Insufficient E-Services Controls May Put Taxpayer Information at Risk
June 29, 2012
Reference Number 2012-40-071
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
2(f) = Risk Circumvention of Agency Regulation or Statute
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.tigta.gov
HIGHLIGHTS
INSUFFICIENT E-SERVICES CONTROLS MAY PUT TAXPAYER INFORMATION AT RISK
Highlights
Final Report issued on June 29, 2012
Highlights of Reference Number: 2012-40-071 to the Internal Revenue Service Commissioner for the Wage and Investment Division.
IMPACT ON TAXPAYERS
By law, the IRS can generally disclose tax information only to a taxpayer or that taxpayer’s designee or attorney-in-fact. Taxpayers can authorize individuals to represent them and can authorize a designee or attorney-in-fact to receive confidential tax information. Taxpayers’ sensitive tax return information is at risk of unauthorized disclosure when controls are insufficient to ensure that tax professionals properly file a power of attorney with the IRS before it discloses taxpayer information to them.
WHY TIGTA DID THE AUDIT
This audit was initiated as a result of a referral from the TIGTA Office of Investigations that identified a potential e-Services control weakness over electronically submitted powers of attorney. E-Services is a suite of web-based products for tax professionals that provides multiple electronic IRS products and services. The overall objective of this review was to determine if controls over e‑Services are sufficient to prevent unauthorized access to taxpayer information.
WHAT TIGTA FOUND
Taxpayer information may be at risk of unauthorized disclosure and misuse when tax professionals electronically submit powers of attorney. Controls are insufficient to ensure: 1) tax professionals obtain a signed Form 2848, Power of Attorney and Declaration of Representation, before submitting it via e-Services Disclosure Authorization; 2) tax professionals use Form 2848 only for its intended purpose; and 3) only tax professionals who can file a power of attorney electronically have access to Disclosure Authorization.
Although the IRS requires tax professionals to obtain a taxpayer signature before filing the power of attorney, controls do not ensure tax professionals comply with the requirement. Tax professionals are also using a power of attorney for other than its intended purpose, such as obtaining a power of attorney solely for the purpose of ordering and providing tax return transcripts for individuals who request them online. In addition, tax professionals who have access to e-Services but are not permitted by the IRS to electronically file a power of attorney can circumvent this control ********2(f)***************************
Lastly, IRS employees have access to e‑Services online tools but are prohibited from participating in tax preparation activities. The IRS should not allow IRS employees to have access to Disclosure Authorization and the Transcript Delivery System without managerial authorization and a business need.
WHAT TIGTA RECOMMENDED
TIGTA recommended the IRS conduct periodic data analysis to identify tax professionals using Disclosure Authorization for purposes other than its intended purpose. The IRS should also **2(f)*********2(f)****** to verify tax professionals retain a signed power of attorney before submitting one through Disclosure Authorization. Also, the IRS should periodically review policies for granting Disclosure Authorization access to tax professionals, especially unenrolled tax return preparers and registered tax return preparers. Finally, the IRS should ensure unauthorized IRS employees do not have access to e-Services and monitor transactions of employees who are authorized access.
IRS officials agreed with the intent of three of the four recommendations and plan to take actions to improve internal controls for accessing and using Disclosure Authorization and the Transcript Delivery System. They did not agree tax professionals are misusing Disclosure Authorization by requesting transcripts; however, tax practitioners are obtaining powers of attorney with no intention of representing taxpayers before the IRS.
June 29, 2012
MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
FROM: Michael E. McKenney /s/ Michael E. McKenney
Acting Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Insufficient E-Services Controls May Put Taxpayer Information at Risk (Audit # 201240033)
This report presents the results of our review to determine if controls over e-Services are sufficient to prevent unauthorized access to taxpayer information. This audit originated from a referral from the Treasury Inspector General for Tax Administration Office of Investigations that identified a potential weakness over electronically submitted powers of attorney that allows tax professionals with access to e‑Services to obtain tax account records without the taxpayer’s knowledge and/or authorization. This audit is included in our Fiscal Year 2012 Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.
Management’s complete response to the draft report is included in Appendix VII.
Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Randee Cook, Acting Assistant Inspector General for Audit (Returns Processing and Account Services), at (770) 617-6434.
Internal Revenue Service Employees Have Access to E-Services
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Confirmation Letter Sent to Taxpayers
Appendix V – Confirmation Letter Sent to Tax Professionals
Appendix VI – Form 2848, Power of Attorney and Declaration of Representative
Appendix VII – Management’s Response to the Draft Report
Abbreviations
|
e-file(d), e-filing |
Electronically file(d); electronic filing |
|
IRS |
Internal Revenue Service |
In Calendar Year 2011, more than 112 million taxpayers opted to electronically file (e-file) their Federal tax returns by using commercial software to prepare and file their tax returns, by using the Internal Revenue Service’s (IRS) various e-filing products offered on its public Internet site (www.IRS.gov), or by e-filing through a paid tax return preparer. In order for tax professionals to conduct business electronically, including e-filing, the IRS developed a suite of web-based products, called e‑Services Online Tools for Tax Professionals (online tools), which provides multiple electronic products and services to tax professionals. The suite is not available to the general public; rather, only approved IRS business partners are eligible to participate. Figure 1 lists the e-Services products offered to tax professionals.
