A new watchdog report from the Treasury Inspector General for Tax Administration (TIGTA) finds that the IRS as of July 2023 was giving 19 contractors access to sensitive systems after the contractors had unfavorable background checks.
The Feb. 6 report explains that some contractors continued to have access to the tax agency’s Business Entitlement Access Request System (BEARS) application even after that access was no longer required.
“As of July 13, 2023, our evaluation identified a total of 91,661 users, of which 5,068 were contractors, who were authorized to access one or more of the 276 sensitive systems specific to our evaluation. Procedures to systemically remove users who no longer require access to sensitive systems were not always working as intended,” stated TIGTA.
“For example, TIGTA identified 279 users who were listed in BEARS as separated who, as of July 13, 2023, continued to have access to at least one IRS sensitive system,” the report says.
“However, for each of these individuals IRS network access was removed, which according to the IRS, reduces, but does not eliminate, the risk that a user can access a sensitive system,” the report says.
“The IRS did not always remove contractor access to sensitive systems when background investigations were not favorable,” the report continues. “Specifically, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023. However, these contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems, as required.”
The report also explains that the IRS is taking steps to improve its ability to safeguard data housed in its systems through means such as identifying and recording users’ actions when they access sensitive data.
As part of that effort, the agency is pushing forward with its Compliance Data Warehouse enhanced data security project which will “enhance security controls for user access and data exporting of Federal Tax Information from certain IRS systems,” the report says.
“However, for some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the report says.
“TIGTA has reported that a key deficiency in the IRS’s detection and deterrence processes did not ensure that all sensitive systems provide complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes,” the report says.
The watchdog made three recommendations – all of which the IRS concurred with – including “ensuring that access to sensitive systems is immediately suspended when a contractor is identified as not having a favorable background investigation determination and ensuring that user network and sensitive system access are timely removed for users who separate from the IRS,” TIGTA said.
