Blog
April 21, 2026
Be Ready for Your Next FTI Audit: Manage & Mask Your Sensitive Data
Data Management,
Security & Compliance
FTI audits are designed to ensure sensitive tax data is properly protected. But in modern enterprises, they’re about much more than passing inspections. Today, you need to manage FTI securely while still enabling fast, reliable access to data across DevOps, analytics, and increasingly, AI workflows. Treating FTI audits as part of a broader data strategy helps teams reduce risk without slowing innovation or creating bottlenecks.
Based on my experience, companies do not struggle with why they need FTI; they struggle with controlling its exposure across systems, teams, and environments. The key is aligning data privacy controls to the specific use case, not applying a one‑size‑fits‑all approach.
What is FTI?
Federal tax information (FTI) is one of the notable categories of sensitive data held by organizations. From human resources to government entities, many organizations need FTI for their everyday operations and tasks.
FTI includes (but is not limited to):
- A taxpayer’s identity
- The nature, source, or amount of income
- Payments
- Deductions
- Exemptions
- Credits
- Assets
- Liabilities
- Net worth
- Tax liability
- Tax withheld
Certain industries and companies — including government programs with greater regulatory scrutiny — have higher risk profiles and must act accordingly.
FTI audits play a vital role in ensuring this sensitive information is properly protected. They help manage data privacy risk, identify exposure, and reinforce compliance with mandates (including the Publication 1075 requirements on timely incident reporting).
Who Uses Federal Tax Information?
There are a variety of companies and industries that need FTI for the following use cases:
- Payroll & Employee Compensation: Employers, payroll processors, and HR systems use FTI for withholding and remitting federal income tax, calculating and reporting W‑2 wages and FICA (Social Security and Medicare) taxes, and verifying employee tax status (e.g., exemptions).
- Tax Filing & Regulatory Compliance: Finance and tax teams and external CPAs need access to FTI to prepare and file corporate tax returns (Forms 1120, 1065) and information returns (1099s, 1095s), respond to IRS audits or inquiries, and meet federal reporting requirements.
- Benefits Administration: HR and benefits vendors leverage FTI to determine eligibility for health insurance subsidies, retirement contributions, and ACA reporting and compliance.
- Financial Reporting & Planning: Finance, financial planning and analysis, and accounting teams use FTI for tax provisioning, deferred tax calculations, forecasting tax liabilities, cash flow, and effective tax rate planning.
- Credit, Lending & Risk Assessment: If individuals consent to their FTI being used, banks, lenders, and fintechs verify income via tax returns, assess creditworthiness or repayment capacity, and prevent fraud.
- Government Programs & Contracts: Grant administrators and government contractors use FTI to determine eligibility for federal grants, subsidies, relief programs, and compliance with federal funding requirements.
- Legal & Audit Purposes: Legal teams and auditors need FTI for litigation, investigations, internal and external audits, and compliance with court or regulatory orders.
In practice, FTI audits are most common for payroll and HR providers, government contractors, financial institutions, large enterprises with in-house tax systems, and SaaS platforms that handle tax-related data. Even so, every organization that holds personally identifiable information (tax information included) should audit how that data is protected.
REPORT
How Do 280 of Your Peers Maintain Compliance in Non-Prod?
In the 2025 State of Data Compliance and Security Report, we found that all surveyed organizations (100%) have data in non-production that is subject to privacy regulations, and 95% report storing more sensitive data in non-production environments than they did the previous year.
Protecting sensitive data for non-production environments is easier than you think. Learn how your peers are using static data masking to meet regulatory requirements without slowing innovation.
What Does an FTI Audit Entail?
An FTI audit can be either “proactive” or “reactive,” as the IRS explains in Publication 1075. Reactive auditing takes place after an exposure or breach has occurred and is required by Publication 1075. Proactive auditing happens before any exposure, so that an agency can identify and respond to unauthorized FTI access in a timely and efficient way; it is not yet mandated, but may become a requirement later.
Auditing includes reviewing audit logs and pinpointing any serious security events — which should be done weekly as mandated by Section 4.3. Every industry and organization’s audit will look a little different, but FTI processing environments will get assessed to check that you have the necessary physical access controls as well as protocols for data retention and disposal. Organizations should contain FTI in a controlled, limited-access environment to best protect it.
I once worked with an organization where sensitive data (including federal tax information) was tightly secured in production. However, they treated non‑production environments as lower risk. The organization frequently refreshed databases to support payroll testing, reporting validation, and downstream analytics. While security policies existed, enforcement relied largely on periodic reviews and trust.
During a routine internal assessment, the team discovered that a recent refresh had propagated unmasked tax data into a QA environment accessible by a broader group, including external contractors. The issue had not triggered any alerts and would likely have gone unnoticed until a formal audit.
Rather than waiting for an audit finding or breach, the organization used this discovery as an opportunity to strengthen its security posture. They implemented Perforce Delphix as a single, secure platform, enforcing automated data masking on every non‑production refresh.
With Delphix masking in place, sensitive tax fields became irreversibly masked before data reached QA, UAT, or vendor environments — without disrupting application functionality or testing timelines.
The result was twofold: The company eliminated a major exposure risk and, just as importantly, identified and closed a systemic weakness in how data was handled outside production.
Watch how Delphix conducts its sensitive data discovery in this demo from my colleague Felipe Casali:
Best Practices for a Successful FTI Audit
In alignment with regulatory and data privacy standards, organizations should maintain these best practices:
Limit Access to the Real Information
As mentioned, FTI audits include an assessment of the environment where you hold FTI. The IRS recommends access controls that restrict how often information is accessed and at what time of day, and that flag needless name searches on cases the employee is not assigned to.
You can help mitigate FTI risk with:
- Dedicated jobs monitoring.
- Tag-enabled role-based access control.
- Sensitive data discovery heatmap.
- Centralized visibility and control of sensitive data and compliance traceability.
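The weekly log review described above (and the access patterns the IRS calls out: access volume, time of day, and name searches on unassigned cases) can be expressed as a small set of detection rules. The following is an added example, not code from this post or from Delphix; the log format, the business-hours window, the per-user access ceiling, the case assignments and the log lines themselves are all constructed for illustration.

```python
"""Weekly FTI access-log review: flag the access patterns a Publication 1075
style audit is meant to catch. The log format, thresholds, assignments and
log lines below are constructed for this example, not taken from any real
system."""
from collections import Counter
from datetime import datetime, time
import json

# Hours during which FTI access is expected (assumption for the example).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
# Per-user access ceiling for one review window (assumption for the example).
MAX_ACCESSES_PER_USER = 3

# Which cases each employee is assigned to (constructed).
ASSIGNMENTS = {
    "jdoe": {"CASE-1001", "CASE-1002"},
    "asmith": {"CASE-2001"},
}

# Constructed application audit log: one JSON object per line.
LOG_LINES = """
{"ts": "2026-04-13T09:12:04", "user": "jdoe", "action": "VIEW", "case": "CASE-1001"}
{"ts": "2026-04-13T09:15:30", "user": "jdoe", "action": "VIEW", "case": "CASE-1002"}
{"ts": "2026-04-13T23:41:10", "user": "jdoe", "action": "VIEW", "case": "CASE-1001"}
{"ts": "2026-04-14T10:02:55", "user": "asmith", "action": "NAME_SEARCH", "case": "CASE-1001"}
{"ts": "2026-04-14T10:03:12", "user": "asmith", "action": "VIEW", "case": "CASE-2001"}
{"ts": "2026-04-14T10:04:40", "user": "asmith", "action": "VIEW", "case": "CASE-2001"}
{"ts": "2026-04-14T10:05:01", "user": "asmith", "action": "VIEW", "case": "CASE-2001"}
{"ts": "2026-04-15T08:30:00", "user": "rghost", "action": "VIEW", "case": "CASE-1002"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON log lines into dicts with a datetime timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def review_access_log(lines, assignments=ASSIGNMENTS):
    """Return (rule, user, detail) findings for the review window."""
    events = parse_events(lines)
    findings = []
    per_user = Counter()
    for ev in events:
        user, case = ev["user"], ev["case"]
        per_user[user] += 1
        # Rule 1: FTI touched outside business hours.
        if not (BUSINESS_START <= ev["ts"].time() <= BUSINESS_END):
            findings.append(("after_hours", user,
                             f"{ev['ts'].isoformat()} {ev['action']} {case}"))
        # Rule 2: access to, or a name search on, a case the user is not
        # assigned to. An unknown user has no assignments, so every one of
        # their accesses is flagged.
        if case not in assignments.get(user, set()):
            findings.append(("unassigned_case", user, f"{ev['action']} {case}"))
    # Rule 3: access volume above the expected ceiling for the window.
    for user, n in per_user.items():
        if n > MAX_ACCESSES_PER_USER:
            findings.append(("excessive_access", user, f"{n} accesses"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(LOG_LINES):
        print(*finding)
```

On the constructed log this produces four findings: an after-hours view by jdoe, a name search by asmith on a case outside their assignments, every access by the unknown account rghost, and an access count for asmith above the ceiling. In a real deployment the thresholds would come from the agency's own access policy and the assignments from the case-management system, and the output would be reviewed weekly rather than acted on automatically.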
Take payroll & employee compensation use cases, for example. They often pose an FTI risk because sensitive filings get copied for validation, reporting, and audit support.
Delphix has experience helping HR organizations like ADP balance compliance with quality assurance and application development. Delphix Data Control Tower within the DevOps Data Platform can give you governance over refreshes, access, and usage, resulting in data minimization and third-party risk controls.
Consider financial reporting and planning, too. Detailed tax data can be exposed when only aggregates are required. Enforcing purpose-based access to datasets will reduce unnecessary exposure while maintaining reporting accuracy.
Ensure Data Outside of Controlled Environment is Masked
Data taken out of production and into non-production should always be anonymized in one way or another. Irreversible static data masking makes it infeasible for a fraudster to re-identify the information, rendering the data useless if it is stolen. Done properly, masking also preserves referential integrity (the same real value maps to the same masked value wherever it appears), so the masked data still works for non-production use cases.
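The two properties the paragraph above relies on, irreversibility and referential integrity, can be demonstrated with a keyed deterministic mapping. The block below is an added illustration, not Delphix's masking algorithm and not code from this post: it masks taxpayer IDs with an HMAC under a per-run key, keeps the SSN format, and shows that a payroll join still works on the masked copy. The table layouts, column names and sample rows are constructed, and the HMAC-based scheme is one possible approach, chosen here for illustration.

```python
"""Static masking of taxpayer IDs that stays consistent across tables.
Added example with constructed sample rows; the HMAC scheme illustrates
deterministic, irreversible masking and is not any vendor's algorithm."""
import hashlib
import hmac
import os
import re

# Masking key generated for one masking run. It stays in the masking
# environment and is never shipped to non-prod with the data, so the
# mapping cannot be recomputed there (assumption of the example).
MASKING_KEY = os.urandom(32)

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn, key=MASKING_KEY):
    """Map a real SSN to a fictitious but well-formed one.

    Deterministic for a given key (same input -> same output) so joins
    between tables still line up; keyed, so the output cannot be inverted
    or recomputed without the key. The result may coincide with an issued
    SSN, which is the unavoidable trade-off of format-preserving masking.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("not a formatted SSN")
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big")
    # Area 001-899 excluding 666; group 01-99; serial 0001-9999, i.e. the
    # ranges a format validator would accept.
    area = 1 + n % 898
    if area >= 666:
        area += 1
    group = 1 + (n // 898) % 99
    serial = 1 + (n // (898 * 99)) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


# Constructed sample tables: payroll references employees by SSN.
EMPLOYEES = [
    {"emp_id": 1, "name": "Alice Example", "ssn": "123-45-6789"},
    {"emp_id": 2, "name": "Bob Example", "ssn": "987-65-4321"},
]
PAYROLL = [
    {"ssn": "123-45-6789", "period": "2026-03", "withheld": 812.40},
    {"ssn": "987-65-4321", "period": "2026-03", "withheld": 455.10},
    {"ssn": "123-45-6789", "period": "2026-04", "withheld": 812.40},
]


def mask_tables(employees, payroll, key=MASKING_KEY):
    """Mask the SSN column in both tables with the same key."""
    masked_emp = [{**r, "ssn": mask_ssn(r["ssn"], key)} for r in employees]
    masked_pay = [{**r, "ssn": mask_ssn(r["ssn"], key)} for r in payroll]
    return masked_emp, masked_pay


def join_withholding(employees, payroll):
    """Total tax withheld per employee, joining on the SSN column.

    Works identically on real and masked data; a KeyError here would mean
    referential integrity was broken by the masking step.
    """
    by_ssn = {r["ssn"]: r["emp_id"] for r in employees}
    totals = {}
    for row in payroll:
        emp = by_ssn[row["ssn"]]
        totals[emp] = round(totals.get(emp, 0) + row["withheld"], 2)
    return totals


if __name__ == "__main__":
    emp, pay = mask_tables(EMPLOYEES, PAYROLL)
    print(emp)
    print(join_withholding(emp, pay))
```

Two details matter for an audit. The key is what makes the mapping irreversible from the non-production side, so it must be handled like any other secret and must not be copied along with the data; and the same key must be used for every table in one refresh, otherwise the foreign-key relationships between, say, employees and payroll no longer match.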
Delphix data masking within the platform can prevent unauthorized vendor access to FTI, including for benefits administration, ACA reporting platforms, and legal and audit purposes. You can use that masked information for analytics and reporting environments.
AMN Healthcare is a good example of using data masking to achieve compliance and operational efficiency. They combine data masking with data virtualization to protect patient data while giving teams easier access to masked copies.
Lock Down Information During a Reactive FTI Audit
Breaches and exposures happen. During reactive FTI audits, it’s important to lock down data and limit any further risk. Once your data is effectively protected, you can assess what happened and go into recovery mode.
Delphix’s single, secure platform adds further data protection here: you can automate sensitive data discovery, keep clean snapshots from before an attack, protect data immutably, and recover it.
Keep Audit Logs & Documentation
Maintaining audit logs is a huge part of an FTI audit. It’s important that during any audit, you have the documentation to back up your compliance claims.
Delphix’s single, secure platform also provides data compliance capabilities. With Delphix you can conduct risk assessments, generate synthetic data, control data access, enforce policies, and get universal reporting and insights. You can present this information to FTI auditors as evidence of the steps you are taking to protect the data.
What are the Penalties for Failing an FTI Audit?
Failing an FTI audit means you have experienced a notable data breach or compromise, with proven negligence or a failure to report it. An FTI breach that is not reported in a timely manner can damage your organization’s reputation, result in fines, and expose you to lawsuits.
How Perforce Delphix Supports Enterprises During FTI Audits
Perforce Delphix provides superior data protection compared to other solutions and makes data fast, trusted, and AI-ready, so you can efficiently manage sensitive federal tax information (FTI). Delphix intelligently detects sensitive data like taxpayer identities, income details, and payment records, transforming them into realistic yet fictitious values while ensuring data integrity remains intact.
Related blog >> What is Delphix?
Ensure Compliance with Privacy Regulations and Minimize Breach Risks
Delphix allows teams to centrally define and implement masking policies across their enterprise to adhere to privacy laws including GDPR, CCPA, HIPAA, and PCI DSS. By transforming sensitive FTI, Delphix significantly reduces risk in non-production environments, which often store large volumes of critical data vulnerable to cyber threats.
Leverage Data Masking with Virtualization in a Single Platform
The Delphix DevOps Data Platform seamlessly integrates data masking with data virtualization, delivering compliant data efficiently for development, testing, analytics, and AI. Masked, virtual data copies behave like physical ones but occupy minimal storage space and can be deployed within minutes, ensuring ongoing compliance and security. With Delphix, organizations mask and protect 77.2% more data and data environments*.
Take the Next Step in FTI Compliance
See how Delphix enhances compliance and secures FTI with automated, efficient solutions. Request a no-pressure demo today and discover why industry leaders rely on Delphix to mitigate data risks and excel in FTI audits.
*Source: "IDC Business Value White Paper, sponsored by Delphix, by Perforce, The Business Value of Delphix, #US52560824, December 2024"