TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Review of the Use of the Electronic Filing Identification Number

 

 

 

March 30, 2011

 

Reference Number:  2011-40-031

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Redaction Legend:

2(e) = Law Enforcement Procedure

2(f) = Risk Circumvention of Agency Regulation or Statute

 

Phone Number   |  202-622-6500

Email Address   |  TIGTACommunications@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

 

HIGHLIGHTS

Final Report issued on March 30, 2011

Highlights of Reference Number:  2011-40-031 to the Internal Revenue Service Commissioner for the Wage and Investment Division.

IMPACT ON TAXPAYERS

More than 60 million individual tax returns were electronically filed in Fiscal Year 2010 by Electronic Return Originators.  The electronic filing (e-file) Program enables tax returns to be sent to the Internal Revenue Service (IRS) in an electronic format via an authorized IRS e‑file Provider.  An e‑file Provider is generally the first point of contact for most taxpayers filing a tax return through the IRS's e‑file Program.  Insufficient system validations put at risk the integrity of the e‑file Program.

WHY TIGTA DID THE AUDIT

This audit originated from a *******************2(f)****************************.  The overall objective of this review was to determine whether controls over the e-file Program are sufficient to prevent unauthorized use of the EFIN.

WHAT TIGTA FOUND

****2(f)*******************************************************************************************************************************************************************************. 

From March 11, 2005, to October 21, 2010, there were 1,192 EFINs reported to the IRS as compromised.  *****2(f)*****.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS periodically match *****2(f)*****  In addition, the IRS should implement a process to ensure *****2(f)*****.  Furthermore, the IRS should ensure that all credentials (Provider Option Status, EFIN, and ETIN) are *****2(f)************ and implement a process to ensure Transmitters are following IRS guidelines and regulations.

In their response to the report, IRS management agreed with four of six recommendations.  IRS management disagreed with *****2(f)*****.  IRS management also did not agree to *****2(f)***** because this requirement will not be needed after the implementation of the return preparer registration.  However, TIGTA disagrees that this requirement will no longer be necessary.  The IRS should continue to evaluate the need for this requirement as part of the implementation of the Return Preparer Strategy.

 

March 30, 2011

 

 

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION

 

FROM:                   (for)  Michael R. Phillips /s/ Michael E. McKenney

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Review of the Use of the Electronic Filing Identification Number  (Audit # 201040052)

 

This report presents the results of our review to determine if controls over electronic filing are sufficient to prevent unauthorized use of the Electronic Filing Identification Number.  This audit originated from a referral from the Treasury Inspector General for Tax Administration Office of Investigations that identified a potential weakness in the verifications performed on electronic tax returns submitted to the Internal Revenue Service where a person could electronically file a Federal income tax return using another individual’s Electronic Filing Identification Number.  This audit was included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Security.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services), at (202) 622-5916.

 

 

Table of Contents

 

Background

Results of Review

*****2(f)*****

Recommendation 1:

Recommendations 2 through 4:

Recommendation 5:

Recommendation 6:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Abbreviations

 

e-file    Electronic Filing
EFIN      Electronic Filing Identification Number
ERO       Electronic Return Originator
ETIN      Electronic Transmitter Identification Number
IRS       Internal Revenue Service
TIGTA     Treasury Inspector General for Tax Administration

 

 

Background

 

The Internal Revenue Service’s (IRS) electronic filing (e-file) Program offers taxpayers an alternative to filing a traditional paper tax return.  The e‑file Program enables tax returns to be sent to the IRS in an electronic format via an authorized IRS e‑file Provider.  An e‑file Provider is generally the first point of contact for most taxpayers filing a tax return through the IRS’s e‑file Program.  Figure 1 lists the types of authorized e-file Providers.

Figure 1:  Types of Authorized IRS E-File Providers

Electronic Return Originator (ERO):  EROs originate the electronic submission of income tax returns to the IRS.

Intermediate Service Providers:  Intermediate Service Providers assist with processing tax return information between an ERO (or the taxpayer in the case of Online Filing) and a Transmitter.

Online Providers:  Online Providers allow taxpayers to self-prepare tax returns by entering return data directly on commercially available software, software downloaded from an Internet site and prepared offline, or through an online Internet site.

Reporting Agents:  Reporting Agents originate the electronic submission of certain tax returns for clients and/or transmit the returns to the IRS.  A Reporting Agent must be an accounting service, franchiser, bank, or other entity that complies with Revenue Procedure 2007-38.[1]

Software Developers:  Software Developers write either origination or transmission software according to the IRS e-file specifications.

Transmitters:  Transmitters send the electronic return data directly to the IRS.  EROs and Reporting Agents may apply to be Transmitters and transmit return data themselves, or they may contract with an accepted third-party Transmitter that can transmit the data for them.  A Transmitter must have software and computers that allow it to interface with the IRS.

Source:  IRS manual.

As of the end of August 2010, there were 284,898 authorized EROs who e‑filed about 62 million (64 percent) of the approximately 97 million e-filed tax returns accepted in Calendar Year 2010.[2]  For this same time period,[3] there were 7,197 applicants who indicated on the e-file application that they wanted to be Transmitters; however, only 764[4] actually transmitted tax returns during the 2010 Filing Season.  These Transmitters transmitted almost 72 million U.S. Individual Income Tax Returns (Form 1040) to the IRS.  The primary means by which the IRS regulates e‑file Providers are the application screening process and the monitoring program. 

The application screening process is used to ensure individuals applying for entry into the e‑file Program meet required screening and verification checks before they are authorized to participate in the e-file Program.  To apply to the e-file Program, the applicant has to register for e‑Services,[5] complete the online Application to Participate in the IRS e‑file Program (Form 8633), and submit it and a fingerprint card to the IRS.  The IRS allows an individual with a professional certification to send a copy of the certification in lieu of a fingerprint card.  Certifications include Attorney, Certified Public Accountant, Enrolled Agent, and Banking Official. 

The requirements and suitability checks outlined in the IRS e-file Application and Participation (Publication 3112) include: 

  • Applicant must be a United States citizen or legal resident alien.
  • Applicant must be 21 years of age as of the date of the application.

Suitability checks may include:

  • Criminal background check.
  • Credit history check.
  • Tax compliance check to ensure all required tax returns are filed and paid and to identify fraud and preparer penalties.

All authorized e-file Providers must meet requirements, and except those that function solely as Software Developers, must pass suitability checks prior to acceptance in the e-file Program. 

All applicants who are accepted into the e-file Program are assigned an Electronic Filing Identification Number (EFIN).  Each Transmitter, Software Developer, and Online Provider is also assigned an Electronic Transmitter Identification Number (ETIN).  EFINs and ETINs are unique identification numbers assigned utilizing the IRS e-file Application.  When the ETIN is generated by the Third Party Data Store[6] and an acceptance letter is generated, the Electronic Management System Login-ID is automatically generated and provided in a separate letter sent to the e-file Provider.

All applicants who complete an e-file application are assigned an EFIN.  Those who also transmit tax returns are assigned an ETIN.

Once approved, e-file Providers must maintain strict adherence to e-file Program requirements to ensure continued participation.  An e-file Provider may continue to participate in the IRS e-file Program if the business and its Principal(s) and Responsible Official(s) meet and adhere to IRS e‑file Program requirements.  These requirements are included in Revenue Procedure 2007-40, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns (Publication 1345), and Electronic Return File Specifications and Record Layouts for Individual Income Tax Returns (Publication 1346).  Requirements include the need to ensure tax returns are accurately filed, appropriate documentation is maintained, documentation is signed by the taxpayers, and security systems are in place to prevent unauthorized access to taxpayer accounts and personal information by third parties.

This review was performed at the IRS National Headquarters in Washington, D.C., during the period September through November 2010.  We conducted this performance audit in accordance with generally accepted government auditing standards.  However, the completion of this audit was delayed due to difficulty obtaining the necessary information from the Modernization and Information Technology Services (MITS) division.  Managers and liaisons did not provide direct access to employees or provide the sources of information when requested.  In addition, they sometimes provided incorrect information.  Furthermore, management withheld a report by a contractor on the same subject matter until the audit work was completed.  We have discussed these issues with MITS senior management and they have agreed to provide guidance to managers and liaisons to ensure a sufficient level of cooperation and direct access.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

*****2(f)*****

*****2(f)*****.

*****2(f)******.

The IRS requires authorized e-file Providers to protect their EFIN and ETIN from unauthorized use.  Further, e‑file Providers are prohibited from transferring their EFINs or ETINs to another individual or entity during the sale of their business, as a gift, or other disposition.  Transmitters are also required to ensure they are transmitting only for authorized IRS e-file Providers.

Nevertheless, *****2(f)***** Internal controls should provide reasonable assurance of compliance with all applicable laws and regulations.

The IRS does have procedures in place for an e-file Provider to call the IRS’s E-Help Desk[7] to report that his or her EFIN has been compromised.  The assistor is instructed to deactivate the compromised EFIN and issue the caller a new EFIN.  As of October 21, 2010, there were 1,192 EFINs reported[8] to the IRS as compromised.[9]  *****2(f)*****

*****2(f)***** 

When electronic tax returns are submitted to the IRS, it captures the name of the ERO and the EFIN.  However, it may not be possible to effectively match this information against its records because EROs may not use the exact name to submit tax returns that they used when they applied.  For example, IRS records may show Jonathon A. Doe as the name of the ERO assigned EFIN 123456, but the tax return was transmitted using the name John Doe.

Additionally, individuals may have multiple EFINs or be associated with more than one EFIN.  For example, a preparer may have two EFINs—one for each office or site where he or she prepares tax returns—or an individual could be listed as the responsible official on more than one e-file Provider application.

IRS records show that since Fiscal Year 2006[10] there have been at least 14 closed criminal investigation cases involving EFINs.  The IRS Criminal Investigation Division’s management information system does not include how many false tax returns were involved with these cases or the amount of the refunds.  Four of the 14 criminal investigations were prosecuted, and the individuals involved were ordered to serve prison time and/or pay restitution.  All four investigations involved *****2(f)***** to file false or questionable tax returns.

One investigation involved an individual *****2(f)*****.

*****2(f)*****

The IRS verifies that all new applicants are not deceased,*****2(f)*****.  When a final tax return is filed for a deceased e-file Provider, the IRS does systemically identify the transaction; however, IRS employees then must manually review the e-file application and the final tax return information *****2(f)*****  A match of current Social Security Numbers to Social Security Administration records showed that there are *****2(f)*****.  These individuals are associated with 1,944 EFINs.

The IRS could use the Social Security Administration database to periodically check e‑file Providers to ensure *****2(f)*****.  This would *****2(f)*****. 

*****2(f)***** 

Publication 3112 requires that Transmitters ensure they are transmitting only for authorized IRS e-file Providers.  Transmitters should request that other e-file Providers submit information to ascertain that they are authorized IRS e-file Providers.  Transmitters can also confirm EROs using the ERO Locator Service on the IRS Internet site, IRS.gov.  The IRS E-Help Desk can also be called to verify an authorized e-file Provider.  However, *****2(f)*****

IRS monitoring visits to Transmitters are limited

The IRS conducts monitoring visits as part of its quality review of e-file Providers to ensure they are following all regulations and procedures.  However, *****2(f)*****.  The IRS will also look into referrals that involve Transmitters who have violated security and/or advertising requirements for e-file Providers.  In these instances, the IRS usually addresses the problem(s) with a telephone call to the Transmitter. 

The following is a prioritized list of the four types of monitoring visits: 

  • Referrals:  Referral visits are used to look into allegations, complaints, and warnings against authorized IRS e-file Providers from internal or external sources. 
  • Follow ups:  Follow-up visits result from a prior year’s issuance of a warning or reprimand letter.  Guidelines require that all e-file Providers who are issued written reprimands be subject to follow-up monitoring visits in the subsequent tax return filing season to ensure corrective actions have been taken.
  • Targeted:  Targeted monitoring visits are made based on selection criteria which indicate that e-file compliance issues may be present. 
  • Random:  Random visits are used to determine general compliance within IRS e-file and are based upon non-discriminatory sampling of active providers.

The IRS performs monitoring visits on EROs.  *****2(f)*****

Monitoring visits could be used to ensure Transmitters are following other IRS e-file requirements

IRS requirements state that Transmitters, when participating in online filing,[11] must ensure that they *****2(f)*****.  The IRS implemented this requirement in Fiscal Year 1998 because it did not want tax return preparers to *****2(f)*****.  The IRS still wanted to allow individuals to prepare their own and their families’ tax returns and believed that *****2(f)*****.

The IRS *****2(f)*****.

The IRS *****2(f)*****.  When asked if Transmitters or Software Developers have controls, the IRS reached out to the Transmitter/Software Developer community by email.  The IRS asked the companies if they had controls to ensure they do not transmit or accept for transmission *****2(f)*****.  Fourteen out of the 20 companies contacted responded but 6 did not.  Of the 14 that responded:

  • 12 stated that they do have mechanisms in place to check this information.
  • 1 stated that it believed it had a mechanism in place, but when the IRS questioned company officials, they found there was an error in their program.  They subsequently fixed the problem.
  • 1 stated that it did not have a mechanism in place, but would now implement one.

Although some Transmitters/Software Developers have a check in place to ensure *****2(f)*****.

Including Transmitters in e-file Provider monitoring visits would help ensure they are adhering to IRS policies and regulations.  Because the IRS has ********2(f)*****

E-File Provider EFINs and any related ETINs *****2(f)*****

The e-file Provider Option Status is the main indicator the IRS uses to determine the status of an e-file Provider.  The IRS *****2(f)*****.  The Provider Option Status of an e-file Provider is placed into a status other than Accepted for reasons such as the IRS determining during a monitoring visit that the e-file Provider was noncompliant or the e-file Provider has become inactive.

The IRS does have a process during the annual EFIN clean-up to check for any ETINs that are inactive, so EFINs can be deactivated.  However, *******2(f)*****.

A November 19, 2010, revision to internal guidelines for compromised EFINs requires that the ETIN be deactivated at the time an EFIN is deactivated.  *****2(f)*****.  Neither the IRS nor TIGTA *****2(f)*****.
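An added illustration (not code from TIGTA or the IRS) of the kind of periodic reconciliation these paragraphs and the earlier date-of-death discussion describe: it flags EFINs still active under a Provider Option Status other than Accepted, ETINs left active after their EFIN was deactivated, and usable credentials tied to an individual with a recorded date of death.  The record layout, identifiers, and every status name other than "Accepted" are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

ACCEPTED = "Accepted"  # status name used in the report; other status values are made up


@dataclass
class ProviderRecord:
    efin: str
    option_status: str            # Provider Option Status
    efin_active: bool
    individuals: list             # hypothetical IDs of Principals / Responsible Officials
    etins: dict = field(default_factory=dict)  # ETIN -> True while still active


def reconcile(records, deaths, as_of):
    """Return sorted (efin, finding, detail) tuples for credentials that
    should no longer be usable.

    deaths maps an individual ID to a date of death; it stands in for a
    periodic match against Social Security Administration records.
    """
    findings = []
    for rec in records:
        live_etins = sorted(e for e, active in rec.etins.items() if active)
        usable = rec.efin_active or bool(live_etins)

        # 1. Status says the provider is no longer accepted, yet the EFIN works.
        if rec.option_status != ACCEPTED and rec.efin_active:
            findings.append(
                (rec.efin, "STATUS_NOT_ACCEPTED_EFIN_ACTIVE", rec.option_status))

        # 2. EFIN was deactivated but a related ETIN was left active.
        if not rec.efin_active:
            for etin in live_etins:
                findings.append(
                    (rec.efin, "ETIN_ACTIVE_AFTER_EFIN_DEACTIVATED", etin))

        # 3. A deceased individual is still tied to a usable credential.
        #    One individual can appear on several applications, so one death
        #    record may produce findings for more than one EFIN.
        if usable:
            for person in rec.individuals:
                dod = deaths.get(person)
                if dod is not None and dod <= as_of:
                    findings.append((rec.efin, "INDIVIDUAL_DECEASED", person))
    return sorted(findings)


# Constructed sample data (placeholder identifiers, not real EFINs or ETINs).
SAMPLE_RECORDS = [
    # Consistent record: nothing to report.
    ProviderRecord("EFIN-A", "Accepted", True, ["P1"], {"ETIN-A1": True}),
    # Status changed, EFIN never deactivated.
    ProviderRecord("EFIN-B", "Inactive", True, ["P2"]),
    # EFIN deactivated, one of two ETINs still active.
    ProviderRecord("EFIN-C", "Accepted", False, ["P3"],
                   {"ETIN-C1": True, "ETIN-C2": False}),
    # P4 is listed on two active applications and one fully deactivated one.
    ProviderRecord("EFIN-D", "Accepted", True, ["P4", "P5"]),
    ProviderRecord("EFIN-E", "Accepted", True, ["P4"]),
    ProviderRecord("EFIN-F", "Dropped", False, ["P4"]),
]
SAMPLE_DEATHS = {"P4": date(2010, 6, 1), "P5": date(2011, 1, 15)}
SAMPLE_AS_OF = date(2010, 12, 31)


if __name__ == "__main__":
    for efin, finding, detail in reconcile(SAMPLE_RECORDS, SAMPLE_DEATHS, SAMPLE_AS_OF):
        print(f"{efin:8} {finding:36} {detail}")
```

Running the check on a schedule, rather than only at application time, is what surfaces records that drift out of sync after a status change.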

The IRS is aware *****2(f)*****

IRS officials stated they are aware *****2(f)*****.  However, they added that they do not know the extent of the problem, nor have they conducted any analyses to determine the extent of the problem.  The IRS must determine the extent of the problem so it can prioritize and determine where to focus its limited resources.

The IRS contracted with a private company to analyze the existing e-file Enrollment and Participation Trust Model[12] and develop recommendations to update the Model to support IRS risk management activities.  A report was issued on May 28, 2010, reporting the following:[13]

  • *****2(f)*****.  Significantly, t*****2(f)*****.
  • Although the IRS uses the EFIN as part of an electronic signature, as well as to otherwise link e-file Providers to electronically filed tax returns, *****2(f)*****.

Although developing an alternative to the EFIN was beyond the scope of the contract, the contractor recommended that the IRS undertake an analysis of EFIN abuse to determine if an alternative to the EFIN is desirable based on the risks and develop an alternative.

As of December 2010, the IRS had not taken steps to address the recommendations made by the contractor regarding EFINs because resources were focused on other policy concerns.  In addition, the IRS has not analyzed the information obtained from E-Help Desk calls.  The E‑Help Desk procedures instruct assistors to provide IRS Monitoring Coordinator contact information to callers who claim their EFINs were misused.  The IRS also has procedures that allow E-Help Desk assistors to make referrals directly to the IRS Monitoring Coordinators if they believe an IRS e-file Provider is violating IRS e-file rules.  In most instances, the IRS leaves it up to the person calling the E-Help Desk about a possible misuse of an EFIN to make the referral to have a monitoring visit performed by the IRS.  The IRS function that conducts the monitoring visits stated that if this type of referral was received, a mandatory visit would be conducted to the person who misused the EFIN, whether or not they were an e-file Provider.

Employees responsible for the E-Help Desk have noted an increase in the number of compromised EFINs.  In April 2010, the IRS held a meeting to discuss how EFINs can be compromised and used by more than one individual and to recommend solutions.  Possible solutions included:

  • *****2(f)*****. 
  • *****2(f)*****.
  • Strengthening the language in Publication 3112 and/or strongly communicating to Transmitters that it is their responsibility to protect their EFINs and to ensure that the correct EFIN is used to transmit returns.

The IRS decided to send a reminder message to Transmitters that it is their responsibility to ensure that the ERO is using a valid EFIN.  On November 1, 2010, the IRS issued a QuickAlert[14] to tax professionals stating:

To safeguard IRS e‑file from fraud and abuse, Transmitters must ensure they are transmitting only for Authorized IRS e-file Providers.  Transmitters should request other Providers provide information to ascertain that they are Authorized IRS e-file Providers. 

More than 60 million individual tax returns were e-filed in Calendar Year 2010 by EROs.  This will increase significantly in the next 2 years because the President approved a Federal e-file mandate[15] that requires the e-file of any individual income tax returns prepared and filed by a specified tax return preparer.  Per the proposed regulations, the requirement will be phased in over 2 years.  As a result of the new rules, preparers will be required to start using IRS e-file beginning:

  • January 1, 2011, for those preparers who anticipate preparing 100 or more Federal individual or trust tax returns during the year.
  • January 1, 2012, for those preparers who anticipate preparing 11 or more Federal individual or trust tax returns during the year.

This mandate will significantly increase the number of e-file Providers.  Without additional validations to ensure tax returns are being filed by only authorized e-file Providers, the e-file system is vulnerable to unscrupulous individuals using another’s EFIN to prepare and e-file false tax returns. 

Recommendations

The Commissioner, Wage and Investment Division, should:

Recommendation 1:  Periodically match Social Security Administration records to e‑file Providers’ records to determine if *****2(f)*****.

Management's Response:  IRS management agreed with this recommendation and will perform queries periodically to *****2(f)*****.  The results of these queries will be used to *****2(f)*****.

Currently, the IRS checks with Social Security Administration records for the date of death when applicants apply to be an e-file Provider.  It periodically checks for IRS records to identify the filing of a final individual income tax return on behalf of a decedent.  It then deactivates the EFIN and any ETIN.

Recommendation 2:  *****2(f)*****.

Management's Response:  IRS management agreed with this recommendation.  The IRS currently requires firms to submit applications to participate in the IRS e-file Program, which includes providing information such as Employee Identification Numbers and Social Security Numbers that are then validated on IRS databases.  The IRS performs monitoring visits to ensure Providers are abiding by the rules and regulations and using the correct EFINs.  The IRS also performs EFIN and ETIN clean-up processes annually to deactivate EFINs and ETINs of Providers who have not e-filed returns in the last 2 years.

The IRS will assess the collective effect that implementation of corrective actions for Recommendations 1 and 3 have on its current process.  The IRS will also perform additional analysis of the Third Party Data Store to assess any remaining risks and identify mitigation strategies.

Recommendation 3:  Ensure calls to the E-Help Desk that are closed with the “Compromised EFIN” Solution are referred by the IRS for further analysis and/or investigation.

Management's Response:  IRS management agreed with this recommendation and will review all procedures and processes related to compromised EFINs to determine the appropriate actions necessary, including updating appropriate Internal Revenue Manual[16] procedures and any related referral processes.

Recommendation 4:  *****2(f)*****.

Management's Response:  IRS management disagreed with this recommendation.  *****2(f)*****.  In addition, there are Internal Revenue Manual procedures and systemic programming in place to address conditions requiring change.

Currently, when the Provider Option Status of a Transmitter is changed to noncompliant, the ETIN is deactivated on the Third Party Data Store and deleted from the Electronic Management System.  *****2(e)*****.    *****2(f)*****.  This contributes to the decision to allow a manual process to update credentials, and the current Internal Revenue Manual reflects the necessary procedures to update the status appropriately.

Office of Audit Comment:  Ensuring that *****2(f)**** are deactivated is essential to make certain that only valid e-file *****2(f)*****. The TIGTA recommended that ***2(f)*** be properly updated when a change is made to *****2(f)*****.  The example provided states that if *****2(f)*****. 

The IRS stated that Internal Revenue Manual procedures and systemic programming are in place to address conditions requiring change.  The IRS has systemic clean‑ups of EFINs and ETINs.  However, *****2(f)*****.  The EFIN clean-up deactivates (1) EFINs of active EROs who are not active Transmitters and have not used the EFIN to e-file tax returns in 2 years and (2) all the related ETINs that are in an inactive or dropped status.  *****2(f)*****.

*****2(f)***** process could be in place to ensure all the related *****2(f)*****.  *****2(f)*****.

Recommendation 5:  Update the requirements for Transmitters to limit the number of tax returns filed per person by a*****2(f)*****.

Management’s Response:  IRS management disagreed with this recommendation.  The requirement will not be needed after the implementation of return preparer registration.  The IRS implemented a requirement for Transmitters participating in online filing that does not allow transmission or acceptance of transmission for *****2(f)*****.   The IRS suitability reviews on all returns preparers, including the tax compliance and background checks, are scheduled to be completed by December 2013.  At that time, this requirement will no longer be needed to ensure *****2(f)*****.  In the interim, it is not practical to use resources to change a requirement that will be eliminated.

Office of Audit Comment:  We disagree that this requirement will not be necessary after the implementation of return preparer registration.  *****2(f)***** will not be addressed through the IRS conducting tax compliance and background checks on tax return preparers.  Additionally, *****2(f)*****.  The IRS should continue to evaluate the need for this requirement as part of the implementation of the Return Preparer Strategy.

Recommendation 6:  Implement a process to ensure Transmitters are following IRS e-file guidelines and regulations.

Management’s Response:  IRS management agreed with this recommendation.  The Electronic Tax Administration and Refundable Credits organization will review all rules and requirements attributable to Transmitters and develop procedures to provide additional outreach to the transmitting community with information related to IRS e-file rules and procedures.  The IRS will use its existing avenues of communication, such as industry calls and forums, to stress the importance of these regulations.  An analysis will be done to study the feasibility of performing monitoring visits in the future.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of our audit was to determine whether controls over the e-file Program are sufficient to prevent unauthorized use of the EFIN.  To accomplish our objective, we:

I.  Evaluated the preventive controls the IRS has in place to ensure that EFINs are used only by the e-file Provider assigned the EFIN.

    A.  Determined what process the IRS has in place to identify when an e-file Provider becomes deceased so the EFIN can be deactivated.

    B.  Determined what information the IRS verifies when a Transmitter transmits tax returns to the IRS.

    C.  Determined whether the IRS deactivates the Electronic Management System User ID and ETIN for individuals whose EFINs have been suspended.

    D.  Compared all active e-file Providers from the Third Party Data Store[17] to the National Account Profile to determine if there was a date of death.  We assessed the accuracy of the Third Party Data Store file by matching seven records from the file to the actual data on the Third Party Data Store.

II.  Evaluated the controls the IRS has in place to ensure Transmitters verify that e-file Providers using their services are using their assigned EFINs.

    A.  Determined what the IRS requires Transmitters to verify for EROs before they transmit their tax returns.

    B.  Determined how the IRS oversees Transmitters and any verifications they are required to perform.

III.  Evaluated the controls the IRS has in place to detect when e‑file Providers are using another’s EFIN to file tax returns, and evaluated the subsequent enforcement actions the IRS takes when it identifies e‑file Providers that are using another’s EFIN.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  the IRS’s policies, procedures, and practices for processing e-filed tax returns and safeguarding EFINs.  We evaluated these controls by interviewing management, reviewing publications and the Internal Revenue Manual, and reviewing computer programs.

 

Appendix II

 

Major Contributors to This Report

 

Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services)

Augusta R. Cook, Director

Wilma Figueroa, Audit Manager

Pamela DeSimone, Lead Auditor

Lynn Faulkner, Auditor

Patricia Jackson, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Services and Enforcement  SE

Deputy Commissioner of Operations, Wage and Investment Division  SE:W

Director, Office of Professional Responsibility  SE:OPR

Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division  SE:W:ETARC

Director, Strategy and Finance, Wage and Investment Division  SE:W:S

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Chief, Program Evaluation and Improvement, Wage and Investment Division  SE:W:S:PRA:PEI

 

Appendix IV

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

ATLANTA, GA 30308

COMMISSIONER

WAGE AND INVESTMENT DIVISION

 

March 15, 2011

 

 

MEMORANDUM FOR MICHAEL R. PHILLIPS

    DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                            Richard Byrd, Jr. /s/ Richard Byrd, Jr.

    Commissioner, Wage and Investment Division

 

SUBJECT:                     Draft Audit Report – *****2(f)*****(Audit # 201040052)

Thank you for the opportunity to comment on the draft report to assess the adequacy of controls over the IRS Electronic Filing Program (e-file) to prevent unauthorized use of Electronic Filing Identification Numbers (EFINs). The integrity of the e-file Program depends in large part on the ability to ensure the security of the system for the Authorized Providers and their clients. It is important to note that nothing in your report indicates that there are any security issues related to taxpayer information. It is vital to taxpayers and the IRS that the Providers carefully follow the IRS e-file requirements. The IRS has made many improvements to the IRS e-file system since its inception and is committed to rigorous monitoring for further improvements.

Your report methodically details the research conducted during this audit and makes six recommendations. We agree with four of the six recommendations and have identified actions to further safeguard EFINs and prevent unauthorized use.

To prevent against unauthorized use of EFINs, we will review our processes *****2(f)*****.  We will also analyze the need to more closely monitor Transmitters to ensure they are transmitting for authorized electronic return originators using the EFINs assigned to them.

We do not agree with the recommendation *****2(f)*****.

We do not agree with the recommendation to update the requirements for Transmitters to limit the number of tax returns filed per person by *****2(f)*****. This requirement will be phased out with the implementation of the Return Preparer Initiative. As part of this Initiative, we will perform suitability checks on all preparers to ensure preparers are not circumventing the e-file suitability process before they are submitted to the program.

We are committed to continually improving the IRS e-file Program to ensure all EFINs are being used correctly, by persons authorized to use them. Attached are our specific comments to your recommendations.

If you have any questions, please contact me, or a member of your staff may contact Cecille Jones, Acting Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division, at (202) 622-7990.

Attachment

Attachment

 

The Commissioner, Wage and Investment Division, should:

RECOMMENDATION 1

Periodically match Social Security Administration records to e-file Providers’ records to determine *****2(f)*****.

CORRECTIVE ACTION

We agree with this recommendation and will perform queries periodically *****2(f)*****. The results of these queries will be used to r*****2(f)*****.

Currently, we check Social Security Administration records for DOD when applicants apply to be an e-file Provider and then periodically check for IRS records to identify the filing of a final individual income tax return on behalf of a decedent. We then inactivate Electronic Filing Identification Number (EFIN) and any Electronic Transmitter Identification Number (ETIN).

IMPLEMENTATION DATE

February 15, 2012

RESPONSIBLE OFFICIALS

Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 2

*****2(f)*****.

CORRECTIVE ACTION

We agree with this recommendation. The IRS currently requires firms to submit applications to participate in IRS e-file, which includes providing information such as Employer Identification Numbers and Social Security Numbers which are then validated on our IRS databases. We perform monitoring visits to ensure Providers are abiding by the rules and regulations, and using the correct EFINs. We also perform EFIN and ETIN clean-up processes annually to inactivate EFINs and ETINs of Providers who have not e-filed returns in the last two years.  

We will assess the collective effect that implementation of corrective actions for Recommendations 1 and 3 have on our current process. We will also perform additional analysis of the Third Party Data Store to assess any remaining risks and identify migration strategies.

IMPLEMENTATION DATE

February 15, 2012

RESPONSIBLE OFFICIALS

Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 3

*****2(f)*****.

CORRECTIVE ACTION

We agree with this recommendation and will review all procedures and processes related to compromised EFINs to determine the appropriate actions necessary, including updating appropriate Internal Revenue Manual (IRM) procedures and any related referral processes.

IMPLEMENTATION DATE

February 15, 2012

RESPONSIBLE OFFICIALS

Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 4

*****2(f)*****.

CORRECTIVE ACTION

We do not agree with this recommendation. *****2(f)*****. In addition, there are IRM procedures and systemic programming in place to address conditions requiring change.

Currently, when the Provider Option Status of a Transmitter is changed to non-compliant, the ETIN is inactivated on the Third Party Data Store and deleted from the Electronic Management System. *****2(f)*****.  This contributes to the decision to allow a manual process to update credentials and the current IRM reflects the necessary procedures to update the status appropriately.

IMPLEMENTATION DATE

N/A

RESPONSIBLE OFFICIALS

N/A

CORRECTIVE ACTION MONITORING PLAN

N/A

RECOMMENDATION 5

Update the requirements for Transmitters to limit the number of tax returns filed per person by a *****2(f)*****.

CORRECTIVE ACTION

We do not agree with this recommendation. The requirement will not be needed after implementation of return preparer registration. The IRS implemented a requirement for Transmitters participating in online filing, which disallows transmission or acceptance of transmission for *****2(f)*****.  The IRS suitability reviews on all return preparers, including the tax compliance and background checks, are scheduled to be completed by December 2013. At that time, this requirement will no longer be needed to ensure *****2(f)*****. In the interim, it is not practical to use resources to change a requirement that will be eliminated.

IMPLEMENTATION DATE

N/A

RESPONSIBLE OFFICIALS

N/A

CORRECTIVE ACTION MONITORING PLAN

N/A

RECOMMENDATION 6

Implement a process to ensure Transmitters are following IRS e-file guidelines and regulations.

CORRECTIVE ACTION

We agree with this recommendation. The Electronic Tax Administration and Refundable Credits organization will review all rules and requirements attributable to Transmitters and develop procedures to provide additional outreach to the transmitting community with information related to IRS e-file rules and procedures. We will use our existing avenues of communication such as industry calls and forums to stress the importance of these regulations. An analysis will be done to study the feasibility of performing monitoring visits in the future.

IMPLEMENTATION DATE

February 15, 2012

RESPONSIBLE OFFICIALS

Director, Electronic Tax Administration and Refundable Credits, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

The IRS will monitor this corrective action as part of our internal management control system.



[1] Internal Revenue Bulletin:  2007-25 June 18, 2007.

[2] Data are as of September 19, 2010.

[3] Data are as of August 2010.

[4] The IRS stated that many applicants indicate on the application that they want to be Transmitters, but they never complete the necessary steps to become a Transmitter.

[5] E-Services are a suite of web-based products that allow tax professionals and payers to conduct business with the IRS electronically.  These services are available 24 hours a day, 7 days a week via the Internet. 

[6] A secure, web-based database and application that is used to store and update all IRS e-file application information and generate EFINs, ETINs, letters, and reports.  The database is also used to store information for other e‑Services products as well.

[7] The E-Help Desk assists e-file Providers with e-filing and e‑Services.

[8] Neither the IRS nor the Treasury Inspector General for Tax Administration (TIGTA) has analyzed these 1,192 cases to determine if the compromised EFIN solution (i.e., issue) was properly selected by the E-Help Desk to close the case.

[9] This is for the period from March 11, 2005, when the Compromised EFIN Solution was created for the E-Help Desk, to October 21, 2010.

[10] Data are through November 2010.

[11] This refers to filing directly through the Internet.

[12] A trust model is a control mechanism for organizations that seek to delegate operations to external parties and that need to control the access, use, and disclosure of sensitive information.  A trust model is based on an agreement that specifies the terms and conditions necessary to establish, maintain, and possibly terminate a trust relationship between parties. 

[13] E-file Enrollment and Participation Trust Model Final Report (Version 1.0 Final, dated May 28, 2010).

[14] QuickAlerts is a free online service that disseminates mass e-file messages, within seconds, to all “subscribers.”  These messages will keep tax professionals up to date on events that affect e-file Transmitters, Software Developers, and authorized IRS e-file Providers. 

[15] Worker, Homeownership, and Business Assistance Act of 2009, Public Law No: 111-92.

[16] The Internal Revenue Manual is the IRS’s internal procedures manual.

[17] A secure, web-based database and application that is used to store and update all IRS e-file application information and generate EFINs, ETINs, letters, and reports.  The database is also used to store information for other e‑Services products as well.