The Treasury Inspector General for Tax Administration (TIGTA) in a final report issued November 3 concluded that transfer pricing issues are not being properly evaluated by the Internal Revenue Service because of various procedural barriers at the agency.
The IRS shares data with various outside entities including Federal, State, and local agencies; financial institutions; and contractors for tax administration purposes. IRS and Federal guidelines require that sensitive data is protected during transmission to prevent unauthorized access or disclosure. TIGTA initiated this audit to determine whether the IRS is properly protecting this data and whether it is maintaining encryption controls and other security configurations in accordance with the National Institute of Standards and Technology.
The IRS uses three methods to transfer data to external partners: 1) a commercial off-the-shelf product for transfers over the Internet, 2) a commercial off-the-shelf product for direct mainframe-to-mainframe data transfers, and 3) drop boxes to allow the IRS and its external partners to place and retrieve data transfers. In reviewing all three of these external file transfer methods, TIGTA found the IRS did not ensure that encryption requirements are being enforced and ensure that non-secure protocols are not being used in order to fully protect information during transmission. These protocols include File Transfer Protocol and Telnet, which are known insecure transfer protocols. The IRS also did not remediate high-risk vulnerabilities or install security patches on file transfer servers in a timely manner. For example, TIGTA found 61 servers with high-risk vulnerabilities, 10 servers with outdated versions of Windows and UNIX operating systems still in operation, and 32 servers missing 18 unique security patches, of which four were deemed as critical. Lastly, the IRS did not ensure that corrective action plans for security control weaknesses met IRS standards. This reduced the assurance that the IRS would correct weaknesses timely.
TIGTA made six recommendations in the report. Of these recommendations, IRS management agreed with two, partially agreed with three, and disagreed with one.