TIGTA report says IRS should do a better job protecting taxpayer data


The IRS does not do a good job of correcting security weaknesses, thereby failing to protect taxpayer data, the Treasury Inspector General for Tax Administration (TIGTA) concluded in a report released Thursday. TIGTA’s audit found that the IRS does not always correct known security problems and the corrective action process does not always work as intended. The report calls on the IRS to improve management or internal controls of planned corrective actions (PCA).

TIGTA performed the audit as part of its statutory requirement to review the adequacy and security of IRS technology each year. “When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” Treasury Inspector General J. Russell George said in a press release.

In particular, the report examined whether PCAs that had been reported as closed because they were resolved were actually resolved correctly. It found that eight of 19 PCAs (42%) were only partially implemented even though they were approved and closed as fully implemented to address reported security weaknesses from earlier TIGTA audits. Other problems uncovered were that documentation did not always support closing the PCAs, and the documents were not properly uploaded to a database used to gather this documentation.

TIGTA’s report recommended that the IRS strengthen its management controls to adhere to internal control requirements, further train employees responsible for entering documentation about PCAs, ensure that there is a proper separation of duties when PCA reports are signed and that they receive appropriate executive review and approval, audit closed PCAs to be sure they were closed correctly, and change closed PCAs to open if they were only partially implemented. In response, the IRS agreed to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.

The IRS only partially agreed with TIGTA’s recommendation to upload documentation into the database for previously closed PCAs, noting that it would do so after it completed a cost/benefit analysis. TIGTA responded that the IRS should complete its recommendation to ensure that all PCAs concerned with security weaknesses are implemented and to comply with a Treasury Department mandate to upload supporting documentation to the database.

Sally P. Schreiber ( sschreiber@aicpa.org ) is a JofA senior editor.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.