IRS Tax: Inadequate Controls on IRS Contractors Place Taxpayer Data At Risk for Unauthorized Access or Disclosure
The IRS regularly provides taxpayer data to contractors who store and process the data at contractor facilities outside of IRS offices. While sharing this information is necessary for contractors to support the IRS's mission of tax administration, contractors must comply with security control requirements including annual security reviews. The IRS, which is ultimately responsible for identifying and regulating all contractors who have data access, does not always ensure that contractors are complying with IRS security policies and procedures and protecting taxpayer information, according to the report.
In its review, TIGTA also found that security weaknesses identified by the IRS at contractor facilities were not corrected in a timely manner. TIGTA's review of eight contractor site visits by the IRS officials found security weaknesses in all eight facilities, and the IRS was unable to provide monitoring documents for seven of these facilities.
"The IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken to correct security weaknesses," said J. Russell George, the Treasury Inspector General for Tax Administration. "It is imperative that taxpayer data be protected from unauthorized access or disclosure at all times."
TIGTA recommended that the IRS implement a better system to identify contractors receiving and using IRS taxpayer data at contractor facilities and that the IRS improve its system for monitoring and identifying security weaknesses at such facilities, to ensure the weaknesses' timely correction.
In their response to the report, IRS management agreed with TIGTA's recommendations and stated that they plan to take appropriate corrective actions.