The IRS must address critical safeguard weaknesses in order to adequately protect sensitive taxpayer information, the Government Accountability Office (GAO) said in a report, while faulting the tax agency for failing to implement 77 of its recommendations, including two that it deems “high priority.”
The watchdog found that, while IRS employees had a 97 percent completion rate across four training courses for protecting taxpayer information, that rate was less than 75 percent for IRS contractors.
For instance, just 66 percent of the 14,000 or so contractors who were assigned to complete the “Insider Threat Awareness” training course actually finished it.
“As a result, IRS contractors are at increased risk of being unprepared to handle taxpayer information,” the watchdog said in the report.
Part of the problem is that the IRS doesn’t have agency-wide training completion goals for contractors, which was one of the watchdog’s 15 recommendations to the tax agency to better protect taxpayer data.
In fact, since 2010, the watchdog made 451 recommendations to the IRS aimed at safeguarding taxpayer information.
While the IRS has adopted most of GAO’s recommendations, 77 of them have not been implemented, including two that the watchdog considers high priority: updating a system modernization plan to assess risk more fully and developing rules to better protect taxpayer information while at third-party providers.
“Fully implementing these recommendations could significantly improve the IRS’s ability to safeguard taxpayer information,” the watchdog said.
The 15 new recommendations put forward by the watchdog include the IRS establishing training goals for contractors, keeping a comprehensive inventory of systems that store taxpayer data, and monitoring instances of willful unauthorized access (or attempted access) of tax returns or return information by contractors.
The IRS agreed with practically all of the watchdog’s recommendations in a letter to GAO obtained by The Epoch Times, which noted that 83 percent of the recommendations made since 2010 have been implemented.
The tax agency blamed a lack of resources for not meeting more of the recommendations, while insisting it cares about protecting taxpayer data and ensuring its systems are secure enough.
Been Here Before
Two watchdogs—GAO and the Treasury Inspector General for Tax Administration (TIGTA)—have repeatedly reported deficiencies in how the tax agency safeguards taxpayer information.In October 2022, TIGTA said that protecting taxpayer data was a top challenge for the IRS.
In November 2022, GAO found that the IRS had ongoing IT system security control deficiencies in areas like encryption and configuration of security settings that raised the risk of unauthorized access to sensitive taxpayer data.
Recent events have raised similar concerns, GAO said in the report, including when in December 2022, the IRS found it had accidentally disclosed on its website some taxpayer information that was meant to be kept confidential.
In its latest report, GAO found a number of IT-related shortcomings.
One of these gaps is inadequately developed security assessment and authorization documents for the system that tracks tax compliance risks for affluent taxpayers.
Another is insufficient procedures to determine when taxpayer information should no longer be stored in two of the tax agency’s research systems.
The watchdog also found that the IRS doesn’t properly assess the risk of methods it uses to share data with external entities.
Unauthorized Access
Another area flagged by the watchdog is in the area of UNAX, or unauthorized access to tax return information.GAO found that while multiple IRS offices oversee contractors, there is no agency-wide oversight process related to IRS contractor UNAX.
“As a result, IRS has limited insight into contractor UNAX trends and assumes greater risk of missing opportunities to improve the agency’s prevention efforts,” the watchdog said in the report.
The tax agency’s monitoring of UNAX prevention efforts is hampered by the fact that it lacks complete inventory systems that process or store taxpayer information.
While the watchdog acknowledged IRS steps to develop and maintain such an inventory, this work remains incomplete.
The watchdog also faulted the IRS for not monitoring cases of IRS contractor UNAX cases and for not assessing the risks of the IRS’s method for transferring taxpayer information to contractors.
“Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately,” the watchdog said of the IRS’s deficiencies.
Millions of Missing Records
The latest GAO report follows a TIGTA review of how the IRS stores old tax records, which contains the embarrassing finding that the tax agency has lost track of thousands of microfilm cartridges containing millions of sensitive business and individual tax records of Americans.The TIGTA report, issued in early August, faulted the IRS for being sloppy in the way it handles sensitive taxpayer information that could be used by criminals to commit identity theft and tax fraud.
“The IRS is not in compliance with records management requirements,” TIGTA said in the report.
It points to “significant deficiencies” in the way the IRS safeguards, stores, and accounts for microfilm cartridges that are used to backup and store photographic records of sensitive business and individual tax information.
“Deficiencies result in the inability of the IRS to account for thousands of microfilm cartridges containing millions of sensitive business and individual tax account records,” the watchdog report states.
In one shocking example of these “significant deficiencies,” the IRS was unable to account for a whopping 9,500 microfilm cartridges containing business tax account information at a Kansas City facility.
With up to 2,000 photographic images per cartridge, that put the potential number of missing images of sensitive business tax account information at 19 million.
In light of the startling findings, the watchdog recommended that the IRS carry out a detailed inventory of all microfilm cartridges on hand, including microfilm disposed of or missing.
IRS management agreed to do so by Oct. 15, 2023, pledging to also include a full reconciliation matching microfilm logs provided by vendors with physical microfilm cartridges.
Overall, the watchdog made 13 recommendations, including ensuring that microfilm cartridges are properly stored and preserved.
Asked for comment by The Epoch Times on the scathing report, the tax agency pointed to a letter from IRS wage and investment commissioner Kenneth C. Corbin, who blamed long-term underfunding and staff attrition for the problems.