oversight

Confidentiality of Tax Data: IRS' Implementation of the Taxpayer Browsing Protection Act

Published by the Government Accountability Office on 1999-03-31.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             Report to the Honorable Paul Coverdell
                U. S. Senate



March 1999
                CONFIDENTIALITY
                OF TAX DATA
                IRS’ Implementation
                of the Taxpayer
                Browsing Protection
                Act




GAO/GGD-99-43
GAO                  United States
                     General Accounting Office
                     Washington, D.C. 20548

                     General Government Division



                     B-281988

                     March 31, 1999

                     The Honorable Paul Coverdell
                     United States Senate

                     Dear Senator Coverdell:

                     This report responds to your request that we determine what the Internal
                     Revenue Service (IRS) has done to implement the Taxpayer Browsing
                                                           1
                     Protection Act (Public Law 105-35). That law, which was enacted on
                     August 5, 1997, made willful unauthorized inspection of taxpayer data
                     illegal. As agreed with your office, this report discusses (1) actions IRS has
                     taken to implement the law and (2) the number of potential and proven
                                                                           2
                     incidents of unauthorized access by IRS employees that IRS has identified
                     since enactment of the law, as well as the penalties imposed in cases
                     where unauthorized access was proven.

                     IRS has two approaches for implementing P.L. 105-35. Over the long term,
Results in Brief     IRS believes that modernizing its core automated systems offers the best
                     means to prevent and detect unauthorized access to taxpayer data.
                     According to IRS, modernization will (1) allow it to restrict employees’
                     access to only those taxpayer records that they have a specific work-
                     related reason to look at and (2) enable it to detect unauthorized accesses
                     almost as soon as they happen. It will be several years, however, before
                     this modernization becomes a reality.

                     In the meantime, IRS has taken several other steps directed at deterring,
                     preventing, and detecting unauthorized access and ensuring that
                     consistent disciplinary action is taken when unauthorized access is
                     proven. For example, IRS

                   • provides agencywide briefings to all employees on unauthorized access
                     and has developed a form to be signed by all employees to document
                     attendance at a briefing and receipt of guidance on what constitutes an
                     unauthorized access;




                     1
                         P. L. 105-35, 111 Stat. 1104 (1997).
                     2
                     Instead of “browsing,” IRS uses the acronym “UNAX” to cover all cases of willful unauthorized access
                     or inspection of taxpayer records. In this report, we use “unauthorized access” instead of UNAX.




                     Page 1                                       GAO/GGD-99-43 Taxpayer Browsing Protection Act
  B-281988




• centralized within the Office of the Chief Inspector the identification and
                                               3
  investigation of potential access violations;
• created a Centralized Adjudication Unit (CAU) in the National Office to
  track proven access violations and to provide assistance in administering
  penalties; and
• implemented an automated tool that is expected to improve IRS’ ability to
  detect unauthorized accesses.

  Between October 1, 1997, and November 30, 1998, the Office of the Chief
  Inspector identified 5,468 potential instances of unauthorized access (i.e.,
  “leads”) and completed preliminary investigative work on 4,392 of those
        4
  leads. Of those 4,392 leads, 338 were determined to warrant further
  investigation. Many of these 338 cases were still under investigation or in
  the process of adjudication as of January 25, 1999. Using data provided by
  IRS, we identified 36 cases for which investigation and adjudication had
  been completed. Of those 36 cases, 15 involved an IRS determination that
  IRS employees had intentionally accessed taxpayer data without
  authorization. In the other 21 cases, IRS determined that either there was
  no unauthorized access or the access was accidental.

  According to IRS, employees involved in the 15 cases of intentional
  unauthorized access either resigned in lieu of termination or were
  terminated. According to IRS data, proven cases of unauthorized access
  that occurred after enactment of Public Law 105-35 have generally been
  referred to U.S. Attorneys for prosecution, and these U.S. Attorneys have,
  with one exception, declined to prosecute. According to IRS, the one case
  that was accepted for prosecution was still open as of February 2, 1999,
                                                        5
  but the employee has been removed from the agency. As required by the
  law, IRS notified the three taxpayers whose data the employee had
  accessed.




