IRS Urged by TIGTA to Fix Weaknesses in Its Systems Security

By Jason Bramwell, Staff Writer
 
In its report Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data, the Treasury Inspector General for Tax Administration (TIGTA) concluded that the IRS needs to step up its tracking efforts to eliminate weaknesses in the security of systems involving taxpayer data.
 
The US Treasury Department implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus, including the IRS, to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCAs) from audit reports issued by the Government Accountability Office (GAO), TIGTA, and the Treasury Office of Inspector General. 
 
Additionally, the Treasury Department uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations. 
 
In its report, TIGTA examined whether closed corrective actions to security weaknesses and findings that it previously recommended to the IRS had been fully implemented, validated, and documented as implemented. 
 
What TIGTA found was that eight (42 percent) of nineteen PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data, according to TIGTA.
 
"Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords, databases without the latest software updates, and user accounts with long periods of inactivity that were not locked," TIGTA noted in the report. "The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that useable information was generated by those tools, systems development constraints, and the need for the IRS to minimize the impact of system changes to its users." 
 
TIGTA noted that as a result, the IRS is increasing its exposure to risk for malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.
 
"The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations," the report stated. 
 
In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. According to TIGTA, the IRS Chief Financial Officer's Office of Internal Control (OIC), which administers the agency's management control program, has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits. 
 
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access," Treasury Inspector General for Tax Administration J. Russell George said in a written statement.
 
TIGTA made six recommendations to the IRS, including the following four:
  • Advising the IRS to strengthen its management controls to adhere to internal control requirements
  • Providing refresher training to employees involved in uploading data to the JAMES
  • Auditing the corrective actions for closed PCAs
  • Changing the status of closed PCAs to open for those that were partially implemented.
IRS management agreed with five of TIGTA's six recommendations and plans to issue guidance on internal control requirements, provide employee training, and revise the procedures to improve the IRS' management controls over the PCAs. 
 
However, the IRS partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated to ensure the implementation of all PCAs over security weaknesses.
 
"We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented," IRS CFO Pamela LaRue wrote in response to the report. "In addition, the OIC will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed." 
 
Related articles:
 

You may like these other stories...

The IRS has announced the special per diem rates for 2014-15 that taxpayers can use for substantiating the amount of ordinary and necessary business expenses incurred while traveling away from home. The new per diem rates...
The issue of international assignees was, for a long time, limited to a small number of companies – meaning only those that operated on an international scale. But in recent years, global expansion has shifted into...
Exclusive: Lois Lerner breaks silenceIn her first press interview since the IRS Tea Party targeting scandal broke 16 months ago, ex-agency official Lois Lerner told Politico that employers won’t hire her, she’s...

Already a member? log in here.

Upcoming CPE Webinars

Sep 24
In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.
Sep 30
This webcast will include discussions of important issues in SSARS No. 19 and the current status of proposed changes by the Accounting and Review Services Committee in these statements.
Oct 21
Kristen Rampe will share how to speak and write more effectively by understanding your own and your audience's communication style.
Oct 23
Amber Setter will show the value of leadership assessments as tools for individual and organizational leadership development initiatives.