Everything Is in the Best of Hands: “Security Weaknesses Are Not Timely Resolved and Effectively Managed”

The Treasury Inspector General for Tax Administration (TIGTA) released a report today, and it doesn’t make for pleasant reading; it’s titled, “Security Weaknesses Are Not Timely Resolved and Effectively Managed.”  If you wonder why some don’t feel confident with the IRS preparing tax returns, look no further.  The summary (relating to what the IRS is currently doing with “Plan of Action and Milestones (POA&Ms)”) is quite damning:

The IRS did not timely review 291 (73 percent) of 401 POA&Ms TIGTA analyzed based on agency security policies nor did it perform the required closure reviews within the 60-day time period for 138 (49 percent) of 282 POA&Ms marked as either Accepted, Completed, or Validated.

Due to staffing shortfalls, IRS employees are not facilitating the timely resolution of information security weaknesses. Agency-wide, there are more than 500 POA&Ms categorized as Late, including 23 with risk severity ratings of either critical or high…

In addition, business units are not timely creating POA&Ms or consistently entering required POA&M information…

Finally, the IRS is not accurately identifying and tracking resources required to resolve information security weaknesses. For the 12,089 POA&Ms, there was a total estimated cost of $2.6 billion to resolve the information security weaknesses. From January 1, 2018, through August 26, 2022, the IRS finalized remediation efforts for 3,139 POA&Ms with total estimated costs of $134.5 million to resolve the information security weaknesses. However, during the closure process, the IRS did not reevaluate the estimated budget and update it with actual costs at closure, as required.

TIGTA made four recommendations, and at least the IRS agreed with all of them; the IRS plans on correcting all of them no later than May 15, 2024.  As to why this is important, TIGTA noted: “Failure to timely review, track, and close POA&Ms to resolve information security weaknesses puts the IRS at risk for exploitation by threat actors. In addition, tracking associated resources required to resolve POA&Ms facilitates informed decision-making.”  Tax professionals have enough security risks without having the IRS contributing more!