  3
   In January 1999, after we had completed our audit work, most of the activities of the Office of the
  Chief Inspector, including those discussed in this report, were transferred to the Treasury Inspector
  General for Tax Administration—a new position established by the IRS Restructuring and Reform Act
  of 1998. Because that transfer occurred after we completed our audit work, we refer to the Office of
  the Chief Inspector in this report.
  4
   October 1, 1997, is the starting date for these statistics rather than August 5, 1997 (the date the law
  was enacted), because the centralized unit responsible for identifying potential cases of unauthorized
  access was created on October 1, 1997.
  5
  Because this case was still open as of February 2, 1999, it is not one of the 15 cases discussed earlier in
  which intentional unauthorized access was proven.




  Page 2                                         GAO/GGD-99-43 Taxpayer Browsing Protection Act
             B-281988




             Over the past few years, both IRS’ Office of Internal Audit and we have
Background   reported on the need for improved controls to protect against
             unauthorized accesses of taxpayer data by IRS employees.

             In October 1992, Internal Audit reported that IRS had limited ability to
             prevent unauthorized accesses and detect such accesses once they had
                       6
             occurred. In September 1993, we reported that IRS did not adequately
             monitor the activities of thousands of employees who were authorized to
                                             7
             read and change taxpayer files. We noted that the greatest risk involved
             IRS’ Integrated Data Retrieval System (IDRS), which is the primary
             computer system used by IRS employees to access and adjust taxpayer
                       8
             accounts. In 1994, IRS implemented an automated tool—the Electronic
             Audit Research Log (EARL)—to monitor and detect unauthorized accesses
             to data on IDRS.

             In August 1995, we reported that IRS had taken some actions to, among
                                                                                9
             other things, restrict account access and analyze computer usage. We
             concluded, however, that IRS still lacked sufficient safeguards to prevent
             or detect unauthorized accesses of taxpayer information. We noted, for
             example, that security reports issued to monitor and identify unauthorized
             accesses were cumbersome and virtually useless to managers responsible
             for ensuring computer security. In 1996, IRS implemented enhancements
             to EARL that were designed to improve the quality of data being provided
             to managers. In April 1997, we reported on continuing shortcomings in IRS’
                                                                                   10
             efforts to prevent unauthorized access to confidential taxpayer data. We
             noted, for example, that IRS did not (1) monitor all employees with access
             to automated systems and data for evidence of unauthorized access, (2)
             consistently investigate cases involving unauthorized access, and (3)
             consistently discipline employees who accessed taxpayer data without
             authorization.




             6
                 Review of Controls over IDRS Security, IRS Internal Audit Reference No. 030103, October 23, 1992.
             7
              IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management
             Information (GAO/AIMD-93-34, Sept. 22, 1993).
             8
              IRS officials estimated that about 85 percent of all taxpayer accesses are made through IDRS. The
             remaining 15 percent are made through other IRS systems.
             9
              Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, Aug.
             4, 1995).
             10
              IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses
             (GAO/AIMD-97-49, Apr. 8, 1997).




             Page 3                                          GAO/GGD-99-43 Taxpayer Browsing Protection Act
                         B-281988




                         Because of continuing concerns about unauthorized accesses, Public Law
                         105-35 was signed into law on August 5, 1997. The law made willful
                         unauthorized inspection of taxpayer data illegal. The law provides that a
                         person convicted of unauthorized access shall be subject to a fine of up to
                         $1,000, or imprisonment of not more than 1 year, or both, together with the
                         costs of prosecution. The law also states that an officer or employee of the
                         United States who is convicted of any such violation shall, in addition to
                         any other punishment, be dismissed from office or discharged from
                         employment. In cases where a person is criminally charged with
                         unauthorized access, the law requires that the Secretary of the Treasury
                         notify the taxpayer whose tax information was accessed.

                         To achieve our objectives, we
Scope and
Methodology            • interviewed officials from IRS’ Centralized Case Development Center
                         (CCDC), CAU, Office of Systems Standards and Evaluation, and Office of
                         Chief Inspector (we discuss the role of each of these offices later in the
                         report);
                       • visited the CCDC in Cincinnati, OH, to observe its operations;
                       • analyzed data runs that IRS produced at our request as well as IRS
                         management information system reports on unauthorized access; and
                       • reviewed IRS reports and documentation on unauthorized access.

