Treasury Inspector General for Tax Administration
June 14, 2010
TIGTA - 2010-26
Contact: Karen Kraushaar
WASHINGTON -- The Internal Revenue Service needs to improve the security of the Automated Collection System (ACS), a telephone contact system used to collect tax revenues and help taxpayers resolve their tax issues, according to a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
The ACS is used by IRS employees to collect unpaid taxes and secure tax returns from delinquent taxpayers who have not complied with previous collection notices. Using the system, IRS employees can access taxpayer account information and issue notices, liens and levies to resolve cases. TIGTA evaluated whether the IRS implemented controls limiting which employees can access the ACS, what taxpayer information they can view, and what actions they completed while in the ACS.
TIGTA found that the IRS has configured several security features on the ACS to automatically delete inactive accounts, lock out users after three unsuccessful logon attempts, and lock employee workstations after a period of time to prevent unauthorized users from gaining access to the ACS.
However, TIGTA also found that IRS managers did not ensure that employees had no more access to taxpayer records than was necessary to perform their duties. In addition, the IRS does not track all of the activities in which employees accessing the ACS engage.
"The Automated Collection System is a critical component that grants IRS employees significant access to sensitive taxpayer information to help enhance compliance activities," said J. Russell George, the Treasury Inspector General for Tax Administration. "The IRS must implement additional security controls to protect sensitive taxpayer information from potential harm," he said, adding, "When users are granted excessive access privileges, the risk increases for malicious actions and the unauthorized disclosure of taxpayer data."
TIGTA made 12 recommendations to the IRS to improve its management of employee access to the ACS and to protect the sensitive data it contains from potential harm. The IRS agreed with 10 of the recommendations and stated that it is already taking corrective actions.
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020028fr.pdf.