The Treasury Inspector General for Tax Administration (TIGTA) found that while IT risk management practices are improving for the Internal Revenue Service (IRS), mitigation documentation and oversight practices need to be improved.
“The Information Technology organization’s functions and programs are identifying, assessing, and reporting risks, but information on risk mitigation plans, mitigation activities, and closure rationale, as well as closure documentation, is not being captured in sufficient detail to be useful,” an August 14 TIGTA report said.
TIGTA found that some functions of the agency were using a risk management tool that “does not capture essential information, while some functions and program risk records failed to include complete or sufficient details of the risk management efforts.”
Additionally, TIGTA found that “19 of 20 accepted unmitigated risks were not reassessed quarterly as required by established guidance.”
TIGTA recommended to the CIO that:
- Require all IT functions, except for the Cybersecurity function, to record risks in the Item Tracking Reporting and Control (ITARC) system;
- Require that detailed descriptions of risk mitigation plans and activities, as well as closure rationale, be documented and uploaded to ITARC;
- Periodically review risk descriptions and uploaded documentation to ensure the information is appropriate, current, complete, and accurate; and
- Periodically reassess all accepted unmitigated risks so that “acceptance remains management’s preferred response.”
The IRS concurred with all four recommendations.
TIGTA was tasked with assessing the IT risk management process in accordance with an Office of Management and Budget directive that requires Federal agencies to stand up a formal Enterprise Risk Management capability.