Treasury Inspector General for Tax Administration
November 8, 2016
TIGTA - 2016-33
Contact: Karen Kraushaar, Director of Communications
WASHINGTON — The Internal Revenue Service (IRS) must adhere to Federal Acquisition Regulation requirements to mitigate risk for its information technology contracts to protect the IRS’s systems and sensitive data and to ensure that the agency receives services and products that meet contractual requirements. However, a review of contract files found that the IRS did not ensure that it mitigated risks for the sample information technology contracts valued at $81.3 million, according to an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA randomly selected 14 from 6,045 information technology contract files for a detailed review of paper-based and electronic files to see if post-award controls for these contracts enabled the IRS to mitigate known risks and ensure that operational practices adhered to contract administration policies and procedures.
In the audit, TIGTA analyzed the selected information technology contract files, including required supporting documentation and approvals. TIGTA selected the sample from 6,045 information technology contracts awarded between October 2008 and May 2014 with total obligations of $3.3 billion.
TIGTA assessed controls within 13 high-risk contract administration areas and identified two key areas for which the IRS needs to make overall improvements to address control weaknesses identified during the review. First, clarification is needed to ensure consistent and reliable implementation of reviews required to mitigate security risks through the information technology contract administration process. Second, the IRS should carefully reexamine overall operational controls for contract administration and fraud controls for individual information technology contracts to ensure that post-award contract file reviews are reliable.
Overall, TIGTA found control weaknesses with: 1) Security Compliance Reviews, 2) contract file documentation, 3) Contractor Exclusion Reviews, 4) Contract Administration Plans, and 5) Contracting Officer’s Representatives’ Appointment Letters.
“It is critical that the IRS clarify information technology security risks and enforce appropriate controls with its contract review process to ensure compliance with all applicable policy and guidance for information technology contracts,” said J. Russell George, Treasury Inspector General for Tax Administration.
TIGTA made five recommendations in the report. TIGTA recommended that the Chief Technology Officer ensure that the IRS updates policy and procedures to provide clear guidance and instructions for the Security Compliance Review Checklist certification process. In addition, the Chief Procurement Officer should ensure that the IRS improves policy and procedures to ensure that the IRS sufficiently documents, maintains, and reviews security checklists and maintains information technology contract files in a complete, organized, and consistent manner for review purposes.
IRS management’s response to the report agreed with three of the recommendations and partially agreed with two others. The IRS plans to implement corrective actions for all five recommendations.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.