Lawmakers grill IRS on management, IT security

With current commissioner John Koskinen's term set to expire Nov. 12, lawmakers from both parties grilled the tax agency about its ability to manage sensitive taxpayer data.

At an Oct. 25 House Oversight and Government Reform joint subcommittee hearing, members from both sides expressed frustration with the IRS' repeated failure to implement oversight recommendations for workforce management, IT security and legacy systems, as well as its decision to award -- then suspend -- a bridge contract to Equifax after a breach exposed the personal data of more than 140 million Americans.

"I'm tired of excuses at this point," said Government Operations Subcommittee Chairman Mark Meadows (R-N.C.). "This is about management. This about the failure to put in safeguards to address things that are important to the American people."

Treasury Inspector General for Tax Administration J. Russell George noted that while the IRS has taken steps to update its systems, some of which are "three to four times older than industry standards," the tax agency continues to face "significant challenges in modernizing its legacy systems and hardware infrastructure."

He pointed to $12 million spent on new email systems for which software was never deployed and the ongoing Customer Account Data Engine 2 update -- the agency's planned replacement for its 50-plus year old source for individual taxpayer accounts, initiated in 2009 and has "no planned completion date."

By George's estimate, 64 percent of IRS IT systems entering fiscal year 2017 are "aged," and he's worried that "the risk of a catastrophic systems failure is increasing as our infrastructure continues to age."

IRS Deputy Commissioner for Operations Support Jeffrey Tribiano testified that an IT refresh is "a high priority," but that "we are challenged by our budget situation." He testified that a breach or system failure during filing season, when the IRS processes more than 200 million electronic tax returns, "could have a large effect on this economy and taxpayers."

Another area that Tribiano said has been tightened by budget constraints is the number of employees the agency can support to handle customer service, pointing to a fiscal year 2017 budget "about $900 million below what it was in 2010." He estimated that funding decline had led to cuts of at least 16,000 employees.

Lawmakers, however, complained that many IRS problems cannot be linked to budget woes, including the rehiring of terminated employees and the Equifax contract.

While IRS CIO Gina Garza testified that "no IRS data had been breached" in the Equifax breach, lawmakers from both sides of the aisle echoed the Government Accountability Office's ruling allowing the IRS to move forward with Experian, and criticized the sole-source contract extension.

George noted that the IRS is "taking quite seriously the issues we have uncovered," adding, "the IRS, if it had additional resources, could do more."

Tribiano said the IRS would implement TIGTA's recommendations by Oct. 31.