                         Other than checking for consistency, we did not verify the reliability of
                         statistical data provided by IRS. We also did not assess the effectiveness of
                         the various actions taken by IRS since enactment of Public Law 105-35.

                         We requested comments on a draft of this report from IRS and the Acting
                         Treasury Inspector General for Tax Administration. Their comments are
                         discussed near the end of this letter. We did our work from October 1998
                         through January 1999 in accordance with generally accepted government
                         auditing standards.

                         In an August 1997 report on controlling unauthorized access to taxpayer
IRS’ Actions to          records, IRS concluded that, in the long run, the best solution was to
Implement Public Law     modernize core IRS systems. According to IRS, modernization will (1)
105-35                   allow it to restrict employees’ access to only those taxpayer records that
                         they have a specific work-related reason to look at and (2) enable it to
                         detect unauthorized accesses almost as soon as they happen. However,
                         IRS does not expect to implement those modernization efforts for several
                         years. In the meantime, IRS has taken several steps directed at deterring,
                         preventing, and detecting unauthorized access and ensuring that




                         Page 4                            GAO/GGD-99-43 Taxpayer Browsing Protection Act
                                B-281988




                                appropriate disciplinary action is taken when unauthorized access is
                                proven.

Steps Taken by IRS to Deter     Some of IRS’ actions are intended to deter unauthorized access (i.e., keep
                                employees from trying to access taxpayer data without authorization).
Unauthorized Access             These actions focus on awareness. In an attempt to make certain that all
                                employees are explicitly informed about unauthorized access and the
                                related penalties, IRS, among other things,

                              • adopted a policy that proven instances of unauthorized access will result
                                in removal from IRS, absent any extenuating circumstances;
                              • sent a memo in October 1997 to all IRS employees that discussed, among
                                other things, the penalties associated with unauthorized access;
                              • started giving annual agencywide briefings in November 1997 to inform all
                                employees of IRS’ unauthorized access policy and the penalties for
                                violations;
                              • created a form that is to be signed by employees and managers to
                                acknowledge attendance at a briefing and receipt of guides on what
                                constitutes unauthorized access;
                              • created a policy that all employees who join or return to IRS after the
                                annual awareness briefings have been administered will be given their
                                briefing within 30 days;
                              • developed a standard message to be given in all training courses in which
                                access to tax information is discussed;
                              • developed a video and guides on unauthorized access to ensure that
                                managers deliver a consistent message in briefing employees; and finally,
                              • established an unauthorized access steering committee and unauthorized
                                access support team to address questions and issues raised by employees
                                and managers.

Steps Taken by IRS to           Other IRS actions are intended to prevent unauthorized access (i.e., stop
                                employees who intentionally or unintentionally try to access taxpayer data
Prevent Unauthorized            without authorization). In that regard, according to IRS, the most effective
Access                          way to safeguard against unauthorized access is to build controls into
                                automated systems that prevent employees from accessing information
                                they have no need to access. However, according to IRS, its current
                                systems cannot be effectively modified to provide the “need to know”
                                environment that allows employees to access taxpayers’ records only
                                when they have a work-related reason to do so. IRS expects to correct this
                                situation as part of its long-term systems modernization effort. In the
                                meantime, IRS has taken some steps to prevent unauthorized access. For
                                example, IRS (1) has incorporated blocks into its systems to prevent
                                employees from accessing their own records and, in some cases, the



                                Page 5                            GAO/GGD-99-43 Taxpayer Browsing Protection Act
                            B-281988




                            records of their spouses or ex-spouses and (2) is reviewing the access
                            rights given to individual employees to ensure that they do not have
                            greater access to tax data than is necessary to do their work.

