Treasury Inspector General for Tax Administration
Office of Audit
WEAKNESSES IN ASSET MANAGEMENT
CONTROLS LEAVE INFORMATION TECHNOLOGY ASSETS VULNERABLE
Issued on September 16, 2013
Highlights of Report Number: 2013-20-089 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
The IRS Information Technology organization controls more than 306,000 information technology assets worth almost $720 million using the Knowledge, Incident/ Problem, Service Asset Management (KISAM) system. Our review determined that weaknesses in controls over asset management create an environment in which information technology assets are vulnerable to loss. The risk of loss, theft, or the inadvertent release of sensitive information can decrease the public’s confidence in the IRS’s ability to monitor and use its resources effectively.
WHY TIGTA DID THE AUDIT
This audit was included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Modernization. The overall objectives were to determine whether system user permissions were appropriate to ensure the safeguarding of the information technology asset inventory and to review the effectiveness of the system in maintaining an accurate and complete information technology asset inventory.
WHAT TIGTA FOUND
TIGTA found that information technology asset data successfully migrated from the legacy inventory system to the KISAM–Asset Manager. However, the audit log used to capture events was not being reviewed to ensure that only appropriate accesses were made. In addition, information technology asset data within the KISAM–Asset Manager are inaccurate and incomplete because the IRS is not following its procedures to ensure that all assets are accurately recorded and timely updated in the KISAM–Asset Manager.
TIGTA also found that ineffective inventory controls created an environment where information technology assets are vulnerable to loss. TIGTA selected 146 information technology assets to physically verify and could not locate and verify or find proper supporting documentation for 34 information technology assets worth more than $948,000. In addition, IRS offices improperly completed the annual inventory reconciliation process.
WHAT TIGTA RECOMMENDED
To improve the controls over information technology assets, TIGTA recommended that the Chief Technology Officer ensure that the inventory records are updated to correct the deficiencies identified in our review; the reconciliation process is effectively completed and offices provide supporting documentation for quality review; and dollar threshold criteria are included in the Asset Management Inventory Certification Plan for certifying information technology assets with a high‑dollar value that affect financial statement reporting. TIGTA also made several recommendations that will help the IRS Information Technology organization ensure that the data captured in its inventory management system are complete and accurate and that its assets are adequately safeguarded against theft or loss.
In their response to the report, IRS management agreed with all eight recommendations. IRS management agreed to deliver KISAM Asset Manager Tool enhancements for performing asset verification and correct data deficiencies identified by TIGTA; develop a missing asset aging report to facilitate researching and resolving assets in a missing status; and update the Fiscal Year 2014 Inventory Certification Plan to include the verification of the Serial Number field and assets with an acquisition value of $50,000 or greater.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500