Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

TIGTA Faults IRS for Unauthorized Technology Purchases

By:
S.J. Steinhardt
Published Date:
Apr 26, 2023

The IRS purchased approximately $1.2 million in information technology (IT) products initiated by business units outside of the IT organization that were not properly approved by management, a Treasury Inspector General for Tax Administration (TIGTA) audit found.

Despite the Taxpayer First Act’s requirement that the IRS's chief information officer oversee the development, implementation and maintenance of information technology throughout the IRS, the oversight was inconsistent, the audit found. Out of a total of $2.2 million in IT purchases between October 2020 and December 2021, only $1 million, or 41 percent of the total, had been properly authorized.

None of the individuals who approved the majority of the purchases—$1.2 million, or 59 percent of the total—had the authority to do so, the audit found.

The agency has a written policy and procedures to mitigate unauthorized hardware, but “the detection and oversight of unauthorized hardware are not defined and documented,” TIGTA also found. The IT organization could provide documentation of its oversight on only 8 percent of the 103 information systems used in the IRS, being unable to provide evidence of any oversight for the remaining 92 percent.

The IRS has procedures to manage unauthorized software, but the methodology used to manage unauthorized software needs improvement, the audit reported. A review of a March 2022 report determined that only 22 (1 percent) of 2,815 unauthorized software would have been reviewed and 2,793 (99 percent) of unauthorized software would not have been reviewed.

“Without effective controls and management oversight of all information technology resources, the IRS risks unnecessarily increasing the exposure of its information systems to potential malware and viruses; making less informed program decisions; using information technology resources inefficiently; and not complying with requirements,” the report read. “In addition, as stewards of taxpayer dollars, the IRS must ensure that it only pays for procured information technology products as authorized.”

TIGTA made eight recommendations to the IRS chief information officer. They include ensuring that:

1) the appropriate management official approves the purchase of information technology products;
2) inherently information technology-related work is clarified;
3) inherently information technology-related work is not performed by non-IT organization staff;
4) oversight of information systems not managed by the IT organization is documented;
5) procedures are updated to include and clarify stakeholders’ defined roles and responsibilities in detecting, overseeing, and reviewing unauthorized hardware;
6) all unauthorized software are disabled;
7) unauthorized software standard operating procedures are updated; and
8) unauthorized software performance metrics are developed.

The IRS agreed with all eight recommendations.

Click here to see more of the latest news from the NYSSCPA.