January 9, 2002
Via Regular Mail and Facsimile: (202) 927-7323
Mr. David C. Williams
Inspector General for Tax Administration
1125 15th Street, NW
Room 700A
Washington, D.C. 20005
Dear Inspector General Williams:
As Ranking Member of the Senate Committee on Finance (Committee), I continue to share your commitment to overseeing the Internal Revenue Service (IRS) to ensure that it effectively performs its mission while protecting the integrity of its inventory. This letter responds to information reported by the Inspector General for Tax Administration (TIGTA) upon my request relating to IRS inventory controls over computers, firearms, and other sensitive items that, if lost or stolen, might compromise the public's safety, national security, or ongoing investigations. See "Management Advisory Report: Review of Lost or Stolen Sensitive Items of Inventory at the Internal Revenue Service, November 2001 (Reference No.: 2002-10-030)." As you are aware, I have similarly asked the Inspector General of the Department of the Treasury (Treasury IG) to assess that Department's inventory practices. The Treasury IG's initial, unaudited response identifies the loss or theft of approximately 80 weapons and 1,300 computers. I expect the final audit report to be issued in the Spring of 2002.
TIGTA states that for the past three years, IRS reported 2,332 missing computers, six lost or stolen firearms, and "502 other investigative items that were lost or stolen" to include 50 communications devices, 40 identification badges, and 15 electronic surveillance devices that could compromise the public's safety or ongoing investigations. These numbers do not account for any losses pertaining to the events of September 11, 2001, and for IRS offices that did not provide complete information on the number of lost or stolen firearms and sensitive investigative items of inventory.
I am very concerned about the high number of missing IRS items, particularly those that may potentially compromise public safety or law enforcement. I also continue to be concerned that unauthorized users may be able to access information on missing computers, despite the security controls that should function in theory. This concern is heightened given that lost or stolen IRS computers may contain confidential taxpayer information. Our law provides that taxpayer returns and return information are confidential and may not be accessed or disclosed except as authorized by the Internal Revenue Code Section 6103. Civil actions for damages are permitted against the government and criminal sanctions may be imposed upon intentional violators.
Given the limited scope of my initial inquiry, TIGTA could not provide a precise figure on how many missing IRS computers might have had taxpayer information on the hard drives. IRS may have that information on the individual Reports of Survey (Forms 1933) that should be prepared whenever a computer is lost or stolen. However, TIGTA did obtain four Forms 1933, one of which indicated that there were computer files on the stolen computer related to taxpayer examinations, and those files were encrypted. Here, I question the sufficiency of IRS' computer encryption to protect confidential taxpayer information.
Given the importance of protecting taxpayer information from unauthorized disclosure and to protect the taxpayers' money, I appreciate your continuing your assessment of IRS inventory to include the following:
1.Identify the approximate value at the time of the loss, using an appropriate valuation method, for a representative sample of items from the reported 2,332 missing computers. Also, identify whether the missing computers were lost, stolen, or destroyed, where possible.
2.Identify the approximate value at the time of the loss, using an appropriatvaluation method, for the six lost or stolen firearms, and the 50 communications devices, 40 identification badges, and 15 electronic surveillance devices that were missing. Also, identify whether these investigative items were lost, stolen, or destroyed, where possible.
3.For the items in 1 and 2 above, identify the types of disciplinary actions, if any, taken against employees found to be responsible for the loss or theft. Specifically, I ask that you provide me what follow-up there has been on lost or stolen computers and to what extent IRS employees have reimbursed the government for missing computers. Also, please identify how many of the missing computers were the responsibility of a senior manager and what discipline action was taken against them. Finally, please identify if any individual has missing more than one computer, and what, if any, disciplinary action was taken against that individual.
4.For the missing computers in the sample, determine where possible how many computers contained confidential taxpayer information.
5.Assess the sufficiency of IRS encryption practices of taxpayer data maintained on desktop and laptop computers to prevent the unauthorized disclosure of such data if the computer was lost or stolen.
6.Provide to this Committee copies of Forms 1933 and related documents received from IRS and reviewed during your assessment. Also, please identify the responsible managers who failed to properly file a Form 1933 for a missing computer(s).
I appreciate receiving TIGTA's written response to this request by February 25, 2002.
Sincerely,
Charles E. Grassley
Ranking Member
CC Via Telefax (202) 622-5756:
The Honorable Charles O. Rossotti, Commissioner, Internal Revenue Service
Senator Grassley
Questions for Edward Kingman Jr.
Nominee, Assistant Secretary of Treasury for Management and Chief
Financial Officer (CFO), Department of Treasury
Please find attached a letter I sent to the Director of the Office of Management and Budget (OMB) regarding 2,300 missing computers at the Internal Revenue Service (IRS). Of note, the Treasury IG has found an additional 1,300 missing computers at the Department of Treasury (not including IRS).
1. The General Accounting Office (GAO) reported recently that serious weaknesses in the inventory control systems continue to prevent the IRS from having equipment information available for management purposes, and from having reasonable assurance that the assets are properly safeguarded.
Do you believe this is a serious matter and what steps do you intend to take to remedy this matter?
2. The IRS has reported a material weakness in inventory controls every year since 1983.
Is this acceptable and at what month and year can we expect this to no longer be a material weakness? Is there currently a person(s) who will be accountable if there continues to be a material weakness? If there is not presently a person accountable, will you designate someone to be accountable?
3. In what situations should an employee or manager be required to reimburse the federal government for a missing computer? Of the 2,300 missing computers, how many has the federal government received and/or sought reimbursement?
4. Do you have sufficient authority to remedy this matter at the IRS? If not, what additional authority do you require?
5. Please provide any additional comments you believe are appropriate in response to the letter to Mr. Daniels.