Security weaknesses at IRS facilities go unaddressed

The Internal Revenue Service needs to beef up security at its facilities to address ongoing threats, according to a recent report.

The report, released Monday by the Treasury Inspector General for Tax Administration, pointed out the IRS is often the target of threats from individuals and organizations looking to do it harm. The IRS already develops and implements physical security policies, procedures and processes to deal with both current and emerging threats to its people and facilities, but the report recommends making some improvements at its 532 locations across the country. 

The IRS has come under renewed threats after the passage last month of the Inflation Reduction Act, which includes $80 billion in extra funding over 10 years for the agency, with some of the funds going toward increased enforcement and auditing, mainly of high-income taxpayers and corporations. Critics have warned of the funds going to hire tens of thousands of armed IRS agents, although much of the money is supposed to be dedicated to hiring additional taxpayer service employees, updating the IRS's antiquated technology and replacing older employees who are retiring.

"It is important for the IRS to track the status of countermeasures at these locations to ensure that known security vulnerabilities are mitigated," said the report. "Without effective management and documentation of the countermeasure tracking and approval process for known security vulnerabilities, IRS employees and facilities may be at increased risk if a necessary countermeasure was not implemented."

The IRS headquarters in Washington
The IRS headquarters in Washington.
Andrew Harrer/Bloomberg

The report noted that the IRS updated its security countermeasure procedures in response to a previous TIGTA report, but the new process didn't ensure that minimum physical security countermeasures were tracked and considered. The IRS's process for documenting the tracking and monitoring of recommended countermeasures was not effective because the IRS does not consistently use a centralized system to track physical security countermeasure recommendations, approvals, implementation actions, and associated costs. As a result, TIGTA couldn't determine the status of all the current recommended physical security countermeasures in a number of the IRS facilities it reviewed. The report also pointed out that security specialists didn't consistently and clearly document why they decided to reject a recommended countermeasure. 

TIGTA recommended that the IRS ensure such recommendations, approvals and denials be tracked and maintained in a central location, IRS officials agreed with the report's recommendations and plans to implement a tool to track and maintain countermeasures in a central location as well as update their policies and procedures and to provide formalized training.

The IRS said it's already begun taking corrective actions to address the findings and recommendations in the report. "We have completed testing and are in the final stages of implementing this tool," said Richard Rodriguez, chief of facilities management and security services at the IRS, in response to the report. "Updates to our policies and procedures are drafted and we are in the process of planning the formalized training for our physical security specialists. We expect to begin the new process the first quarter of fiscal year 2023."

For reprint and licensing requests for this article, click here.
Tax IRS TIGTA Security risk
MORE FROM ACCOUNTING TODAY