What Is an IRS 1075 Audit and How Do You Prepare?

Learn how to align security practices with documentation to effectively prepare for and manage an IRS 1075 Safeguard Review for FTI compliance.

An IRS 1075 audit, formally known as a Safeguard Review, is an examination conducted by the IRS Office of Safeguards to verify that agencies receiving sensitive tax data are properly protecting it. This data, known as Federal Tax Information (FTI), includes any tax return or return information from the IRS or a secondary source. The review process ensures compliance with the security standards outlined in IRS Publication 1075.

Any government entity that handles FTI is subject to these audits, including state departments of revenue, child support enforcement agencies, and federal agencies like the Department of Education, as well as their contractors. The IRS mandates these protective measures under Internal Revenue Code Section 6103, making compliance a legal requirement for any agency to receive and use FTI.

Key Safeguard Requirements for Federal Tax Information

Secure Storage and Access Controls

Publication 1075 mandates stringent physical security for any area where FTI is stored or processed, including housing servers and paper documents in locked rooms or secure facilities. Access to these secured areas must be strictly controlled. This includes maintaining detailed visitor logs that document each person’s name, organization, entry and exit times, and purpose of visit.

Logical access controls for computer systems require every individual with access to FTI to have a unique user ID and password, prohibiting shared accounts. The principle of “least privilege” must be enforced, meaning users are granted only the minimum level of access necessary to perform their job duties. For electronic systems, agencies must also log and regularly review user activities, such as logging in, accessing FTI, and changing security settings.
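The log review the text calls for can be automated as a first pass before a human reviewer looks at exceptions. The script below is an added example, not code from the article or from IRS Publication 1075: the log format, user IDs, host names and action names are constructed for illustration, and `ACCESS_ROSTER` stands in for whatever authorization record an agency actually maintains. It checks each event against the roster (unknown accounts, actions beyond a user's least-privilege set) and flags one account logging in from two workstations in quick succession, which is the usual symptom of a shared credential.

```python
"""Review constructed FTI audit events against an access roster.

Added example, not from the article or Publication 1075. The log format
(timestamp|user_id|action|source_host), the roster, and the hosts are all
constructed; adapt parse_log() to the real system's audit record layout.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster: user ID -> actions that user is authorized to perform.
ACCESS_ROSTER = {
    "jsmith": {"login", "view_fti"},
    "adoe": {"login", "view_fti", "change_security_setting"},
    "helpdesk": {"login"},
}

# Constructed audit log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:12Z|jsmith|login|WS-101
2024-03-01T09:01:40Z|jsmith|view_fti|WS-101
2024-03-01T09:02:05Z|jsmith|login|WS-207
2024-03-01T09:15:33Z|helpdesk|view_fti|WS-310
2024-03-01T09:20:00Z|adoe|change_security_setting|WS-005
2024-03-01T09:25:00Z|tmp_user|view_fti|WS-400
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, host = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "host": host,
        })
    return events


def review_events(events, roster, session_window_minutes=60):
    """Return a list of (finding_type, user, action, host) tuples.

    finding types:
      unknown_account         - user ID not on the roster
      exceeds_privilege       - action outside the user's authorized set
      possible_shared_account - same ID logged in from two hosts within the window
    """
    findings = []
    logins = defaultdict(list)
    for e in events:
        allowed = roster.get(e["user"])
        if allowed is None:
            findings.append(("unknown_account", e["user"], e["action"], e["host"]))
            continue
        if e["action"] not in allowed:
            findings.append(("exceeds_privilege", e["user"], e["action"], e["host"]))
        if e["action"] == "login":
            logins[e["user"]].append(e)

    # One account logging in from two different workstations within the
    # window is the usual sign of a shared credential, which the unique-ID
    # requirement prohibits; a reviewer should confirm with the account owner.
    window = session_window_minutes * 60
    for user, evs in logins.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["host"] != b["host"] and (b["ts"] - a["ts"]).total_seconds() <= window:
                findings.append(("possible_shared_account", user, "login",
                                 f"{a['host']},{b['host']}"))
    return findings


if __name__ == "__main__":
    for finding in review_events(parse_log(SAMPLE_LOG), ACCESS_ROSTER):
        print(*finding, sep="\t")
```

Run against the constructed log it reports three exceptions: the `helpdesk` account viewing FTI it is not authorized for, `tmp_user` not appearing on the roster at all, and `jsmith` logging in from two workstations two minutes apart. The roster itself is the artifact an auditor will compare against the personnel-with-FTI-access list, so keeping it in a reviewable, version-controlled form is as important as the script.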

Data Handling and Media Protection

The rules for handling FTI extend to its movement and storage. When FTI is transmitted electronically over any network, it must be encrypted using validated cryptographic modules. For FTI stored on portable devices like laptops or removable media such as USB drives, the data must be encrypted at rest. Publication 1075 also provides specific guidance on the commingling of FTI with other data, often requiring separation to prevent unauthorized access.

Proper Disposal

When FTI is no longer needed, Publication 1075 specifies acceptable methods for its destruction to ensure it is irrecoverable. For paper documents, this means shredding using cross-cut shredders or pulverizing the material. Electronic FTI requires equally thorough destruction methods, such as degaussing magnetic media or using approved wiping software to overwrite the data multiple times.
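For electronic files, "overwrite the data multiple times" is straightforward to implement, but the medium decides whether it achieves anything. The routine below is an added example, not from the article or from Publication 1075; the function names, pass count and patterns are my own choices. It overwrites a file in place with alternating zero, one and random passes, forces each pass to disk with `fsync`, and only then unlinks it. The caveat a practitioner needs: this is only meaningful where writes land on the same physical blocks (traditional magnetic disks). On SSDs and flash media, wear levelling can leave earlier copies intact, so the device's own sanitize command, cryptographic erasure, or physical destruction is the appropriate method there.

```python
"""Multi-pass overwrite of a file before deletion.

Added example, not the article's or Publication 1075's own code. Function
names, pattern choices and the default pass count are assumptions made for
illustration. Only suitable for magnetic media; see the note above on SSDs.
"""
import os

# Pass patterns cycled in order; None means a pass of random bytes.
PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=3, chunk_size=64 * 1024):
    """Overwrite `path` in place `passes` times, syncing to disk after each.

    Returns the number of bytes overwritten per pass (the file's size).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            # Flush Python's buffer and ask the OS to commit the pass to disk
            # before starting the next one; otherwise passes can collapse
            # into a single write in the page cache.
            fh.flush()
            os.fsync(fh.fileno())
    return size


def sanitize_and_delete(path, passes=3):
    """Overwrite then unlink. Returns (bytes_overwritten_per_pass, passes)."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written, passes


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, sanitize_and_delete(target))
```

Run it as `python wipe.py /path/to/fti_export.csv` (the script name is a placeholder). Record the file path, size, pass count and the operator in the agency's destruction log, since the auditor will ask for evidence that disposal actually occurred, not only that a procedure exists.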

Security Training and Awareness

All personnel with access to FTI, including employees and contractors, must complete security awareness training annually. This training covers the policies and procedures for safeguarding FTI and ensures that staff understand their personal responsibility in protecting this data. This annual training must be documented for every individual, and auditors will check these records to verify completion.

Incident Response and Reporting

Agencies must have a formal, documented Incident Response Plan (IRP) that defines roles and responsibilities for handling a breach. The IRP must contain specific procedures for each phase of incident handling: preparation, detection, containment, and recovery. A component of the plan is the notification procedure, which must include contact information for internal stakeholders, the IRS Office of Safeguards, and the Treasury Inspector General for Tax Administration (TIGTA).

In the event of a suspected or confirmed loss, theft, or unauthorized disclosure of FTI, the agency must report it to the IRS Office of Safeguards and TIGTA within 24 hours of discovery.

Required Documentation and Reporting for Compliance

System Security Plan (SSP)

The System Security Plan is a comprehensive document detailing how an agency’s security controls and procedures meet Publication 1075 requirements. The SSP must describe the system’s operational environment, its purpose, and the types of FTI it processes. For every control, the plan must state whether it is in place and provide a detailed description of how it has been implemented.

Plan of Action & Milestones (POA&M)

The Plan of Action & Milestones is a management tool used to track and resolve security weaknesses. When an agency identifies a deficiency in its security controls, it must be documented in the POA&M. Each entry must include a description of the weakness, the specific control it relates to, a detailed plan for remediation, the individual or office responsible, and a target completion date.

Annual Reporting Requirements

Compliance with Publication 1075 involves ongoing reporting to the IRS Office of Safeguards. The primary report is the Safeguard Security Report (SSR), which must be submitted annually and gives the IRS an update on the agency’s FTI safeguarding program. The SSR details the agency’s current security posture, including any significant changes over the past year, and includes the updated POA&M.

Navigating the Safeguard Review

Audit Notification

The Safeguard Review process begins when the IRS Office of Safeguards issues a notification letter to the agency, typically several weeks or months in advance of the planned review. The letter confirms the agency’s selection and outlines the scope and objectives of the audit. Upon receipt, the agency should identify a primary point of contact to coordinate with the IRS auditors.

Pre-Audit Information Request

Shortly after the notification, the IRS audit team will send a detailed information request for the agency’s core compliance documents. The agency will be asked to submit its most current System Security Plan (SSP), Plan of Action & Milestones (POA&M), and Incident Response Plan (IRP). The request often includes network diagrams, lists of personnel with FTI access, and their annual security training records, which must be submitted by a specified deadline.

The On-Site Review

During the on-site review, auditors verify that documented controls are implemented and effective. Auditors will perform physical walkthroughs of facilities to inspect the security of areas where FTI is stored and processed. They will also conduct interviews with a selection of employees to confirm they have received security training and understand their responsibilities. The audit team will perform technical inspections of systems, reviewing server configurations, access control lists, and audit logs.

The Exit Conference

At the conclusion of the on-site fieldwork, the audit team holds an exit conference with agency management. During this meeting, the auditors present their preliminary findings and observations from the review. The exit conference is an opportunity for the agency to ask clarifying questions and provide additional context that may influence the final report.

Addressing Audit Findings and Corrective Actions

Receiving the Formal Report

Following the on-site review, the IRS Office of Safeguards will issue a formal Safeguard Review Report. This document provides the official results of the audit. The report will distinguish between recommendations for improvement and formal findings, which are specific instances of non-compliance that require mandatory action. Each formal finding will cite the specific requirement from Publication 1075 that the agency failed to meet.

Developing the Corrective Action Plan (CAP)

For every formal finding, the agency must develop a Corrective Action Plan (CAP). The CAP is a formal document that outlines the agency’s plan to resolve the identified deficiency. A comprehensive CAP must include:

  • A detailed description of the corrective action that will be taken.
  • The resources that will be allocated to the task.
  • The specific individual responsible for ensuring the action is completed.
  • A firm deadline for completion.

Submitting and Monitoring the CAP

The CAP must be submitted to the IRS Office of Safeguards for review and approval, typically within 30 to 45 days of receiving the formal report. Once the CAP is approved, the agency must provide regular status updates to the IRS, usually every 30, 60, or 90 days, detailing the progress made on each corrective action. This monitoring continues until all actions are completed, verified, and formally closed by the IRS Office of Safeguards.
