Report: Risk assessments not completed at some IRS offices

According to a report issued in September by the Treasury Inspector General for Tax Administration, a recent audit brought about due to a number of threats against IRS offices and employees, found that the Internal Revenue Service did not complete risk assessments at 14 of its facilities in 2010.

The report also said that the IRS could not prove that risk assessments were completed at 49 facilities that fall under the purview of the Federal Protective Service. Although these 49 facilities, which include childcare centers, parking lots and garages, and storage units, are not occupied by IRS employees, they are either located within or adjacent to places that do.

Some completed risk assessments reportedly identified “numerous additional security countermeasures” that need to be implemented at IRS facilities, but some of these countermeasures were never implemented, according to the TIGTA.

“For example, the IRS did not implement blast mitigation countermeasures at approximately 191 facilities and has not added additional guards or other countermeasures at certain Taxpayer Assistance Centers,” the TIGTA report stated. The main reason cited by the IRS for failing to implement these measures was “resource constraints.”

To address these vulnerabilities, the TIGTA made seven recommendations to the IRS’ director of physical security and emergency preparedness. These include:

  • Develop a process to ensure that inventory records include all relevant information, such as the date facilities are open and closed as well as the dates risk assessments should be performed.
  • Work with the FPS to ensure that the IRS receives copies of FPS risk assessments performed at IRS facilities and a schedule of when the FPS plans to perform future risk assessments of IRS facilities.
  • Update the policies for the risk assessment program to distinguish which facilities, such as childcare centers, parking lots, and storage facilities, require an FPS risk assessment and which ones, such as IRS employee-occupied facilities, require a PSEP office risk assessment.
  • Follow the prioritization schedule developed by PSEP office management to implement the recommendations from the CY 2010 risk assessments and ensure that the most critical security vulnerabilities are addressed as funding becomes available.
  • Develop a process to ensure that required countermeasures are in place and functioning as required at all TACs.
  • Implement appropriate security protocols at the facility with the childcare center to ensure that all visitors entering the campus grounds and the building are screened according to ISC standards.
  • Ensure that risk assessment documents are retained long enough so they will be available when future risk assessments are conducted.

The report said the IRS agreed with each of these recommendations and that they either already have or are in the process of making the necessary corrections.