GAO report details lax security at taxpayer centers

Congressional auditors have uncovered a series of security breaches at the Internal Revenue Service that may jeopardize taxpayer funds, the privacy of IRS records, and the physical safety of employees at the tax service.

In a report to Congress, auditors from the U.S. Government Accountability Office revealed a series of troubling practices, including the failure of managers at many Taxpayer Assistance Centers to adequately guard against internal theft by larcenous IRS employees.

The TACs are designed to serve taxpayers who choose to seek help from the IRS in person. These offices are responsible for accepting payments from the public — often in the form of cash — and for forwarding this money to the appropriate IRS service center for processing.

During the GAO’s most recent financial audit of the agency, however, investigators found that managers at nearly half of the centers audited failed to properly restrict the computer access rights of those employees who had the authority to accept cash payments from taxpayers — a clear security breach, according to the GAO.

The IRS’s own rules require that employees who receive cash payments from taxpayers be denied computer access to taxpayer account information, in order to prevent them from improperly adjusting account balances or changing the status of the taxpayer’s liability.

“No one individual should be in a position to both cause and conceal an error or irregularity,” the GAO warned.

DATA IN DANGER

The government auditors also raised concerns that the security of confidential taxpayer information may be at risk due to the IRS’s failure to maintain physical security controls at several TACs and field offices.

A number of facilities investigated by the GAO failed to adequately prevent unauthorized individuals from accessing areas that contained taxpayer receipts and sensitive information, the GAO said. The auditors’ concerns centered on the practice of granting cleaning service contractors unescorted access during non-operating hours.

Compounding that problem was the finding that TACs failed to conduct background investigations on custodial workers who had access to taxpayer funds and records.

Despite a recent presidential Homeland Security directive requiring background checks for the employees of all contractors who have access to federally controlled facilities, the GAO found that this had not been done at six of the 10 TACs that its auditors visited.

In fact, the auditors told Congress that at one of the TACs they’d inspected, they witnessed a janitor disarm and then reset the security system.

The security of confidential tax records was also found to be a problem at off-site locations where private contractors were hired to shred sensitive IRS documents. Again, the investigative arm of Congress concluded that the IRS neglected to conduct the required background investigations on these contractors, and that the tax service “did not perform periodic unannounced inspections ... to ensure that sensitive IRS information was being properly safeguarded.”

Congressional investigators also cited problems in the IRS’s controversial practice of hiring juveniles to process payments from taxpayers — an issue that had elicited criticism of the tax service in the past.

To address those problems, the IRS implemented new rules requiring juveniles seeking employment at the agency to provide written character references, and directed IRS managers to make direct contact with those individuals who were cited as references. These rules have been widely and routinely ignored by the tax service, the GAO learned.

Specifically, the auditors found that 83 percent of all juveniles that the IRS hired from October 2006 through April 2007 were employed in violation of the new character-reference rules, and that in 99 percent of the cases, IRS officials neglected to verify the references.

“The IRS attributed these issues to its employment office staff’s lack of awareness of recent revisions to its juvenile hiring policies,” the GAO said, with more than a hint of sarcasm.

DISASTERS IN THE MAKING

Perhaps the most troubling of the security breaches discovered involved the IRS’s failure to adequately protect employees and visiting taxpayers from crime, fire or other disasters at TACs.

During its most recent audit of the tax service, the GAO learned that the individuals designated by the IRS as “the first person contacted” in the event of a duress alarm emergency were not always appropriately qualified, or even geographically located, to provide a timely and effective response.

In one large metropolitan area, the service had designated a physical security analyst to be contacted as the first responder by the central monitoring station for five TACs visited by GAO investigators. However, “IRS officials informed us that physical security analysts are not qualified to act as first responders to duress alarm incidents because such alarms may indicate an event that the analyst is not trained to deal with, such as a crime in progress,” the GAO said. “In addition, we found that at any given time, this specific physical security analyst could be as far as 100 miles away.”

As a result of these defects, the GAO warned that there’s an increased risk that the IRS would not appropriately respond in an emergency situation to protect its employees and facilities, and to safeguard taxpayer receipts and information.
