GAO report looks at security risks at IRS

A report U.S. Government Accountability Office (GAO) examines security risks to the safety of confidential taxpayer information at the Internal Revenue Service (IRS).

© Shutterstock

The GAO report identifies dozens of security weaknesses at the agency and makes recommendations aimed at safeguarding and protecting taxpayer information. It also made several recommendations to improve security.

The report was requested by Sen. Mike Crapo (R-ID), the Senate Finance Committee ranking member, and Rep. Jason Smith (R-MO), chair of the House Ways and Means Committee.

“Instead of devoting time and resources to developing new federal programs that would collect and expose even more sensitive information from taxpayers, the IRS should instead focus on addressing the security weaknesses identified by the GAO and Treasury Inspector General for Tax Administration (TIGTA) and improving its woeful customer service,” Crapo said.

Among the GAO report’s findings, it said that the IRS has failed to implement 77 GAO recommendations targeted at safeguarding taxpayer information. It added that the IRS still lacks controls and logging and monitoring capabilities on all its systems containing confidential taxpayer data. The right controls would allow it to identify persons who have accessed such data without authorization.

It noted that the many key controls will not be in place until July 2024 at the earliest.

Further, since 2009, the IRS has been operating a system used by one of its enforcement units focused on affluent taxpayers without having developed an authorization to operate or system security plan for it. This has created a risk of unauthorized access or disclosure to taxpayer information for those taxpayers whose information is collected by this system.

Additionally, it said that two IRS research and analysis systems with access to taxpayer data retain taxpayer information far longer than authorized by IRS Records Control Schedules.

“As this report illustrates, the IRS has repeatedly squandered the public’s trust by failing to protect taxpayer privacy and in some cases willfully ignoring recommendations that would have increased taxpayer information security. President Biden’s solution is to reward the IRS with an $80 billion pay raise to increase audits on working families, while doing very little to shore up the vulnerabilities that put taxpayers at risk,” Smith said.

Ultimately, the GAO made 15 new recommendations to the IRS, including to: establish agency-wide training completion goals for contractors; maintain comprehensive inventory of systems that store taxpayer information; and risk-assess its methods of data transferals to contractors.