Figure 1: E-Services Products
|
Disclosure Authorization |
Eligible tax professionals may complete authorization forms, view and modify existing forms, and receive acknowledgement of accepted submissions of tax returns immediately—all online. Disclosure Authorization allows tax professionals to electronically submit a power of attorney and Form 2848, Power of Attorney and Declaration of Representative, and Form 8821, Tax Information Authorization. This service expedites processing and issues a real-time acknowledgment of accepted submissions. |
|
E-File Application |
Applicants can complete the IRS e-file Application using the Internet. Applicants can start the process and save applications in progress so that modifications to a firm's application can be made quickly and easily without restarting the process. Users can check the status of the application as the IRS makes updates to the suitability check. Users can also easily adapt their application to the changes in their businesses. The application allows management of all Authorized IRS e-file Provider[1] information in one place and it more easily updates the information when changes occur. |
|
Electronic Account Resolution |
Electronic Account Resolution allows tax professionals to expedite closure on clients’ account problems by electronically sending/receiving account-related inquiries. Tax professionals may inquire about individual or business account problems, refunds, installment agreements, missing payments, or notices. Tax professionals must have a power of attorney on file before accessing a client’s account. The IRS delivers its response to a secure electronic mailbox within three business days. |
|
Taxpayer Identification Number Matching |
A prefiling service offered to payers and/or authorized agents who submit any of six information returns subject to backup withholding. With Interactive Taxpayer Identification Number Matching, authorized payers can match up to 25 payee Taxpayer Identification Number and name combinations against IRS records prior to submitting an information return. Bulk Taxpayer Identification Number Matching allows payers and/or authorized agents filing any of the six information returns to match up to 100,000 Taxpayer Identification Number and name combinations. |
|
Transcript Delivery System |
Eligible tax professionals may use the Transcript Delivery System to request and receive tax account transcripts,[2] wage and income documents, tax return transcripts, and verification of nonfiling letters for both individual and business taxpayers. Tax professionals must have a power of attorney authorization on file with the IRS before accessing a client's account (or use Disclosure Authorization to file an authorization on a new client and obtain Transcript Delivery System information immediately). |
Source: IRS.gov.
Only approved IRS business partners are eligible to participate in e-Services. When applying for access, applicants provide information the IRS can verify using existing taxpayer records. The applicant’s professional status determines the type of documentation that he or she must submit.
This audit originated as the result of a referral from the Treasury Inspector General for Tax Administration Office of Investigations. Investigators identified a potential control weakness that allows tax return preparers with access to e-Services to electronically submit powers of attorney and obtain taxpayers’ tax account records without taxpayer knowledge and/or authorization. Disclosure Authorization and the Transcript Delivery System allow e-Services participants to electronically file a power of attorney and then immediately submit and obtain taxpayers’ tax account information.
By law, the IRS can generally disclose taxpayers’ tax information only to the taxpayer or the taxpayer’s designee or representative. Taxpayers can authorize one or more individuals to represent them on tax-related issues and can authorize a designee or representative to receive confidential tax information. The IRS provides specific forms taxpayers and tax professionals can use for each situation.
· Form 2848, Power of Attorney and Declaration of Representative – Taxpayers can use this form to authorize an individual or individuals to represent them before the IRS. It authorizes the listed representative(s)[5] to receive and inspect confidential tax information and to perform all acts (that is, sign agreements, consents, waivers, or other documents) that taxpayers can perform with respect to matters described in the power of attorney. Form 2848 specifically states the IRS will not honor Form 2848 for any purpose other than representation before the IRS. In addition, when the IRS accepts the Form 2848, it supersedes any existing powers of attorney for the tax periods specified unless the taxpayer or tax professional indicates otherwise on the form and provides a copy of the previous power of attorney that needs to remain in effect.
· Form 8821, Tax Information Authorization – Taxpayers can use this form to authorize an individual or organization to receive or inspect confidential tax return information. By completing this form, the taxpayer does not authorize an individual or organization to represent him or her before the IRS.
· Form 4506-T, Request for Transcript of Tax Return – Taxpayers can use this form if they want to authorize an individual or organization to receive or inspect transcripts of confidential tax return information, but do not want to authorize the individual to represent them before the IRS. Taxpayers often use this form to authorize third parties to verify their compliance with Federal income tax requirements.
Tax professionals can use Disclosure Authorization only to submit Forms 2848 and 8821. They cannot use it to submit a Form 4506-T.
Since Fiscal Year 2004, e-Services users have submitted more than 899,000 Forms 2848 to the IRS via Disclosure Authorization and almost 16.9 million transcript requests from tax professionals using the Transcript Delivery System. Figure 2 shows the steady increase in the number of e-Services users, Forms 2848 filed electronically, and transcript requests.
Figure 2: Increases in
Usage of E-Services, Disclosure Authorization,
and the Transcript Delivery System Since Fiscal Year 2004
Figure 2 was removed due to its size. To see Figure 2, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
This review was performed at the Wage and Investment Division Headquarters in Atlanta, Georgia, during the period November 2011 through April 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Controls Over E-Services Are Insufficient to Prevent or Detect Unauthorized Disclosure of Taxpayer Information
During Calendar Year 2011, tax professionals submitted more than 2.5 million transcript requests through e-Services. A statistical sample of 600 of the 2.5 million transcripts showed that controls are sufficient to ensure that tax professionals who request taxpayers’ tax return information file a power of attorney with the IRS before it disclosed taxpayer information to them. However controls are insufficient to ensure that:
During a two-month period between October 1 and November 30, 2011, tax professionals electronically submitted 153,224 Forms 2848 and subsequently requested at least one transcript for the period covered on those forms. We randomly selected 750 of the 153,224 Forms 2848 and sent 747 confirmation letters to the taxpayers for whom they were submitted.[7] We asked them to confirm that (1) they gave the tax professional listed on the Form 2848 permission to receive tax information about them for the specific tax year listed and (2) they signed a Form 2848 before the tax professional submitted it.
Of the 373 responses (50 percent response rate) received from taxpayers:
Figure 3 shows these results projected to the population.[8]
Figure 3: Analysis of Responses Received From Taxpayers
|
|
Sample of Forms 2848 |
Percentage |
Projections for Population |
|
Gave Permission Without Signing |
3 |
0.8% |
254–3,570 |
|
Signed Form 2848 After Submitted to Disclosure Authorization |
12 |
3.2% |
2,559–8,504 |
|
Did Not Give Permission |
16 |
4.3% |
3,785–10,542 |
|
No Issues |
342 |
91.7% |
136,197–144,783 |
|
Totals |
373 |
100% |
153,224 |
Source: Our analysis of taxpayers’ responses to our confirmation letters.
