Executive Summary

Objective and Scope

Background

Results

In fiscal year 1997, the Service received over 1.1 million requests for tax return information from the public. Requests are made for photocopies of tax returns or for transcripts of tax return information. Financial institutions and the Federal government generally request tax information for income verification purposes prior to granting loans.

Beginning October 1, 1994, the Service offered to provide taxpayers with transcripts of return information free of charge as an alternative to providing photocopies of returns at a cost to the taxpayer of $14. Providing transcripts of return information has increased the potential for unauthorized disclosure of tax information.

The Service is extremely vulnerable to unauthorized disclosure of tax return information.

Four significant issues warrant management’s attention:

• Processing controls are not adequate to prevent unauthorized disclosures.

• Requirements for the release of tax return transcripts need strengthening to prevent unauthorized disclosure of tax information.

• Taxpayer written requests for tax return information is not properly maintained to protect the Service from unauthorized accesses.

We also found that required letters are not consistently issued to taxpayers when their requests for tax information are not processed within 30 days.

The following summarizes the specific recommendations contained in this report. The Service should:

• Establish a review process that will accurately measure the quality of work completed, correctly identify unauthorized disclosures and procedural errors, and prevent their recurrence.
• Revise instructions to require the taxpayer to provide his/her name, address, and SSN before the request can be processed.
• Update guidelines for processing requests submitted on forms not developed by the Service.
• Revise Form 4506 to have the taxpayer include the filing status and number of exemptions.
• Require managerial reviews be conducted to ensure that supporting documentation is available for all completed requests.
• Require timeliness of issuing interim letters be included in any quality review process established.

Management Response: Management has agreed to take appropriate corrective action in response to each recommendation in the report. Management’s actions are summarized in the body of the report and the entire response is included as Attachment II.

This review was initiated as a result of a local research project which disclosed controls over tax information to prevent unauthorized disclosure may need improvement. The audit fieldwork was conducted between June 1997 and March 1998 at two service centers in the Northeast Region (NER), one service center in the Southeast Region (SER) and one service center in the Western Region (WR), and was conducted in accordance with generally accepted government auditing standards.

The overall objective of the audit was to evaluate the Service’s process for responding to taxpayer requests for disclosing tax return information and ensuring that legal and procedural requirements were met. Also, determine whether the Service evaluated the legal impact of receiving information on potentially non-compliant taxpayers from third parties.

A detailed description of the specific objectives and audit coverage is included in Attachment I.

Taxpayers may request a copy of their tax return or an official tax return transcript be disclosed to a third party. The request, or consent, must be in the form of a written document and signed and dated by the taxpayer who filed the return. Generally, taxpayers use Form 4506 (Request for copy or Transcript of Tax Form). The service centers process these written requests under the provisions of the Internal Revenue code (IRc) 6103.

Financial institutions evaluate loan applications and one of their standard procedures is to verify the applicant’s income from Internal Revenue Service (IRS) records. Some financial institutions, instead of directly contacting the IRS for taxpayer data, send taxpayer requests through a centralized credit institution who, in turn, obtains the information from the IRS for the institutions or taxpayers and forwards the information to whomever the taxpayer designates.

The Small Business Administration (SBA) requests a transcript of a taxpayer’s return in order to process federally funded disaster loans. This government agency receives preferential treatment in order to process the requests as quickly as possible.

The financial institutions and SBA have taxpayers complete a request form for a copy or transcript of their tax return. Taxpayers can authorize other third parties permissions to receive the same information.

The general public expects the Service to take measures to protect the confidentiality of tax return information. The Service has the responsibility to make certain that disclosures of federal tax return information be made as authorized by laws and regulations. Taxpayers may bring civil suit action for damages against the United States if Service employees violate disclosure laws.

In fiscal year 1997 the Return and Income Verification Services (RAIVS) functions processed 691,000 requests for transcripts of tax information. Small Business Administration Disaster Program accounted for 188,000 of the requests. Also, the RAIVS functions processed 468,000 requests for photocopies of returns. The Service charges a $23 fee for each photocopy of a return but transcripts of tax information are provided free of charge.

