IRS, GAO at odds over cybersecurity requirements on tax preparers

IRS says it needs congressional action. The GAO disagrees.
The Internal Revenue Service hasn’t put in place a structure to issue cybersecurity dictates to paid tax preparers because it doesn’t believe it has the authority to do so — but the Government Accountability Office begs to differ.

The government watchdog recommended the IRS establish a security structure in a 2019 report, but the agency contended Congress would need to take action to give the IRS more power. As of January of this year, the IRS still believes it needs statutory authority, the GAO said in a report released Monday. The GAO’s suggestion is that the IRS should create a governance structure or steering committee “to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers.”

Hackers have targeted tax preparation companies for years in identity theft and tax return theft schemes, as the IRS itself has repeatedly warned. In one recent case, a U.S. court sentenced a Russian man to five years in prison for a scheme in which he used malware against American tax preparers to steal $1.5 million. More recently, Intuit, which makes the TurboTax software, revealed it had been breached, in what is the latest evidence of scammers’ ongoing interest in financial data.

“Without this structure, it is unclear how IRS will adapt to changing security threats in the future and ensure those threats are mitigated,” the GAO wrote.


As ransomware attacks have recently hit industries that tangibly harm consumers — especially incidents at Colonial Pipeline and the meat supplier JBS — Congress and the Biden administration have sounded increasingly open to regulating cybersecurity. The dispute between the GAO and IRS might prove one avenue for them to act.

In January, the IRS cited “the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file returns,” according to the GAO. And the GAO said that the IRS agrees with the original 2019 recommendation.

The IRS allowed that implementing the recommendation might be possible without congressional action, but “without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources,” wrote Kirsten Wielobob, the then-deputy commissioner for services and enforcement.

The GAO still disagrees with the IRS conclusion.

“As we reported, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination,” the watchdog said. “These activities include updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.”

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he's covered cybersecurity since 2003.
