The Internal Revenue Service’s program for destroying sensitive paper documents needs to be improved after an inspector general’s report found its contractor was leaving many of the documents easily accessible from open containers and storage bins.

The Treasury Inspector General for Tax Administration released a report Thursday faulting the IRS’s sensitive document destruction program. TIGTA found during some of its site visits to IRS facilities that sensitive documents had been stored in open containers. During other site visits, TIGTA discovered bin disposal slots that had been altered or left in poor condition, allowing ready access to discarded sensitive documents. TIGTA evaluators found bins in which they were able to reach their hands through the bin disposal slot and easily retrieve discarded sensitive documents.

TIGTA

The inspection came after TIGTA’s Office of Inspections and Evaluations received a referral from its Office of Audit regarding concerns about the IRS’s sensitive document destruction program. The evaluation found that improved management oversight is necessary to ensure sensitive documents are properly safeguarded prior to destruction. 

The problems seem to be related to a change in contract terms. The IRS changed its billing criteria in its national contract for sensitive document destruction in fiscal year 2022. The national contract, which covers 387 IRS facilities across the country, went from weight-based billing to billing based on the number and type of bins. 

“When the IRS pays for actual sensitive document destruction services rendered, it is being good stewards of its operating budget,” said the report. “In addition, the proper collection and destruction of sensitive documents ensures the protection of tax information until it is destroyed. However, when billing concerns arise or when sensitive documents get exposed to unauthorized disclosure or access prior to destruction, the IRS could be paying for services not received or disclosure law fines. In addition, the IRS could face an erosion of the public trust, which could adversely affect voluntary compliance, the foundation of our nation’s tax system.”

The report comes at a critical time for the IRS, when it faces the prospect of a $20.2 billion cut in its enforcement funding from the Inflation Reduction Act because the continuing resolution that Congress passed last week to avoid a government shutdown repeated language from an earlier continuing resolution that had mandated a previous $20.2 billion cut. 

TIGTA noted that the IRS receives and creates a significant volume of sensitive documents and is responsible for protecting sensitive documents from receipt to disposal. It found the IRS has not established or communicated to personnel at its various facilities the standard operating procedures for sensitive document destruction to ensure uniformity and consistency. IRS officials did not know what specific sensitive document destruction procedures were used at 110 of its facilities. 

The IRS no longer performs on-site inspections at facilities where sensitive documents are brought for destruction to ensure proper disposal, the report noted. Instead it seems to leave the job to its contractor and subcontractors. The IRS contracts the job to a national vendor that relies on local subcontractors to complete the destruction of sensitive documents. 

But the IRS didn’t put in place appropriate processes and procedures to ensure billing with its main contractor was accurate. TIGTA’s review of invoices paid for October 2023 found charges for more bins than reported by the vendor as being retrieved for destruction. The IRS didn’t determine the optimal number, type or size of bins needed at its facilities. 

TIGTA made 12 recommendations in the report, suggesting the chief of facilities management and security services at the IRS should develop standard operating procedures for sensitive document safeguarding and destruction; immediately evaluate the 110 facilities to ensure sensitive document safeguards and destruction procedures are in place; replace bins that have been damaged and altered; perform annual inspections of all facilities used by subcontractors for sensitive document destruction; complete a cost-benefit analysis to ensure optimal bin size and number of bins at all facilities; and develop processes and procedures to ensure that the IRS is only paying for full bins serviced. IRS officials agreed with seven of TIGTA’s 12 recommendations and agreed in principle to the other five recommendations. 

The IRS’s most recent contract includes provisions requiring site inspections by a National Association for Information Destruction certified inspector, the IRS noted in response to the report. The IRS contract now requires for the first time that all vendors be NAID certified. 

“IRS staff who discard [sensitive but unclassified] materials with regular trash and recycling are violating long-established policies on which they were trained during orientation and about which they receive refresher training annually,” wrote Julia Caldwell, acting chief of facilities management and security services at the IRS, in response to the report.

The IRS agreed to establish a communication plan to provide more frequent periodic reminders to employees as well as put up posters on sensitive document destruction at all IRS locations. 

Caldwell noted that due to a change in industry standards from billing by weight to billing by bin, bin fill rate data are not required for contract performance, and contended that requiring the contractor to document bin fill rates for all bins serviced would not add value to the sensitive document destruction process. Her department does not have enough personnel to staff every IRS location, she pointed out, especially the smaller, remote locations, and it would be too costly to travel to those locations to verify service on the document bins.

The risks accountants face multiply and morph over time, and keeping up with them — and the insurance necessary to protect your firm from them — can be difficult.