We also sent letters to the 560 tax professionals who electronically submitted 736 of the 750 Forms 2848 and requested hardcopies of the signed Forms 2848.[9] Before tax professionals submit an electronic power of attorney request through e-Services, they are required to obtain a signature from the taxpayer on a Form 2848 and retain it. They are also required to provide the IRS a copy of the Form 2848 upon request. We received responses from tax professionals for 625 (85 percent) of the 736 Forms 2848. Figure 4 shows the results of the confirmation letters sent to tax professionals, projected to the population.[10]
Figure 4: Analysis of Responses Received From Tax Professionals
|
|
Sample of Forms 2848 |
Percentage |
Projections for Population |
|
No Copy Provided With Response or Incorrect Copy Provided |
154 |
20.9% |
27,565–36,555 |
|
No Response to Request |
91 |
12.4% |
15,307–22,582 |
|
Total Documents Not Provided or Incorrect |
245 |
33.3% |
45,798–56,213 |
|
No Issues |
471 |
64.0% |
92,571–103,359 |
|
Post Office Returned as Undeliverable |
20 |
2.7% |
2,367–5,960 |
|
Totals |
736 |
100% |
153,224 |
Source: Our analysis of tax professionals’ responses to our request for documentation.
A copy was incorrect if it did not contain evidence of the taxpayer approving submission of a power of attorney before the tax professional submitted it on Disclosure Authorization. For example, we considered a copy to be incorrect if it did not have a taxpayer signature with a date on or before the date the tax professional submitted the power of attorney electronically or if there was not a taxpayer signature at all.
The IRS risks unauthorized disclosures of taxpayer information when tax professionals obtain access to taxpayer data without a signed Form 2848. When tax professionals use Form 2848 for purposes other than for what it is intended, they are circumventing IRS controls in place to protect taxpayer information. When tax professionals are able to circumvent Disclosure Authorization controls that prevent them from filing powers of attorney electronically, they may be obtaining powers of attorney for taxpayers they have no right to represent.
***************************************************2(f)**************************************** ********************2(f)***********************
Although the IRS requires tax professionals to obtain a signed copy of a Form 2848 before they submit a power of attorney through Disclosure Authorization, ****************2(f)******** *********************2(f)********************. In fact, many tax professionals may be unaware of requirements to maintain a hardcopy Form 2848.
After receiving our confirmation letters, five tax professionals called us and stated they were not aware of requirements to maintain a signed Form 2848. Two tax professionals stated they had called the e-Help desk[11] for clarification, and assistors advised them there was not a requirement to maintain the signed Form 2848.
On January 27, 2012, we advised the IRS of the situation. The IRS took immediate action; therefore, we are not making any further recommendations at this time. The IRS responded that it would remind assistors of and reinforce the requirement for tax professionals to maintain a signed Form 2848 when they submit powers of attorney through Disclosure Authorization by:
Tax professionals are not required to send the IRS the original or a copy of the Forms 2848 they use to electronically submit a power of attorney through Disclosure Authorization. Additionally, the IRS ************************************2(f)***************************** *************************************2(f)************************************** ************************2(f)**********************. The IRS does conduct compliance reviews of tax return preparers, **********************2(f)**********************.
These controls come with costs. Requiring tax professionals to mail or fax signed Forms 2848 has limitations and would be costly. **************************2(f)*************** *****************************************2(f)***************************************************************************2(f)***************************************************************************2(f)********************************* ***********2(f)*************. This effort could also be part of the IRS’s annual filing season visitations to return preparers to heighten awareness of preparer responsibilities. **********************************2(f)***************************************************************************2(f)************************************************2(f)*************.
E-Services Disclosure Authorization and Transcript Delivery System are being used for other than their intended purposes
Tax professionals are using e-Services to circumvent standard IRS procedures and controls by submitting Form 2848 for the sole purpose of ordering and providing transcripts for taxpayers. This allows them to obtain an account transcript for taxpayers within minutes. Form 2848 states that the IRS will not honor it for any purpose other than representing a taxpayer before the IRS. Figure 5 provides an excerpt from Form 2848.
Figure 5: Excerpt From Form 2848
Figure 5 was removed due to its size. To see Figure 5, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
Commercial Internet websites offer to provide taxpayers, for a fee, tax account information. To obtain taxpayers’ tax return information, taxpayers are asked to provide the information needed to submit a Form 2848 through Disclosure Authorization. After submitting the power of attorney via Disclosure Authorization, tax professionals can immediately obtain tax account transcripts through e-Services Transcript Delivery System. We identified websites that charged taxpayers as much as $39.95 or more for this service.
Personally Identifiable Information includes an individual’s:
· Name.
· Address.
· E-mail Address.
· Social Security Number.
· Telephone Number.
· Bank Account Number.
· Date and Place of Birth.
· Mother’s Maiden Name.
· Biometric Data (e.g., height, weight, eye color, finger prints).
The IRS has established procedures and controls to safeguard a taxpayer’s Personally Identifiable Information, which includes the information contained on a tax account transcript. When taxpayers want to obtain their tax account transcripts, they can obtain their own records for free by:
In most cases, the taxpayer would receive the account transcript in approximately two weeks. However, taxpayers can obtain an account transcript the same day they visit a local IRS office.
Regardless of the method used to obtain a transcript, taxpayers must authenticate themselves. If ordering online or via an app on a mobile device, the IRS will mail the tax return information only to the taxpayer’s address of record. Therefore, individuals other than the taxpayer who may have the taxpayer’s information will not be able to have a transcript sent to them.
