IRS Should Enhance Controls to Protect Tax Information According to GAO

Published: May 16, 2019

Tags: Cybersecurity, IRS, Waste, Fraud, and Abuse

Last week, GAO issued two reports regarding deficiencies in safeguarding tax information.

GAO issued a management report to IRS Commissioner Charles Rettig on May 9th stating that improvements are needed to enhance the IRS’s internal control over financial reporting. On the same day, GAO issued a second report entitled “IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices.”

The purpose of GAO’s management report was to communicate the new and continuing control deficiencies identified during its FY 2018 audit of IRS financial controls. GAO identified specific control deficiencies in the following areas:

  • Nationwide strategy for safeguarding taxpayer receipts and associated information
  • Physical security policies and procedures
  • Review of visitor access logs
  • Transmission of taxpayer receipts
  • Designations of unit security representatives
  • Review of automated tax refund information prior to certification for payment
  • Review of refund schedule numbers for manual refunds
  • Review of suspicious and questionable tax returns in examination

GAO made the following 12 recommendations to address these concerns, stating that the appropriate IRS officials should:

  1. Implement actions to address the two primary causes of the control deficiency over unpaid assessments.
  2. Document and implement a formal comprehensive strategy for nationwide coordination, consistency, and accountability for control over physical security.
  3. Determine the reasons staff did not consistently comply with requirements for maintaining an emergency contact list at all of its facilities and establish a process to enforce compliance with the requirement.
  4. Establish and implement policies and procedures requiring corrective actions to be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests.
  5. Establish and implement policies or procedures to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured.
  6. Update and implement policies or procedures to clarify who is responsible for conducting the annual review of the visitor access logs, the date the review is to be conducted, and how the review should be documented.
  7. Identify the reason IRS’s policies and procedures related to the transmittal forms were not always followed, and design and implement actions to provide reasonable assurance that units comply with these policies and procedures.
  8. Implement policies or procedures to clearly define the roles and responsibilities of second-level managers and security account administrators for validating the information on designation forms.
  9. Update and implement procedures to clearly specify the tax refund data elements that Processing Validation Section Certifying Officers are required to verify before certifying the tax refunds in Secure Payment System.
  10. Establish and implement a review process to provide reasonable assurance that the refund schedule numbers (RSNs) that data conversion key entry operators enter into the Integrated Submission and Remittance Processing (ISRP) system, and that post to the master files, are correct.
  11. Implement a validity check in the ISRP system to confirm that RSNs that data conversion key entry operators enter into the system have the required 14 digits.
  12. Update and implement policies or procedures to require that reviewers follow up with tax examiners to verify the errors they made in working on cases related to suspicious or questionable tax returns are corrected.

IRS agreed with GAO’s recommendations and suggestions for corrective actions. IRS plans to implement GAO’s suggested improvements for financial reporting internal controls.

In the second report, GAO analyzed the IRS’s efforts to track, monitor, and deter theft of taxpayer information from third parties. The IRS is responsible by law for protecting sensitive taxpayer identity and financial information held in its own systems. It is not responsible for the security of information held by third-party providers, but it attempts to safeguard taxpayer information there through the Authorized e-file Provider program.

GAO found that current IRS efforts do not ensure that taxpayer information is being properly protected while it is held by third parties. One issue is that the IRS does not have enough authority over paid providers: it cannot require or regulate minimum security controls for the systems that paid providers use. Additionally, tax software providers adhere to jointly developed security controls only on a voluntary basis. Currently, 15 tax software providers comply with 140 information security controls developed using NIST guidance, but this covers only about a third of all tax software providers, and the controls are not mandatory. GAO also found that the IRS had not substantially updated these standards in the last nine years.

GAO made eight recommendations, including the following, to improve third-party cybersecurity controls:

  • Congress should consider providing the IRS with explicit authority to establish security requirements for paid preparers’ and Authorized e-file Providers’ systems.
  • The IRS should develop a governance structure to coordinate all aspects of the IRS’s efforts to protect taxpayer information while at third-party providers.
  • The IRS should require all tax software providers to adhere to prescribed information security controls.
  • The IRS should regularly review and update security standards for tax software providers.
  • The IRS should update the IRS’s monitoring programs to include basic cybersecurity issues.
  • The IRS should standardize incident reporting requirements for all types of third-party providers.

The IRS agreed with three of the eight recommendations but stated that it believed it did not have statutory authority to implement another three of the recommendations.