The IRS Needs to Address Access Control Deficiencies for the Enterprise Data Platform

Date Issued

Sunday, June 28, 2026

Submitting OIG

Treasury Inspector General for Tax Administration

Agencies Reviewed/Investigated

Internal Revenue Service

Report Number

2026-208-026

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
The Chief Information Officer should work with the Treasury Department to ensure that privileged Enterprise Data Platform user accounts are fully integrated with the PUMAS.
2	No	$0	$0
The Chief Information Officer should ensure that the responsible unit with the authority to remove Enterprise Data Platform user access is timely notified when appropriate e.g., entitlements are changed or accounts are inactive.
3	No	$0	$0
The Chief Information Officer should coordinate with the Treasury Department to resolve the infrastructure issue between IRS and Treasury networks and ensure that systemic processes are incorporated into the platform user account management process once the infrastructure limitations are resolved.
4	No	$0	$0
The Chief Information Officer should establish a corrective action plan or an RBD to address the lack of automated provisioning of user accounts.