The Internal Revenue Service needs to improve its efforts in investigating whether its own employees are inappropriately accessing taxpayer data, according to a new government report.

J. Russell George

The report, which was publicly released Tuesday by the Treasury Inspector General for Tax Administration, found that the IRS should improve its processes for ensuring that its audit trails effectively support investigations of unauthorized access of taxpayer data to allow IRS management to identify noncompliant activity and hold employees accountable. TIGTA's report did acknowlegde that the IRS is working to correct the weaknesses in its ability to determine whether its employees are inappropriately accessing taxpayer data, but added that the IRS can and should do more.

An audit trail showing who has accessed a computer system and what operations he or she has performed during a given period of time is a key component of information technology security, TIGTA noted. Audit trails are useful for maintaining security and recovering lost transactions. Most accounting systems and database management systems include an audit trail component that documents events occurring on a computer from system and application processes, as well as from user activity. At the IRS, the trails are used to determine whether inappropriate activity, such as unauthorized access to taxpayer data, is occurring.

Due to the sensitive nature of tax return information, Section 6103 of the Tax Code and the Taxpayer Browsing Protection Act of 1997 require the IRS to detect and monitor unauthorized access to and disclosure of taxpayer records. The willful unauthorized access or inspection of taxpayer records is a crime punishable upon conviction by fines, prison terms and termination of employment.

TIGTA reviewed the IRS’s efforts to implement effective audit trails showing unauthorized access for the information systems that store and process taxpayer data.

In its report, TIGTA acknowledged that the IRS has created a central system to store data trails and is educating employees on the type of information it needs to investigate potential instances of unauthorized access. However, the IRS needs to improve its processes for ensuring that audit trails effectively support so-called “UNAX” investigations and allow IRS management to identify noncompliant activity and hold employees accountable, according to the report. In addition, TIGTA inspectors found that the IRS’s audit trail documentation does not require the collection of enough information.

“Unauthorized access to taxpayer records by IRS employees is a very serious offense, and the IRS must do everything in its power to make sure that it collects sufficient information to detect, monitor, and properly investigate all such activity,” said TIGTA Inspector General J. Russell George in a statement.

TIGTA recommended a series of improvements to IRS processes in the report. IRS officials agreed to improve processes to test audit trail data but disagreed with TIGTA recommendations to collect additional information.

The IRS did not agree that validation should be completed before final approval had been granted of audit plans by the IRS’s Employee Security Audit Trail (ESAT) office. The IRS also did not agree that audit plan templates should be updated to identify the location of information on audit log testing and stakeholder comments, nor that the guidance on timestamps needs revision, although the IRS did say it would review the timestamp procedures.

TIGTA said it continues to recommend that the IRS formalize a location where test and ESAT validation results can be found, set shorter time frames to implement the proposed changes, postpone closing audit trail specific weaknesses, and revise its timestamp procedures.