The Internal Revenue Service hasn’t kept up with auditors’ recommendations to protect taxpayer information that is vulnerable to hackers, according to a government watchdog report, which has raised new concerns about the additional information the agency will store under the Affordable Care Act.
The Treasury Inspector General for Tax Administration says at least 8 of 19 recommended fixes from previous audits have not been fully implemented — despite the IRS reporting they were complete. As a result, the report says the IRS failed to do things like properly lock user accounts, update software, or scan servers containing taxpayer information for “major vulnerabilities,” which makes it easier for “malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes.”
The IRS “is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations,” says the report, issued September 27.
For all eight of the missed planned corrective actions, or “PCAs,” the inspector general’s investigation found the IRS Office of Internal Control didn’t audit them to ensure their implementation. Four also lacked the proper executive approval to close them, and three had no documentation at all to support their closure.
Investigators then examined a broader sample of 69 PCAs, and found only 24 had documentation to fully support their closure.
“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access,” Inspector General J. Russell George says in the report.
This is just the latest IRS audit to reveal a lack of oversight at the agency, raising concerns it may not be equipped to take on new responsibilities under the Affordable Care Act, which include storing taxpayers’ sensitive health-care information.
Even before the report’s release, former IRS Commissioner Mark W. Everson expressed concerns about the new law’s demands on the agency, telling a congressional committee back in August, “This is really quite a heavy lift… And there is a risk here that there can be disgorged information, and it would be very damaging to the Service and the confidence of taxpayers in the IRS if that were to happen.”
As to the Inspector General’s recommendations on ensuring current, future and former PCAs are fully implemented, the report says the IRS agreed with most of them but “may not necessarily address previously closed corrective actions,” and that implementation of some of the recommendations “appears to be contingent upon identifying adequate resources.”
In a statement, the IRS said it has made great strides in improving its IT systems and its oversight to help support the nation’s tax system.
“We have made progress on oversight and enhanced security controls. With state-of-the-art technology as our foundation, our progress is guided by best practices and a high performance organization. We have modernized our technology in order to improve the filing experience for all taxpayers.”