IRS IT contracts could leak sensitive info, says watchdog

The IRS needs better controls for its IT contracts, which account for $3.3 billion in annual spending, to meet federal requirements to protect agency systems and sensitive information, according to a review conducted by the Treasury Inspector General for Tax Administration.

Auditors examined controls in "high-risk contract administration areas" and identified two in which controls were inadequate. First, the IRS needs to clarify guidance to ensure consistent and reliable use of IT contract reviews throughout a contract's life cycle. Second, the IRS needs to reassess its approach to fraud control.

The report states that there were control inadequacies in the IRS' security compliance reviews, contract file documentation, contractor exclusion reviews, contract administration plans and contracting officer's representative appointment letters.

Current guidance mandates that security checklists for IT contracts be submitted to the Office of Cybersecurity for review and certification. However, the office was not provided checklists for any of the contracts sampled by TIGTA.

Additionally, the Internal Revenue Manual and the guidance for security compliance reviews did not provide clear instructions about what triggers further reviews from the Office of Cybersecurity and did not adequately document risk mitigation controls.

Officials in the Office of Cybersecurity told auditors that they have begun to update and bolster the security checklist and policies for IT contracts to comply with the Federal Information Technology Acquisition Reform Act and the Federal Information Security Modernization Act.

Auditors also found that the IRS did not consistently adhere to operational and fraud controls. Contractor exclusion reviews, which assess whether a company is precluded from receiving an IRS contract, were not consistently conducted or documented in agency records. Contractors can be excluded because of delinquent federal taxes, violations of government contracts or convictions for tax evasion, embezzlement or various forms of fraud.

Furthermore, IRS officials are supposed to appoint qualified employees -- through an appointment letter to clarify and ensure a separation of duties -- to review and monitor all contracts that exceed $150,000. However, auditors found that appointment letters were not consistently issued, meaning the IRS could not verify whether the assigned duties were completed.

Auditors recommended that the IRS clarify its guidance for completing the security compliance review checklists and regularly update that guidance.

Additionally, they recommended that the IRS ensure that all procurement documents relating to federal and IRS guidance are saved and that the agency update its policy to require information on post-award contract duties to be maintained in agency records, as required by federal guidance.

IRS officials generally concurred with the recommendations.