TIGTA CRITIQUES PROTECTION OF DATA

TIGTA critiques protection of data. The IRS continues to have challenges protecting taxpayer data, and especially ensuring that its various applications provide complete and accurate audit trails, according to the Treasury Inspector General for Tax Administration (TIGTA). TIGTA issued a report that highlights IRS shortcomings and challenges, titled Most Internal Revenue Service Applications do Not Have Sufficient Audit Trails to Detect Unauthorized Access to Sensitive Information, (TIGTA Rep. No. 2020-20-033). The new report is an update of a 2015 TIGTA audit that found similar issues with the IRS’s protection of taxpayer data. Audit trails have been a challenge for the IRS since at least 1997, and while the service has made some progress in implementing solutions to address audit trail problems. TIGTA says the solutions are not effective. TIGTA critiques protection of data.

In the report, TIGTA found the IRS could not provide an accurate inventory of all applications that store or process taxpayer data and personally identifiable information, which refers to taxpayer, financial, or employee information that identifies a taxpayer or entity. This inventory is critical for all as a baseline in applications that need to be monitored for potential unauthorized access by employees and cybercriminals. These applications are required to provide audit trail records to a repository used for investigations. During the audit, TIGTA determined that the IRS had 67 applications that should have been monitored for unauthorized access, but only 6 applications were providing accurate and complete audit trails. 30 (45%) were providing incomplete and inaccurate audit trails, and 31 (46%) were not providing any audit trails. TIGTA also found that not all applications with audit trail deficiencies were being tracked and monitored as required, allowing unresolved deficiencies to persist. TIGTA also concluded that inconsistencies between internal policy and the Audit Trail Deficiency Memorandum may contribute to the untimely documentation of planned corrective actions for information technology security weaknesses identified by internal or external evaluations. TIGTA made five recommendations for improvement, four of which the IRS agreed with and one of which it partially agreed with.