Steps Taken by IRS to       Until February 1999, when a new system was implemented, IRS depended
                            primarily on EARL to identify potential instances of unauthorized access
Detect Unauthorized         through after-the-fact analysis of accesses to data on IDRS. EARL used
Accesses to Taxpayer Data   data analysis techniques based on a few known patterns of abuse to
on IDRS                     identify potential cases of unauthorized access. When EARL was run, it
                            created lists of potential violations (leads) that were provided to analysts
                            at each of IRS’ 10 service centers. The analysts were responsible for
                            researching the lists to determine whether the leads warranted further
                            investigation. An IRS study done in August 1997 concluded that the just-
                            described process did not provide the consistent approach needed to
                            support IRS’ policy on unauthorized access of taxpayer records. According
                            to the study report and IRS officials, (1) there was a lack of uniformity in
                            the output produced by EARL because each service center had developed
                            its own computer programs, (2) most EARL leads required labor-intensive
                            research to determine whether unauthorized access likely took place, and
                            (3) each service center had developed its own techniques for developing
                            EARL cases.

                            To correct this lack of a consistent approach to unauthorized access, IRS
                            (1) centralized responsibility for identifying and investigating potential
                            instances of unauthorized access in CCDC, which is located within IRS’
                            Office of the Chief Inspector, and (2) developed a new automated tool to
                            provide better unauthorized access detection capabilities.

Creation of CCDC            In May 1997, the Acting Commissioner of Internal Revenue transferred
                            responsibility for the detection of unauthorized access to the Office of the
                            Chief Inspector. In October 1997, the Chief Inspector created CCDC, which
                            is responsible for identifying potential cases of unauthorized access and
                            determining whether they warrant further investigation by the Internal
                            Security Division in the Office of the Chief Inspector. CCDC became
                            operational in February 1998, when it began assuming responsibility from
                            the 10 service centers for analyzing unauthorized access leads. The
                            transition was completed in September 1998. Since then, CCDC has been
                            responsible for reviewing all leads and deciding which, if any, should be
                            referred to Internal Security. The CCDC staff includes forensic data
                            analysts, security analysts, computer programmers, and criminal
                            investigators. In addition to referrals from CCDC, Internal Security also
                            receives allegations of unauthorized access from various other sources,




                            Page 6                           GAO/GGD-99-43 Taxpayer Browsing Protection Act
                             B-281988




                             such as calls to the Inspection Service integrity hotline from IRS
                             employees, taxpayers, and tax practitioners.

Implementation of New        IRS, in February 1999, implemented the Audit Trail Lead Analysis System
Automated Tool               (ATLAS) to replace EARL. IRS officials stated that ATLAS is an
                             improvement over EARL because ATLAS (1) will provide better
                             unauthorized access detection capabilities and (2) is a national system that
                             will not be subject to local modifications and practices by the 10 service
                             centers. These improvements, according to the Director of CCDC and IRS
                             documents, will produce better leads than those produced by EARL,
                             because they are more indicative of potential unauthorized access.

                             For example, according to IRS, ATLAS is programmed to do an exact
                             match between an employee’s name and the names of taxpayers whose tax
                             information the employee has accessed. EARL’s name match component,
                             on the other hand, only matched the first six characters of the last names.
                             According to IRS data, of the 5,468 total leads received by the Office of the
                             Chief Inspector between October 1, 1997, and November 30, 1998, EARL’s
                             match of the first six characters of an employee’s name accounted for
                             3,793 (69.4 percent). However, of the 338 closed leads that were referred to
                             Internal Security for investigation, only 67 (19.8 percent) were generated
                             by EARL’s name match. According to the Director of CCDC and IRS
                             documents, ATLAS’ increased precision in matching names should result
                             in fewer leads—because there will now have to be an exact match of last
                             names—but these should be more indicative of potential unauthorized
                             access.

Steps Taken by IRS to        Although IRS has taken several steps to identify unauthorized accesses
                             involving IDRS, it has done little to detect accesses involving the estimated
Detect Unauthorized Access   130 other information systems that contain taxpayer information. IRS does
to Taxpayer Data on          not have a system such as EARL or ATLAS to analyze accesses involving
Systems Other Than IDRS      these other systems. IRS officials in the Systems Standards and Evaluation
                             Office (the office with overall responsibility for security and privacy within
                             IRS) informed us that this problem is to be corrected as part of IRS’ long-
                             term systems modernization efforts. However, these efforts will not be
                             implemented for several years. Meanwhile, according to these officials,
                             they have been looking at the controls in these various information
                             systems to prevent unauthorized access. They also said that they depend
                             on the supervisors of employees who use non-IDRS information systems to
                             be on the alert for unauthorized access.




