Dec 14th 2012
By Ken Berry
According to the Treasury Inspector General for Tax Administration (TIGTA), the IRS' computer systems have more than a few glitches.
In a new report released on December 4, 2012, the government watchdog said that the IRS has made strides in developing and implementing significant information technology (IT) capabilities during the past year, but still needs to make improvements. The report reflects TIGTA's annual evaluation of the IT systems required by the IRS Restructuring and Reform Act of 1998.
"The IRS made significant progress in modernizing its system, but it must continue its efforts to ensure that its computer systems are effectively secured to protect sensitive financial and taxpayer data," said J. Russell George, TIGTA's head honcho. "Until the IRS addresses security weaknesses, it will continue to put the confidentiality, integrity, and availability of financial and taxpayer information and employee safety at risk," he continued.
In particular, TIGTA focused on two key systems in its latest report, the Modernized eFile and the Customer Account Data Engine 2 (CADE 2), calling for stronger controls for CADE 2. Auditors also say that IRS data integrity testing hasn't provided proper assurance that CADE 2 data is consistently accurate and complete. This presents problems for a database intended to become the authoritative repository of taxpayer information.
TIGTA believes that the IRS' Modernization Program remains a major risk and that better controls could ensure long-term success for both of these key systems. Furthermore, the IRS must develop and implement new systems to accommodate provisions in the new health care legislation (the Affordable Care Act), posing significant risk management challenges.
Another area of concern relates to the IRS's patch management. The IRS has "not yet discovered all the IT assets residing on its network and, therefore, cannot ensure all assets are appropriately patched," reports TIGTA. In a March 2012 audit, TIGTA noted that the IRS has a 12 percent noncompliance rate of known assets, meaning that twenty-three critical patches were not applied to servers and resulted in 7,329 vulnerabilities on average on those servers.
TIGTA seems frustrated by the lack of progress because it's convinced that the IRS has the necessary technological capabilities at its fingertips and isn't using them fully. Although virtualization technology has improved operational efficiency, additional improvements are needed through better application of the technology. Server virtualization saved the IRS $10.2 million as of the end of fiscal 2011 and should provide $1.3 million savings through reduced power consumption in fiscal 2013. TIGTA says that further virtualization would save another $7.73 million over five years.
Normally, TIGTA offers recommendations to the IRS, but didn't do so in this assessment because it was based mainly on previous TIGTA reports and information from other oversight organizations. But that doesn't mean it won't be watching the IRS' next move closely.
- TIGTA Report: IRS Computer Security Center Effective, Could Be Better
- TIGTA Report: IRS Security Controls "Weak"