TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

SECURITY OVER TAXPAYER DATA USED IN CONDUCTING COMPLIANCE RESEARCH SHOULD BE IMPROVED

September 2000

Reference No. 2000-20-159

Executive Summary

The Internal Revenue Service’s (IRS) Office of Research conducts analyses to identify tax noncompliance issues, root causes for the issues, and practical approaches to modify noncompliant behavior. To perform their jobs, Office of Research employees have access to millions of taxpayer records. Assuring the security of these records is important to avoid unauthorized disclosure, misuse or loss of taxpayer data. The objective of this review was to determine if the Office of Research adequately safeguarded taxpayer data used in research efforts.

Results

We identified three security issues in the Office of Research where taxpayer data was not adequately secured against the risks of unauthorized disclosure, misuse, and loss. During our review, we became aware of potential inappropriate accesses to computer workstations at one Office of Research site that could have led to the theft or improper disclosure of taxpayer data. These access attempts are being investigated by the Treasury Inspector General for Tax Administration’s Office of Investigations.

Office of Research Employees Obtained Taxpayer Data Without Receiving Proper Approvals

Approvals ensure that research plans have adequately presented detailed project information, including data needs and security. Over half of the projects we reviewed did not have proper approvals from the responsible executive as required, yet employees working those projects obtained taxpayer data.

Office of Research Management Did Not Always Properly Restrict Access to Taxpayer Data

Access controls provide assurance that those without authorization are not allowed access to sensitive data. Office of Research sites had security weaknesses that hindered their ability to limit access to taxpayer data on a need-to-know basis.

Office of Research Management Did Not Always Follow Controls to Detect Unauthorized Accesses

The main detection control available on computer systems is the audit trail, which provides a track record of key accesses to taxpayer files. Office of Research sites were not consistently activating and reviewing audit trails, and, in some cases, did not maintain adequate separation of duties for adding, deleting or modifying data on the research systems.

Summary of Recommendations

To reduce the risk of unauthorized disclosure, misuse, and loss of taxpayer data, we recommend that all requests for taxpayer data be approved, as required. We also recommend that access to taxpayer data used in research be limited and monitored.

Management’s Response: IRS management generally agreed with our findings and recommendations. The modernization of the Office of Research and the centralization of the Information Systems Division affected the implementation of some of the corrective actions. In light of the modernized Research offices, the policies and procedures that address our findings will be carried over into the Operating Divisions, which will take over jurisdiction of the various District Office Research and Analysis sites throughout the country. In addition, a newly created council will provide oversight and coordination over the implementation of corrective actions.

Management’s complete response to the draft report is included in Appendix IV.

Office of Audit Comment: While we concur with all of the corrective actions, we do not agree that four of the seven corrective actions have been completed, as reported in management’s response. The corrective actions cited generally describe actions and events that will occur in the future versus actions that have already been implemented.