TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

PRIVATE COLLECTION AGENCIES ADEQUATELY PROTECTED TAXPAYER DATA

Issued on March 26, 2008

Highlights

Highlights of Report Number:  2008-20-078 to the Internal Revenue Service Commissioner for Small Business/Self-Employed Division.

IMPACT ON TAXPAYERS

The Internal Revenue Code authorizes the Internal Revenue Service (IRS) to enter into contracts with private collection agencies (referred to as PCAs or contractors) to assist in the collection of delinquent Federal Government tax liabilities.  Inadequate security controls over taxpayer data provided to contractors would create increased risks of unauthorized access, misuse, disclosure, modification, or destruction of taxpayer data.

WHY TIGTA DID THE AUDIT

Currently, the IRS has contracts with two PCAs to assist in the collection of delinquent Federal Government tax liabilities.  As of February 2008, nearly 98,000 accounts had been provided to these contractors for resolution, representing more than $911 million.  Under the terms of their contracts with the IRS, PCAs must ensure that their computer systems are compliant with the Federal Information Security Management Act of 2002 and adhere to National Institute of Standards and Technology guidance.  The overall objective of this review was to determine whether PCAs were adequately protecting taxpayer data at the time of TIGTA’s review.

WHAT TIGTA FOUND

TIGTA reviewed the computer security controls over taxpayer data provided to the two current PCAs and determined that the controls were adequate.  In particular, files were securely transmitted from the IRS to the contractors and adequately secured on the contractors’ systems.  In addition, workstations used by contractor collection personnel were adequately controlled to prevent unauthorized copying of taxpayer information to removable media or transfer via email.  The contractors also maintained adequate audit trails and performed periodic reviews, including reviews to identify unauthorized access to taxpayer data.  TIGTA also identified best practices that should be considered by current and future PCAs to strengthen computer security controls.

WHAT TIGTA RECOMMENDED

TIGTA made no recommendations in this report and, therefore, did not require a formal written response from the IRS.  However, key IRS management officials reviewed the report prior to issuance and agreed with the results of the review.

READ THE FULL REPORT

To view the report, including the scope and methodology, go to:

http://www.treas.gov/tigta/auditreports/2008reports/200820078fr.html.

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov