The IRS does not do a good job of correcting security weaknesses, thereby failing to protect taxpayer data, the Treasury Inspector General for Tax Administration (TIGTA) concluded in a report released Thursday. TIGTA’s audit found that the IRS does not always correct known security problems and that the corrective action process does not always work as intended. The report calls on the IRS to improve management or internal controls of planned corrective actions (PCAs).
TIGTA performed the audit as part of its statutory requirement to review the adequacy and security of IRS technology each year. “When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” Treasury Inspector General J. Russell George said in a press release.
In particular, the report examined whether PCAs that had been reported as closed, on the grounds that they were resolved, had actually been resolved correctly. It found that eight of 19 PCAs (42%) were only partially implemented even though they were approved and closed as fully implemented to address reported security weaknesses from earlier TIGTA audits. Other problems uncovered were that documentation did not always support closing the PCAs, and that the documents were not properly uploaded to a database used to gather this documentation.
TIGTA’s report recommended that the IRS strengthen its management controls to adhere to internal control requirements; further train employees responsible for entering documentation about PCAs; ensure that there is a proper separation of duties when PCA reports are signed and that they receive appropriate executive review and approval; audit closed PCAs to be sure they were closed correctly; and change closed PCAs to open if they were only partially implemented. In response, the IRS agreed to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.
The IRS only partially agreed with TIGTA’s recommendation to upload documentation into the database for previously closed PCAs, noting that it would do so after it completed a cost/benefit analysis. TIGTA responded that the IRS should complete its recommendation to ensure that all PCAs concerned with security weaknesses are implemented and to comply with a Treasury Department mandate to upload supporting documentation to the database.