IRS Tax: TIGTA Audits Unauthorized IRS Employee Access to Taxpayer Accounts
The Treasury Inspector General for Tax Administration (TIGTA) today publicly released its review of the Internal Revenue Service's (IRS) procedures for ensuring that questionable access by employees to taxpayer information stored in the IRS's Integrated Data Retrieval System (IDRS) are reviewed by IRS management.
The IDRS is used by approximately 50,000 IRS employees to process taxpayer data. IDRS managers must review, certify and respond to security reports about questionable access to taxpayer accounts. While national averages of report certification rates have improved, the IRS did not ensure that all managers in IDRS business divisions reviewed and certified the security reports they received.
The IRS requires IDRS managers to maintain at least a 90 percent certification rate. Approximately 33 percent (816) of all IDRS managers did not meet this requirement.
"Until the process for certifying IDRS security reports is improved, the IRS cannot ensure that taxpayer accounts are fully protected from unauthorized access by IRS employees," commented J. Russell George, the Treasury Inspector General for Tax Administration.
TIGTA recommended that the IRS:
1. Implement compliance review procedures for IDRS security officers that are designed to monitor and enforce compliance with security report responsibilities;
2. Clarify what level of IRS organizational management should provide a response identifying corrective actions that are required for certification rates lower than 90 percent;
3. Ensure that each business division identifies the executive responsible for monitoring and enforcing compliance with IDRS security policy; and
4. Biannually provide a list of IDRS managers who have not met their IDRS security report responsibilities to the executive responsible for monitoring and enforcing compliance with IDRS security policy.
IRS officials agreed with TIGTA's recommendations and plan to take actions, and the Deputy Commissioners plan to issue a joint memorandum reiterating IDRS security program policy requirements.