IRS Needs to Better Protect Tax Information Shared with Other Government Agencies

The Internal Revenue Service’s Office of Safeguards is not doing enough to protect the federal tax information that it is required to disclose to other government agencies, according to a new report.

The report, from the Treasury Inspector General for Tax Administration, found that the Office of Safeguards should improve its management oversight and internal controls over federal tax information.

Section 6103 of the Tax Code authorizes the IRS to disclose federal tax information to various federal agencies, as well as state and local entities, and U.S. territories, the report noted. It also requires recipients of federal tax information, or FTI, to establish effective safeguards for ensuring that taxpayer information is protected from unauthorized use and disclosure. If the required safeguards for FTI are not established and maintained, tax information is at an increased risk of unauthorized use and disclosure, TIGTA pointed out.

Federal regulations govern the confidentiality of FTI provided to agencies, and agencies must follow those requirements to receive it, the report noted.

In recent years, the IRS has seen an increasing need to share federal tax information with other government authorities. The Affordable Care Act, for example, requires it to share information with the Department of Health and Human Services and state and federal health insurance exchanges, which provide tax subsidies to help individuals and businesses buy health insurance.

While the Office of Safeguards conducts on-site agency reviews to ensure that adequate safeguards are maintained, the reviews are conducted after the tax information is released to agencies. This occurs in part because the IRS’s Internal Revenue Manual does not require on-site validation of an agency’s ability to protect the information prior to its release to the agency.

In addition, TIGTA noted, the Office of Safeguards does not set specific background investigation requirements for employees and contractors at agencies that receive federal tax information. The office also does not conduct on-site review tests on each agency’s background investigation policies and procedures.

“Our audit found that effective controls have not been established to ensure that the Internal Revenue Service’s annual report on the safeguards of agencies that receive federal tax information is timely submitted to the required U.S. congressional committees,” said TIGTA Inspector General J. Russell George in a statement. “If required safeguards for FTI are not established and maintained, the FTI is at an increased risk of unauthorized use and disclosure.”

TIGTA recommended that the IRS’s deputy commissioner for operations support ensure that on-site agency reviews are conducted prior to the release of federal tax information for any new systems or agencies receiving FTI for the first time, unless an independent security assessment or IRS risk-based assessment is performed that includes the IRS requirements for the security of FTI and the assessment is reviewed and approved or prepared by the Office of Safeguards. The IRS should also establish and ensure that background investigation requirements for all agency employees and contractors with access to FTI are consistent with the IRS’s background investigation requirements, the report suggested.

In addition, the IRS should ensure that background investigation validation tests are conducted during on-site agency reviews, the report recommended. The agency should also improve congressional reporting timeliness, as well as improve its on-site information technology security testing processes.

In response to the report, IRS management partially agreed with the first recommendation and agreed with the other seven. The IRS plans to conduct an initial risk-based assessment before authorizing the release of FTI to an agency for the first time and develop a comprehensive policy to detail requirements. It will also develop specific background investigation requirements for external agency employees and the agency’s contractors authorized to access FTI; conduct background investigation validation tests; and submit reports to Congress on a timely basis. The IRS has also deployed a new management information system to provide enhanced tracking capabilities for the list of active agencies, reports and related documents.

“The Office of Safeguards has undergone significant change over the past two years,” wrote Peggy Sherry, deputy commissioner for operations support at the IRS, in response to the report. “The IRS increased the Safeguards staffing to accommodate the recent legislative changes that allowed for data sharing with many new agencies, including State Departments of Correction and Health Insurance Exchanges. This effort required extensive coordination, training and support to ensure the appropriate staff was available to manage the significant increase in workload.”

In a statement emailed to Accounting Today, the IRS added, "The IRS takes data security very seriously, and the agency has a long, successful track record of sharing and protecting federal tax information with authorized agencies. The IRS’s Office of Safeguards’ top priority is to protect taxpayer data and, to that end, it has developed protocols over the years that have established a strong defense of the data entrusted to the IRS.

"The IRS agreed with most of TIGTA’s recommendations," the IRS statement continued. "However, it is important to note that the IRS has deployed a new, comprehensive inventory management system while TIGTA’s audit was in process that addresses many of the concerns outlined in this report. This new system, which established an additional layer of protection, was not evaluated by TIGTA in the report."
