IRS Urged by TIGTA to Fix Weaknesses in Its Systems Security
by Terri Eyden on
By Jason Bramwell, Staff Writer
In its report "Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data," the Treasury Inspector General for Tax Administration (TIGTA) concluded that the IRS needs to step up its tracking efforts to eliminate weaknesses in the security of systems involving taxpayer data.
The US Treasury Department implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus, including the IRS, to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCAs) from audit reports issued by the Government Accountability Office (GAO), TIGTA, and the Treasury Office of Inspector General.
Additionally, the Treasury Department uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations.
In its report, TIGTA examined whether closed corrective actions to security weaknesses and findings that it previously recommended to the IRS had been fully implemented, validated, and documented as implemented.
What TIGTA found was that eight (42 percent) of nineteen PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data, according to TIGTA.
"Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords, databases without the latest software updates, and user accounts with long periods of inactivity that were not locked," TIGTA noted in the report. "The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that useable information was generated by those tools, systems development constraints, and the need for the IRS to minimize the impact of system changes to its users."
TIGTA noted that, as a result, the IRS is increasing the risk that malicious users will exploit accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.
"The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations," the report stated.
In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. According to TIGTA, the IRS Chief Financial Officer's Office of Internal Control (OIC), which administers the agency's management control program, has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits.
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access," Treasury Inspector General for Tax Administration J. Russell George said in a written statement.
TIGTA made six recommendations to the IRS, including the following four:
- Advising the IRS to strengthen its management controls to adhere to internal control requirements
- Providing refresher training to employees involved in uploading data to the JAMES
- Auditing the corrective actions for closed PCAs
- Changing the status of closed PCAs to open for those that were partially implemented.
IRS management agreed with five of TIGTA's six recommendations and plans to issue guidance on internal control requirements, provide employee training, and revise the procedures to improve the IRS' management controls over the PCAs.
However, the IRS partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated to ensure the implementation of all PCAs over security weaknesses.
"We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented," IRS CFO Pamela LaRue wrote in response to the report. "In addition, the OIC will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed."