FAQ > Federal Tax Information Safeguards Program FAQs

Frequently Asked Questions

Questions

Answers

What is the Federal Tax Information Safeguards Program (FTISP)?
The Ohio Attorney General’s Office has been designated by the IRS as a taxing administration agency under 26 USC § 6103(d). As a result of this designation, we must ensure that the AGO safeguards the confidentiality of the federal tax information (“FTI”) it receives as if the information was still in the hands of the IRS. To achieve this mandate, the AGO is in the process of attaining compliance with IRS Publication 1075 entitled Tax Information Security Guidelines for Federal, State and Local Agencies. The publication can be found at www.irs.gov/pub/irs-pdf/p1075.pdf. Contractors of the AGO whose work will involve disclosing FTI in performing their duties are also required to be compliant with Publication 1075. This includes Special Counsel and Third Party Vendors who will or may come into contact with FTI as a part of their contracted services with the AGO.
 
FTISP is a framework developed by the AGO and designed to maintain compliance within the organization and with our business partners. There are reporting, inspection, training, screening, and logging requirements.  Additional and complete details are available in the FTISP Informational Packet.


Who is required to participate in FTISP?
Any contractor/vendor doing business with the office of the Ohio Attorney General :

• who as a part of their contracted duties will or may come into contact with FTI; and/or
• who will be less than the mandatory two barriers of protection as defined within the IRS’s Publication 1075 from FTI.

What does the reporting time line look like for FTISP?
There are several reports that you will generate and submit to the Office of the Ohio Attorney General: Linked to IA FTIS Compliance Cycle doc.
 
Ohio SPR (Ohio Safeguard Procedures Report) - This is the initial filing with the OAG to become a contractor that handles FTI.  Additionally, this report must be filed every six years or in anticipation of a significant change in the environment within your organization. Examples would be change of IT director, relocation of servers or office space, change of executive management, etc.  If you are unclear about when a new SPR is required email inquiries about your change to OhioFedTaxInfoSecAudit@OhioAttorneyGeneral.gov.
 
Ohio SAR (Ohio Safeguard Activities Report)- This annual filing will be due as part of your RFQ filing to show continued efforts to become compliant. Requests for clarification will be sent as needed and must be replied to within sixty days of receipt.
 
Ohio CAP  (Corrective Action Plan) - This report will be provided to your organization from the Internal Audit section of the Ohio Attorney General’s office; you will be required to file updates to the findings in this report every six months.  This report will be provided after your Onsite Inspection.
 
Internal Inspection Plan – This is a document your organization should develop detailing how you plan to inspect your internal controls to safeguard the FTI provided to you by the AGO. Inspections should be conducted on an annual basis and will be part of your Ohio SAR filing.
 
Ohio Plan of Action & Milestones (Ohio PoA&M) - This is an internal document that will be subject to inspection during your on site visit.  This should detail the source of a deficiency, when it was discovered, who reported it, plan to remediate, when remediation was completed, when and who validated the new control in place.


I read that one of the requirements under FTISP is an inspection of my business, what should I expect?
Routine inspections will occur every 18 months for some contractor/vendors and every 36 months for others. 

• You will be contacted by the Ohio Attorney General’s Office Internal Audit Section prior to a routine inspection by both phone, and email.
• After the initial contact we will establish an entrance conference, during which the scope, expectation, and schedule of the inspection will be defined.
• The nature of the work your organization performs for the AGO will determine the length of the inspections.  Normal situations will range from a few hours to two days. 
• Once the site visit is completed, we will return to prepare our report.
• You will receive immediate notification if there are any critical deficiencies uncovered during the inspection. Otherwise, a draft report will be sent for your review.
• Finally, the report will be issued with findings and recommendations; a follow up may be scheduled as needed.

What is subject to inspection?
Any and all aspects of your organization are subject to inspection for additional guidance see the following documents that will help you to understand the scope of the inspection, ultimately the Auditor will decide what controls need to be tested:
 

• IRS Publication 1075
• IRS Safeguards Homepage
• SCSEMS

How can I best prepare for an inspection under FTISP?
Your organization should prepare in the following manner:

• Prepare key staff members and ensure they are available to assist during the inspection as scheduled.
• Ensure records, logs, systems etc. are all available for quick simple access.
• Centrally locate policies, logs, contracts etc. in electronic form.
• Ensure your risk assessment and vulnerability testing is current.
• Review your Ohio CAP and Ohio PoA&M, be able to discuss the deficiencies you have found and how you are working toward compliance.

 


If I have questions regarding FTISP, how do I get them addressed?
Email your questions to OhioFedTaxInfoSecAudit@OhioAttorneyGeneral.gov.

How should I expect my questions to be answered regarding FTISP?
If your question is regarding the general process, your answer will be posted in this FAQ for the general good, and you will be notified via email.  Specific or sensitive matters will be responded to via email or a phone call to the appropriate party.

How long should I expect to wait for an answer to my questions?
The length of time may vary based on the nature and depth of the question, however you should be acknowledged within two business days.

What do you estimate will be the required financial impact on each agency to comply with this 1075 rule?
The required financial impact will vary greatly depending on the agency’s current state of compliance, size, number of contractors involved with FTI, whether the agency is solely dedicated to collecting for the OAG or has other functions in house, and how your agency implements measures to attain compliance. The OAG cannot provide an estimated cost for any agency. Internal Audit can provide some limited guidance on correcting any deficiency in compliance; however, we cannot recommend particular vendors, software, etc.


Will there be any resources made available to Special Counsel by the AG’s office for testing, legal procedures, questions etc. when dealing with IRS 1075? (Hotline, point person) ?
Internal audit will provide a number of resources to your agency and others as we work to attain and maintain compliance. However, these do not include legal assistance.

• www.OhioAttorneyGeneral.gov/FTISP is a site dedicated to the compliance process
• OhioFedTaxInfoSecAudit@OhioAttorneyGeneral.gov is a dedicated email box
• 614-466-2999 is the office number for the OAG IT Internal Auditor and lead auditor for compliance measures.  Calls are responded to as they come in and during the hours of 8-5 on business days
• We host events to answer questions about FTISP and the compliance process regarding IRS Publication 1075
• Internal Audit is planning onsite inspections of each Special Counsel and Third Party Vendor to validate controls and provide additional feedback