TIGTA report says IRS should do a better job protecting taxpayer data

BY SALLY P. SCHREIBER, J.D.

The IRS does not do a good job of correcting security weaknesses, thereby failing to protect taxpayer data, the Treasury Inspector General for Tax Administration (TIGTA) concluded in a report released Thursday. TIGTA’s audit found that the IRS does not always correct known security problems and the corrective action process does not always work as intended. The report calls on the IRS to improve management or internal controls of planned corrective actions (PCA).

TIGTA performed the audit as part of its statutory requirement to review the adequacy and security of IRS technology each year. “When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” Treasury Inspector General J. Russell George said in a press release.

In particular, the report examined whether PCAs that had been reported as closed because they were resolved were actually resolved correctly. It found that eight of 19 PCAs (42%) were only partially implemented even though they were approved and closed as fully implemented to address reported security weaknesses from earlier TIGTA audits. Other problems uncovered were that documentation did not always support closing the PCAs, and the documents were not properly uploaded to a database used to gather this documentation.

TIGTA’s report recommended that the IRS strengthen its management controls to adhere to internal control requirements, further train employees responsible for entering documentation about PCAs, ensure that there is a proper separation of duties when PCA reports are signed and that they receive appropriate executive review and approval, audit closed PCAs to be sure they were closed correctly, and change closed PCAs to open if they were only partially implemented. In response, the IRS agreed to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.

The IRS only partially agreed with TIGTA’s recommendation to upload documentation into the database for previously closed PCAs, noting that it would do so after it completed a cost/benefit analysis. TIGTA responded that the IRS should complete its recommendation to ensure that all PCAs concerned with security weaknesses are implemented and to comply with a Treasury Department mandate to upload supporting documentation to the database.

Sally P. Schreiber ( sschreiber@aicpa.org ) is a JofA senior editor.

VIDEO

Excel walk-through: Sparklines

Want to liven up your spreadsheets with some color and graphical elements? Kelly L. Williams, CPA, Ph.D., shows how to use Excel sparklines, which illustrate data trends and patterns via small charts that fit in a single Excel cell.

PODCAST

What’s next for potential CPA licensure changes

A new model proposed by NASBA and the AICPA is designed with an eye on the future for newly licensed CPAs. The AICPA's Carl Mayes, CPA, provides background on the project and a look ahead to 2020.