Service records showed that the RAIVS functions processed over 1.1 million requests for tax return information in fiscal year 1997. However, the quality of the work processed by the RAIVS functions needs improvement to prevent possible unauthorized disclosure of tax return information.

The following significant issues warrant management’s attention:

• Processing controls are not adequate to prevent unauthorized disclosures.
• Requirements for the release of tax return transcripts needs improvement to prevent unauthorized disclosure of tax information.
• Taxpayer written requests for return information are not properly maintained to protect the Service from unauthorized accesses.

We also found that required letters are not consistently issued to taxpayers when their requests for tax information are not processed within 30 days.

Based on a recommendation from the Assistant chief counsel (Disclosure Litigation) the Service should consider obtaining customer authorizations that meet the requirements of the Right to Financial Privacy Act if income verification information is provided to the Service by lenders.

Unauthorized disclosure of tax return information can subject the Service to civil damages, undermine taxpayers’ confidence in the Service and result in reduced voluntary compliance. Taxpayers’ satisfaction with the customer service provided is reduced when they are not timely advised of the status of their requests.

The Service is required to fill all requests for tax return information if the request is made in accordance with the Internal Revenue code (IRc) and Treasury Regulations, and as long as the disclosure will not seriously impair the federal tax administration. The IRc requires a written request before tax return information can be disclosed to a third party and allows additional requirements to be established by regulation. Treasury Regulations require that the request:

• Be signed and dated by the taxpayer who filed the return;
• Be signed within 60 days of the date it was received by the Service;
• Pertain solely to the authorized disclosure;
• Specify the type of return (or portion of the return) or return information (and the particular data);
• Specify the taxable year covered;
• contain the taxpayer’s name, address and taxpayer identification number or a combination of these items; and
• Identify who should receive the information.

Management did not adequately perform quality review of requests before providing tax return information to third parties. Requests that were not signed by the taxpayers, did not have valid powers of attorney, or did not meet other requirements established to protect taxpayer information from improper disclosure were processed by the RAIVS function.

Internal audit reviewed the processing of requests for tax return transcripts by preparing and submitting requests based on fictitious taxpayer accounts maintained by Inspection, and by analyzing completed taxpayer requests.

We received responses to 24 invalid written requests submitted to two NER service centers. Twelve responses were received from each of the two centers. The Service made an unauthorized disclosure of tax information in eleven (46%) of the 24 requests.

One service center incorrectly released tax return transcripts for 11 of the 12 requests as follows:

• Five Forms 4506 that were not signed and tax return transcripts were sent to third parties.
• Four Forms 4506 that had the signatures of third parties that were not authorized to represent the taxpayers; tax return transcripts were sent to third parties.
• Two Forms 4506 that were not signed by the taxpayers and had addresses that were different from the Master File addresses; the transcripts were sent to the taxpayers at the new addresses.

The second service center in NER did not improperly release any tax return transcripts in the responses we received.

One NER service center processed approximately 56% of all requests for tax return information and all disaster program requests in fiscal year 1997. Our review of 186 requests submitted by taxpayers to this service center showed that 18 (10%) tax return transcripts were released to third parties without properly completed requests. The RAIVS function did not follow written guidelines for 11 of the requests as follows:

• One request that was not signed.
• Four requests that were signed more than 60 days prior to the date they were received by the service center.
• Six requests that were signed but not dated.

Also, seven requests were submitted on a form developed by a third party and processed by the RAIVS function. The form included both an authorization for the Service to release tax return information to the third party, and an authorization for the third party to release income information to the Service. One of the seven requests did not contain the taxpayer’s signature on the request form, but on an attachment to the form. The Service guidelines do not adequately address the processing of requests submitted on forms that include two authorizations.

The service centers in SER and WR processed approximately 2% and 6% of all requests respectively. Our review at these service centers did not identify any problems with processing requests for tax return transcripts.

Our review of 431 requests for photocopies of tax returns showed 13 the Service incorrectly processed (3%).

Our review of 144 requests for photocopies of tax returns processed by a service center in SER showed that 12 (8%) photocopies of tax returns were released to third parties without proper authorization as follows:

• Nine requests the taxpayers did not date as required.
• Three requests where individuals claiming to have power of attorney did not have proper documentation attached nor on record with the Service.

