The teams helping the Internal Revenue Service implement new health law programs need to pay more attention to security configuration control settings.
Alan Duncan, an assistant inspector general at the office of the Treasury Inspector General for Tax Administration, and other office officials have given that assessment in a final audit report on the IRS information technology program.
The Patient Protection and Affordable Care Act requires the IRS to help with activities such as verifying the income and family size of exchange plan applicants, and to help with providing a new premium tax credit for some middle-income health insurance buyers.
In August 2013, the IRS had 292 employees in its PPACA program management office. In fiscal year 2013, which ended Sept. 30, that office had a budget of about $97 million, or about 4 percent of total IRS information technology organization spending.
Investigators often find problems with improper security configuration control settings at the IRS, Duncan and colleagues write in their report.
Investigators found configuration control setting problems when they looked at the PPACA premium tax credit program and also at two other, unrelated programs – a Treasury Internet Connections initiative and a project that would allow several virtual servers to run on one computer.
One top priority for the IRS PPACA premium tax credit team is to stick to “important systems development controls for configuration and change management,” officials said.
The team also has to do a better job of sticking to systems development controls for fraud detection and mitigation, officials said.
The IRS PPACA family information verification program team should come up with a better process for sticking to configuration management guidelines when baseline requirements change, and it also has to do a better job of communicating PPACA program configuration control board emergency meeting processes, officials said.