in the IRM; and reviewing relevant supporting documentation.

 

Appendix II

 

Major Contributors to This Report

 

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)

Danny Verneuille, Director

Myron Gulley, Audit Manager

Diana Tengesdal, Audit Manager

Chinita Coates, Lead Auditor

Ryan Perry, Senior Auditor

Allen Henry, Auditor

Sarah Shelton, Auditor

Ashley Weaver, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Information Officer, User and Network Services  OS:CTO:UNS

Director, Real Estate and Facilities Management  OS:A:RE

Director, Operations Service Support  OS:CTO:UNS:OS

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Director, Risk Management Division  OS:CTO:SP:RM

 

Appendix IV

 

Sample Certification Letter

 

CERTIFICATE OF SANITIZATION

PERSON PERFORMING SANITIZATION

Name:

Title:

Organization:

Location:

Phone:

MEDIA INFORMATION

Make/Vendor:

Model Number:

Serial Number:

Media Property Number:

Media Type:

Source (i.e., user name or PC Property number):

Classification:

Data Backed Up:     Yes    No    Unknown

Backup Location:

SANITIZATION DETAILS

Method Type:  Clear  /  Purge  /  Damage  /  Destruct

Method Used:  Degauss  /  Overwrite  /  Block Erase  /  Crypto Erase  /  Other:

Method Details:

Source:  NIST 800-88, September 2012.  PC = Personal Computer.
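Recommendation 2 calls for a separate sanitization letter or form per asset so that an audit trail exists for each storage device.  The following Python validator is an added illustration of how the certificate fields above can be checked before a device leaves the depot; it is not an IRS tool and not part of NIST 800-88.  The field names, the media-type vocabulary and the two sample certificates are constructed assumptions.  The method categories are the ones on the form, and the flash-media rules (degaussing does not sanitize flash memory; a single overwrite of flash media is at most a Clear, not a Purge) follow NIST SP 800-88 Rev. 1.

```python
"""Per-asset Certificate of Sanitization validator using the fields of the
sample certificate above.  Added example only; field names, media-type
vocabulary and sample certificates are constructed assumptions."""

PERSON_FIELDS = ("name", "title", "organization", "location", "phone")
MEDIA_FIELDS = ("make_vendor", "model_number", "serial_number",
                "media_property_number", "media_type", "source", "classification")
METHOD_TYPES = {"Clear", "Purge", "Damage", "Destruct"}
METHODS_USED = {"Degauss", "Overwrite", "Block Erase", "Crypto Erase", "Other"}
BACKUP_STATES = {"Yes", "No", "Unknown"}
# Assumed media-type vocabulary for the flash-memory rules below.
FLASH_MEDIA = {"SSD", "USB flash", "SD card"}


def validate_certificate(cert):
    """Return a list of problems with one certificate (empty list = accept)."""
    errors = []
    for field in PERSON_FIELDS + MEDIA_FIELDS:
        if not cert.get(field):
            errors.append("missing:" + field)
    backed_up = cert.get("data_backed_up")
    if backed_up not in BACKUP_STATES:
        errors.append("bad:data_backed_up")
    elif backed_up == "Yes" and not cert.get("backup_location"):
        errors.append("missing:backup_location")
    mtype, mused = cert.get("method_type"), cert.get("method_used")
    if mtype not in METHOD_TYPES:
        errors.append("bad:method_type")
    if mused not in METHODS_USED:
        errors.append("bad:method_used")
    if mused == "Other" and not cert.get("method_details"):
        errors.append("missing:method_details")
    media = cert.get("media_type")
    if media in FLASH_MEDIA and mused == "Degauss":
        errors.append("ineffective:degauss_on_flash")  # NIST 800-88: no effect on flash
    if media in FLASH_MEDIA and mused == "Overwrite" and mtype == "Purge":
        errors.append("unsupported:overwrite_claimed_as_purge_on_flash")
    return errors


def duplicate_serials(certs):
    """Serial numbers that appear on more than one certificate (one form per asset)."""
    seen, dupes = set(), set()
    for cert in certs:
        serial = cert.get("serial_number")
        if serial in seen:
            dupes.add(serial)
        seen.add(serial)
    return sorted(dupes)


# Constructed sample certificates.
GOOD_CERT = {
    "name": "J. Doe", "title": "IT Specialist", "organization": "UNS depot",
    "location": "Brookhaven", "phone": "000-000-0000",
    "make_vendor": "Acme", "model_number": "HD-500", "serial_number": "SN-1001",
    "media_property_number": "MP-1001", "media_type": "HDD", "source": "PC 000123",
    "classification": "SBU", "data_backed_up": "No",
    "method_type": "Purge", "method_used": "Degauss", "method_details": "Degausser model X",
}
BAD_CERT = dict(GOOD_CERT, serial_number="", media_type="SSD",
                data_backed_up="Yes", backup_location="")

if __name__ == "__main__":
    print(validate_certificate(GOOD_CERT))
    print(validate_certificate(BAD_CERT))
    print(duplicate_serials([GOOD_CERT, GOOD_CERT]))
```

The second sample fails on three counts: no serial number, a backup declared but no backup location, and a degauss recorded against flash media.  Filling the form electronically in the inventory system, as Corrective Action #2 proposes, is the point at which checks like these are cheapest to apply.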

 

Appendix V

 

Flowchart of Disposal Process

 

The Flowchart was removed due to its size.  To see the Flowchart, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

Source:  IRM 2.14.1, Asset Management, Information Technology (IT) Asset Management, November 2011.

Appendix VI

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C.  20224

 

CHIEF TECHNOLOGY OFFICER

 

April 3, 2014

 

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                             Terence V. Milholland /s/ Terence V. Milholland

                                          Chief Technology Officer

 

SUBJECT:                       Draft Audit Report - TIGTA Draft Report - Used Information Technology Assets Are Being Properly Donated; However, Disposition Procedures Need to Be Improved (Audit #201320022) (e-trak #2014-52093)

 

Thank you for the opportunity to review the draft audit report and discuss the report observations with the audit team.  We appreciate your acknowledgement of the IRS's compliance with Executive Order 13514 Federal Leadership in Environmental, Energy, and Economic Performance and General Services Administration Federal Management Regulation B-34 requirements for the reuse, recycling, and refurbishing of federal electronic assets.

 

The IRS is in agreement with all of the recommendations provided by TIGTA and will take corrective actions contingent upon funding availability.  The IRS has implemented an effective asset disposal process and we believe the recommendations in the audit will simply serve to enhance the documentation artifacts associated with that process.  In response to your recommendations, we have attached our corrective action plan.

 

We value your continued support and the assistance your organization provides.  If you have any questions, please contact me at (202) 622-6800 or a member of your staff may contact Lisa Starr, Senior Manager, Program Oversight at (240) 613-4219.

 

Attachment

 

Attachment

 

RECOMMENDATION #1:  The Chief, Agency-Wide Shared Services should require offices responsible for disposal of Federal Electronic Assets to maintain a count of the number of FEAs donated to non-Federal recipients.  The GSA Office of Personal Property Policy Division Utilization and Disposal should also be contacted to determine if information on the number of FEAs donated to non-Federal recipients would add value to the GSA annual reporting process.

 

CORRECTIVE ACTION #1:  The IRS agrees with this recommendation.  The IRS will maintain a count of FEAs transferred to non-Federal recipients.  The IRS will also contact the GSA Office of Personal Property Policy Division with TIGTA's recommendation and inquire whether the FEA count could add value to the Federal agencies' annual property reports.

 

IMPLEMENTATION DATE:  August 25, 2014

 

RESPONSIBLE OFFICIAL:  Chief, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #2:  The Chief Technology Officer should ensure that offices complete a separate letter or form for each asset and maintain this documentation to provide an audit trail for the process of sanitizing and verifying storage media.

 

CORRECTIVE ACTION #2:  The IRS agrees with this recommendation.  Contingent upon funding availability, the IRS will enhance existing process to include an electronic form within Knowledge, Incident/Problem, Services, and Asset Management (KISAM) to document storage media sanitization for each asset.

 

IMPLEMENTATION DATE:  January 25, 2015

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User & Network Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #3:  The Chief Technology Officer should re-emphasize the importance of reporting lost or stolen information technology equipment within one hour after detection.

 

CORRECTIVE ACTION #3:  The IRS agrees with this recommendation.  The IRS will issue an employee communique reinforcing existing policy for reporting lost or stolen information technology equipment.  Contingent upon funding availability, the IRS will implement a KISAM enhancement to report and monitor IRS's compliance with existing policy.

 

IMPLEMENTATION DATE:  January 25, 2015

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User & Network Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #4:  The Chief Technology Officer should update procedures to ensure that information technology assets written off as lost are reported to the CSIRC and TIGTA.

 

CORRECTIVE ACTION #4:  The IRS agrees with this recommendation.  Contingent upon funding availability, the IRS will update procedures to require the CSIRC and TIGTA report numbers be documented in KISAM prior to finalizing the asset record as lost.

 

IMPLEMENTATION DATE:  January 25, 2015

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User & Network Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #5:  The Chief Technology Officer should ensure that incidents involving the loss or theft of information technology equipment are reported to TIGTA.

 

CORRECTIVE ACTION #5:  The IRS agrees with this recommendation.  Contingent upon funding availability, the IRS will require the TIGTA report number be documented in KISAM for all equipment reported as lost or stolen to Information Technology.

 

IMPLEMENTATION DATE:  January 25, 2015

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User & Network Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #6:  The Chief Technology Officer should re-emphasize the importance of completing new disposal forms when changes are identified.

 

CORRECTIVE ACTION #6:  The IRS agrees with this recommendation.  The IRS will update its Standard Operating Procedure to prohibit edits and markups of previously completed disposal forms.

 

IMPLEMENTATION DATE:  November 25, 2014

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, User & Network Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #7:  The Chief, Agency-Wide Shared Services should ensure that IRM procedures are updated to reflect the recent policy change requiring the use of SF-122 when transferring or donating FEAs.

 

CORRECTIVE ACTION #7:  The IRS agrees with this recommendation and will ensure the policy guidance provided to the REFM territories on September 23, 2013, is included in the next revision of IRM 1.14.4, Personal Property Management, Real Estate and Facilities Management.

 

IMPLEMENTATION DATE:  November 25, 2014

 

RESPONSIBLE OFFICIAL:  Chief, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

 

RECOMMENDATION #8:  The Chief Technology Officer should ensure that the KISAM system's archiving mechanism is developed so that information technology asset data can be effectively managed in accordance with the IRS's Records Control Schedule.

 

CORRECTIVE ACTION #8:  IRS agrees with this recommendation.  Contingent upon funding availability, the IRS will ensure that the KISAM system's archiving mechanism is developed so that the information technology asset data can be effectively managed in accordance with the IRS's Records Control Schedule.

 

IMPLEMENTATION DATE:  July 25, 2015

 

RESPONSIBLE OFFICIAL:  Associate Chief Information Officer, Enterprise Operations

 

CORRECTIVE ACTION MONITORING PLAN:  We enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.



[1] Exec. Order No. 13514, Federal Leadership in Environmental, Energy, and Economic Performance, 3 C.F.R. 52117 (2009).

[2] Examples include Federal Supply Class 3610 – copiers and Federal Supply Group 70 – desktop/laptop computers, printers, peripherals, and electronic components.

[3] See Computers for Learning website:  www.computers.fed.gov.

[4] A 12-consecutive-month period ending on the last day of any month.  The Federal Government’s fiscal year begins on October 1 and ends on September 30.

[5] Assets with a disposal code assignment indicating the assets are no longer in the IRS’s inventory. 

[6] Printers such as desktop, portable, network, and specialized.

[7] Copiers consist of floor/table models and color/noncolor. 

[8] The e-Stewards Certification Program is designed to enable individuals and organizations that dispose of their old electronic equipment to easily identify recyclers that adhere to the highest standard of environmental responsibility and worker protection.  The e-Stewards Certification is open to electronics recyclers, refurbishers, and processors.

[9] The IRS also donates information technology assets to UNICOR.  These donations are reported by UNICOR on its annual report; therefore, the IRS does not report the donations to avoid double counting.

[10] The Federal Electronics Challenge assists Federal agencies and facilities in meeting the goals of Executive Order 13514 and facing the challenges posed by electronics acquisition, use, and disposal.

[11] The authority describes the type of non-Federal recipient receiving the property.  Examples include Computers for Learning Program – EO12999, Certified R2 Recycler, and Certified Recycler – Other.

[12] The excessing of computer processing units refers to computers with data/media storage units to be disposed of on SF-120, Form 1933, Report of Survey, and Miscellaneous Form.

[13] We could not observe the process at the second location because of a moratorium on sanitizing storage media that went into effect shortly before our visit.

[14] If a storage device was not wiped after two attempts, the depot would send it to another location for degaussing. 

[15] TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss p. 13 (Sept. 2013).

[16] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

[17] All subsequent references to IRM 2.14.1.13 are from this titled section.

[18] Assets with a disposal code assignment indicating the assets are still in the IRS’s inventory awaiting disposal.

[19] A document that provides mandatory instructions for what to do with records (and nonrecord materials) no longer needed for current Government business.

[20] TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss p. 6 (Sept. 2013).

[21] TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss (Sept. 2013).

[22] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

[23] Forrester Research Inc. is an independent technology and market research company that provides advice on existing and potential impacts of technology to its clients and the public.