******************************************2(f)***************************** ***************************************2(f)*****************************************************2(f)**************************. In addition, taxpayers could be unaware the tax professional is first submitting a power of attorney to the IRS, which:
The IRS is not conducting trending or data analysis that would identify the tax professionals engaged in this practice. However, it maintains records of every power of attorney submitted via Disclosure Authorization and every transcript request made via the Transcript Delivery System. The IRS could use these records to identify tax professionals who may be misusing Form 2848 to order account transcripts.
The IRS must be able to assure taxpayers it is protecting their confidential tax return information. It should have sufficient internal controls that detect potential misuse of its systems that disclose taxpayer information to third parties, including controls to identify transactions that may not meet its policies and procedures.
Taxpayers who do not wish to obtain their own tax return information can allow third parties to obtain them by completing a Form 4506-T
Form 4506-T allows taxpayers to give interested third parties the authority to obtain their confidential tax return information without giving them a power of attorney. Taxpayers may complete a Form 4506-T and either send it to the IRS or have the third party send it to the IRS.
Additionally, the IRS offers the Income Verification Express Services Program, in which third parties can verify income information on behalf of a taxpayer. For third parties to obtain transcripts, taxpayers can complete and provide the third party with either a completed Form 4506-T or a Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript. See Figure 6 for an excerpt of Form 4506-T.
Figure 6: Excerpt From Form 4506-T
Figure 6 was removed due to its size. To see Figure 6, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
The request must include the name, address, and telephone number of the third party to whom the IRS should send the income information. Income Verification Express Service participants pay $2.00 per request and FAX a Form 4506-T to the IRS. In turn, the IRS e-mails the requested information to the participant’s secure e‑Services mailbox.
Tax professionals who are not authorized are using Disclosure Authorization to file powers of attorney
The IRS allows only certain tax professionals to access and use Disclosure Authorization. They include:
· Attorneys, certified public accountants, or enrolled agents who may represent taxpayers in proceedings before the IRS.
· Electronic Return Originators who have e-filed five or more accepted returns.
However, although they can access Disclosure Authorization, the IRS does not permit Electronic Return Originators who are unenrolled tax return preparers or registered tax return preparers to submit powers of attorney electronically. The IRS requires that Forms 2848 be submitted on paper so that it can review the request to ensure unenrolled tax return preparers and registered tax return preparers meet the requirements to represent the taxpayer.
To circumvent this control and obtain immediate powers of attorney and transcripts, ***2(f)*** ****************************************2(f)********************************** ****************************************2(f)********************************* ****************************************2(f)********************************* *********************************2(f)*******************.
********************************2(f)**************************************:[12]
The IRS *******************************2(f)********************************** ********************************2(f)***************************.
The IRS originally granted e-Services access to tax return preparers who met e-file requirements as part of an incentive program to persuade tax return preparers to e-file their clients’ tax returns. However, the IRS has not recently reviewed its policies for granting Disclosure Authorization access to the various types of tax professionals to determine if they need access to e-Services online tools. Specifically, it has not determined if unenrolled tax return preparers or registered tax return preparers who do not qualify as attorneys, certified public accountants, or enrolled agents should continue to have access to e-Services online tools. **************2(f)**** *******************************************2(f)****************************** ****************************************2(f)******************************************************2(f)************.
If the IRS decides not to change its access policies for unenrolled and registered tax return preparers, *******************************2(f)******************************** *************************************2(f)************************************ *************************************2(f)*************.
Recommendations
The Commissioner, Wage and Investment Division, should:
Recommendation 1: Identify tax professionals using Disclosure Authorization for purposes other than its intended purposes. This will allow the IRS to take appropriate corrective actions, such as deactivating access to Disclosure Authorization, for tax professionals who present a risk. The IRS may identify tax professionals who submit unusually large volumes of Forms 2848, especially if they are not preparing tax returns, and determine if they used the powers of attorney to circumvent the IRS’s process for requesting transcripts.
Management’s Response: IRS management did not agree tax professionals are improperly using Disclosure Authorization by requesting transcripts. The instructions to the Form 2848 state that authorization of an eligible representative will allow that individual to receive and inspect confidential tax information.
Office of Audit Comment: IRS management did not agree tax professionals are improperly using Disclosure Authorization by requesting transcripts; however, that is not the basis of our conclusion or recommendation. Tax professionals are using Disclosure Authorization to obtain a power of attorney for the sole purpose of obtaining a tax transcript. As stated at the top of Form 2848, the purpose of a power of attorney is to designate a person or persons to represent a taxpayer before the IRS. The IRS states it will not honor the power of attorney if it is submitted for any other purpose. While a representative may need to obtain tax transcripts when representing a taxpayer, a representative should not obtain a power of attorney for the sole purpose of obtaining tax transcripts without intending to represent the taxpayer before the IRS. The IRS already has a process in place that allows a taxpayer to authorize tax professionals to obtain tax transcripts without the same potential for circumventing privacy controls, giving tax professionals additional powers, or unintentionally superseding any existing powers of attorney.
Recommendation 2: ***********2(f)*************** to verify that tax professionals are obtaining and retaining a signed power of attorney before submitting one through Disclosure Authorization. ************************************2(f)*********************** ****************************************2(f)******************************.
Management’s Response: IRS management agreed that some tax professionals may be unaware of the requirements to obtain and maintain a hard copy of the signed Form 2848. The IRS will take actions to better educate Disclosure Authorization users of the requirement to obtain a signed Form 2848 prior to its electronic submission and to maintain the signed copy in the authorized representative’s files.
Office of Audit Comment: IRS management did not agree to develop a confirmation program. While taking actions to better educate Disclosure Authorization users of the requirements to obtain and maintain signed Forms 2848 prior to electronic submissions will address the issue, management will not be able to measure the effectiveness of these steps or ensure continuing compliance with them without developing a confirmation program to verify that tax professionals are complying with the requirements.
