The Treasury Inspector General for Tax Administration, (TIGTA) today publicly released its review of whether the Internal Revenue Service (IRS) has made adequate progress in implementing required Federal security configurations on employee computers.

TIGTA conducted the audit as part of its statutory requirement to annually review the adequacy and security of IRS technology.

The audit concluded that the IRS has made slow progress in implementing Federally-required security settings on its more than 98,000 desktop and laptop computers. The IRS implemented about half of the 254 required security settings on its computers in October 2008, 9 months after the deadline set by the Office of Management and Budget. As of December, the IRS had implemented 81 percent of the settings.

According to the report, the delays in implementing the settings were due to the untimely creation of a project team in January of 2008 to implement the settings, a week before the deadline for completing the installation. Once created, the team did not follow basic project management practices.

The report also found that the IRS has not implemented an automated monitoring tool to detect and monitor changes to the settings after installation. Also the IRS has not modified its software contracts to ensure that new software operates properly with the settings.

"This report reveals a troubling situation," stated J. Russell George, the Treasury Inspector General for tax Administration. "The security of IRS computers is critical. Taxpayers have every right to expect that the IRS protects their privacy and personal information to the highest possible degree. Without a complete set of security settings on employees' computers, the IRS is at risk of business disruption and unauthorized access to taxpayer data."

TIGTA recommended that the IRS improve its technology project management practices, consider acquiring an automated monitoring tool and prioritize the updating of software contracts. The IRS agreed with TIGTA's recommendations.