When FISMA Compliance Just Isn’t Enough

Editor’s Note:  The GAO Management Report, Improvements Are Needed to Enhance the Internal Revenue Service’s Internal Controls and Operating Effectiveness, is attached below.  For more information about the Management Report as it pertains to continuous monitoring, please see the FISMA Focus Continuous Monitoring Discussion Forum here.

From: GovInfoSecurity

GAO Identifies Control Failures at Internal Revenue Service
By Eric Chabrow

Complying with FISMA and NIST requirements won’t guarantee the integrity of an agency’s financial reporting.

That’s one conclusion of a just-published Government Accountability Office audit – dated June 25 – that Internal Revenue Service managers failed to perform sufficient monitoring to identify a material weakness of an internal financial control, as required by the Office of Management and Budget.

Not only did the IRS fail to implement fully key parts of its information security program in fiscal year 2011, which ended last Sept. 30, but the tax agency’s monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting, the audit says.

Another shortfall the audit unveiled: Two clerks at an IRS service center improperly adjusted a taxpayer’s account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts as they performed their payment processing duties. “Consequently,” writes Steven Sebastian, GAO managing director of financial management and assurance, “they had the potential to misappropriate a payment and alter the taxpayer’s account to conceal the theft.”

Sebastian says the situation occurred because IRS procedures did not specifically prohibit access to such system commands for support personnel who are responsible for processing payments, adding that IRS procedures did not require monitoring these particular employees’ system accesses.

GAO recommends that the IRS commissioner direct appropriate agency officials to update the Internal Revenue Manual to specify the steps to be taken to prevent support clerks and other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts. IRS Commissioner Douglas Shulman, in a written response, concurs with that suggestion as well as more than two dozen other GAO recommendations, and promises that appropriate action to fix the weaknesses highlighted in the GAO audit will be taken in the coming months.
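The two gaps GAO describes above are a separation-of-duties gap (one person can both post a payment and adjust the same taxpayer's account) and a monitoring gap (nobody reviewed those employees' system accesses). The following is an added illustration written for this page, not IRS or IDRS code, showing how both controls look when automated: a static check that flags any user holding a toxic combination of roles, and a log monitor that flags account adjustments issued by anyone who also processes payments. The role names, command names, user IDs and log lines are constructed for the example.

```python
"""Separation-of-duties check and access-log monitor (added example, not IRS code)."""
import re

# Hypothetical role -> permitted commands mapping (constructed for this example).
ROLE_COMMANDS = {
    "payment_processing": {"POST_PAYMENT", "VIEW_ACCOUNT"},
    "account_adjustment": {"ADJUST_ACCOUNT", "VIEW_ACCOUNT"},
    "supervisor": {"VIEW_ACCOUNT", "APPROVE_ADJUSTMENT"},
}

# Commands that change a taxpayer's balance and must never be run by payment staff.
ADJUSTMENT_COMMANDS = {"ADJUST_ACCOUNT"}

# Role pairs that one person must never hold at the same time (kept sorted).
TOXIC_PAIRS = [("account_adjustment", "payment_processing")]

# Constructed role assignments: clerk01 holds the toxic combination.
ASSIGNMENTS = {
    "clerk01": {"payment_processing", "account_adjustment"},
    "clerk02": {"payment_processing"},
    "adj07": {"account_adjustment"},
    "sup03": {"supervisor"},
}

# Constructed access-log lines: "<timestamp> <user> <command> <account>".
SAMPLE_LOG = [
    "2012-06-25T09:14:02Z clerk01 POST_PAYMENT 100-01",
    "2012-06-25T09:15:40Z clerk01 ADJUST_ACCOUNT 100-01",  # same clerk posts, then adjusts
    "2012-06-25T09:20:11Z adj07 ADJUST_ACCOUNT 100-02",    # adjustment-only user: allowed
    "2012-06-25T09:31:55Z clerk02 ADJUST_ACCOUNT 100-03",  # payment clerk with no adjustment role
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<cmd>[A-Z_]+) (?P<acct>\S+)$")


def sod_violations(assignments):
    """Return (user, role_a, role_b) for every user holding a toxic role pair."""
    found = []
    for user in sorted(assignments):
        roles = assignments[user]
        for role_a, role_b in TOXIC_PAIRS:
            if role_a in roles and role_b in roles:
                found.append((user, role_a, role_b))
    return found


def effective_commands(roles):
    """Union of the commands permitted by a user's roles."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_COMMANDS.get(role, set())
    return allowed


def parse_log_line(line):
    """Parse one constructed log line into a dict; reject anything malformed."""
    match = LOG_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    return match.groupdict()


def flag_adjustments(log_lines, assignments):
    """Return (timestamp, user, command, reason) for every suspicious access.

    Two detections: an adjustment command issued by anyone who processes
    payments (the conflict GAO describes), and any command outside the
    caller's assigned roles.
    """
    findings = []
    for line in log_lines:
        entry = parse_log_line(line)
        roles = assignments.get(entry["user"], set())
        if entry["cmd"] in ADJUSTMENT_COMMANDS and "payment_processing" in roles:
            findings.append((entry["ts"], entry["user"], entry["cmd"],
                             "payment-processing user adjusted a taxpayer account"))
        elif entry["cmd"] not in effective_commands(roles):
            findings.append((entry["ts"], entry["user"], entry["cmd"],
                             "command outside assigned roles"))
    return findings


if __name__ == "__main__":
    for violation in sod_violations(ASSIGNMENTS):
        print("SoD violation:", violation)
    for finding in flag_adjustments(SAMPLE_LOG, ASSIGNMENTS):
        print("Access finding:", finding)
```

The static check is the preventive control (fix the role assignment before anyone logs in); the log monitor is the detective control that still catches the case where the procedures, as in the audit, simply never prohibited the combination. Note that clerk02 is flagged even though it holds no adjustment role at all: the monitor keys on the command actually executed, not on what the role table says should have been possible.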

GAO.ManagementReport.IRS.25June2012

