
Treasury Inspector General for Tax Administration

Press Release

November 21, 2013
TIGTA - 2013-46
Contact: Voneka Bennett
(202) 927-1188

Improvements Needed to Ensure IRS Takes Action to Correct Security Weaknesses to Protect Taxpayer Data

WASHINGTON – The Internal Revenue Service (IRS) needs to do a better job of tracking its efforts to eliminate identified flaws in the security of systems involving taxpayer data, according to a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).

TIGTA reviewed whether closed corrective actions to security weaknesses and findings reported by TIGTA have been fully implemented, validated, and documented as implemented.

TIGTA identified weakened management controls over the IRS’s closed planned corrective actions (PCA) for the security of systems involving taxpayer data. Eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data.

In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to a Treasury Department database and were not readily available.

“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” said J. Russell George, Treasury Inspector General for Tax Administration.

TIGTA made six recommendations, including advising the IRS to: strengthen its management controls to adhere to internal control requirements, provide refresher training to employees involved in uploading data to the Treasury database, audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were partially implemented.

IRS management agreed with five of TIGTA’s six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs. IRS management partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated, to ensure the implementation of all PCAs over security weaknesses.

Read the report.


Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.
