Treasury Inspector General for Tax Administration
November 26, 2013
TIGTA - 2013-50
Contact: David Barnes
WASHINGTON – The Internal Revenue Service (IRS) is testing the concept of allowing employees access to work e-mail and other services on their personal smartphones, according to a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
The report questions whether the “Bring Your Own Device” (BYOD) program is cost-effective and adequately protects taxpayer data. BYOD is a popular trend in mobile computing that allows users to access network resources on their personal mobile devices, such as smartphones.
The overall objective of this review was to evaluate the IRS’s costs, administration, and security for its BYOD efforts.
The IRS purchased 1,000 mobile device management software licenses in June 2012 for use by employees with personally owned iPhones, iPads, and Android smartphones. As of May 2013, 519 licenses were being used, all but two for iPhones and iPads.
TIGTA found that the IRS has not developed a complete cost-benefit analysis to fully justify the implementation of the BYOD concept. While the IRS did compare the estimated cost of BYOD to the cost of the IRS’s existing mobility programs prior to starting the BYOD pilot project, it has not updated the cost-benefit analysis. The initial analysis overestimated the number of existing smartphone users. The January 2013 IRS analysis was based on 5,000 Blackberry users and 15,000 cell phone users. The IRS has about 4,300 Blackberry® users and about 10,500 cell phone users.
The IRS’s initial analysis assumed that all employees with IRS-provided cell phones or smartphones would willingly choose to participate in BYOD. However, nearly half the mobile device management software licenses purchased by the IRS for use in the test are not being used.
TIGTA expressed concern that the IRS allows BYOD devices access to resources on the IRS network in addition to e-mail access. This increases the risk that privacy and taxpayer data could be compromised. TIGTA also raised concerns about allowing devices based on the Android operating system to participate in the BYOD pilot, because these devices are more subject to malware than the Apple devices tested in earlier phases.
“A Bring Your Own Device program could provide significant benefits and even potential cost savings,” said J. Russell George, Treasury Inspector General for Tax Administration. “However, the IRS must conduct a thorough, realistic cost-benefit analysis before such a program’s benefit can be appropriately ascertained.”
TIGTA made five recommendations, including that the IRS:
IRS management agreed with four of TIGTA’s five recommendations and proposed some corrective actions that it plans to take only if the BYOD pilot is expanded or funding is identified. IRS management disagreed with the recommendation to defer admitting Android devices into the pilot until a security-risk assessment is completed.
TIGTA believes that some of the corrective actions proposed by the IRS are inadequate because they are contingent on BYOD expansion or additional funding. The relevant controls should be put in place for the existing BYOD effort, which does not have a clear end date and which is being used by hundreds of employees and devices within the production environment.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.