TIGTA report says IRS should do a better job protecting taxpayer data

BY SALLY P. SCHREIBER, J.D.

The IRS does not do a good job of correcting security weaknesses, thereby failing to protect taxpayer data, the Treasury Inspector General for Tax Administration (TIGTA) concluded in a report released Thursday. TIGTA’s audit found that the IRS does not always correct known security problems and that the corrective action process does not always work as intended. The report calls on the IRS to improve management or internal controls of planned corrective actions (PCAs).

TIGTA performed the audit as part of its statutory requirement to review the adequacy and security of IRS technology each year. “When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” Treasury Inspector General J. Russell George said in a press release.

In particular, the report examined whether PCAs that had been reported as closed because they were resolved were actually resolved correctly. It found that eight of 19 PCAs (42%) were only partially implemented even though they were approved and closed as fully implemented to address reported security weaknesses from earlier TIGTA audits. Other problems uncovered were that documentation did not always support closing the PCAs, and the documents were not properly uploaded to a database used to gather this documentation.

TIGTA’s report recommended that the IRS strengthen its management controls to adhere to internal control requirements, further train employees responsible for entering documentation about PCAs, ensure that there is a proper separation of duties when PCA reports are signed and that they receive appropriate executive review and approval, audit closed PCAs to be sure they were closed correctly, and change closed PCAs to open if they were only partially implemented. In response, the IRS agreed to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.

The IRS only partially agreed with TIGTA’s recommendation to upload documentation into the database for previously closed PCAs, noting that it would do so after it completed a cost/benefit analysis. TIGTA responded that the IRS should complete its recommendation to ensure that all PCAs concerned with security weaknesses are implemented and to comply with a Treasury Department mandate to upload supporting documentation to the database.

Sally P. Schreiber (sschreiber@aicpa.org) is a JofA senior editor.
