IRS auditors call for constraints on contractors' computer access

Investigators say some contractors blatantly circumvented IRS security policies and procedures.

Treasury Department auditors found that lax security procedures at the Internal Revenue Service have allowed private contractors to put IRS computer systems and sensitive taxpayer data at risk.

IRS security officials discounted the severity of the auditors' assessment but generally agreed with the recommendations of an investigation that Treasury auditors conducted on four private-contractor operations between March and September last year.

The auditors recommended that IRS officials restrict contractors' computer access privileges to the minimum required for them to perform their jobs and that contractors be given updated workstations. Many of the older computer systems assigned to contractors were insecure and could not easily be made secure, according to the auditors. Their findings were published in a report that was labeled for limited public use and was not widely circulated.

The report, with the contractors' names and other sensitive data removed, revealed that root access privileges had been granted unnecessarily to about 50 contractor personnel. Root access permits users to make changes to computer systems without detection. Other contractor employees had violated IRS security procedures by installing e-mail and instant-messaging software on IRS computers.

In some cases, the report says, contractors blatantly circumvented IRS policies and procedures, even when IRS security personnel pointed out the inappropriate practices.

The IRS has more than 900 contracts with private contractors and consultants who perform many tax administration activities.

In a memo to the IRS' chief of mission assurance, an official in Treasury's office of the inspector general stated his concerns. "Without sufficient oversight," he said, "the involvement of non-IRS employees in critical IRS functions adds to the risk of misuse or unauthorized disclosure of taxpayer data and could lead to loss of equipment or sensitive taxpayer data through theft or sabotage."

Although the IRS never formally announced the release of the report, a copy of it was obtained under the Freedom of Information Act by the National Treasury Employees Union, which opposes having federal jobs go to private contractors.

Colleen Kelley, president of the treasury union, believes federal agencies have been consistently lax in their oversight of contractors. The auditors' findings should be of concern to taxpayers, Kelley said.

"It's an important issue," she said, "especially when you think about the other initiatives the IRS says it wants to embark on, like privatizing tax collections."
