The Treasury Inspector General for Tax Administration (TIGTA) released a pair of reports on October 11 finding problems with the security of the IRS Windows environment and a lack of control over IRS purchase cards (TIGTA Reports 2011-20-111 and 2011-10-075, respectively).
In Report 2011-10-075, TIGTA states that between September 1, 2007, and March 31, 2009, the IRS made more than 174,000 purchases using purchase cards. These purchases amounted to more than $80 million, but TIGTA said the IRS does not have controls in place to make sure improper or abusive purchases are not made with the cards. It also has no controls to ensure improper or abusive purchases are detected promptly and no way to ensure corrective action is taken.
Under the General Services Administration’s SmartPay Program, IRS offices can use Citibank MasterCard purchase cards to make official purchases within predetermined limits, rather than having to submit the paperwork associated with a procurement request. Under the Federal Acquisition Regulation, using a purchase card is the preferred method for making and paying for purchases of goods and services up to $3,000. During the period TIGTA audited, there were 4,270 purchase cardholders in the IRS.
The TIGTA audit found various violations, including purchases that were made without necessary approvals, purchases that were split in two to circumvent “micro-purchase” limits, and purchases made from improper sources.
TIGTA recommends that the IRS emphasize to its cardholders that split-purchase transactions will not be tolerated and the importance of preparing an order log prior to purchase. TIGTA also recommends improved oversight reviews to identify split-purchase transactions and to evaluate the requirement for purchasing office supplies from contract vendors and preferred suppliers.
The IRS agrees with TIGTA’s recommendations and said that it plans to provide guidance on oversight and enforcement responsibilities.
In a separate audit, TIGTA reviewed whether the IRS has structured its Windows environment to provide efficient and secure management of its Windows servers.
The audit found that the IRS has not done enough to centralize its Windows environment, and therefore cannot achieve consistent identity and authorization management.
According to Report 2011-20-111, the IRS maintains a network of 6,000 servers and 110,000 workstations, which use the Windows operating system. However, TIGTA found that three organizations (Business Systems Modernization, Statistics of Income, and Integrated Submission and Remittance Processing) maintain groups of Windows servers outside of the IRS’ main centralized group of servers. TIGTA also found that the IRS spent $1.2 million to maintain obsolete equipment in the Business Systems Modernization group, which uses outdated Windows 2000 servers that are not supported by Microsoft.
The audit also found that the IRS does not ensure that all computers connected to its network are authorized and compliant with its security policies. The IRS has standards designed to prevent unauthorized computers from being connected to its network, but has no controlling authority to enforce those standards.
TIGTA recommends (1) that the IRS establish an enterprisewide body to enforce its Windows server group design criteria and ensure unauthorized server groups are not created; (2) that noncentralized server groups are shut down; (3) that standards to ensure that nonauthorized computers cannot connect to the IRS network are implemented; and (4) that the IRS use network scanning tools to detect unauthorized computers connected to the network and that procedures are developed and implemented to remove those computers.
The IRS agreed with the TIGTA recommendations and said it plans to take corrective actions.