The U.S. Internal Revenue Service used a flawed and ineffective process for monitoring system security weaknesses, according to a report recently released by the Treasury Inspector General for Tax Administration.
The IRS failed to accurately and completely describe security weaknesses, understated the number of weaknesses, and overstated progress in addressing the weaknesses, the report said.
Specifically, the agency prepared nearly identical reports for each system, noting only broad control topics rather than specific problems.
Also, the IRS assumed that if a system was certified and accredited, then nearly all of its weaknesses had been addressed. "This assumption is not valid since certified and accredited systems can still have security weaknesses," the IG wrote.
As a result of the flawed process, the information given to the Office of Management and Budget and the Inspector General has been "inaccurate and misleading," according to the audit.
IRS management agreed with the audit's findings and has established a working group to develop an approach for managing the process.