TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Audit

Highlights

ACTIONS ARE NEEDED TO IMPROVE THE SAFEGUARDING OF TAXPAYER INFORMATION AT VOLUNTEER PROGRAM SITES

Final Report issued on November 13, 2019

Highlights of Reference Number:  2020-40-004 to the Commissioner of Internal Revenue.

IMPACT ON TAXPAYERS

The Volunteer Program plays an important role in helping the IRS improve taxpayer service and increase participation in the tax system.  The program provides no-cost Federal tax return preparation and electronic filing to underserved segments of individual taxpayers, including low‑income to moderate-income, elderly, disabled, and limited-English-proficient taxpayers.  Because taxpayers who use return preparation services at volunteer sites disclose their Personally Identifiable Information and this information is coveted by identity thieves, the sites must safeguard taxpayer information.

WHY TIGTA DID THE AUDIT

Security over taxpayer data and protection of resources is a top IRS management challenge.  The audit was initiated to assess the adequacy of and adherence to the IRS’s volunteer site requirements to safeguard and protect sensitive taxpayer information.

WHAT TIGTA FOUND

The Stakeholder Partnerships, Education, and Communication function worked with its partners to heighten awareness of data security at volunteer sites.  However, improvements are needed in some areas to strengthen the data security processes.  For example, the IRS’s partners participating in the Volunteer Program do not develop a written Information Security Plan for each site.

TIGTA’s unannounced visits to 20 volunteer sites identified multiple security weaknesses at each site, such as 1) *********************************************2************************************************, 2) site coordinators are unaware of security requirements, 3) sites using wireless connections to transmit taxpayer data did not complete a required risk assessment, and 4) *****************2********************* ********2*******.

Finally, TIGTA found that procedures should be improved to reduce the risk of potential identity theft.  *2* *********************************************************2************************************************************* *********************************************************2************************************************************* *********************************************************2************************************************************* *********************************************************2************************************************************* *******2********.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS 1) issue guidance to its partners requiring them to develop an information security plan for each site; 2) require site coordinators to use the security feature included in the tax preparation software to restrict volunteers’ access to prepared returns; 3) develop procedures to confirm that site coordinators are aware of security requirements; 4) ensure that site reviews include an assessment of compliance with security controls; 5) update procedures for partners to validate volunteers’ identity using only Government-issued identification prior to participating in the Volunteer Program; 6) reinforce training for Stakeholder Partnerships, Education, and Communication function reviewers and site coordinators on how to report volunteers who are caught violating the standards of conduct; 7) develop procedures to evaluate security incidents at Volunteer Program sites to identify affected taxpayers whose information is at risk; and 8) emphasize to all volunteer sites and partners their responsibilities to evaluate and report to the IRS all partner‑owned and IRS-loaned lost or stolen computers.

IRS management agreed with the recommendations and plans to take corrective actions.

Redaction Legend:

2 = Law Enforcement Techniques/ Procedures and Guidelines for Law Enforcement Investigations or Prosecutions.

 

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

https://www.treasury.gov/tigta/auditreports/2020reports/202040004fr.pdf.

 

Phone Number   /  202-622-6500

E-mail Address  /  TIGTACommunications@tigta.treas.gov

Website             /  https://www.treasury.gov/tigta