IRS Urged by TIGTA to Fix Weaknesses in Its Systems Security
by Terri Eyden on
By Jason Bramwell, Staff Writer
In its report, "Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data," the Treasury Inspector General for Tax Administration (TIGTA) concluded that the IRS needs to step up its tracking efforts to eliminate weaknesses in the security of systems involving taxpayer data.
The US Treasury Department implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus, including the IRS, to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCAs) from audit reports issued by the Government Accountability Office (GAO), TIGTA, and the Treasury Office of Inspector General.
Additionally, the Treasury Department uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations.
In its report, TIGTA examined whether closed corrective actions to security weaknesses and findings that it previously recommended to the IRS had been fully implemented, validated, and documented as implemented.
What TIGTA found was that eight (42 percent) of nineteen PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data, according to TIGTA.
"Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords, databases without the latest software updates, and user accounts with long periods of inactivity that were not locked," TIGTA noted in the report. "The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that useable information was generated by those tools, systems development constraints, and the need for the IRS to minimize the impact of system changes to its users."
TIGTA noted that, as a result, the IRS is increasing its exposure to the risk of malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.
"The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations," the report stated.
In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. According to TIGTA, the IRS Chief Financial Officer's Office of Internal Control (OIC), which administers the agency's management control program, has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits.
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access," Treasury Inspector General for Tax Administration J. Russell George said in a written statement.
TIGTA made six recommendations to the IRS, including the following four:
- Advising the IRS to strengthen its management controls to adhere to internal control requirements
- Providing refresher training to employees involved in uploading data to the JAMES
- Auditing the corrective actions for closed PCAs
- Changing the status of closed PCAs to open for those that were partially implemented
IRS management agreed with five of TIGTA's six recommendations and plans to issue guidance on internal control requirements, provide employee training, and revise the procedures to improve the IRS' management controls over the PCAs.
However, the IRS partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated to ensure the implementation of all PCAs over security weaknesses.
"We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented," IRS CFO Pamela LaRue wrote in response to the report. "In addition, the OIC will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed."