Editor’s Note: The GAO Management Report, attached below, discusses shortcomings in IRS monitoring programs. Key “Results in Brief” passages discussing monitoring are quoted below. The Report contains significant additional discussion related to IRS system monitoring policies.
Monitoring Information Systems Material to Financial Reporting. IRS management had not performed sufficient monitoring of internal control over information systems material to financial reporting to determine whether such control was affected by any deficiencies in internal control that either individually or collectively constitute a material weakness that had not previously been reported, in accordance with Office of Management and Budget requirements. This was primarily because (1) IRS had not yet fully implemented key components of its information security program in fiscal year 2011; (2) IRS’s monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting; and (3) IRS has a previously identified material weakness in information security that still existed in fiscal year 2011 which rendered it unnecessary for IRS to support an assertion indicating that the related internal controls were effective.
Physical Security Reviews. IRS’s service center campus (SCC) and field office physical security personnel did not always properly or timely (1) complete the audit management checklists used to assess the physical security controls in place at these sites and (2) document supervisory reviews of completed checklists. This occurred primarily because IRS lacked procedures requiring centralized monitoring to detect whether analysts were properly completing such checklists and whether managers were timely and properly documenting their reviews of the completed checklists.
Integrated Data Retrieval System Access. Two clerks in the campus support unit at one SCC improperly had the ability to make adjustments to a taxpayer’s account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts in the course of their payment processing duties. Consequently, they had the potential to misappropriate a payment and alter the taxpayer’s account to conceal the theft. This occurred because IRS procedures did not specifically prohibit access to such system commands for certain campus support employees who were responsible for processing payments, and thus, IRS procedures did not require monitoring these particular employees’ system accesses.