Recommendation 3: Reassess the policy for granting Disclosure Authorization access to unenrolled tax return preparers and registered tax return preparers. If the IRS decides not to grant them access to online tools, the IRS should ensure they no longer have access to Disclosure Authorization. If the IRS decides to continue granting access to unenrolled tax return preparers and registered tax return preparers, it should ********************2(f)*************** ************************************2(f)************************************* ************************************2(f)*******************************.
Management’s Response: *************************2(f)****************** **************************************2(f)****************************** **************************************2(f)**************************** ***********2(f)********. The IRS will reassess the current policy regarding access to Disclosure Authorization and the Transcript Delivery System for unenrolled and registered return preparers and will take appropriate follow-up action.
Internal Revenue Service Employees Have Access to E-Services
IRS employees have access to e-Services online tools, but are prohibited from participating in tax preparation activities.[13] The IRS should not allow IRS employees to have access to Disclosure Authorization and the Transcript Delivery System without managerial authorization and a business need.
The IRS should also take steps to ensure its new employees who previously worked as tax professionals do not have access to e‑Services. Employees could use their access capabilities to make unauthorized accesses of taxpayer information. Although the IRS electronically captures all Disclosure Authorization and Transcript Delivery System transactions by these employees, just as it does for all users, it does not have controls in place to monitor these transactions for unauthorized accesses of taxpayer information, and the system does not allow for comparisons to existing employee records.
Recommendation
Recommendation 4: The Commissioner, Wage and Investment Division, should ensure IRS employees do not have unauthorized access to e-Services online tools by periodically matching IRS personnel information to a listing of e-Services users. The IRS should revoke the e-Services access of employees not authorized to have it and monitor the transactions of employees who are authorized access.
Management’s Response: IRS management agreed that IRS employees should not have access to e-Services without a legitimate business need. The IRS requested the list of employees and the methodology used during the audit to determine if employees may have unauthorized e-Services access through the Registered User Portal. Once the IRS has received the information, it will further investigate and deactivate any accounts found to have unauthorized access.
Appendix I
Detailed Objective, Scope, and Methodology
Our overall objective was to determine if controls over e-Services are sufficient to prevent unauthorized access to taxpayer information. This included evaluating and assessing the internal controls of the e-Services Program and its online tools, including controls that prevent tax practitioners and other users from improperly obtaining access to taxpayer information by electronically filing fraudulent power of attorney and/or transcript requests. To accomplish this objective, we:
I. Determined if IRS policies and internal controls for providing tax professionals access to e-Services online tools limits the potential for fraud and unauthorized disclosures.
A. Determined if the current policies and rules for granting tax professionals access to e‑Services online tools minimize the risks of granting access to users who wish to commit fraud.
B. Identified and evaluated the internal controls that ensure e-Services users with access to the online tools are qualified to receive it.
II. Determined if the controls for processing transcript requests submitted via the Transcript Delivery System effectively detect and prevent unauthorized disclosures of taxpayer information.
A. Selected two statistically random samples, each with 300 third-party transcript requests, from the 2.5 million third-party transcript requests submitted via the Transcript Delivery System during Calendar Year 2011 for which the IRS provided the user with the requested information.
· The first sample included third-party transcript requests for which the Transcript Delivery System indicated that the Centralized Authorization File[14] was checked before completing the request.
· The second sample included third-party transcript requests for which the Transcript Delivery System indicated that the Centralized Authorization File was not checked before completing the request.
We based our sampling plans on a confidence level of 95 percent, expected error rates of 1 and 2 percent, and a precision of ±2 percent, resulting in minimum sample sizes of 95 and 188. We oversampled to 300 in each category to account for any unforeseen circumstances. We compared the samples to the Centralized Authorization File to determine if it contained a corresponding power of attorney for the specific tax period disclosed to the tax professional.
B. Determined if the IRS performs any electronic detection testing to identify improper disclosures.
III. Determined if the controls for processing Forms 2848, Power of Attorney and Declaration of Representative, submitted through Disclosure Authority effectively detect and prevent unauthorized disclosures by selecting a statistically valid sample of 750 Forms 2848 from the 153,224 Forms 2848 submitted by tax professionals in October and November 2011. We based our sampling plan on a confidence level of 95 percent, an expected error rate of 15 percent, and a precision of ±5 percent, resulting in a minimum sample size of 196. Expecting an approximate 30 percent response rate from taxpayers, we oversampled to 750 Forms 2848. To determine if tax professionals had received approval from taxpayers to request transcripts before ordering them, we:
A. Mailed letters to the 560 tax professionals who submitted 736 of the 750 Forms 2848 and asked them to send us paper copies of the Forms 2848 submitted.[15]
B. Mailed 747 letters to the taxpayers named on the 750 Forms 2848.[16] We asked the taxpayers to confirm that they gave the tax professional permission to file a power of attorney and that they signed a Form 2848.
IV. Determined if tax professionals not authorized to submit Forms 2848 using Disclosure Authorization actually submitted them using it.
A. Analyzed the IRS preparer file to identify those preparers who were not certified public accountants, attorneys, or enrolled agents and compared them to those who had submitted Forms 2848 using Disclosure Authorization during October or November 2011.
B. *************************************2(f)************************* *************************************2(f)******************************************************************2(f)******************************************************************2(f)*********************** *************************************2(f)*************************************************************2(f)***************.
V. We obtained Disclosure Authorization and Transcript Delivery System data processed from e-Services online tools and stored on the Data Center Warehouse. We evaluated the expected importance of the data and the anticipated level of risk in relying on the computer-generated data obtained from Forms 2848 filed by tax professionals. We also analyzed the dates of transactions to determine there was not missing data. In addition, we compared these data to information on the Integrated Data Retrieval System[17] and determined the validity of the data. Our analysis determined the data were sufficiently reliable for our audit purposes.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS’s policies, procedures, and practices for preventing unauthorized access to taxpayer information. We evaluated these controls by interviewing management, reviewing the Internal Revenue Manual, reviewing the IRS’s efforts to monitor e-Services online tools, and conducting a confirmation program to identify powers of attorney submitted by tax professionals with taxpayer permission.
