When FISMA Compliance Just Isn't EnoughGAO Identifies Control Failures at Internal Revenue Service
Complying with FISMA and NIST requirements won't guarantee the integrity of an agency's financial reporting.
That's one conclusion of a just-published Government Accountability Office audit - dated June 25 - that Internal Revenue Service managers failed to perform sufficient monitoring to identify a material weakness of an internal financial control, as required by the Office of Management and Budget.
Not only did the IRS fail to implement fully key parts of its information security program in fiscal year 2011, which ended last Sept. 30, but the tax agency's monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting, the audit says.
Another shortfall the audit unveiled: Two clerks at an IRS service center improperly adjusted a taxpayer's account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts as they performed their payment processing duties. "Consequently," writes Steven Sebastian, GAO managing director of financial management and assurance, "they had the potential to misappropriate a payment and alter the taxpayer's account to conceal the theft."
Sebastian says the situation occurred because IRS procedures did not specifically prohibit access to such system commands for support personnel who are responsible for processing payments, adding that IRS procedures did not require monitoring these particular employees' system accesses.
GAO recommends that the IRS commissioner should direct appropriate agency officials to update the Internal Revenue Manual to specify steps to be taken to prevent support clerks and other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts. IRS Commissioner Douglas Shulman, in a written response, concurs with that suggestion as well as more than two dozen other GAO recommendations, and promises that appropriate action to fix weaknesses highlighted in the GAO audit will be taken in the coming months.