IRS employees ineffectively redacted taxpayer information, including Social Security numbers, attached to accepted offers in compromise, which by law the public may review for one year, the Treasury Inspector General for Tax Administration said in an audit released April 12.
During the audit, conducted from July to December 2015, the IRS suspended access to OIC public inspection files at 10 facilities across the United States, pending full redaction of filers' personal information, TIGTA said in the report, dated March 28. The IRS Small Business/Self-Employed Division updated its OIC inspection procedures in November 2015.
TIGTA said its review of a representative sample of 300 OIC files found seven instances of redaction errors, or just more than 2.3 percent, in which SSNs or employer identification numbers were visible. This would equate to 654 improperly redacted files out of 28,028 generated between August 1, 2014, and July 31, 2015, TIGTA said.
While conducting its audit, TIGTA said, it identified and documented more than 300 additional instances of visible SSNs or EINs.
The IRS Office of Privacy, Governmental Liaison, and Disclosure (PGLD) determined that filers whose information had been potentially exposed do not need to be notified, TIGTA said.
Reproductions by TIGTA of improperly redacted documents show myriad errors. One example shows a simple lack of redaction, while another shows an SSN written in pen immediately below a redaction. SSNs also remained visible after being drawn over by an opaque marker or a few horizontal lines from what appeared to be a ballpoint pen.
TIGTA said PGLD identified and reported concerns with OIC public inspection files "at least as far back as July 2010," and an October 2015 PGLD report found redaction errors in some 29 percent of cases, although those errors were more broadly defined than in TIGTA's review, including exposed mailing addresses.
The IRS "did not adequately protect sensitive taxpayer information, even after it was brought to the attention of management during internal reviews," TIGTA said.
TIGTA said the public viewing sites lack, and are not required to keep, records of who or how many people accessed the documents. Based on anecdotal reports from site employees, and a lack of recorded visitors during the July-December audit period, TIGTA assessed as low the risk that taxpayer data had actually been compromised, but it did not draw any conclusion.
"Because there were no internal controls at the public inspection sites, we could not determine the extent of potential unauthorized disclosures or identity theft that may have occurred," TIGTA said.
The hard copy files must be held for one year, after which they are destroyed, TIGTA said.
The redaction process varied widely among the 10 sites, with some only cursorily reviewing documents they received with redaction errors while others were more diligent, TIGTA said.
In its official response to a preliminary version of the report, submitted after public access had been suspended, the IRS said that "given the rarity of public viewing requests . . . the risk of exposure is minimal." The IRS also outlined options it was considering for improving the redaction process, including potentially eliminating the requirement to include tax transcripts.
"We believe that the IRS needs to be committed to safeguarding the identity of all taxpayers in administering all of its programs, whether large or small, high-profile or little known," TIGTA commented. "Identity theft continues to be a serious and evolving issue which has a significant impact on tax administration."
OICs, submitted via Form 656, "Offer in Compromise," sometimes with a fee, are agreements between a filer and the IRS to settle an outstanding tax liability for less than its full value, on grounds such as the filer's inability to pay or verifiable doubt on the amount owed. TIGTA said the IRS accepted about 40 percent of OIC applications it received in fiscal 2014.
TIGTA traced the public review program to the early 1950s: After an IRS employee was indicted for accepting bribes from taxpayers seeking OICs, a congressional investigation found that the IRS had accepted lenient settlements with "racketeers and politically connected individuals." Then-President Harry Truman issued an executive order directing the IRS to open accepted OICs to public inspection, TIGTA said.
An OIC public inspection file should include two items: a redacted copy of the Form 7249, "Offer Acceptance Report," and a "sanitized account transcript," TIGTA said. Individuals must call the IRS in advance and request an appointment to view the files.
TIGTA said its report did not include recommendations because the IRS had responded to the issues it uncovered. However, TIGTA added that it would issue a second report -- focused on the files' completeness, the public review program's administrative costs, and potential cost savings -- which it expects will include recommendations.
Follow Luca Gattoni-Celli (@TheGattoniCelli) on Twitter for real-time updates.