GAO found that more than 82% of unauthorized access violations resulted in an employee’s suspension, resignation or removal.
In more than half of the cases, the IRS could not substantiate that a violation occurred.
Employees at the center of unsubstantiated cases, however, may have faced disciplinary action for other reasons. GAO found that at least one employee under review for unauthorized access had as many as eight other misconduct issues under investigation.
Related misconduct issues include making false statements or becoming involved in matters that resulted in a real or perceived conflict of interest with official duties.
Another 22% of cases went unresolved, meaning the employee under review resigned, retired, or otherwise separated from the agency before a final determination in the case.
Senate Finance Ranking Member Mike Crapo (R-Idaho) requested the GAO review.
Deputy IRS Commissioner Jeffrey Tribiano told GAO that IRS employees are “constantly reminded” that they are limited to access taxpayer information directed related to their work, and that violations of that policy are handled “with the upmost seriousness.”
“The vast majority of IRS employees take their charge to protect taxpayer information as the foundation of their career in serving America’s taxpayers. The small number of employees who do not uphold our standards face serious discipline up to and including removal from the IRS,” Tribiano said.
The GAO report stems from a ProPublica report from June 2021, headlined “The Secret IRS Files.”
The outlet claimed it obtained a vast cache of information of “never-before-seen records” showing how billionaires like Jeff Bezos, Elon Musk and Warren Buffet paid little in income tax compared to their overall wealth.
IRS Commissioner Chuck Rettig told the government operations subcommittee of the House Oversight and Reform Committee last month that the Treasury Inspector General for Tax Administration has “sole jurisdiction” over the investigation of this incident.
“I share the concern here. The delay in getting answers for the public certainly impacts the ability of the public to have trust and respect for the Internal Revenue Service,” Rettig said during the April 21 hearing.
Treasury Secretary Janet Yellen told the Senate Banking, Housing and Urban Affairs Committee last week that the department’s own inspector’s general is reviewing its information security controls.
“We have done everything within our power to make sure that there is not inappropriate access to such data,” Yellen said in a May 10 hearing.
It is a crime for federal employees to willingly gain unauthorized access to tax returns or taxpayer information, or make an unauthorized disclosure of a taxpayer’s information or tax return.
While managers have some discretion in disciplinary action, IRS policy generally requires firing or suspending IRS employees that willfully gain access to unauthorized taxpayer information.
Criminal cases of unauthorized access are punishable by a fine of up to $1,000 and up to a year in jail, as well as termination from the agency. A criminal case of unauthorized disclosure is a felony and results in a maximum $5,000 fine and up to five years in jail.
The IRS is required to notify taxpayers that their information was accessed, if the agency proposed disciplinary action against an employee. Taxpayers can also seek damages through civil action.
If an IRS employee is found liable for disclosing tax information, the federal government may face damages of up to $1,000 per unauthorized access or disclosure.
TIGTA investigates cases of unauthorized access or disclosure of taxpayer information.
Once TIGTA starts an investigation, the IRS Human Capital Office reviews an employee’s misconduct history and forwards case evidence to the management of the IRS employee under investigation.
TIGTA receives tips from IRS employees and the IRS cybersecurity office. The agency’s cyber office flags potential cases of unauthorized access through the agency’s Security Audit and Analysis System, a centralized data repository that collects audit logs from various applications.
TIGTA also receives tips from other federal personnel and the public.
TIGTA has a dedicated team that conducts an in-depth analysis of employee access to taxpayer information. Their work includes analyzing IRS employee behavior to determine whether access was inadvertent or warrants further investigation.
Between 2012 and 2021, the Justice Department agreed to prosecute 35 of TIGTA’s more than 2,000 referrals for prosecution. Of those 35 cases, 24 of them resulted in guilty verdicts.
It took the IRS and TIGTA a combined average of 464 days to investigate unauthorized access cases. After receiving a report from TIGTA, the IRS generally took 211 days to close a case.
The IRS, since 2017, has not met its goal of investigating and closing unauthorized disclosure cases in 180 days.
IRS officials said the agency shut down a specialized unit that worked on unauthorized access cases between fiscal 2014 and 2015, and may have contributed to slower processing times.
After disbanding the team, the investigation workload went to employees in the agency’s Human Capital Office, who did not have expertise in investigating unauthorized disclosures.
IRS officials told GAO that by 2017, most of the remaining employees who did specialize in processing unauthorized disclosure cases had retired.
The IRS closed the fewest cases of unauthorized disclosure during fiscal 2020. Agency officials said the IRS imposed a moratorium on disciplinary actions in March 2020 because of the COVID-19 pandemic. The agency ended the moratorium on May 31 that same year.
More than of closed cases involved employees working in the Wage & Investment Division, and 30% of cases involved employees from the Small Business/Self-Employed Division.
IRS officials told GAO that more than 90% of users of systems used to process tax information work in either of those divisions.
Most unauthorized access cases involved non-management employees. Managers accounted for less than 10% of unauthorized access and 15% of unauthorized disclosures.
Employees appealed disciplinary action in at least 74 unauthorized access cases.
IRS employees accused of unauthorized disclosure or access can appeal disciplinary action through the agency’s Equal Employment Opportunity complaint process, arbitration or the Merit Systems Protection Board.
A collective bargaining agreement between the IRS and the National Treasury Employees Union requires the agency to notify employees facing disciplinary action of their appeal rights. IRS employees have 30 to 45 days to appeal the IRS’s final decision.
GAO said IRS employees can inadvertently gain unauthorized access to taxpayer information — for example, if an employee types the wrong Taxpayer Identification Number.
GAO’s review doesn’t look at unauthorized access from IRS Chief Counsel employees, which made up about 3% of the total workforce in 2021.
The report also doesn’t look into unauthorized access from IRS contractors or other federal, state and local government employees who may have access to sensitive taxpayer information. GAO is working on a separate report looking into unauthorized access cases from IRS contractors.
GAO said the IRS could issue a notice to employees to “be aware of their home surroundings,” while teleworking, to avoid inadvertent disclosures. That includes smart devices and built-in digital assistants.