Report: IRS security protocols risk taxpayer data

The Internal Revenue Service (IRS) has failed to implement new management protocols to sufficiently protect the security of American taxpayers' personal data, according to a new report from the government’s tax watchdog.

The report, conducted in September but publicly released for the first time Thursday, examined previous IRS actions to bolster the agency’s ability to ensure secure taxpayer data.

But the annual internal audit of IRS security protocols conducted by the Treasury Inspector General for Tax Administration (TIGTA) said that the actions taken by the agency were insufficient and could leave personal data open to a possible security breach.

“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access,” said the report.

The IRS instituted a number of "planned corrective actions" (PCAs) in response to previous TIGTA reports about security shortcomings in the agency, but the new TIGTA report said that those PCAs, considered “closed” or completed by the IRS, were inadequate.

“During our audit, TIGTA determined that eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented.”

Among its recommendations, TIGTA said the IRS should “strengthen its management controls to adhere to internal control requirements,” “provide refresher training to employees involved” in the internal auditing process and indicate where past actions to fix security shortcomings have been incomplete.

TIGTA said that the IRS “agreed with five of TIGTA’s six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs.” It said that it “partially agreed with the sixth recommendation to upload documentation for previously closed PCAs” pending the completion of an internal IRS assessment.

The new report follows a March 2013 assessment (pdf) from the Government Accountability Office (GAO), the Congressional watchdog for the government’s use of public funds, which previously raised concerns about security protections in place by the IRS.

It too placed fault at the ability of the agency to successfully implement the management reforms of security problems it had already been alerted to or identified.

“An underlying reason for these [security] weaknesses is that IRS has not effectively implemented portions of its information security program,” that report said.

Until IRS appropriately controls users’ access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure,” it went on to say.