July 28, 2011

TIGTA - 2011-41
Karen Kraushaar
karen.kraushaar@tigta.treas.gov
TIGTACommunications@tigta.treas.gov
(202) 622-6500

IRS Needs To Limit Employee Access To Taxpayer Bankruptcy Records

WASHINGTON -- The Internal Revenue Service (IRS) should take steps to limit employee access to sensitive information about taxpayer bankruptcy petitions, a new report from the Treasury Inspector General for Tax Administration (TIGTA) concludes.

The IRS is notified of bankruptcy cases because taxpayers are required to list their creditors and liabilities when filing for bankruptcy protection. The IRS inputs the taxpayers' sensitive information into its Automated Insolvency System (AIS) to track the legal requirements for dealing with the taxpayers and to protect the Government's financial interests.

At the IRS's request, TIGTA reviewed whether the IRS sufficiently limits employee access to protect taxpayers' personal data and to ensure that the Government's interest is protected when taxpayers file for bankruptcy.

Although some AIS access controls are in place, such as the automatic lockout control and password complexity settings, TIGTA found that other required access controls have not been implemented or are not operating effectively.

TIGTA found many IRS employees have excessive privileges on the AIS. Managers did not ensure duties were adequately segregated among employees to prevent and detect unauthorized activities. Also, AIS's inadequate access control scheme caused managers to inadvertently grant unneeded, excessive privileges to employees.

Additionally, TIGTA found that some significant actions taken by employees on taxpayers' bankruptcy cases are not logged. This prevents managers from determining which employee changed a taxpayer's bankruptcy case or the IRS's Proof of Claim and what changes were made.

"While TIGTA did not find errors or indications of fraud during its review, excessive employee privileges on the AIS increase the risks that errors, fraud, or unauthorized activities could be performed by employees acting alone or in collusion with others," said J. Russell George, the Treasury Inspector General for Tax Administration.

TIGTA made six recommendations to the IRS to limit access to the AIS to only those employees with a business need.

The IRS agreed with the recommendations and is taking corrective actions.