IRS Needs to Take Action Against Cyber Threats to Better Protect Taxpayer Data

WASHINGTON – The Treasury Department agency tasked with overseeing the Internal Revenue Service has issued a report saying that the nation's taxing authority needs to do a better job of tracking its efforts to eliminate identified flaws in the security of systems involving taxpayer data.

The Treasury Inspector General for Tax Administration (TIGTA) reviewed whether closed corrective actions to security weaknesses and findings reported by TIGTA have been fully implemented, validated, and documented as implemented.

TIGTA identified weakened management controls over the IRS’s closed planned corrective actions (PCA) for the security of systems involving taxpayer data. Eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data.

In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to a Treasury Department database and were not readily available.

“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders may exploit security weaknesses to gain unauthorized access,” said J. Russell George, Treasury Inspector General for Tax Administration.

TIGTA made six recommendations, including advising the IRS to: strengthen its management controls to adhere to internal control requirements, provide refresher training to employees involved in uploading data to the Treasury database, audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were partially implemented.

IRS management agreed with five of TIGTA’s six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS’s management controls over the PCAs. IRS management partially agreed with the sixth recommendation to upload documentation for previously closed PCAs, pending the completion of a cost-benefit analysis and risk-based approach. TIGTA believes the IRS should complete the sixth recommendation as stated, to ensure the implementation of all PCAs over security weaknesses.