IRS by Nick Youngson is licensed under CC BY-SA 3.0.

IRS Commissioner Daniel Werfel will testify before the House Ways and Means Committee on Thursday, Feb. 15. One topic he will likely be questioned about is a recent Treasury Inspector General for Tax Administration (TIGTA) report calling out the IRS for continued negligence in safeguarding private, personal taxpayer information.

This report comes after the sentencing of an IRS contractor who stole private data from IRS systems and provided news outlets with “a vast trove of IRS data on the tax returns of thousands of the nation’s wealthiest people, covering more than 15 years.” The IRS thief stole the tax files of over 7,600 people and over 600 entities, and yet was only charged with a single felony count. Even the Biden-appointed judge expressed astonishment at this fact in the courtroom.

The TIGTA report found that the long-running culture of neglect continues at the IRS.

Key findings:

The IRS fails to maintain proper procedures to track theft of sensitive data.

The report said:

“For some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users. TIGTA has repeatedly reported a key deficiency in the IRS’s detection and deterrence processes is not ensuring that all sensitive systems are providing complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes.”

IRS ignored TIGTA requests for information.

The report said:

“Our repeated contacts with management officials requesting interim results of their identification of sensitive systems went unaddressed. As such, we had to identify an alternate source of information we could use for our evaluation.”

IRS did not even know how many sensitive systems exist within the agency.

The report states:

“To perform this evaluation, we requested information from the IRS that identifies all sensitive systems. However, our ability to obtain a complete and reliable inventory of its sensitive systems was an ongoing challenge throughout this evaluation. Our inability to readily obtain this information resulted in continued delays in our ability to complete this evaluation and report to the Chairman of the U.S. House Ways and Means Committee.”

In fact, the IRS failed to consistently label its sensitive systems, meaning that TIGTA was unable to match 88 of the 364 identified sensitive systems.

TIGTA noted the large quantity of users with access to sensitive systems.

The report said:

“As of July 13, 2023, our analysis of BEARS data identified 153,120 users who currently have or had access to an IRS information technology system, of which 13,321 are contractors. Further, of these 153,120 users, 91,661 have or had access to one or more of the 276 sensitive systems included in our evaluation.”

The sensitive systems are still being accessed by terminated employees of IRS contractors.

The report said:

“Our assessment of the 91,661 users identified that actions were not always taken to timely remove users once they separated from the IRS. For example, we identified 279 users who were listed in BEARS (Business Entitlements Access Request Systems) as separated, as of July 13, 2023, continued to have access to at least one IRS sensitive system.”

Several IRS contractors who had failed the background checks still retained access to sensitive systems.

The report said:

“Of the 5,068 users listed in BEARS as a contractor, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023. These contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems as required.”

The TIGTA report states that all IRS contractors must have a favorable determination on their background checks before being approved for access to IRS systems, a requirement the IRS has obviously neglected.

The report said:

“The fact remains that the IRS should have suspended or disabled these contractors’ access until a favorable determination was on file. (…) We are concerned that these individuals who were not considered suitable for IRS employment were retained as contractors and were given access to sensitive systems.”