Treasury Inspector General for Tax Administration
Office of Audit
THE PHYSICAL SECURITY RISK ASSESSMENT PROGRAM NEEDS IMPROVEMENT
Issued on September 16, 2013
Highlights of Report Number: 2013-10-101 to the Internal Revenue Service Chief, Agency-Wide Shared Services.
IMPACT ON TAXPAYERS
The IRS’s Physical Security and Emergency Preparedness office is responsible for conducting risk assessments to ensure that IRS facilities are secure and employees and taxpayers are safe. TIGTA’s review identified deficiencies in the Physical Security Risk Assessment Program and found that all facilities did not receive risk assessments as required. As a result, the IRS may have security vulnerabilities that are not identified and addressed in a timely manner, thereby placing IRS employees and taxpayers at risk.
WHY TIGTA DID THE AUDIT
This audit was initiated because of the numerous threats made against IRS facilities and employees. To proactively mitigate these threats, the IRS is required to conduct comprehensive and timely risk assessments to identify and address vulnerabilities in physical security. The overall objective of this review was to determine whether physical security risk assessments were conducted as required at all IRS facilities.
WHAT TIGTA FOUND
The IRS completed 630 risk assessments at IRS facilities and met its requirement to provide a report summarizing the findings to the IRS Commissioner in January 2011. However, the IRS did not complete risk assessments at 14 facilities. Additionally, the IRS could not provide evidence that risk assessments were performed for 49 facilities that are the responsibility of the Federal Protective Service. These 49 facilities included childcare centers, parking lots and garages, and storage units that, although not occupied by IRS employees, are within or adjacent to facilities housing IRS employees.
Completed risk assessments prepared by the IRS identified numerous additional security countermeasure needs at IRS facilities. However, TIGTA found that some countermeasures were not acted upon. The IRS cited resource constraints as a reason that countermeasures were not implemented. For example, the IRS did not implement blast mitigation countermeasures at approximately 191 facilities and has not added additional guards or other countermeasures at certain Taxpayer Assistance Centers. During site visits to IRS facilities, TIGTA also found that risk assessments did not identify additional vulnerabilities. For example, a childcare center allows direct access to one IRS facility without the required screening. At another facility, a local IRS manager chose not to implement countermeasure improvements paid for and provided to the facility.
WHAT TIGTA RECOMMENDED
TIGTA made seven recommendations to the Director, Physical Security and Emergency Preparedness, to address identified weaknesses. For example, TIGTA recommended that the IRS include the development of a process to ensure that inventory records contain all relevant information including the dates when risk assessments should be performed. TIGTA also recommended that the IRS implement appropriate security protocols at the facility with the childcare center to screen all visitors entering the grounds and the building according to requirements.
In their response, IRS management agreed with the recommendations and plans to implement corrective actions to address them. For example, the IRS plans to ensure that inventory records include all relevant information and develop a process to ensure that required countermeasures are in place and functioning at all Taxpayer Assistance Centers.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500