A Q&A with Christopher Watson
The IRS Safeguards Program was designed to ensure that federal, state and local agencies properly protect federal tax information, and the requirements cover computer security, among other things. I spoke with Christopher Watson, senior manager of internal audit and risk advisory services at Schneider Downs & Co. in Columbus, OH, to find out more about the Program and what it entails.
What is the IRS Safeguards Program?
It’s a set of requirements created to ensure that local, state and federal governments and any sub-processors or vendors are appropriately securing federal tax information and records. It’s been in effect since the early 2000s, but there have been revisions along the way.
Who must comply with these requirements?
It applies to any government agency dealing with tax information and anyone to whom they might outsource their collections or operations. Who’s involved can also change depending on governments and politics—for instance, in Ohio, we’ve seen some administrations prefer to use more outsourcing than others. Wherever there’s more outsourcing, the IRS will take a harder look, because there’s additional risk. There’s no distinction between local, state, or federal agencies—they are all required to fill out an initial document and then update that every year to demonstrate their compliance.
What controls are covered?
The controls are around the custodianship and security, both physical and logical, of the information. There are a couple hundred specific controls included but the biggest ones are around the protections of records and destruction of information that the agency no longer needs. Another big area is making sure that sensitive or confidential information is not communicated to outside parties, and that it’s stored securely while at rest.
What if I am a vendor or contractor receiving federal tax information from or on behalf of government agencies?
Smaller contractors typically have less sophisticated resources and fewer internal staff, so they often need more assistance and outside expertise in this area. It’s important to take a proactive approach to make sure the information is protected. For one thing, I recommend that contractors don’t use any paper files—if they are accessing information electronically, there’s no reason to print it out and create a paper record.
What are you seeing in terms of penalties for noncompliance?
It’s different from IRS audits, because there are not necessarily financial penalties in these cases, but if the IRS goes through several audits with a contractor or agency and they are not taking the compliance seriously, then the IRS can cut off access to the information, and that will certainly create problems for that entity. The IRS will make themselves available to anyone who wants more information on improving their security. We also offer consulting services here in Ohio, and help agencies do a gap assessment and create tailored remediation plans or policies.
Mr. Watson draws attention to yet another federal government mandate requiring prudent security practices—in this case, securing federal tax information whether it’s digital or on paper. Given that tax time is right around the corner this topic is especially relevant for any business that supports local, state and federal agencies with the processing of IRS governed tax records. Even Al Capone learned not to mess with the IRS!