The Internal Revenue Service continues to make progress with its information technology systems and policies, according to a new report, but risks to taxpayer data remain.
The
Two of five function areas of the IRS’s Cybersecurity Framework were rated “not effective,” namely its ability to identify its cybersecurity risks, and its ability to detect cybersecurity incidents. In both areas, TIGTA said that the IRS had defined policies, procedures and strategies, but that they were not consistently implemented, leaving taxpayer information at risk.
The IRS was rated “effective” in the other three function areas — the ability to protect against cybersecurity risks, to respond to them, and to recover from them – though its efforts had not been optimized, according to the report.
“The trillions of dollars that flow through the IRS each year make it an attractive target for criminals who want to exploit the tax system in various ways for personal gain,” the report stated. “The proliferation of stolen personally identifiable information poses a significant threat to tax administration by making it difficult for the IRS to distinguish legitimate taxpayers from fraudsters. … The IRS’s ability to continuously monitor and improve its approach to taxpayer authentication is a critical step in defending the agency against evolving cyberthreats and fraud schemes and in protecting trillions of taxpayer dollars.”
To better assess the security and privacy of taxpayer data, TIGTA conducted four audits of different IRS systems. Its review of the agency’s ability to validate transcript requests for its Income Verification Express Service, or IVES, Program, found that the IRS cannot effectively authenticate electronic taxpayer signatures on Form 4506-T, “Request for Transcript of Tax Return,” and that most IVES Program participants were not fulfilling certain required validation requirements.
On the other hand, TIGTA reviews found that most IRS laptops and desktops were wiped clean of all data before disposal, most required security controls were in place for the “Get My Payment” application, and that the agency’s Information Sharing and Analysis Center complied with the appropriate tax information laws and included privacy controls to protect taxpayer data.
Catching up with the times
“The reliance on legacy systems and aged hardware and software, and its use of outdated programming languages, pose significant risks to the IRS’s ability to deliver its mission,” the report warned. “Modernizing the IRS’s computer systems has been a persistent challenge for many years and will likely remain a challenge for the foreseeable future.
It highlighted technology-related obstacles to the service’s ability to respond to the COVID-19 pandemic. The IRS leveraged its telework program to continue operations as the coronavirus spread in 2020, with the number of employees reporting time teleworking rising from approximately 27,500 to 41,000 in the middle two weeks of March, and rising further to as many as 60,700 by the end of September.
However, the IRS was hampered in leveraging telework by its limited ability to issue laptops and other equipment to employees who weren’t already in the telework system, according to the report, which also noted that IRS managers cited helpdesk delays, issues with virtual private networks and SharePoint sites not working.
The IRS is currently in the midst of the first of two three-year phases of a six-year IT modernization roadmap.
In 2021, its budget was approximately $11.9 billion, with roughly $4.5 billion for IT investments; of the latter $1.8 billion was intended to fund the new responsibilities, many of them related to the coronavirus pandemic, that Congress has laid on the service.
