IRS requests priority help

A mounting list of unfinished corrective actions identified by Inspector General for Tax Administration auditors for the Internal Revenue Service's modernization and information technology service has led tax agency officials to request help from auditors in prioritizing the items' urgency.

"We have a finite level of resources in the IT budget in the IRS," said W. Todd Grams, the tax agency chief information officer. "We can't address all of them in a single year and make any appreciable progress," he told Federal Computer Week.

Tax administration auditors have identified more than 140 shortcomings that need a corrective action, said Margaret Begg, assistant inspector general with jurisdiction over IRS information systems programs.

"There was recognition that the tracking and monitoring of the corrective actions may not have been as strong" at the IRS, Begg said.

"I would rather actually close out and knock a few of them out rather than make a little progress on a lot of them," Grams said. Treasury auditors and IRS officials should meet by March to reach agreement on which actions will gain priority, he added.

The most recent Treasury audit report also shows tax agency's process for identifying and managing security weaknesses is flawed and ineffective. Consequently, information provided to the Office of Management Budget under Federal Information Security Management Act (FISMA) is misleading, the report states.

The number of reported weaknesses has been significantly understated because IRS officials considered each tax administration or Government Accountability Office audit as one weakness. Tax agency officials reported 319 system-level weaknesses for its 80 major systems in its most recent report to the Treasury Department. But, "generally, operational and technical control weaknesses were not reported," the audit states.

IRS officials also overstated their progress on rectifying those weakness. Tax agency officials assumed that if a system was certified and accredited, then any weaknesses discovered by auditors had been sufficiently addressed. "This assumption is not valid since certified and accredited systems can still have security weaknesses," auditors said.

The audit recommends two corrective actions. IRS officials responded to the audit by accepting both, stating they have established a working group that is constructing "an enterprise approach to instituting FISMA as a core organizational process," and that the tax agency will also develop a cross-referenced matrix of corrective actions with testing efforts that should be in place by mid-October.