TIGTA report says IRS should do a better job protecting taxpayer data

BY SALLY P. SCHREIBER, J.D.

The IRS does not do a good job of correcting security weaknesses, thereby failing to protect taxpayer data, the Treasury Inspector General for Tax Administration (TIGTA) concluded in a report released Thursday. TIGTA’s audit found that the IRS does not always correct known security problems and the corrective action process does not always work as intended. The report calls on the IRS to improve management or internal controls of planned corrective actions (PCA).

TIGTA performed the audit as part of its statutory requirement to review the adequacy and security of IRS technology each year. “When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” Treasury Inspector General J. Russell George said in a press release.

In particular, the report examined whether PCAs that had been reported as closed because they were resolved were actually resolved correctly. It found that eight of 19 PCAs (42%) were only partially implemented even though they were approved and closed as fully implemented to address reported security weaknesses from earlier TIGTA audits. Other problems uncovered were that documentation did not always support closing the PCAs, and the documents were not properly uploaded to a database used to gather this documentation.

TIGTA’s report recommended that the IRS strengthen its management controls to adhere to internal control requirements, further train employees responsible for entering documentation about PCAs, ensure that there is a proper separation of duties when PCA reports are signed and that they receive appropriate executive review and approval, audit closed PCAs to be sure they were closed correctly, and change closed PCAs to open if they were only partially implemented. In response, the IRS agreed to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.

The IRS only partially agreed with TIGTA’s recommendation to upload documentation into the database for previously closed PCAs, noting that it would do so after it completed a cost/benefit analysis. TIGTA responded that the IRS should complete its recommendation to ensure that all PCAs concerned with security weaknesses are implemented and to comply with a Treasury Department mandate to upload supporting documentation to the database.

Sally P. Schreiber ( sschreiber@aicpa.org ) is a JofA senior editor.

SPONSORED REPORT

Keeping client information safe in an age of scams and security threats

A look at the Dirty Dozen tax scams and ways to protect taxpayer information.

TECHNOLOGY Q&A

How to create maps in Excel 2016

Microsoft Excel 2016 has two new mapping capabilities. J. Carlton Collins, CPA, demonstrates how to make masterful 2D and 3D maps in Excel 2016.

QUIZ

News quiz: IRS enforcement, a hot job, and audit value

The IRS’s 2016 Data Book, a “hot job” of particular interest at this time of year, and insight into how executive and audit committees view the insights from financial statement audits received attention recently. See how much you know with this short quiz.