TIGTA Finds Problems With IRS Purchase Cards, Network Security

The Treasury Inspector General for Tax Administration (TIGTA) released a pair of reports on Tuesday finding problems with the security of the IRS Windows environment and a lack of control over IRS purchase cards (TIGTA Reports 2011-20-111 and 2011-10-075, respectively).

Purchase Cards

In Report 2011-10-075, TIGTA states that between Sept. 1, 2007, and March 31, 2009, the IRS made more than 174,000 purchases using purchase cards. These purchases amounted to more than $80 million, but TIGTA said the IRS does not have controls in place to make sure improper or abusive purchases are not made with the cards. It also has no controls to ensure improper or abusive purchases are detected promptly and no way to ensure corrective action is taken.

Under the General Services Administration’s SmartPay Program, IRS offices can use Citibank MasterCard purchase cards to make official purchases within predetermined limits, rather than having to submit the paperwork associated with a procurement request. Under the Federal Acquisition Regulation, using a purchase card is the preferred method for making and paying for purchases of goods and services up to $3,000. During the period TIGTA audited, there were 4,270 purchase cardholders in the IRS.

The TIGTA audit found various violations, including purchases that were made without necessary approvals, purchases that were split in two to circumvent “micro-purchase” limits, and purchases made from improper sources.

TIGTA recommends that the IRS emphasize to its cardholders that split-purchase transactions will not be tolerated and stress the importance of preparing an order log prior to purchase. TIGTA also recommends improved oversight reviews to identify split-purchase transactions and to evaluate the requirement for purchasing office supplies from contract vendors and preferred suppliers.

In a response letter included in the report, the IRS said it agrees with TIGTA’s recommendations and said that it plans to provide guidance on oversight and enforcement responsibilities.

Network Security

In a separate audit, TIGTA reviewed whether the IRS has structured its Windows environment to provide efficient and secure management of its Windows servers.

The audit found that the IRS has not done enough to centralize its Windows environment, and therefore cannot achieve consistent identity and authorization management.

According to Report 2011-20-111, the IRS maintains a network of 6,000 servers and 110,000 workstations, which use the Windows operating system. However, TIGTA found that three organizations (Business Systems Modernization, Statistics of Income, and Integrated Submission and Remittance Processing) maintain groups of Windows servers outside of the IRS’ main centralized group of servers. TIGTA also found that the IRS spent $1.2 million to maintain obsolete equipment in the Business Systems Modernization group, which uses outdated Windows 2000 servers that are not supported by Microsoft.

The audit also found that the IRS does not ensure that all computers connected to its network are authorized and compliant with its security policies. The IRS has standards designed to prevent unauthorized computers from being connected to its network, but has no controlling authority to enforce those standards.

TIGTA recommends that the IRS (1) establish an enterprisewide body to enforce its Windows server group design criteria and ensure unauthorized server groups are not created; (2) shut down noncentralized server groups; (3) implement standards to ensure that nonauthorized computers cannot connect to the IRS network; and (4) use network scanning tools to detect unauthorized computers connected to the network, and develop and implement procedures to remove those computers.

The IRS agreed with the TIGTA recommendations and said it plans to take corrective actions.

