Treasury Inspector General for Tax Administration
October 21, 2014
TIGTA - 2014-32
Contact: David Barnes
WASHINGTON – Management oversight and internal controls at the Internal Revenue Service’s (IRS) Office of Safeguards should be improved to ensure the effective protection of Federal Tax Information (FTI).
That is the finding of an audit report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).
Section 6103 of the Internal Revenue Code authorizes the IRS to disclose FTI to various Federal agencies, State and local entities, and U.S. territories. It also requires recipients of FTI to establish effective safeguards for ensuring that taxpayer information is protected from unauthorized use and disclosure. If required safeguards for FTI are not established and maintained, the FTI is at an increased risk of unauthorized use and disclosure.
This audit was initiated to determine if the Office of Safeguards provides adequate oversight of the agencies that receive FTI. Federal regulations govern the confidentiality of FTI provided to agencies, and agencies must follow those requirements to receive it.
While the Office of Safeguards conducts on-site agency reviews to ensure that adequate safeguards are maintained, the reviews are conducted after FTI is released to agencies. This occurs in part because the IRS’s Internal Revenue Manual does not require the performance of on-site validation of an agency’s ability to protect FTI prior to its release to the agency.
In addition, the Office of Safeguards 1) does not set specific background investigation requirements for employees and contractors at agencies receiving FTI and 2) does not conduct on-site review tests on each agency’s background investigation policies and procedures.
“Our audit found that effective controls have not been established to ensure that the Internal Revenue Service’s annual report on the safeguards of agencies that receive Federal Tax Information is timely submitted to the required U.S. congressional committees,” said J. Russell George, Treasury Inspector General for Tax Administration. “If required safeguards for FTI are not established and maintained, the FTI is at an increased risk of unauthorized use and disclosure.”
TIGTA recommended that the Deputy Commissioner for Operations Support ensure that on-site agency reviews are conducted prior to the release of FTI for any new systems or agencies receiving FTI for the first time unless an independent security assessment or IRS risk-based
assessment is performed that includes the IRS requirements for the security of FTI and the assessment is reviewed and approved/prepared by the Office of Safeguards; establish and ensure that background investigation requirements for all agency employees and contractors with access to FTI are consistent with the IRS’s background investigation requirements; ensure that background investigation validation tests are conducted during on-site agency reviews; improve congressional reporting timeliness; and improve on-site information technology security testing processes.
In their response to the report, IRS management partially agreed with the first recommendation and agreed with the other seven. The IRS plans to conduct an initial risk-based assessment before authorizing the release of FTI to an agency for the first time and develop a comprehensive policy to detail requirements; develop specific background investigation requirements for external agency employees and the agency’s contractors authorized to access FTI; conduct background investigation validation tests; and timely submit reports to Congress. The IRS also deployed a new management information system to provide enhanced tracking capabilities for the list of active agencies, reports, and related documents.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.
A special plugin is required to view PDF documents. To obtain the free PDF reader, please visit the Adobe web site.