A recent report released by the Treasury Inspector General for Tax Administration (TIGTA) reveals that the IRS is incompetent in following even its own procedures. Occasionally, the IRS makes what is known as a Risk-Based Decision (RBD), meaning the agency violates its own policies in an attempt to complete a task deemed unfeasible under existing policy. Though the IRS has set very strict guidelines for itself when making RBDs, the agency often ignores those guidelines and operates in a haphazard way, exposing itself to data breaches and leading to wasted taxpayer dollars:
“IRS systems and data are at risk of breach by insider threats and could potentially result in wasted resources through fraud or collusion with contractors and software vendors.”
When assessing an RBD, the IRS requires itself to electronically record the reasoning and the decision itself. However, when assessing this guideline, TIGTA determined that “the RBDs are neither supported nor adequately tracked in the spreadsheet cybersecurity function officials refer to as their library.” The risks that are identified in the spreadsheet aren’t supported with accurate documentation or cost estimates. The supposed “library” isn’t even a complete list of RBDs in the agency.
RBD mismanagement can have an effect on all levels of the agency. The report says, “Because the RBDs are not consistently documented, reviewed, or maintained centrally, IRS management lacks the ability to adequately manage information technology RBDs, which ultimately affects the IRS’s ability to manage enterprise risk.”
The effects of negligence could have dangerous effects:
“Consequently, taxpayer data may not be secured and may be vulnerable to unauthorized disclosure, which can lead to identity theft.”
Several recommendations, such as further documentation and training for officials, have been given to the IRS. Hopefully for taxpayers, the agency will take TIGTA’s criticisms to heart and stop using our tax dollars in such careless ways.