Why TIGTA Did This Audit Cloud computing is a range of services delivered over the Internet. At the IRS, its cloud environment includes managed services consisting of information technology solutions provided by third parties, i.e., managed service providers, via contracts. These cloud managed services contracts (hereafter referred to as cloud services contracts) are the legal and binding agreement between the IRS and the third parties providing the cloud services. This audit was initiated to assess the IRS’s efforts to provide effective management and oversight of cloud services contracts.
Impact on Tax Administration The Inflation Reduction Act of 2022 provides the IRS $4.8 billion for modernization efforts, including the expansion of cloud migrations. The inability to identify all cloud services contracts and to determine the contract values of cloud applications increases the risk of potential lost cost savings and duplication of cloud services as well as making uninformed financial decisions. When service level agreements (SLA) are inconsistently and ineffectively used, the IRS may be unable to successfully manage risks, ensure that service levels are met, and apply applicable penalties. Further, routinely bypassing the Cloud Front Door process creates confusion and leads to inefficiency for applications migrating to the cloud.
TIGTA made seven recommendations to the Chief Procurement Officer. They include developing a process to track cloud services contracts and to determine the contract values by cloud application; and consistently incorporating the SLAs, penalties, and applicable contract clauses into cloud services contracts. TIGTA also made five recommendations to the Chief Information Officer. They include clarifying in a formal policy that applications migrating to the cloud are required to engage and be processed centrally; ensuring that all applications operating in the cloud have obtained governance board approval; and implementing the new security review guidance for continuous monitoring. The IRS agreed with all 12 recommendations. The Chief Procurement Officer plans to develop an identification and tracking process for cloud services contracts that includes product and service descriptions and contract values, and update a checklist indicating whether SLAs and contract clauses are required in cloud services contracts. The Chief Information Officer plans to implement a new policy requiring all applications migrating to the cloud to follow the centralized process and obtain governance approval, and implement the new security review guidance for continuous monitoring.
Want to get involved with OS AI? - A small number of Sponsorship Opportunities are now available here. Starting at $500.