IRS Should Boost Efforts to Investigate Unauthorized Access to Taxpayer Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

The Internal Revenue Service is working to correct weaknesses in its ability to determine whether employees are inappropriately accessing taxpayer data, but it can and should do more, according to a Treasury Inspector General for Tax Administration report released Nov. 6.

An audit trail--a record showing who has accessed a computer system and what operations a person has performed during a given period of time--is a key component of information technology security, TIGTA said in the report dated Sept. 20.

The federal watchdog found that IRS has created a central system to store data trails and is educating employees on the type of information it needs to investigate potential unauthorized access.

Holding Employees Accountable.

However, IRS needs to improve its processes for ensuring that audit trails effectively support investigations of unauthorized access and allow management to identify noncompliant activity and hold employees accountable.

Additionally, TIGTA said IRS audit trail documentation does not require the collection of sufficient information.

“Unauthorized access to taxpayer records by IRS employees is a very serious offense, and the IRS must do everything in its power to make sure that it collects sufficient information to detect, monitor, and properly investigate all such activity,” J. Russell George, Treasury Inspector General for Tax Administration, said in a statement accompanying the report.

Testing Audit Trail.

TIGTA recommended a series of improvements to IRS processes. IRS officials agreed to improve processes to test audit trail data but disagreed with TIGTA's recommendations to collect additional information.

Audit trails are useful both for maintaining security and for recovering lost transactions, according to TIGTA. Most accounting systems and database management systems include an audit trail component that documents events occurring on a computer from system and application processes, as well as from user activity.

At IRS, the trails are used to determine whether inappropriate activity, such as unauthorized access to taxpayer data, is occurring.

Due to the sensitive nature of tax return information, Section 6103 of the Internal Revenue Code and the Taxpayer Browsing Protection Act of 1997 require IRS to detect and monitor unauthorized access and disclosure of taxpayer records.

The willful unauthorized access or inspection of taxpayer records is a crime punishable upon conviction by fines, prison terms, and termination of employment.

The report, “Audit Trails Did Not Comply With Standards or Fully Support Investigations of Unauthorized Disclosure of Taxpayer Data” (2012-20-099), is available at


Request Bloomberg Law: Privacy & Data Security