The four collection agencies collecting delinquent income tax debt on behalf of the Internal Revenue Service were largely given a seal of approval in a recent audit, although the report did highlight a few areas in need of improvement.
The report, issued last week by the Treasury Department’s Inspector General for Tax Administration, highlights some information security deficiencies among the private collection agencies (PCAs) while also calling out the Internal Revenue Service for not being as diligent as it should be in administering its contract.
The contract between the federal government and the collection agencies has not been a walk in the park for anyone. According to reports, it is costing the federal government more to collect on the debts than it is receiving, and the program has been accused of disproportionately placing the accounts of lower-income taxpayers with the four agencies. Bills have been introduced in Congress that, if enacted, would force the IRS either to make changes to the program or to shut it down.
Among the highlights uncovered by the report:
- The IRS was unaware that one PCA could not provide monthly vulnerability scans of systems containing taxpayer data.
- Three of the four PCAs were not timely remediating critical- and high-risk vulnerabilities within the required 30 calendar days.
- Three of the four PCA mailrooms where taxpayer correspondence and payments are received were not included in the IRS’s annual security assessments.
- One PCA did not have a secure mail processing area for payments and did not secure misdirected payments prior to sending them to the IRS.
- One PCA did not back up video footage, and three PCAs did not back up their video footage to an offsite location.
- The IRS did not enforce the Publication 4812, Contractor Security Controls, requirements for a cell phone use policy specific to IRS data, nor did it ensure that data were encrypted before being transferred to the PCAs.
Overall, however, the audit found that the PCAs were generally maintaining proper information security protocols.
We found that the PCAs have a secure and dedicated infrastructure for housing taxpayer data, authentication and access control policies and procedures were working as intended for access management to IRS data, and processes for employee terminations and transfers. All PCAs complied with the IRS’s record retention policy.
Of the eight recommendations made by the report, the IRS agreed with six and partially agreed to the other two. From the report:
The IRS plans to timely communicate all vulnerabilities, develop policies on the use of mobile devices, perform annual security assessments over mailrooms, and perform a feasibility study to identify possible options for ensuring data at rest are encrypted. For the two partially agreed-to recommendations, the IRS did not address the enforcement of vulnerability remediation and the inclusion of all devices when scanning for vulnerabilities.