The Internal Revenue Service needs to do a better job of tracking its efforts to eliminate identified flaws in the security of systems involving taxpayer data, according to a new government report released to the public on Thursday.
The
It turned out that eight of the 19 planned corrective actions, or 42 percent of the PCAs, that had already been approved and closed and were supposedly fully implemented to address the reported security weaknesses from prior TIGTA audits were only partially implemented. These involved systems with taxpayer data.
In addition, documents did not support the closure of the planned corrective actions, and supporting documents were not always uploaded to a Treasury Department database and were not readily available.
“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” said TIGTA Inspector General J. Russell George in a statement.
TIGTA made six recommendations, including advising the IRS to strengthen its management controls to adhere to internal control requirements, provide refresher training to employees involved in uploading data to the Treasury database, audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were partially implemented.
IRS management agreed with five of TIGTA’s six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs. IRS management partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated, to ensure the implementation of all PCAs over security weaknesses.
“We will continue to work with the IRS business units to ensure that the closures of corrective actions are properly documented,” wrote IRS CFO Pamela LaRue in response to the report. “In addition, the [Office of Internal Control] will develop a program to audit completed actions to provide assurance that audit agencies' recommendations have been fully addressed.”
