The Internal Revenue Service needs to take additional steps to improve security at some of its facilities, according to a new report that found an increase in threats to IRS employees in recent years.

Due to the nature of the IRS’s mission, the organization remains a target for those who are angry at the tax system or the government, the report noted. Threats of violence directed at the IRS’s 100,000 employees at more than 600 facilities throughout the country have increased during a time of continued financial hardship. In the one-year period between October 2010 and September 2011, there were more than 1,400 reported threat incidents directed towards IRS employees and infrastructure.

The report, publicly released Thursday by the Treasury Inspector General for Tax Administration, identified deficiencies in the IRS’s Physical Security Risk Assessment Program and found that most but not all IRS facilities received risk assessments as required. As a result, the IRS may have security vulnerabilities that are not identified and addressed in a timely manner, thereby placing IRS employees and taxpayers at risk.

IRS employees may be exposed to many difficult, threatening, and even extremely dangerous situations because of daily and ongoing interactions with the public, an earlier report released in January noted.  In 2010, an irate taxpayer, Andrew Joseph Stack III, set fire to his own house and then piloted a single-engine Piper Cherokee airplane into an IRS office building in Austin, Texas, killing one longtime IRS employee, Vernon Hunter, and injuring 13 others (see Plane Crashes into IRS Building).

The IRS is required to conduct comprehensive and timely risk assessments to identify and address vulnerabilities in physical security. The overall objective of TIGTA’s latest review was to determine whether physical security risk assessments were conducted as required at all IRS facilities.

In the new report, TIGTA found that while the IRS completed risk assessments at nearly all of its facilities, it did not review 14 facilities. Five of those facilities remained open as of calendar year 2013 and the other nine facilities were closed prior to calendar year 2013. 

In addition, the IRS did not conduct risk assessments at 49 other facilities that were not specifically occupied by IRS employees but were located in or adjacent to IRS facilities. These 49 facilities, which included childcare centers, parking lots and garages, storage units, and a credit union, are not specifically occupied by IRS employees. The IRS said that security at those buildings were the responsibility of the Federal Protective Service but did not provide evidence that that the facilities received a risk assessment.

Completed risk assessments prepared by the IRS identified numerous needs for additional security countermeasures, such as posting signs advising of video surveillance or relocating walls to allow security guards to see visitors entering the facility. However, TIGTA found that some countermeasures were not acted upon. The IRS cited resource constraints as a reason that countermeasures were not implemented.

TIGTA made seven recommendations to the IRS’s director of physical security and emergency preparedness. IRS management agreed with the recommendations and plans to implement corrective actions to address them. For example, the IRS plans to ensure that inventory records include all relevant information and develop a process to ensure that required countermeasures are in place and functioning at all Taxpayer Assistance Centers.

“Ensuring the security of IRS employees, facilities and taxpayers is of the utmost importance to us,” IRS chief of agency-wide services David A. Grant wrote in response to the report.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access