The Treasury Inspector General for Tax Administration found approximately $1.2 million worth of information technology purchases at the IRS occurred without the proper approval and authorization of management, as required.
TIGTA, in an
For the period between October 2020 and December 2021, however, that approval check was not always performed. The $1.2 million in unauthorized purchases represented 59% of the IT orders TIGTA inspected; the remaining $1 million (41%) had been properly authorized.
"We believe that this situation occurred because the shopping cart approval process did not include comparing the management official who signed and approved the shopping cart to the Shopping Cart Signature Authority List before the Office of the Chief Procurement Officer purchased the requested information technology products," said the report. "As stewards of taxpayer dollars, the IRS must ensure that it only pays for procured information technology products as authorized."
None of the officials who approved those purchases had the authority to do so, according to the report.
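The control TIGTA describes is a pre-procurement gate: before the Office of the Chief Procurement Officer buys anything, the official who signed the shopping cart is checked against the Shopping Cart Signature Authority List. The following is an added illustration of that gate, not IRS or TIGTA code. It assumes (the report does not say this) that authority-list entries carry an effective date range and that each cart records its approver's ID and approval date; all names, IDs and amounts are constructed.

```python
"""Pre-procurement approver check: added example, not IRS or TIGTA code.

Assumptions (not from the report): authority entries carry an effective
date range, and shopping carts record the approver's ID and the approval
date. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuthorityEntry:
    official_id: str
    effective_from: date
    effective_to: date  # assumption: delegations are time-bounded


@dataclass(frozen=True)
class ShoppingCart:
    cart_id: str
    approver_id: str
    approved_on: date
    amount_usd: float


# Constructed Shopping Cart Signature Authority List.
AUTHORITY_LIST = [
    AuthorityEntry("M001", date(2020, 1, 1), date(2022, 12, 31)),
    AuthorityEntry("M002", date(2021, 6, 1), date(2021, 12, 31)),
]

# Constructed shopping carts from the review window.
CARTS = [
    ShoppingCart("SC-1", "M001", date(2021, 3, 10), 400_000.0),  # valid
    ShoppingCart("SC-2", "M002", date(2021, 2, 15), 250_000.0),  # before delegation began
    ShoppingCart("SC-3", "M999", date(2021, 8, 1), 600_000.0),   # approver not on the list
    ShoppingCart("SC-4", "M002", date(2021, 9, 9), 350_000.0),   # valid
]


def is_authorized(cart, authority_list):
    """True only if the approver held signature authority on the approval date."""
    return any(
        entry.official_id == cart.approver_id
        and entry.effective_from <= cart.approved_on <= entry.effective_to
        for entry in authority_list
    )


def gate_purchases(carts, authority_list):
    """Split carts into those procurement may pay for and those it must reject.

    Returns (authorized, unauthorized) lists of cart IDs, preserving input order.
    """
    authorized, unauthorized = [], []
    for cart in carts:
        bucket = authorized if is_authorized(cart, authority_list) else unauthorized
        bucket.append(cart.cart_id)
    return authorized, unauthorized


def dollar_split(carts, authority_list):
    """Dollar totals and share of spend, the figures an after-the-fact audit reports."""
    total = sum(c.amount_usd for c in carts)
    auth_total = sum(c.amount_usd for c in carts if is_authorized(c, authority_list))
    unauth_total = total - auth_total
    return {
        "authorized_usd": auth_total,
        "unauthorized_usd": unauth_total,
        "unauthorized_pct": round(100 * unauth_total / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    ok, rejected = gate_purchases(CARTS, AUTHORITY_LIST)
    print("authorized:", ok)
    print("rejected:", rejected)
    print(dollar_split(CARTS, AUTHORITY_LIST))
```

The point of `gate_purchases` is that it runs before payment, where a rejected cart costs nothing; `dollar_split` is the same check run after the fact, which is all an auditor can do once the money has been spent.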
TIGTA also faulted the IRS because the IT organization could document its oversight of only 8% of the 103 information systems in use at the IRS and could provide no evidence of oversight for the remaining 92%. Procedures for detecting and overseeing unauthorized hardware are likewise not clearly defined and documented, the report said.
"Without documented oversight of all information systems, the IRS is unable to demonstrate that it is complying with the [Taxpayers First Act] provision requiring the CIO to oversee the development, implementation, maintenance and security as well as maintain operational control of information technology throughout the IRS," said the TIGTA report.
The report also found that unauthorized software is not being properly managed. Examining a March 2022 unauthorized software list, TIGTA estimated that IRS IT staff reviewed at most 22 (1%) of the 2,815 software items on it; the remaining 2,793 (99%) would not have been reviewed.
"Personnel acknowledged that software with low execution totals is not likely to be reviewed," said the report. "The [Application Control Solution] team is staffed with three employees and they stated that it is impossible for them to review, research, and process all software shown on the unauthorized list. However, we believe that software with low execution totals may pose a higher security risk because the software is less commonly known and used."
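TIGTA's argument is a familiar one in threat hunting: software that runs rarely is the least recognizable and therefore the most worth a scarce analyst's time, so a queue ordered by execution count should run from rarest to most common rather than the reverse. The following is an added illustration of that triage, not IRS or TIGTA code. The report does not describe the columns of the unauthorized software list; the fields used here (name, publisher, host count, execution total) and every sample row are constructed.

```python
"""Rarity-first triage of an unauthorized-software list.

Added example, not IRS or TIGTA code. The report does not describe the
list's columns; the fields below and the sample rows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnauthorizedEntry:
    name: str
    publisher: str        # assumption: the list records a signer/publisher ("" if none)
    host_count: int       # assumption: number of hosts on which it executed
    execution_total: int  # the "execution totals" the report refers to


# Constructed rows standing in for a March 2022-style unauthorized software list.
ENTRIES = [
    UnauthorizedEntry("7zip-portable.exe", "Igor Pavlov", 412, 9_800),
    UnauthorizedEntry("putty.exe", "Simon Tatham", 120, 3_100),
    UnauthorizedEntry("svchosts.exe", "", 1, 2),
    UnauthorizedEntry("teamviewer.exe", "TeamViewer Germany GmbH", 35, 640),
    UnauthorizedEntry("update_helper.exe", "", 2, 5),
    UnauthorizedEntry("notepad++.exe", "Notepad++", 900, 20_000),
]


def review_queue_by_volume(entries, budget):
    """The practice the report describes: most-executed software gets looked at first."""
    ranked = sorted(entries, key=lambda e: e.execution_total, reverse=True)
    return [e.name for e in ranked[:budget]]


def review_queue_by_rarity(entries, budget):
    """TIGTA's point: rare software is less known, so review it first.

    Ties are broken by fewer hosts, then by a missing publisher, then by name,
    so that unsigned one-off binaries rise to the top of the queue.
    """
    ranked = sorted(
        entries,
        key=lambda e: (e.execution_total, e.host_count, e.publisher != "", e.name),
    )
    return [e.name for e in ranked[:budget]]


def lfo_candidates(entries, max_hosts=3):
    """Least-frequency-of-occurrence filter: unpublished binaries seen on very few hosts.

    These are the rows a three-person team should never skip, however short its budget.
    """
    return sorted(
        e.name for e in entries if e.publisher == "" and e.host_count <= max_hosts
    )


def coverage_gap(entries, budget):
    """Percent of the list a fixed review budget never reaches (the report's 99%)."""
    if not entries:
        return 0.0
    unreviewed = max(len(entries) - budget, 0)
    return round(100 * unreviewed / len(entries), 1)


if __name__ == "__main__":
    budget = 2
    print("by volume:", review_queue_by_volume(ENTRIES, budget))
    print("by rarity:", review_queue_by_rarity(ENTRIES, budget))
    print("LFO candidates:", lfo_candidates(ENTRIES))
    print("unreviewed share:", coverage_gap(ENTRIES, budget), "%")
```

With the same two-item budget, the volume-ordered queue spends its effort on well-known utilities while the rarity-ordered queue surfaces the two unsigned binaries that ran a handful of times on one or two hosts. The `coverage_gap` figure is the number to put in a performance metric: whatever the ordering, a fixed budget leaves a measurable share of the list unexamined.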
TIGTA made eight recommendations to the CIO. They include ensuring that:
- The appropriate management official approves the purchase of information technology products;
- Inherently information technology-related work is clarified;
- Inherently information technology-related work is not performed by non-IT organization staff;
- Oversight of information systems not managed by the IT organization is documented;
- Procedures are updated to include and clarify stakeholders' defined roles and responsibilities in detecting, overseeing, and reviewing unauthorized hardware;
- All unauthorized software is disabled;
- Unauthorized software standard operating procedures are updated; and
- Unauthorized software performance metrics are developed.
The IRS agreed with all eight recommendations.