Controls Continue to Need Improvement to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented and Documented

The Chief Information Officer should change the PCA status from closed to open in the JAMES for the corrective actions TIGTA identified as not fully implemented and the status of the PCAs should remain open until they are fully implemented.

The Chief Information Officer should reopen the closed PCA associated with TIGTA, Ref. No. 2014-20-087, "While the Data Loss Prevention Solution Is Being Developed, Stronger Oversight and Process Enhancements Are Needed for Timely Implementation Within Budget," and comply with the IRS's internal guidance to submit a request with justification for the cancellation/rejection of the PCA to TIGTA for review and action. Once TIGTA provides a response, the information should be forwarded to the Internal Controls organization for uploading into the JAMES.

The Chief Financial Officer should update the Internal Revenue Manual (IRM) to broaden the Audit Coordination and OAR offices auditing to include reviewing management's corrective actions to ensure that the PCAs are fully and appropriately implemented.

The Chief Financial Officer should ensure that the Associate CFO, Internal Controls, works with the Cybersecurity organization to upload the supporting documentation for the 51 closed PCAs TIGTA determined did not have sufficient documentation in the JAMES, provided that the appropriate PCA retention period after the fiscal year in which the PCA was closed has not expired.

The Chief Financial Officer should ensure that Internal Controls organization reviewers improve the development of their skillsets to obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions. Part of the development could include attending audit evidence training courses offered by the Federal Government and the private sector.