When FISMA Compliance Just Isn't Enough

GAO Identifies Control Failures at Internal Revenue Service
Complying with FISMA and NIST requirements won't guarantee the integrity of an agency's financial reporting.

That's one conclusion of a just-published Government Accountability Office audit, dated June 25, which found that Internal Revenue Service managers failed to perform sufficient monitoring to identify a material weakness of an internal financial control, as required by the Office of Management and Budget.

Not only did the IRS fail to implement fully key parts of its information security program in fiscal year 2011, which ended last Sept. 30, but the tax agency's monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting, the audit says.

Another shortfall the audit unveiled: Two clerks at an IRS service center improperly adjusted a taxpayer's account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts as they performed their payment processing duties. "Consequently," writes Steven Sebastian, GAO managing director of financial management and assurance, "they had the potential to misappropriate a payment and alter the taxpayer's account to conceal the theft."

Sebastian says the situation occurred because IRS procedures did not specifically prohibit access to such system commands for support personnel who are responsible for processing payments, adding that IRS procedures did not require monitoring these particular employees' system accesses.

GAO recommends that the IRS commissioner should direct appropriate agency officials to update the Internal Revenue Manual to specify steps to be taken to prevent support clerks and other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts. IRS Commissioner Douglas Shulman, in a written response, concurs with that suggestion as well as more than two dozen other GAO recommendations, and promises that appropriate action to fix weaknesses highlighted in the GAO audit will be taken in the coming months.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
