The Internal Revenue Service is not doing enough to control system administrator accounts on its computers, putting taxpayer information at risk, according to a new report.
The Treasury Inspector General for Tax Administration found that administrator user accounts were not always authorized and maintained properly, and administrator activities were not consistently reviewed and documented. TIGTA also discovered weak controls over user accounts that could allow unauthorized users to gain access to the accounts.
The Treasury Department watchdog group conceded that the IRS had established the appropriate procedures for authorizing administrator user accounts and reviewing account activities for improprieties. But TIGTA found that managers and system administrators did not always adhere to those procedures. Inspectors could not find authorization and approval documentation for 31 of 607 user accounts.
TIGTA also found that 79 of the 607 user accounts it examined were no longer needed. Weak passwords on user accounts existed on all five of the applications TIGTA investigated. System administrator activities were not being monitored for questionable activities for four of those applications.
