Audit Report Issued on IRS

Ralph DeFrangesco

I love the fact that someone is auditing the Internal Revenue Service. I guess I have to be careful not to pick on the agency too much before my taxes are due, but I just can't help myself. Last week, Deputy Inspector General for Audit Michael Phillips issued four recommendations to the chief information officer of the IRS. The recommendations are so basic that if these people worked in industry, they would be fired for letting them happen. According to the report, the IRS is doing virus scans on 89 percent of its servers. Why wouldn't they scan 100 percent? Do they really need someone to tell them to scan 100 percent of their servers? The report went on to say that the auditors found the cause to be administrators failing to carry out this responsibility. My reaction is what "The Donald" Trump says: "You are fired!"


The second recommendation was that the administrators should not use their privileged accounts to access the Internet. During the week that the auditors monitored account use, 63 administrator accounts accessed the Internet a total of 820 times. I say: "Fired!"


The third recommendation I really had to laugh at. I'm sorry, but do you really need someone to tell you that when an employee blatantly violates IRS Internet access policies, you have to tell him or her? Isn't that a manager's job? To pour more salt into the wound, the IRS does not have a policy on how to deal with such rule-breaking. I know you are saying that I am enjoying this.


The last recommendation I have to agree with. Training users on proper computer, Internet and e-mail use is very important. However, the IRS claims to have a training program in place that every employee and contractor must certify, on a yearly basis, that they have taken. This training, the IRS Information Protection Mandatory Briefing, includes a security-awareness refresher and covers common ways users can infect their systems. I'm not sure what the problem is here.


I chose this topic for multiple reasons: first, to show readers that even large organizations that have money are no better off than any other organization. In other words, money won't fix all problems. Second, to show you that organizations suffer from similar problems. Granted, you would expect to see the problems outlined here in smaller organizations. Finally, if this were to happen in industry, the people responsible would probably be fired or have to go before the audit committee and explain why it happened. I guess that's probably why no one was fired: there is no one holding these people responsible.


I guarantee that next year, or the year after, there will be more findings like this, or worse. We can only hope that now that Vivek Kundra, the new federal CIO, is back on the job, he has the authority to fire people who do not follow some basic IT principles. However, I know that he will be too busy working on far more important projects to work on mundane problems like developing IT policies. If they are struggling with these basic issues, it makes you wonder what other problems there are; and I just mean at the IRS. Don't be surprised if you see more break-ins on government servers, an increase in internal threats and more identity theft. I believe this will happen because it's a year in transition. We have a new administration, a new federal CIO and soon a new federal CTO. Hackers know the best time to attack is in an atmosphere of change.

Mar 19, 2009 7:34 AM b allen says:

Perhaps the issue is that there is an assumption that IT is responsible for all of these points, rather than just the first one, and their information security/risk team (which needs to be independent of IT so it is NOT an IT Security team purely focussed on IT) being responsible for the rest, and that technology can fix the above issues. 

IT do technology: they make it work and fix it when broken. They look after the business's information on the IT systems and connect it all together. If they had a standard for scanning desktops and servers for viruses and other malicious code, with some input from their security team, and been audited against it, these issues would then have been identified and addressed a lot earlier - having audit points against you is a great way to focus minds on what needs looking at, and either accepting the actions, or explaining why action cannot/will not be taken and the resulting risk to the organisation.

Information security focusses on people and process, supported by technology, and looks at how the information needs to be secured, regardless of the medium. The last three issues you mention are primarily people issues.

An Information Security team would have a security policy, and supporting standards that would prohibit the use of administrative IDs for Internet access, and also an acceptable use standard that warns of disciplinary action when users breach it.  (This would require the support of HR, but above all, senior management.) 

Then it all needs wrapping up with an awareness and education programme that encourages/teaches the right behaviours so users follow good practice.  It sounds as though the content of their current programme is either not up to scratch or that as there is no enforcement of any policy there is no reason for users to behave any differently. 

A major cultural change is required there, and an increase in the political will to make these necessary changes happen.

Mar 19, 2009 8:06 AM Ralph DeFrangesco says: in response to b allen


What a great post. I tried to have a little fun with the IRS, but you bring to reality that yes, IT gets blamed too much for things out of our control. Although we ARE very good, we can't do everything. The last three recommendations should also involve management, HR, corporate training, Internal Auditing, and IT Security.


Mar 25, 2009 2:10 AM Winston on Truth says:

It seems that since the public (and some in the private) sector must undergo annual technology audits to reduce their exposure to various identity thefts, virus avoidance, etc. to get a good financial credit worthiness (for loans) the government would at least be a bit more concerned for systems intrusions since it borrows money from the Federal Reserve and foreign nations (China, England, EAI, etc.).  But then the government has always done what they view as right in their own eyes and it leads to destruction and corruption.

Mar 25, 2009 2:50 AM Auditor says:

I was one of the engineers that performed these audits on the IRS. The basic assumption that IT and Security ought to be separated is of course a problem in just about every corporation. Does IT install and maintain A/V on a server or does Security? There are no hard and fast rules. There should be a policy, and that is part of the problem. The additional part of the problem is that while a policy may exist, it may be out of date or not even adhered to due to lack of publishing, training, or awareness on the part of IT or any regular user. Having these yearly audits is what keeps the business in line security-wise. Having someone on staff year-round to monitor changes in IT security activities would go a lot farther. The auditing teams were split between IRS employees and outside contractors. There was often a disconnect about how strict we should be on performing tests... typically in favor of letting IRS off the hook (so there are actually many more issues - check the GAO - that are not even listed which would make the IRS look even more foolish).

Mar 26, 2009 3:07 AM Ralph DeFrangesco says: in response to Auditor


I thank you for taking the time to share with us some of the issues that you faced at the IRS. As you said, a lot of organizations are facing the same issues. Definitely having an auditor on staff does make a difference.