Appendix II
Major Contributors to This Report
Augusta R. Cook, Acting Assistant Inspector General for Audit (Returns Processing and Account Services)
Paula W. Johnson, Acting Director
Wilma Figueroa, Audit Manager
Kenneth Carlson, Acting Audit Manager
Pam DeSimone, Senior Auditor
Lynn Faulkner, Senior Auditor
Jack Forbus, Senior Auditor
Geraldine Vaughn, Senior Auditor
Nelva Usher, Auditor
James Avery, Chief, Modernized UNAX Development
Valerie Livingood, Information Technology Specialist
Joseph L. Katz, Ph.D., Contractor, Statistical Sampling Consultant
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Deputy Commissioner for Services and Operations, Wage and Investment Division SE:W
Director, Office of Online Services SE:OLS
Director, Office of Professional Responsibility SE:OPR
Director, Return Preparer Office SE:RPO
Director, Customer Account Services, Wage and Investment Division SE:W:CAS
Director, Strategy and Finance, Wage and Investment Division SE:W:S
Director, Accounts Management, Wage and Investment Division SE:W:CAS:AM
Director, Submission Processing, Wage and Investment Division SE:W:CAS:SP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PEI
Appendix IV
Confirmation Letter Sent to Taxpayers
DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
INSPECTOR GENERAL
for TAX
ADMINISTRATION
Office of the Treasury Inspector General
For Tax Administration
c/o Ken Carlson - Office of Audit
4800 Buford Highway; Stop 15
Chamblee, GA 30341
OMB NO. 1505-217
Expires April 30, 2012
Month, date, year
Person to Contact: Wilma Figueroa
Telephone Number (Not Toll Free): (770) 452-4012
Email Address: auditinquiries@tigta.treas.gov
Control Number: <<ControlNumber>>
<<TPFirstName>><<TPLastName>>
<<TPAddress>>
<<TPCity>>, <<TP State>> <<TPZIPCode <<TPZIPCode4 <<TPZIPCode3>>
Dear <<TPFirstName>><<TPLastName>>,
The Department of the Treasury is conducting an independent review to ensure tax professionals who electronically submitted Forms 2828 (Power of Attorney and Declaration of Representative) to the Internal Revenue Service (IRS) obtained taxpayer approval and authorization. Form 2848 gives taxpayers the ability to authorize tax professionals to receive and inspect their confidential tax information and to act on their behalf in certain tax matters by allowing the IRS to disclose taxpayer information to an appointed taxpayer representative.
IRS records show that the tax professional named below electronically submitted a Form 2848 to the IRS on <<POADate>> for your
Tax Year <<TaxYear>> Individual Form 1040 Tax Return
<<POACompanyName>>
<<POAFirstName>> <<POALastName>>
We would appreciate your help in determining if you provided the tax professional(s) name above with permission to represent you. Please answer the three questions on the following page by checking the appropriate answer. Once completed, use the enclosed self-addressed, stamped envelope to return your answers to us.
We would appreciate your help in verifying the accuracy of the IRS’s records by answering the questions listed below. Your response is voluntary and there are no penalties for not replying. This letter is NOT a review of your tax records or a request for payment.
In addition, if we do not receive a response from you, we may call you using the telephone number that the IRS has on record for you. The telephone call should take no longer than 5 minutes.
|
Questions |
Answers (Check Just One Appropriate Answer per Question |
|
Did you give the tax professional(s) named above permission to receive tax information about you for the tax return listed? |
Yes No |
|
Did you sign a Form 2848 giving the tax professional(s) named above permission to receive tax information about you for the tax return listed? |
Yes No |
|
Did you sign the Form 2848 on or before <<POADate>> |
Yes No Not Applicable |
We may furnish the IRS the information you give to us; however, the law prohibit us from providing information concerning your tax account to third parties (other than the IRS) without your written permission.
The Treasury Inspector General for Tax Administration, which is part of the Department of the Treasury but independent of the ITS, conducts independent reviews of the IRS. To learn more about Treasury Inspector General for Tax Administration, please visit our Web site at www.treas.gov/tigta. In addition to general information about the services that TIGTA provides, you will be able to read the report written about responses to this request when we publish it later this year.
Thank you in advance for your cooperation.
Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
Privacy Act and Paperwork Reduction Act Notice
The Budget and Accounting Procedures Act of 1950 authorizes the Department of the Treasury to request this information for the purposes stated in the letter. You are not required to provide the information requested on a form that is subject to the Paperwork Reduction Act unless the form displays a valid Office of Management and Budget control number. The estimated average time to comply with this letter is 15 minutes. If you have any comments concerning the accuracy of this time estimate or suggestions for making this letter simpler, please write to either the:
Treasury Inspector General for Tax Administration
Office of Audit
1401 H Street Room, NW Suite 469
Washington, D.C. 20005
or
Office of Management and Budget
Paperwork Reduction Project (1591-0010)
Washington, D.C. 20503
Do not send your reply to this letter to either of these addresses –please use the self-addressed, stamped envelope.