                             Page 7                            GAO/GGD-99-43 Taxpayer Browsing Protection Act
                                       B-281988




Steps Taken by IRS to                  In August 1997, the Office of Systems Standards and Evaluation reported
                                       that the handling and tracking of unauthorized access cases had not been
Ensure Consistent                      consistent. The report further stated that IRS would be better served if key
Disciplinary Actions                   operations were centralized to establish consistency and timeliness in
                                       developing cases, making decisions on levels of evidence for removals and
                                       legal actions, processing and implementing removals, and tracking and
                                       reporting cases.

                                       To deal with inconsistencies in case handling and tracking, IRS created
                                       CAU within the Labor Relations Office in the National Office. CAU, which
                                       became operational in October 1997, is responsible for tracking and
                                       reporting the status of all unauthorized access cases; preparing paperwork
                                       for all cases, including those in which unauthorized access was not
                                                11
                                       proven; forwarding paperwork on cases to the heads of the appropriate
                                       offices for clearance or disciplinary action; and providing consultative
                                       support to management in the administration of discipline. To further
                                       ensure that consistent disciplinary actions are imposed for proven cases of
                                       unauthorized access, the Systems Standards and Evaluation Office is
                                       tasked with reviewing those actions.

                                       Between October 1, 1997, and November 30, 1998, the Office of the Chief
Number of Potential                    Inspector received 5,468 leads (information indicating potential
and Proven Instances                   unauthorized accesses) and completed work on 4,392 of those leads. Of
                                                                                                               12


of Unauthorized                        the 4,392 closed leads, 338 (8 percent) resulted in referrals to Internal
                                       Security. Table 1 shows the disposition of the 4,054 closed leads not
Access and the                         referred for investigation.
Penalties Imposed
Table 1: Disposition of Closed Leads
Not Referred for Investigation         Disposition                                                                                       Number
Disposition                            Resolved—access business related                                                                    2,493
                                       No basis for referral—further research not warranteda                                               1,446
                                       Cancelled—lead entered in errorb                                                                      115
                                       Total                                                                                               4,054
                                       a
                                        According to IRS, this disposition category was used when (1) the EARL lead was invalid and there
                                       was no reason for the lead to have been identified by the system or (2) research on the lead could not
                                       develop information to substantiate either a business-related or a nonbusiness-related connection
                                       between the employee and the taxpayer whose data was accessed.
                                       b
                                        According to IRS, this disposition category was used when the lead was entered in error, such as the
                                       wrong employee SSN, or when it was a duplicate to a lead that was already open in the system.
                                       Source: GAO analysis of data obtained from CCDC on the disposition of leads closed by the Office of
                                       the Chief Inspector between October 1, 1997, and November 30, 1998.


                                       11
                                        According to IRS, any case in which the employee was interviewed during the investigation must be
                                       forwarded to CAU.
                                       12
                                        October 1, 1997, is the starting date for statistics in this section, rather than August 5, 1997 (the date
                                       the law was enacted), because CCDC was created on October 1, 1997.




                                       Page 8                                          GAO/GGD-99-43 Taxpayer Browsing Protection Act
B-281988




During the period covered by our review, EARL accounted for a large
majority of the leads received by the Office of the Chief Inspector and
most of the cases referred to Internal Security for further investigation. Of
the 5,468 leads received by the Chief Inspector during the 14 months
                                                                            13
ending November 30, 1998, 4,742, or 87 percent, were generated by EARL.
The other 13 percent came from other sources, such as complaints from
taxpayers and IRS employees. Although most of the leads referred to
Internal Security also came from EARL (about 56 percent of the 338
referrals), other sources of leads proved to be more productive. In that
regard, of the EARL leads closed by the Office of the Chief Inspector, 5
percent were referred for investigation compared with about 22 percent of
the leads from other sources.

Between October 1, 1997, and November 30, 1998, according to IRS’ data,
                                                     14
Internal Security opened at least 139 investigations of cases in which
unauthorized access was alleged to have occurred after passage of Public
            15
Law 105-35. As of November 30, 1998, Internal Security had completed 86
of these investigations, while the other 53 investigations were still
         16
ongoing.