For a look at some of the profession’s biggest risks, see our feature story, and our story on the best approach to buying appropriate coverage.

For a deeper dive on some other new and emerging risks, Stephen Vono, senior vice president at McGowanPro, put together a panel of experts to answer additional questions regarding the current liability scene for accountants. In addition to Vono, the team consists of Gary Sutherland, a head underwriter at McGowanPro, Anthony Carolei, the risk manager for Hanover Insurance, and attorney Ralph Picardi, a defense attorney for accounting firms with Picardi LLC.

The team highlighted a number of areas of risk:

Today’s market for professional liability insurance is similar to markets in other industries in that it reflects the changes that the profession is undergoing. As the profession evolves, so does the market. 

“As the CPA profession evolves and new services are offered, it makes for different risks,” explained Candace Coach, small firms sales manager at Aon, the manager for the AICPA Professional Liability Insurance program. 

Among the factors to consider when shopping for a policy, she advises the prospective purchaser to consider whether the insurance carrier has the financial stability to take on the risk. 

thodonal – stock.adobe.com

“For some carriers, the risk is too large, leading them to exit the market,” she said. “For example, we haven’t seen any claims yet for the beneficial ownership filing requirements, but it could result in large claims down the road. We are one of the only carriers that offer coverage for this; however some CPA firms will go ahead and offer these services and assume they are covered.” 

Coach anticipates that claims will be coming in as a result of firms offering services for BOI filing. 

“We don’t know what the claims will look like, but there are specific guidelines that have to be followed, which could result in exorbitant fines assessed against the filer. Clients will be looking to the CPA to pick up the fee or the fine. As far as the market is concerned, some carriers will feel as though it is best for them to non-renew certain policies, and exit the market altogether and downsize to less risky professional services.”

Prospective buyers should look for “premium modifiers” that can lower the cost of a policy. These include claims-free history, continuing education, and various types of “best practices.”

The liability market is softening up a little, according to Stephen Vono, senior vice president at McGowanPro. 

“It’s still somewhat of a hard market in large metropolitan areas,” he said. “A hard market is when there is a lot of claim activity and premiums go up. In a soft market there is less claim activity and premiums go down. It depends on the kind of services that are offered. Cyber is a little on the hard side, but it is beginning to see some softening because insurers have become better at underwriting guidelines in the last few years.”

“You should look for a carrier with an AM Best rating of ‘A’ or better,” said John Raspante, CPA, senior risk manager at McGowanPro. “It’s also best to get a carrier that has been in the space for at least five years. If they’re in it for five years or more, they’re familiar with the types of claims, policy limits, and other factors that might affect the decision.”

“In pricing a policy, they look at a number of factors,” he explained. “These include total revenue, loss history, number of staff, and areas of practice. Always look at ‘outside the policy’ options. If you have a million-dollar policy, legal expenses can exceed that very quickly, so it might be a good idea to get an extra million  just for legal and defense costs. A traditional policy is inside the limit. If you have a $1 million policy, $250,000 in legal fees will reduce the limit to $750,000. So I recommend an outside-the-limit policy to cover legal and defense expenses, to preserve the underlying $1 million. It does cost more, but I recommend a buyer to go for the outside-the-limit addition if the difference in premium is not significant.” 

Although it may not be particularly entertaining, it is important to actually read the policy, Raspante urged. 

“You need to read the policy, especially the endorsements,” he said. “They either weaken or toughen the policy. If it says that in addition to the underlying coverage it will also apply to employment practice, that increases the insurer’s exposure. It may throw in a sublimit for nonprofessional liability exposure that doesn’t cover the full limit — that’s why you need to read the whole policy. When you get close to the end it looks like a lot of legalese, but you have to read the entire document. For example, on the last page there might be a service exclusion for international work, which means that anything outside the U.S. is not covered.”

The panel of experts put together by McGowanPro’s Vono, which includes underwriter Gary Sutherland, Anthony Carolei, the risk manager for Hanover Insurance, and CPA defense attorney Ralph Picardi, recommends the following factors to consider when assessing liability policies:

• Make sure the professional services definition is as broad as possible.
• Does the broker or insurance company understand what you do?
• Consider if your limits are sufficient, as legal defense costs are going up.
• Is your deductible appropriate? If you have a large deductible, will you struggle to pay that deductible in the event of a claim?
• Does the broker or insurance company provide supportive risk management services and education? 
• Do not rely on your professional liability insurance policy to be the coverage for all your exposure. There are exposures that are better covered on a separate standalone insurance policy.  Separate directors & officers liability insurance and separate cyber liability, employment practices liability, commercial crime, and fiduciary liability policies should be considered to cover all exposures for your firm.