IRS Needs More Controls for IT Contract Administration to Protect Data and Systems

TIGTA’s review of a sample set of IRS IT contracts valued at $81.3 million found that their post-award controls did not enabled the IRS to “mitigate known risks and ensure that operational practices adhered to contract  administration policies and procedures.”

TIGTA selected a sample of 14 contracts from a pool of over 6,000 contract files totaling $3.3 billion in obligations. TIGTA examined 13 high-risk contract administration areas for each contract to determine whether or not IRS had sufficient controls in place for each area.  TIGTA found two areas for improvement:

• Clarifications should be established to “ensure consistent and reliable implementation of reviews required to mitigate security risks through the information technology contract administration process.”
• Operational controls need to be reexamined for fraud controls and contract administration to confirm that post-award contract file reviews are reliable.

Overall, TIGTA found control weaknesses in the following processes:

• Security Compliance Reviews
• Contract File Documentation
• Contractor Exclusion Reviews
• Contract Administration Plans
• Contracting Officer’s Representatives’ Appointment Letters

TIGTA recommended that the CTO ensure IRS policy and procedures are updated to provide clear guidance and instructions for the Security Compliance Review Checklist certification process. TIGTA also recommended that the Chief Procurement Officer improve IRS policy and procedures, ensure that the security checklists are sufficiently documented, maintained, and reviewed.  The Chief Procurement Officer should also mandate that IT contract files are maintained in a complete, organized, and consistent manner for review purposes.

The IRS agreed with the TIGTA findings and plans to implement the five TIGTA recommendations.