Appendix V
Confirmation Letter Sent to Tax Professionals
DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
INSPECTOR GENERAL
for TAX
ADMINISTRATION
Office of the Treasury Inspector General
For Tax Administration
c/o Ken Carlson - Office of Audit
4800 Buford Highway; Stop 15
Chamblee, GA 30341
OMB NO. 1505-217
Expires April 30, 2012
Month, date, year
Person to Contact: Wilma Figueroa
Telephone Number (Not Toll Free): (770) 452-4012
Email Address: auditinquiries@tigta.treas.gov
Control Number: <<ControlNumber>>
<<POAFirstName>><<POALastName>>
<<POAAddress>>
<<POACity>>, <<POAState>> <<POAZIPCode <<POAZIPCode4 <<POAZIPCode3>>
Dear <<POAFirstName>><<POALastName>>,
The Department of the Treasury is conducting an independent review to ensure tax professionals who electronically submitted Forms 2828 (Power of Attorney and Declaration of Representative) to the Internal Revenue Service (IRS) obtained taxpayer approval and authorization. Form 2848 gives taxpayers the ability to authorize tax professionals to receive and inspect their confidential tax information and to act on their behalf in certain tax matters by allowing the IRS to disclose taxpayer information to an appointed taxpayer representative.
IRS records show you electronically submitted a Form 2848 to the IRS on <<POADate>> for the following taxpayer and tax period:
<<TPFirstName>> <<TPLastName>> for Tax Year <<POATaxYear>>
Please use the enclosed self-addressed, stamped envelope to send us a copy of the signed Form 2848 for the above taxpayer within 10 business days. Please do not send us the original document. You should maintain the original document in your records.
This request is NOT a review of the taxpayer’s tax records or a request for payment. The Treasury Inspector General for Tax Administration, which is part of the Department of the Treasury but independent of the ITS, conducts independent reviews of the IRS. To learn more about Treasury Inspector General for Tax Administration, please visit our Web site at www.treas.gov/tigta.
Thank you in advance for your cooperation.
Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
Privacy Act and Paperwork Reduction Act Notice
The Budget and Accounting Procedures Act of 1950 authorizes the Department of the Treasury to request this information for the purposes stated in the letter. You are not required to provide the information requested on a form that is subject to the Paperwork Reduction Act unless the form displays a valid Office of Management and Budget control number. The estimated average time to comply with this letter is 15 minutes. If you have any comments concerning the accuracy of this time estimate or suggestions for making this letter simpler, please write to either the:
Treasury Inspector General for Tax Administration
Office of Audit
1401 H Street Room, NW Suite 469
Washington, D.C. 20005
or
Office of Management and Budget
Paperwork Reduction Project (1591-0010)
Washington, D.C. 20503
Do not send your reply to this letter to either of these addresses –please use the self-addressed, stamped envelope.
Appendix VI
Form 2848, Power of Attorney
and Declaration of Representative
The form was removed due to its size. To see the form, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
Appendix VII
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
ATLANTA, GA 30308
COMMISSIONER
WAGE AND INVESTMENT DIVISION
June 8, 2012
MEMORANDUM FOR MICHAEL R. PHILLIPS
DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Peggy Bogadi /s/ Peggy Bogadi
Commissioner, Wage and Investment Division
SUBJECT: Draft Audit Report- Insufficient E-Services Controls May Put Taxpayer Information at Risk (Audit# 201240033)
The IRS suite of web-based products, known as e-Services, allows tax professionals to conduct business with the IRS electronically. To ensure the security of taxpayer information, tax professionals are required to adhere to terms and conditions of use, as well as specific responsibilities as a registered user of e-Services. E-Services is available only for approved IRS business partners who are registered users of e Services.
The IRS has developed and implemented filters to address known and anticipated risks that may be associated with unauthorized persons circumventing controls to gain access to, or obtain unauthorized disclosure of, taxpayer information via e-Service applications. To mitigate such risks, IRS business partners are required to register and undergo a number of checks to ensure compliance with IRS and other legal requirements. The IRS takes steps to ensure that controls do not put taxpayer information at risk.
The audit report identified potential risks such as tax professionals submitting Forms 2848, Power of Attorney and Declaration of Representative, electronically without the taxpayer signing a paper form; e-Services Disclosure Authorization (DA) and Transcript Delivery System (TDS) being used for other than their intended purpose; and unauthorized tax professionals using DA to file powers of attorney.
We will continue to take steps to ensure that proper protocols are followed, but note that with respect to the issue of requesting transcripts after submission of Form 2848, a majority of the respondents indicated the tax professionals secured the taxpayer's signature on Form 2848 prior to electronic submission and had kept a paper copy on file. There is no indication that the tax professionals who did not provide a copy, or provided an incorrect copy, to your request, were obtaining access to taxpayer's information for inappropriate purposes. We also note an apparent inconsistency in the presentation of the results of the survey of taxpayers and tax professionals (Figures 3, and 4, respectively). In reporting the analysis of taxpayer responses, non-respondents and undeliverable surveys were excluded from the results which overstates the population of responses that are indicative of potential problems.
The report takes the position that use of Form 2848 to request a transcript is inappropriate and is not an intended purpose of the form. Note that the instructions to the Form 2848 state that authorization of an eligible representative will allow the individual to receive and inspect confidential tax return data.
Attached are our comments to your recommendations. If you have any questions, please contact me, or a member of your staff may contact Peter J. Stipek, Director, Customer Account Services, Wage and Investment Division, at (404) 338-8910.
Attachment
Attachment
The Commissioner, Wage and Investment Division, should:
RECOMMENDATION 1
Identify tax professionals using Disclosure Authorization for purposes other than its intended purposes. This will allow the IRS to take appropriate corrective actions, such as deactivating access to Disclosure Authorization, for tax professionals who present a risk. The IRS may identify tax professionals who submit unusually large volumes of Forms 2848, especially if they are not preparing tax returns, and determine if they used the powers of attorney to circumvent the IRS's process for requesting transcripts.
CORRECTIVE ACTION
We do not agree with the conclusion that tax professionals are improperly using Disclosure Authorization (DA) by requesting transcripts. The instructions to the Form 2848 state that authorization of an eligible representative will allow that individual to receive an inspect confidential tax information.
