TIGTA Releases Report on IRS Physical Security
The Treasury Inspector General for Tax Administration (TIGTA) recently released a report presenting the results of its review of the IRS’ process for implementing countermeasures recommended in facility security risk assessments.
TIGTA’s goal of the review was to determine whether the implementation of security countermeasures ensures that 1) identified security vulnerabilities are addressed or 2) risk acceptance is adequately documented when countermeasures are not implemented. The IRS does have in place physical security policies, procedures and processes to deal with current and emerging threats, but the report recommended some areas for improvement at its 532 locations.
The report called attention to the fact that the IRS is often the target of threats. The IRS has come under renewed threats following the passage of the Inflation Reduction Act, which includes $80 billion in funding over 10 years for the agency, with some of the funds allocated to increased enforcement and auditing, primarily of high-income taxpayers and corporations. Critics have raised concerns of the funds going to hire tens of thousands of armed IRS agents, even though much of the funding is intended for hiring additional taxpayer service employees, updating technology and replacing retiring employees.
In the report, TIGTA noted the IRS updated its security countermeasure procedures in response to a previous TIGTA report, but the updated process did not ensure that minimum physical security countermeasures were tracked and considered. The report found the IRS' process for documenting the tracking and monitoring of recommended countermeasures was ineffective because the IRS does not consistently use a centralized system to track physical security countermeasure recommendations, approvals, implementation actions and costs. Therefore, TIGTA could not determine the status of all current recommended physical security countermeasures in a number of the IRS facilities it reviewed. The report also noted that security specialists did not consistently and clearly document why they decided to reject a recommended countermeasure.
TIGTA recommended the IRS track all recommendations, approvals and denials in a central location. IRS officials agreed with the report's recommendations and said they are planning to implement a tool to track and maintain countermeasures in a central location, as well as update their policies and procedures and provide formalized training. The IRS said it has already completed testing of the tool and is in the final stages of its implementation. Updates to policies and procedures have been drafted and the agency is in the process of planning the formalized training for its physical security specialists. The IRS expects to begin the new process in the first quarter of fiscal year 2023.