SharePoint Online Access and Security Controls Need Improvement

Date Issued

Wednesday, March 18, 2026

Submitting OIG

Treasury Inspector General for Tax Administration

Agencies Reviewed/Investigated

Internal Revenue Service

Report Number

2026-200-010

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

$1,055,782

Report updated under NDAA 5274

Open Recommendations

This report has 7 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
The Chief Information Officer should ensure that the site owners using manual documentation or a permission workflow method of access control review the SPO logs to ensure that only authorized users with a business need have access.
2	No	$0	$0
The Chief Information Officer should ensure that all SPO sites identify their access control method.
3	No	$0	$0
The Chief Information Officer should implement an automated tool that can identify and remove sensitive data (such as PII and FTI) on SPO sites.
4	No	$0	$0
The Chief Information Officer should implement an automated tool that can block restricted file types on SPO sites.
5	No	$0	$0
The Chief Information Officer should establish a process to identify and update sites that are missing appropriate site administrators.
6	No	$0	$1,055,782
The Chief Information Officer should coordinate with the Office of Chief Counsel to identify opportunities to recover, from the original contractor, the amount paid for the SharePoint 2013 extended service contracts due to delays and deficiencies in the original contractor's work.
7	No	$0	$0
The Chief Information Officer should ensure that future information technology contracts include milestones, deliverables, and/or more stringent performance monitoring.