Inspector General: IRS's Aging IT Puts Taxpayer Data at RiskIRS Pegs Replacement Costs at $430 Million
See Also: Top 50 Security Threats
An audit from the Treasury Department's inspector general for tax administration, made public this week, reviewed an IRS's Sustaining Infrastructure Program that's aimed to address the operational challenge of replacing its aging hardware infrastructure. The IG reports the IRS isn't faring well.
The IG says the IRS has yet to achieve its stated objective of reducing its aging hardware to an acceptable level, deemed at 20 percent to 25 percent of all IT hardware. Instead, the percentage of older machines in use increased to 64 percent at the start of fiscal 2017 last Oct. 1 from 40 percent at the beginning of FY 2013.
Workweek of Time to Address Each Incident
Auditors analyzed 107 incident tickets most likely to involve old hardware failures in FY 2016 and found that the aggregate length of time to resolve the issues was approximately 4,541 hours, or 42 hours per incident.
"Aged information technology hardware still in use introduces unnecessary risks," Deputy Inspector General for Audit Michael McKenney writes in the report. "These aged hardware failures may have also had a negative effect on IRS employee productivity, security of taxpayer information and customer service."
The IRS estimates that the replacement cost for its old hardware is about $430 million.
IRS CIO S. Gina Garza characterizes replacement of aging infrastructure as a high priority for the agency. "However," she says in a written response, "providing sufficient funding to reduce the aged percentage of infrastructure to industry standards has been challenging. The IRS has faced the challenge of accomplishing its mission with decreased funding levels over several years and it did so while absorbing $1.3 billion in costs for unfunded or partially funded mandates."
IRS Questions IG's Assumptions
Garza challenges the auditors' underlying premise that the agency is using resources inefficiently by not spending all of its appropriated funds each fiscal year. She says transferring more than $5 million from one program to another requires congressional approval, but tight deadlines required in the budgeting process are hard to meet. "Given the time of the annual request and how long it takes to receive congressional approval, we would not be able to utilize surpluses identified late in the fiscal year," Garza says.
The IG recommended that the IRS CIO develop comprehensive guidance that describes the agency's enterprisewide processes, policies and procedures as well as the roles and responsibilities of IRS IT personnel to efficiently manage the its aged hardware. Auditors also recommended that the IRS implement systemic controls to prevent erroneous incident ticket time entries to an asset management system where the incident stop time is earlier than the incident start time.
The IRS accepted both of those recommendations, saying they'll be implemented by Oct. 31 and Dec. 15, respectively.