By Jason Bramwell, Staff Writer
The US Treasury Department implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus, including the IRS, to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCAs) from audit reports issued by the Government Accountability Office (GAO), TIGTA, and the Treasury Office of Inspector General.
Additionally, the Treasury Department uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations.
In its report, TIGTA examined whether closed corrective actions to security weaknesses and findings that it previously recommended to the IRS had been fully implemented, validated, and documented as implemented.
What TIGTA found was that eight (42 percent) of nineteen PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data, according to TIGTA.
"Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords, databases without the latest software updates, and user accounts with long periods of inactivity that were not locked," TIGTA noted in the report. "The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that useable information was generated by those tools, systems development constraints, and the need for the IRS to minimize the impact of system changes to its users."
TIGTA noted that as a result, the IRS is increasing its exposure to risk for malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.
"The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations," the report stated.
In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. According to TIGTA, the IRS Chief Financial Officer's Office of Internal Control (OIC), which administers the agency's management control program, has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits.
"When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access," Treasury Inspector General for Tax Administration J. Russell George said in a written statement.
TIGTA made six recommendations to the IRS, including the following four:
- Advising the IRS to strengthen its management controls to adhere to internal control requirements
- Providing refresher training to employees involved in uploading data to the JAMES
- Auditing the corrective actions for closed PCAs
- Changing the status of closed PCAs to open for those that were partially implemented.
IRS management agreed with five of TIGTA's six recommendations and plans to issue guidance on internal control requirements, provide employee training, and revise the procedures to improve the IRS' management controls over the PCAs.
However, the IRS partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated to ensure the implementation of all PCAs over security weaknesses.
"We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented," IRS CFO Pamela LaRue wrote in response to the report. "In addition, the OIC will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed."