The IRS purchased approximately $1.2 million in information technology (IT) products initiated by business units outside of the IT organization that were not properly approved by management, a Treasury Inspector General for Tax Administration (TIGTA) audit found.
Despite the Taxpayer First Act’s requirement that the IRS's chief information officer oversee the development, implementation and maintenance of information technology throughout the IRS, the oversight was inconsistent, the audit found. Out of a total of $2.2 million in IT purchases between October 2020 and December 2021, only $1 million, or 41 percent of the total, had been properly authorized.
None of the individuals who approved the majority of the purchases—$1.2 million, or 59 percent of the total—had the authority to do so, the audit found.
The agency has a written policy and procedures to mitigate unauthorized hardware, but “the detection and oversight of unauthorized hardware are not defined and documented,” TIGTA also found. The IT organization could provide documentation of its oversight on only 8 percent of the 103 information systems used in the IRS, being unable to provide evidence of any oversight for the remaining 92 percent.
The IRS has procedures to manage unauthorized software, but the methodology used to manage it needs improvement, the audit reported. A review of a March 2022 report determined that only 22 (1 percent) of the 2,815 unauthorized software items would have been reviewed, while the remaining 2,793 (99 percent) would not have been reviewed.
“Without effective controls and management oversight of all information technology resources, the IRS risks unnecessarily increasing the exposure of its information systems to potential malware and viruses; making less informed program decisions; using information technology resources inefficiently; and not complying with requirements,” the report read. “In addition, as stewards of taxpayer dollars, the IRS must ensure that it only pays for procured information technology products as authorized.”
TIGTA made eight recommendations to the IRS chief information officer. They include ensuring that:
1) the appropriate management official approves the purchase of information technology products;
2) inherently information technology-related work is clarified;
3) inherently information technology-related work is not performed by non-IT organization staff;
4) oversight of information systems not managed by the IT organization is documented;
5) procedures are updated to include and clarify stakeholders’ defined roles and responsibilities in detecting, overseeing, and reviewing unauthorized hardware;
6) all unauthorized software is disabled;
7) unauthorized software standard operating procedures are updated; and
8) unauthorized software performance metrics are developed.
The IRS agreed with all eight recommendations.