IRS subcontractors left sensitive paper documents exposed before destroying them

The Internal Revenue Service’s program for destroying sensitive paper documents needs to be improved after an inspector general’s report found its contractor was leaving many of the documents easily accessible from open containers and storage bins.

The Treasury Inspector General for Tax Administration released a report Thursday faulting the IRS’s sensitive document destruction program. TIGTA found during some of its site visits to IRS facilities that sensitive documents had been stored in open containers. During other site visits, TIGTA discovered bin disposal slots that had been altered or left in poor condition, allowing ready access to discarded sensitive documents. TIGTA evaluators found bins in which they were able to reach their hands through the bin disposal slot and easily retrieve discarded sensitive documents.

The inspection came after TIGTA’s Office of Inspections and Evaluations received a referral from its Office of Audit regarding concerns about the IRS’s sensitive document destruction program. The evaluation found that improved management oversight is necessary to ensure sensitive documents are properly safeguarded prior to destruction. 

The problems seem to be related to a change in contract terms. The IRS changed its billing criteria in its national contract for sensitive document destruction in fiscal year 2022. The national contract, which covers 387 IRS facilities across the country, went from weight-based billing to billing based on the number and type of bins. 

“When the IRS pays for actual sensitive document destruction services rendered, it is being good stewards of its operating budget,” said the report. “In addition, the proper collection and destruction of sensitive documents ensures the protection of tax information until it is destroyed. However, when billing concerns arise or when sensitive documents get exposed to unauthorized disclosure or access prior to destruction, the IRS could be paying for services not received or disclosure law fines. In addition, the IRS could face an erosion of the public trust, which could adversely affect voluntary compliance, the foundation of our nation’s tax system.”

The report comes at a critical time for the IRS, when it faces the prospect of a $20.2 billion cut in its enforcement funding from the Inflation Reduction Act because the continuing resolution that Congress passed last week to avoid a government shutdown repeated language from an earlier continuing resolution that had mandated a previous $20.2 billion cut. 

TIGTA noted that the IRS receives and creates a significant volume of sensitive documents and is responsible for protecting sensitive documents from receipt to disposal. It found the IRS has not established or communicated to personnel at its various facilities the standard operating procedures for sensitive document destruction to ensure uniformity and consistency. IRS officials did not know what specific sensitive document destruction procedures were used at 110 of its facilities. 

The IRS no longer performs on-site inspections at facilities where sensitive documents are brought for destruction to ensure proper disposal, the report noted. Instead it seems to leave the job to its contractor and subcontractors. The IRS contracts the job to a national vendor that relies on local subcontractors to complete the destruction of sensitive documents. 

But the IRS didn’t put in place appropriate processes and procedures to ensure billing with its main contractor was accurate. TIGTA’s review of invoices paid for October 2023 found charges for more bins than reported by the vendor as being retrieved for destruction. The IRS didn’t determine the optimal number, type or size of bins needed at its facilities. 

TIGTA made 12 recommendations in the report, suggesting the chief of facilities management and security services at the IRS should develop standard operating procedures for sensitive document safeguarding and destruction; immediately evaluate the 110 facilities to ensure sensitive document safeguards and destruction procedures are in place; replace bins that have been damaged and altered; perform annual inspections of all facilities used by subcontractors for sensitive document destruction; complete a cost-benefit analysis to ensure optimal bin size and number of bins at all facilities; and develop processes and procedures to ensure that the IRS is only paying for full bins serviced. IRS officials agreed with seven of TIGTA’s 12 recommendations and agreed in principle to the other five recommendations. 

The IRS’s most recent contract includes provisions requiring site inspections by a National Association for Information Destruction certified inspector, the IRS noted in response to the report. The IRS contract now requires for the first time that all vendors be NAID certified. 

“IRS staff who discard [sensitive but unclassified] materials with regular trash and recycling are violating long-established policies on which they were trained during orientation and about which they receive refresher training annually,” wrote Julia Caldwell, acting chief of facilities management and security services at the IRS, in response to the report.

The IRS agreed to establish a communication plan to provide more frequent periodic reminders to employees as well as put up posters on sensitive document destruction at all IRS locations. 

Caldwell noted that due to a change in industry standards from billing by weight to billing by bin, bin fill rate data are not required for contract performance, and contended that requiring the contractor to document bin fill rates for all bins serviced would not add value to the sensitive document destruction process. Her department does not have enough personnel to staff every IRS location, she pointed out, especially the smaller, remote locations, and it would be too costly to travel to those locations to verify service on the document bins.