From October 1, 1997, to January 25, 1999, according to IRS, Internal
Security sent CAU 64 cases for adjudication in which unauthorized access
                                                                      17
was alleged to have taken place after enactment of Public Law 105-35. As
of January 25, 1999, action had been completed on 36 of these cases, and
28 remained open. In 15 of the 36 completed cases, IRS determined that an
intentional unauthorized access had occurred. Of the remaining 21 cases,
IRS determined that 14 involved no unauthorized access, 6 involved
accidental accesses that were reported by the employees to their

13
   As discussed earlier, of the leads generated by EARL, 3,793 resulted from EARL’s name match
component.
14
  We say “at least” because there were gaps in IRS’ data that prevented us from knowing in all cases
whether an opened investigation involved an access that occurred after passage of Public Law 105-35.
If we could not tell when the access occurred, we did not include the investigation in our count of 139.
There were 80 cases for which we could not determine the date of the alleged unauthorized access.
15
   The 139 opened investigations cannot be related back to the 338 referrals from CCDC discussed
earlier because, as noted earlier, Internal Security receives allegations of unauthorized access from
sources other than CCDC.
16
   During this time, Internal Security was also investigating unauthorized accesses that were alleged to
have taken place before passage of Public Law 105-35.
17
   The number of cases received for adjudication (64) could differ from the number of investigations
completed by Internal Security (86) because not all completed investigations require adjudication. If
Internal Security determines, as a result of its investigation, that there was no unauthorized access and
if the employee was not interviewed as part of the investigation, the case need not be sent to CAU.




Page 9                                         GAO/GGD-99-43 Taxpayer Browsing Protection Act
                                        B-281988




                                        supervisors in accordance with established procedures, and 1 involved an
                                        accidental access that was not reported in accordance with established
                                        procedures. In the latter case, the employee was reprimanded.

                                        As shown in table 2, of the 15 proven intentional unauthorized accesses, 10
                                        involved service center employees, and 5 involved district office
                                        employees. According to IRS, the offending employees in those 15 cases
                                                                                                   18
                                        either resigned in lieu of termination or were terminated.

Table 2: Number of Intentional
Unauthorized Accesses by IRS Location   Location                                                       Number of unauthorized accesses
                                        Service center
                                        Andover                                                                                                 2
                                        Brookhaven                                                                                              2
                                        Atlanta                                                                                                 1
                                        Austin                                                                                                  1
                                        Kansas City                                                                                             1
                                        Memphis                                                                                                 1
                                        Ogden                                                                                                   1
                                        Philadelphia                                                                                            1
                                        Subtotal                                                                                               10
                                        District office
                                        Ohio                                                                                                    2
                                        Gulf Coast                                                                                              1
                                        Indianapolis                                                                                            1
                                        New Jersey                                                                                              1
                                        Subtotal                                                                                                5
                                        Total                                                                                                  15
                                        Source: Data obtained from CAU on cases completed between October 1,1997, and January 25,
                                        1999, in which IRS had determined that an intentional unauthorized access had occurred after
                                        enactment of Public Law 105-35.

                                        According to IRS data, proven cases of unauthorized access that occurred
                                        after enactment of Public Law 105-35 have generally been referred to U.S.
                                        Attorneys for possible prosecution. In almost every case, according to IRS
                                        data, the U.S. Attorney declined to prosecute. As of February 2, 1999, one
                                                                                 19
                                        case had been accepted for prosecution. According to IRS, although the
                                        case was still open, the employee had been removed from the agency.
                                        Pursuant to the law, IRS notified the three taxpayers whose data the
                                        employee had accessed.




                                        18
                                           As of January 25, 1999, CAU also had 11 open cases in which removal of the employee had been
                                        proposed and 5 cases in which it was preparing a removal proposal.
                                        19
                                           This case is in addition to the 15 cases discussed earlier in which intentional unauthorized access was
                                        proven. Because legal action had not yet been completed, this case was considered one of the 28 cases
                                        that were open as of January 25, 1999.




                                        Page 10                                        GAO/GGD-99-43 Taxpayer Browsing Protection Act
                  B-281988




                  We obtained written comments on a draft of this report from IRS’ Chief
Agency Comments   Information Officer (see app. I) and the Acting Treasury Inspector General
                  for Tax Administration (see app. II).