IMPLEMENTATION DATE
N/A
RESPONSIBLE OFFICIAL
N/A
CORRECTIVE ACTION MONITORING PLAN
N/A
RECOMMENDATION 2
*************2(f)**************to verify that tax professionals are obtaining and retaining a signed power of attorney before submitting one through Disclosure Authorization. **************************************2(f)*********************************** ***********************************2(f)**********************************.
CORRECTIVE ACTION
We agree that some tax professionals may be unaware of the requirement to obtain and maintain a hard copy of the signed Form 2848. We will take actions to better educate users of DA of the requirement to obtain a signed Form 2848 prior to its electronic submission and to maintain the signed copy in the authorized representative's files.
IMPLEMENTATION DATE
October 15, 2013
RESPONSIBLE OFFICIAL
Director, Accounts Management, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
We will monitor this corrective action as part of our internal management control system.
RECOMMENDATION 3
Reassess the policy for granting Disclosure Authorization access to unenrolled tax return preparers and registered tax return preparers. If the IRS decides not to grant them access to online tools, the IRS should ensure they no longer have access to Disclosure Authorization. If the IRS decides to continue granting access to unenrolled tax return preparers and registered tax return preparers, it should ***************************2(f)************************ ************************************2(f)************************************ ********************************2(f)******************.
CORRECTIVE ACTION
***********************************2(f)**************************************** ***********************************2(f)**************************************** *****************************2(f)*********************. We will reassess the current policy regarding access to DA and TDS for unenrolled and registered return preparers, and will take appropriate follow up action.
IMPLEMENTATION DATE
October 15, 2013
RESPONSIBLE OFFICIAL
Director, Accounts Management, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
We will monitor this corrective action as part of our internal management control system.
RECOMMENDATION 4
The Commissioner, Wage and Investment Division, should ensure IRS employees do not have unauthorized access to e-Services online tools by periodically matching IRS personnel information to a listing of e-Services users. The IRS should revoke the e Services access of employees not authorized to have it and monitor the transactions of employees who are authorized access.
CORRECTIVE ACTION
We agree that IRS employees should not have access to e-Services without a legitimate business need. We have established procedures through our Online 5081 application to document authorization and to validate, regularly, employees' access to DA and TDS through the Employee User Portal. We have requested the list of employees and the methodology used during the audit to determine if they may have unauthorized e-Services access through the Registered User Portal. Once we have received the information, we will further investigate and deactivate any accounts found to have unauthorized access.
IMPLEMENTATION DATE
October 15, 2012
RESPONSIBLE OFFICIAL
Director, Accounts Management, Wage and Investment Division
CORRECTIVE ACTION MONITORING PLAN
We will monitor this corrective action as part of our internal management control system.
[1] E-file Providers are businesses and organizations that facilitate e-filing and can be an Electronic Return Originator, Intermediate Service Provider, Transmitter, or software developer. Electronic Return Originators originate the electronic submission of income tax returns to the IRS. An Electronic Return Originator electronically submits income tax returns that are either prepared by the Electronic Return Originator firm or received from a taxpayer. Intermediate Service Providers receive tax information, process it, and return it to an Electronic Return Originator, or forward it to a transmitter. Transmitters, once the return is prepared, send the income tax return data to the IRS. Software developers write the e‑file programs according to IRS file specifications and record layouts, making IRS e-file and Federal/State e-file possible.
[2] A tax account transcript provides basic information, including marital status, type of return filed, Adjusted Gross Income (gross income minus adjustments to income), taxable income, and later adjustments, if any.
[3] These professionals pass an IRS examination or present evidence of qualifying experience as a former IRS employee and have been issued an enrollment card.
[4] The e-file requirement is for tax professionals to electronically file five or more accepted individual and/or business returns.
[5] Appendix VI provides a copy of Form 2848. Part II of Form 2848 includes a list of representatives.
[6] Prior to 2010, the IRS did not regulate tax return preparers. All paid tax return preparers who do not have a professional certification must register with the IRS and pass a competency test before January 1, 2014, to prepare and file tax returns. Once they pass the competency test, they become registered tax return preparers. Unenrolled tax return preparers are those who currently are paid preparers but who are not an attorney, certified public accountant, lawyer, enrolled agent, or registered tax return preparer.
[7] We were unable to locate addresses for three taxpayers.
[8]A sample size of 373 responses from taxpayers and error rates of 0.8 percent, 3.2 percent, and 4.3 percent allowed us to project our results to the total population of 153,224 Forms 2848 at a 95 percent confidence level with standard errors of 0.46 percent, 0.91 percent, and 1.05 percent, respectively. A point projection of 91.7 percent for instances in which there were no issues allowed us to project our results at a 95 percent confidence level with a precision rate of ±2.8 percent.
[9] We were unable to mail requests for 14 of the 750 Forms 2848.
[10] A sample size of 736 requests to tax professionals and error rates of 20.9 percent, 12.4 percent, and 33.3 percent allowed us to project our results to the total population of 153,224 Forms 2848 at a 95 percent confidence level with precision rates of ±2.9 percent, ±2.4 percent, and ±3.4 percent, respectively. A point projection of 64 percent for instances in which there were no issues allowed us to project our results at a 95 percent confidence level with a precision rate of ±3.5 percent. For the 20 requests that were undeliverable, a 2.7 percent point projection allowed us to project our results at a 95 percent confidence level with a precision rate of ±1.2 percent.
[11] The e-Help desk assists e-Services users with questions and issues concerning e-products that are not account related.
[12] *****************************2(f)***********************************************.
[13] 5 C.F.R. § 3101.106.
[14] The Centralized Authorization File is a computerized system of records which houses authorization information from both powers of attorney and tax information authorizations.
[15] We were unable to mail requests for 14 of the 750 Forms 2848.
[16] We were unable to locate addresses for three taxpayers.
[17] IRS computer system capable of retrieving or updating stored information. It works in conjunction with a taxpayer’s account records.