IRS modernization effort leaves IRS IT vulnerable, says TIGTA


The Internal Revenue Service's IT modernization efforts have left vulnerabilities in place that can expose taxpayer information, says the Treasury Inspector General for Tax Administration.

In a report (.pdf) dated Sept. 28 but not published until Dec. 4, TIGTA says the IRS's Modernization Program "remains a major risk and that improved controls are needed."

Auditors cite two key systems, Modernized eFile and the Customer Account Data Engine 2, calling in the latter's case for stronger traceability controls. Auditors also say that IRS data integrity testing hasn't provided sufficient assurance that CADE 2 data is consistently accurate and complete--a problem for a database meant to become the authoritative repository of taxpayer information.

TIGTA notes that the challenges will continue as new systems are developed since the IRS must implement provisions of the Patient Protection and Affordable Care Act, which will "introduce significant risk management challenges."

Another area of concern is in the IRS's patch management because the tax agency has "not yet discovered all the IT assets residing on its network and, therefore, cannot ensure all assets are appropriately patched," says the report. In a March 2012 audit, TIGTA said that the IRS has a 12 percent noncompliance rate of known assets, which meant 23 critical patches were not applied to servers and resulted in 7,329 vulnerabilities on average on those servers.

The report says that the IRS has technological advances at its fingertips and needs to use them fully. It says that virtualization technology has improved operational efficiency but says additional improvements are needed and available through better application of the technology.

Emphasis is placed on areas like this since TIGTA says server virtualization saved the IRS $10.2 million as of the end of fiscal 2011 and should provide $1.3 million savings through reduced power consumption in fiscal 2013. Further virtualization could save an additional $7.73 million over five years.

TIGTA says it did not offer any new recommendations in the assessment because it was based largely on previous TIGTA reports and reports from other oversight organizations.

For more:
download the report, 2012-20-120 (.pdf)

Related Articles:
George: Non-IRS data can help combat tax-related identity theft
IRS two-factor authentication system nearly 2 years behind schedule, finds TIGTA
Risks in Modernized e-File will delay retirement of legacy systems, says TIGTA