Auditors find IRS security holes

"Managers and System Administrators Need to Limit Employees’ Access to Computer Systems"

An audit of Internal Revenue Service computer systems shows that unauthorized access to tax information systems remains a danger.

Individuals who leave or employees whose duties have changed continue to have access to confidential information because IRS managers have not followed existing IT security procedures, according to a Treasury Inspector General for Tax Administration (TIGTA) audit released last month.

TIGTA auditors looked at five IRS systems for six months ending in January 2005 and found that 21 percent of registered users “no longer had a business need to have systems access,” the report states.

Auditors found five instances of system access by former employees. They also found that, of 513 employees who did have a business need, proper documentation for system access existed in only a quarter of the cases.

That lack of documentation might merely be an administrative oversight, the result of paper records not being entered digitally when the IRS fully automated the access request process in 2004. Another explanation is that “system administrators may have granted employees access to systems without proper authorization,” the report states.

These problems would be largely rectified by automatically disabling, and then deleting, user accounts after periods of inactivity, auditors state.

In a written response, IRS Chief Information Officer W. Todd Grams said he will institute by Sept. 1 a policy that disables user accounts after 45 days and deletes them after 90 days, for most systems.

User accounts on some systems, such as travel or training, often remain inactive beyond those time periods because employees access them only on an as-needed basis, Grams wrote in his response.

The CIO shop will also prepare a report by Dec. 31 evaluating whether the disablement and deletion process could be automated. Already, e-mail notifications are being sent to system administrators directing them to disable accounts following the departure of an employee.

In addition, IRS employees are required to annually recertify their adherence to security procedures, but now system administrators will cut off the user accounts of those people who do not do so within 45 days.

About the Author

David Perera is a special contributor to Defense Systems.

