TIGTA Finds IRS Weaknesses in Asset Management Controls Over its IT Assets
Weaknesses in asset management controls at the Internal Revenue Service (IRS) leave information technology assets vulnerable to loss, according to a new report released by the Treasury Inspector General for Tax Administration (TIGTA).
The IRS Information Technology organization controls more than 306,000 information technology assets worth almost $720 million using the Knowledge, Incident/ Problem, Service Asset Management (KISAM) system.
“TIGTA’s audit determined that weaknesses in controls over asset management create an environment in which information technology assets are vulnerable to loss,” said J. Russell George, Treasury Inspector General for Tax Administration. “The risk of loss, theft, or the inadvertent release of sensitive information can decrease the public’s confidence in the IRS’s ability to monitor and use its resources effectively.”
The overall objectives of TIGTA’s report were to determine whether system user permissions were appropriate to ensure the safeguarding of the information technology asset inventory and to review the effectiveness of the system in maintaining an accurate and complete information technology asset inventory.
TIGTA found that information technology asset data successfully migrated from the legacy inventory system to the KISAM–Asset Manager. However, the audit log used to capture events was not being reviewed to ensure that only appropriate accesses were made. In addition, information technology asset data within the KISAM–Asset Manager are inaccurate and incomplete because the IRS is not following its procedures to ensure that all assets are accurately recorded and timely updated in the KISAM–Asset Manager.
TIGTA also found that ineffective inventory controls created an environment where information technology assets are vulnerable to loss. TIGTA selected 146 information technology assets to physically verify and could not locate and verify or find proper supporting documentation for 34 information technology assets worth more than $948,000. In addition, IRS offices did not properly complete the annual inventory reconciliation process.
To improve the controls over information technology assets, TIGTA recommended that the Chief Technology Officer ensure that the inventory records are updated to correct the deficiencies identified in TIGTA’s review; the reconciliation process is effectively completed and offices provide supporting documentation for quality review; and dollar threshold criteria are included in the Asset Management Inventory Certification Plan for certifying information technology assets with a high-dollar value that affect financial statement reporting. TIGTA also made several recommendations that will help the IRS Information Technology organization ensure that the data captured in its inventory management system are complete and accurate and that its assets are adequately safeguarded against theft or loss.
In their response to the report, IRS management agreed with all eight recommendations. IRS management agreed to deliver KISAM Asset Manager Tool enhancements for performing asset verification and correct data deficiencies identified by TIGTA; develop a missing asset aging report to facilitate researching and resolving assets in a missing status; and update the Fiscal Year 2014 Inventory Certification Plan to include the verification of the Serial Number field and assets with an acquisition value of $50,000 or greater.
Source: US Department of the Treasury news release