Tech Security Needs Improvement at IRS

Two recent reports have found that the IRS could improve its decision-making in IT security and its inventory control over wireless devices.

The first of the two reports from the Treasury Inspector General for Tax Administration, 2014-10-075, found that inventory controls over the approximately 49,000 wireless telecommunication devices reportedly in use at the IRS “could be improved.”

Prior work by TIGTA had found that processes for assigning and monitoring the use of the devices were not adequate to ensure that employees had a business need for the devices, and that the IRS had paid for thousands of devices that were unused. The current audit found that more than 94 percent of IRS employees were appropriately issued a wireless device, but inventory records and controls were not consistently updated, resulting, in part, in the IRS paying monthly service fees on almost 6,800 devices that were not properly inventoried.

TIGTA made several recommendations for improving inventory controls, which the IRS agreed with.

 

Decision-making

The second report, 2014-20-092, looked at the IRS’s ability to make risk-based decisions regarding exceptions to its own policies and requirements in the area of information system security.

Exceptions can be made in cases where too closely following the rules is not technically or operationally possible, or where it’s cost-effective, but if they are granted outside established guidelines, “The organization may be accepting too much risk related to security of its systems and data,” TIGTA said in a statement. “Consequently, taxpayer data may not be secured and may be vulnerable to unauthorized disclosure, which can lead to identity theft. Furthermore, accepted weaknesses may result in security breaches, which can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries.”

TIGTA’s audit found that the IRS collects “minimal” information about risk-based decisions, and doesn’t require supporting documentation about why decisions were made. IT risks can also be approved through different processes, and may not be known to the Cybersecurity organization within the IRS that is responsible for risk-based decisions.

The inspector general made a number of recommendations to require complete documentation, training for all appropriate officials, and expanded efforts to track and centrally store supporting information, and to create a quarterly review of risk-based decision details.

The IRS agreed with the recommendations.