                  The Chief Information Officer said that IRS agreed with the information in
                  our report. He emphasized that, in some regards, IRS’ current weaknesses
                  are associated with its aging systems and that these weaknesses will be
                  corrected as part of IRS’ long-term systems modernization plans. In the
                  meantime, according to the Chief Information Officer, IRS (1) has initiated
                  actions to block employees’ access to more taxpayer accounts than they
                  are currently restricted from accessing and (2) is reviewing the feasibility
                  of incorporating audit trail records from systems other than IDRS into
                  ATLAS.

                  The Acting Treasury Inspector General for Tax Administration said that
                  the report provides a good summary of the actions taken by his office
                  (formerly the Office of the Chief Inspector) to implement the provisions of
                  Public Law 105-35. He said that the identification and investigation of
                  unlawful accesses of taxpayer information has been and will remain a high
                  priority of his office.

                  As agreed with your office, unless you publicly release its contents earlier,
                  we plan no further distribution of this report until 30 days from the date of
                  this letter. At that time, we will send copies to Senator William V. Roth,
                  Chairman, and Senator Daniel P. Moynihan, Ranking Minority Member,
                  Senate Committee on Finance; and Representative Bill Archer, Chairman,
                  and Representative Charles B. Rangel, Ranking Minority Member, House
                  Committee on Ways and Means. We will also send copies to the Honorable
                  Robert E. Rubin, Secretary of the Treasury; the Honorable Charles O.
                  Rossotti, Commissioner of Internal Revenue; the Honorable Jacob Lew,
                  Director, Office of Management and Budget; and Mr. Lawrence W. Rogers,
                  Acting Treasury Inspector General for Tax Administration. Copies will be




                  Page 11                           GAO/GGD-99-43 Taxpayer Browsing Protection Act
B-281988




made available to others upon request. Major contributors to this report
were David J. Attianese, Assistant Director; and John Lesser, Evaluator-in-
Charge. Please contact me on (202) 512-9110 if you have any questions.

Sincerely yours,




Margaret T. Wrightson
Associate Director, Tax Policy and
  Administration Issues




Page 12                          GAO/GGD-99-43 Taxpayer Browsing Protection Act
Page 13   GAO/GGD-99-43 Taxpayer Browsing Protection Act
Contents



Letter                                                                                                1


Appendix I                                                                                           16

Comments From the
Internal Revenue
Service
Appendix II                                                                                          17

Comments From the
Acting Treasury
Inspector General for
Tax Administration
Tables                  Table 1: Disposition of Closed Leads Not Referred for                         8
                          Investigation Disposition
                        Table 2: Number of Intentional Unauthorized Accesses by                      10
                          IRS Location




                        Abbreviations

                        ATLAS         Audit Trail Leads Analysis System
                        CAU           Centralized Adjudication Unit
                        CCDC          Centralized Case Development Center
                        EARL          Electronic Audit Research Log
                        IDRS          Integrated Data Retrieval System
                        IRS           Internal Revenue Service




                        Page 14                           GAO/GGD-99-43 Taxpayer Browsing Protection Act
Page 15   GAO/GGD-99-43 Taxpayer Browsing Protection Act
Appendix I

Comments From the Internal Revenue Service




              Page 16     GAO/GGD-99-43 Taxpayer Browsing Protection Act
Appendix II

Comments From the Acting Treasury
Inspector General for Tax Administration




               Page 17      GAO/GGD-99-43 Taxpayer Browsing Protection Act
Page 18   GAO/GGD-99-43 Taxpayer Browsing Protection Act
Page 19   GAO/GGD-99-43 Taxpayer Browsing Protection Act
Page 20   GAO/GGD-99-43 Taxpayer Browsing Protection Act
Ordering Information

The first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following address,
accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and
MasterCard credit cards are accepted, also. Orders for 100 or more
copies to be mailed to a single address are discounted 25 percent.

Order by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
     th                  th
700 4 St. NW (corner of 4 and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax
number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and testimony.
To receive facsimile copies of the daily list or any list from the past
30 days, please call (202) 512-6000 using a touch-tone phone. A
recorded menu will provide information on how to obtain these
lists.

For information on how to access GAO reports on the INTERNET,
send e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested




(268862)