Treasury Inspector General for Tax Administration

Office of Audit

TELEPHONE AUTHENTICATION PRACTICES NEED IMPROVEMENTS TO BETTER PREVENT UNAUTHORIZED DISCLOSURES

Issued on March 31, 2010

Highlights

Highlights of Report Number:  2010-40-045 to the Internal Revenue Service Commissioner for the Wage and Investment Division.

IMPACT ON TAXPAYERS

In February 2009, the Federal Trade Commission reported that for the ninth year in a row identity theft was the number one consumer complaint nationwide.  Identity theft occurs when someone uses Personally Identifiable Information, such as an individual’s name or Social Security Number to commit fraud and other crimes.  Taxpayers need to be assured that the Internal Revenue Service (IRS) is taking every precaution to protect their private information from inadvertent disclosure. 

WHY TIGTA DID THE AUDIT

The telephone continues to be one of the primary methods taxpayers use to communicate with the IRS.  This audit was to determine whether current procedures to authenticate taxpayers who call the toll-free telephone lines reduce the risk of unauthorized disclosure of taxpayer Personally Identifiable Information.

WHAT TIGTA FOUND

IRS guidelines require assistors to fully authenticate callers before assisting them.  Assistors are not always authenticating taxpayers who call the IRS’ toll-free telephone number for tax account information. 

From a statistical sample of 180 contact recordings, assistors did not properly follow procedures when authenticating 29 callers, increasing the risk of unauthorized disclosures.  This included 9 assistors that did not ask callers the 2 additional authentication probes (high-risk questions) when the situation required, 8 assistors that did not ask callers all 5 required authentication questions, and 12 assistors that did not authenticate callers for various other reasons.

TIGTA auditors were able to hear parts of assistors’ conversations with other callers in 48 of the 180 sampled calls.  This happened because assistors did not put callers on hold when they were researching the taxpayers’ accounts.  For 26 calls, assistors repeated the Social Security Number back to the caller on the telephone. 

The IRS has a new IRS-wide Authentication Strategy and its vision is to promote data protection and enable ease of access to maintain public confidence and improve customer service.  The IRS also has a future strategy called Authentication Retention to reduce the number of times a caller is authenticated.  Authentication Retention will allow caller’s authentication information to be readily available to each assistor who provides help to the caller.  However, in Fiscal Year 2009, the IRS decided not to fund Authentication Retention, but will reconsider it in future budget requests. 

WHAT TIGTA RECOMMENDED

TIGTA recommended the IRS revise guidelines to require assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes.  During assistor training, it should emphasize that assistors are not to prematurely authenticate callers and the importance of controlling calls and placing callers on hold while conducting research.  Guidelines should require assistors to ask callers to repeat Personally Identifiable Information if clarification is needed.  Finally, the IRS should incorporate available technology to authenticate callers in the queue as part of the development of Authentication Retention.

The IRS agreed with two and partially agreed with one of our four recommendations.  The IRS plans to emphasize during training the proper use of hold procedures.  Guidance and training will be developed to instruct assistors to request callers repeat Personally Identifiable Information.  The IRS also plans to submit a technology request to incorporate available technology to authenticate callers prior to their reaching an assistor.

The IRS did not agree to revise guidelines to require assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes.  However, when callers incorrectly answer the address or date of birth probes, training materials will continue to emphasize that inadequate caller identity authentication could result in an unauthorized disclosure.

TIGTA maintains that requiring assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes is warranted to reduce risk of unauthorized disclosures. 

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:  

http://www.treas.gov/tigta/auditreports/2010reports/201040045fr.html. 

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov