Office of Audit
IMPROVEMENTS ARE NEEDED FOR INFORMATION
TECHNOLOGY CONTRACT ADMINISTRATION
CONTROLS TO MITIGATE RISKS
Final Report issued on August 2, 2016
Highlights of Reference Number:† 2016-20-035 to the Internal Revenue Service Chief Information Officer and Chief Procurement Officer.
IMPACT ON TAXPAYERS
The IRS relies on contracting support for its information technology products and services. †It is important that the IRS adheres to Federal Acquisition Regulation requirements to mitigate risk for its information technology contracts.† Effective contract administration processes include post-award activities performed by IRS officials after a contract has been awarded to determine how well both the IRS and the contractor meet the requirements of the contract.
WHY TIGTA DID THE AUDIT
The overall objective of this review was to determine whether the IRS information technology contract administration processes incorporate appropriate means to mitigate risk in contracting activities and ensure adherence to applicable policies and procedures.
WHAT TIGTA FOUND
Risks for information technology contracts awarded between October 2008 and May 2014 were not adequately mitigated to protect the IRSís systems and sensitive data and to ensure that the IRS receives services and products that meet contractual requirements.† TIGTA analyzed 14 information technology contract files and supporting documentation.† The estimated value of these contracts is $81.3 million. †The sample was selected from 6,045 information technology contracts with total obligations of $3.3 billion.† The obligation amount of the contracts is based on the respective award date for each contract.† TIGTA assessed controls within 13 high-risk areas.
TIGTA identified two key areas in which overall improvements are needed to address the control weaknesses identified during our review.† First, clarification is needed to ensure consistent and reliable implementation of reviews required to mitigate security risks through the information technology contract administration process.† Second, the overall operational controls for contract administration and fraud controls for individual information technology contracts should be carefully reexamined to ensure that post-award contract file reviews are reliable.† Overall, TIGTA found control weaknesses with:† 1) Security Compliance Reviews, 2) contract file documentation, 3) Contractor Exclusion Reviews, 4) Contract Administration Plans, and 5) Contracting Officerís Representativesí Appointment Letters.
WHAT TIGTA RECOMMENDED
TIGTA made five recommendations.† TIGTA recommended that the Chief Technology Officer ensure that IRS policy and procedures are updated to provide clear guidance and instructions for the Security Compliance Review Checklist certification process.† In addition, the Chief Procurement Officer should ensure that:† IRS policy and procedures are improved to ensure that the security checklists are sufficiently documented, maintained, and reviewed and that information technology contract files are maintained in a complete, organized, and consistent manner for review purposes.
In managementís response to the report, the IRS agreed with three recommendations and partially agreed with two others. †The IRS plans to implement corrective actions for all five recommendations. †The IRS also expressed concern about the sample size of information technology contracts selected for review.† TIGTA believes that our sample selection methodology and statistical projections and other audit evidence adequately support the audit results and recommendations.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number ††/† 202-622-6500
E-mail Address †/† TIGTACommunications@tigta.treas.gov
Website†††††† ††††††/† https://www.treasury.gov/tigta