IRS Urged by TIGTA to Fix Weaknesses in Its Systems Security

By Jason Bramwell, Staff Writer
 
In its report Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data, the Treasury Inspector General for Tax Administration (TIGTA) concluded that the IRS needs to step up its tracking efforts to eliminate weaknesses in the security of systems involving taxpayer data.
 
The US Treasury Department implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus, including the IRS, to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCAs) from audit reports issued by the Government Accountability Office (GAO), TIGTA, and the Treasury Office of Inspector General. 
 
Additionally, the Treasury Department uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations. 
 
In its report, TIGTA examined whether closed corrective actions to security weaknesses and findings that it previously recommended to the IRS had been fully implemented, validated, and documented as implemented. 
 
What TIGTA found was that eight (42 percent) of nineteen PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data, according to TIGTA.
 
"Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords, databases without the latest software updates, and user accounts with long periods of inactivity that were not locked," TIGTA noted in the report. "The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that useable information was generated by those tools, systems development constraints, and the need for the IRS to minimize the impact of system changes to its users." 
 
TIGTA noted that as a result, the IRS is increasing its exposure to risk for malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.
 
"The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations," the report stated. 
 
In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. According to TIGTA, the IRS Chief Financial Officer's Office of Internal Control (OIC), which administers the agency's management control program, has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits. 
 
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access," Treasury Inspector General for Tax Administration J. Russell George said in a written statement.
 
TIGTA made six recommendations to the IRS, including the following four:
  • Advising the IRS to strengthen its management controls to adhere to internal control requirements
  • Providing refresher training to employees involved in uploading data to the JAMES
  • Auditing the corrective actions for closed PCAs
  • Changing the status of closed PCAs to open for those that were partially implemented.
IRS management agreed with five of TIGTA's six recommendations and plans to issue guidance on internal control requirements, provide employee training, and revise the procedures to improve the IRS' management controls over the PCAs. 
 
However, the IRS partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated to ensure the implementation of all PCAs over security weaknesses.
 
"We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented," IRS CFO Pamela LaRue wrote in response to the report. "In addition, the OIC will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed." 
 
Related articles:
 

You may like these other stories...

At long last, the Obama administration issued draft instructions along with revised draft tax forms that provide companies guidance on how to comply with the Affordable Care Act’s (ACA) employer mandate.The US Treasury...
Treasury Secretary Lew to speak on tax reform, inversionsDamian Paletta of the Wall Street Journal wrote on Friday that Treasury Secretary Jacob Lew is planning a September 8 speech about a controversial corporate strategy...
The IRS requires most freelancers and other self-employed individuals to use the cash method of accounting, under which income isn't counted until cash, a check, or an e-payment is received, and expenses aren't...

Already a member? log in here.

Upcoming CPE Webinars

Sep 9
In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
Sep 10
Transfer your knowledge and experience to prepare your team for the challenges and opportunities of an accounting career.
Sep 11
This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.
Sep 18
In this course, Amber Setter will shine the light on different types of leadership behavior- an integral part of everyone's career.