Monday, April 18 is the filing deadline for federal income taxes. It’s a day where we all are reminded how much of a pain our 70,000+ page tax code inflicts upon us every year. For those of you who hire accountants, alla salute you’re done and you don’t have to go through the headache of filing your own taxes. Of course, that’s dependent on whether you gave your accountant all the proper documents and receipts. To those who wanted to file on their own, you’re gluttons for punishment. Regardless, they’re due next Monday, and every identity thief out there would probably like to take a peek at your 1040 form. As it so happens, a Government Accountability Office report showed that the Internal Revenue Service isn’t doing the best job keeping your taxpayer data safe:
The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2015, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were further restricting access privileges on key financial applications and continuing its migration to multifactor authentication across the agency. However, significant control deficiencies remained. For example, the agency had not always (1) implemented controls for identifying and authenticating users, such as applying proper password settings; (2) appropriately restricted access to servers; (3) ensured that sensitive user authentication data were encrypted; (4) audited and monitored systems to ensure compliance with agency policies; and (5) ensured access to restricted areas was appropriate. In addition, unpatched and outdated software exposed IRS to known vulnerabilities.
An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program had not yet been effectively implemented. For example, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring access. In addition, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, for the 28 prior recommendations that IRS informed us that it had addressed, 9 of the associated weaknesses had not been effectively corrected.
Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2015.
Well, that’s great. To pour more salt in the wounds, IRS Commissioner John Koskinen did not impress Congress when he told them his agency pretty much encourages illegal aliens to commit tax fraud by submitting tax forms under fraudulent social security numbers (via Washington Examiner):
Congressional disgust with IRS Commissioner John Koskinen deepened on Wednesday after his claim that the agency effectively encourages illegal immigrants to file tax returns using fraudulent Social Security numbers, with lawmakers calling for his ouster.
"I think it certainly is appropriate to talk about new leadership," South Carolina Sen. Tim Scott, a Republican who sits on the Senate Finance Committee, told the Washington Examiner.
Koskinen on Tuesday told Scott's committee that the agency does not take action when tax returns are submitted using fraudulent personal information. "It's not the normal identity theft situation," Koskinen said, adding that it helps the government to collect more revenue.
Koskinen held firm, saying his agency's main goal is to maximize revenue, not to enforce the law. "The tax code is set up, and our obligation, everybody who is earning money has an obligation to pay taxes, and we do everything we can to make sure they pay those taxes," he said. "To the extent that to get the employment, they've borrowed or somehow gotten a Social Security number, that's not a jurisdiction we have.
Someone get me a glass of Wild Turkey, please–and maybe one or several aspirins.