Treasury Inspector General for Tax Administration
Office of Audit
Insufficient E-Services Controls May Put Taxpayer Information at Risk
Issued on June 29, 2012
Highlights of Report Number: 2012-40-071 to the Internal Revenue Service Commissioner for the Wage and Investment Division.
IMPACT ON TAXPAYERS
By law, the IRS can generally disclose tax information only to a taxpayer or that taxpayer’s designee or attorney-in-fact. Taxpayers can authorize individuals to represent them and can authorize a designee or attorney-in-fact to receive confidential tax information. Taxpayers’ sensitive tax return information is at risk of unauthorized disclosure when controls are insufficient to ensure that tax professionals properly file a power of attorney with the IRS before it discloses taxpayer information to them.
WHY TIGTA DID THE AUDIT
This audit was initiated because of a referral from the TIGTA Office of Investigations that identified a potential e-Services control weakness over electronically submitted powers of attorney. E-Services is a suite of web-based products for tax professionals that provides multiple electronic IRS products and services. The overall objective of this review was to determine if controls over e‑Services are sufficient to prevent unauthorized access to taxpayer information.
WHAT TIGTA FOUND
Taxpayer information may be at risk of unauthorized disclosure and misuse when tax professionals electronically submit powers of attorney. Controls are insufficient to ensure: 1) tax professionals obtain a signed Form 2848, Power of Attorney and Declaration of Representation, before submitting it via e-Services Disclosure Authorization; 2) tax professionals use Form 2848 only for its intended purpose; and 3) only tax professionals who can file a power of attorney electronically have access to Disclosure Authorization.
Although the IRS requires tax professionals to obtain a taxpayer signature before filing the power of attorney, controls do not ensure tax professionals comply with the requirement. Tax professionals are also using a power of attorney for other than its intended purpose, such as obtaining a power of attorney solely for the purpose of ordering and providing tax return transcripts for individuals who request them online. In addition, tax professionals who have access to e-Services but are not permitted by the IRS to electronically file a power of attorney can circumvent this control.
Lastly, IRS employees have access to e‑Services online tools but are prohibited from participating in tax preparation activities. The IRS should not allow IRS employees to have access to Disclosure Authorization and the Transcript Delivery System without managerial authorization and a business need.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS conduct periodic data analysis to identify tax professionals using Disclosure Authorization for purposes other than its intended purpose. The IRS should verify tax professionals are obtaining and retaining a signed power of attorney before submitting one through Disclosure Authorization. The IRS should also periodically review policies for granting Disclosure Authorization access to tax professionals. Lastly, it should ensure unauthorized IRS employees do not have access to e-Services and monitor transactions of employees who are authorized access.
IRS officials agreed with the intent of all but one of our recommendations and plan to take actions to improve internal controls for accessing and using Disclosure Authorization and the Transcript Delivery System. They did not agree tax professionals are misusing Disclosure Authorization by requesting transcripts; however, tax practitioners are obtaining powers of attorney with no intention of representing taxpayers before the IRS.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500