At a service center in NER, our review of 134 requests for photocopies of tax returns showed one request was processed and a copy of a taxpayer return was released to a third party who did not have a valid power of attorney for the release of the information. At the WR service center we did not identify any requests that were released to a third party without proper authorization.

Without verifying the validity of the requests for copies of tax returns and/or return information, the Service can not be assured that only authorized disclosures are made. As a result, the Service can be liable for civil damages if tax return information is knowingly or negligently disclosed. The liability is $1,000, or the actual damages plus the cost of the action.

1. We recommend that the Service establish a review process that accurately measures the quality of the work completed, correctly identifies unauthorized disclosures and procedural errors, and prevents these from reoccurring.
2. We recommend that Service guidelines be updated to provide clear instructions on requests that are submitted on forms that were not developed by the Service.

Management’s Response:

1. The Quality Assurance and Management Support Division at the service center identified as not following operating guidelines, performed a product review of the RAIVS function. Managerial review of a selection of each employee's work was put in place. Additionally, action is being taken to ensure all available review processes are utilized appropriately nationwide, including the new customer Service Peer Review process established for 1998.
2. Management rewrote the RAIVS Internal Revenue Manual (IRM) procedures to more clearly define "sole purpose" authorizations. In addition, procedures were added to honor forms designed by external customers only on an exception basis, and only after review by local Disclosure Officers.

Service guidelines allows the RAIVS function to conduct research to add information that is not provided by the taxpayer on the request, including the taxpayer’s Social Security Number (SSN). Individuals can obtain the tax return transcripts of a taxpayer even if they do not know the taxpayer’s SSN. The individual would only have to provide the taxpayer’s name and address and sign the request as the taxpayer.

The risk of a fraudulent signature being identified is minimal because the tax return with the taxpayer’s signature is not available to match to the signature on the request when the request is processed. Also, Service guidelines allow destruction of completed requests 45 days after the cases are closed. In contrast, the signature on the tax return can be matched to the signature on the request for a photocopy of a tax return, and these requests are maintained for six years and three months after the processing year. These issues were also raised in the Service’s Income Verification Taskforce Report dated February 7, 1997.

Using fictitious accounts maintained by Inspection to prepare requests for tax return transcripts to be sent to third parties we submitted requests signed as the taxpayers, but without taxpayers’ SSNs. We received six responses to requests sent to two NER service centers. consistent with Service guidelines, the RAIVS functions provided the tax return transcripts to the third parties in five (83%) of the six requests.

1. We recommend that the Service revise instructions to require the taxpayer to provide his/her name, address, and SSN before the request can be processed.
2. We recommend that Form 4506 be revised to include the taxpayers’ filing status and number of exemptions.

Management’s Response:

Service guidelines require requests submitted with remittances (photocopies of tax returns) be stored for six years and three months after the processing year. Also, requests submitted without remittances (including tax return transcripts) should be stored for 45 days after the cases are closed and then destroyed.

Neither internal audit nor the RAIVS functions could locate the Forms 4506 or other request documents to support 59 (5%) computer accesses for tax return transcripts and document requests (original tax returns, photocopies of tax returns or information from tax returns). Employees at three service centers accessed the accounts for taxpayer information. The following is a breakdown of the computer accesses that did not have supporting documents available.

Documentation was not maintained to support the use of computer accesses for all tax return documents and transcripts. The documentation should be readily available for review and maintained in accordance with Service guidelines. Without properly maintaining documentation, the Service can not be assured that only authorized disclosure of tax return and/or return information is made.

Management’s Response:

The Service considers a final response timely if it is initiated within 30 calendar days of the received date. As a method to improve customer service, procedures were established that require an interim letter if a final response that accurately addresses all issues cannot be timely initiated. Instructions on the request inform the taxpayer that it could take up to 60 calendar days to get a copy of a tax return.

The RAIVS functions at service centers in NER and SER did not provide required interim responses to all taxpayers’ when document requests could not be timely processed. At a service center in WR, interim letters were issued for all requests for photocopies of tax returns when the requests were received in the RAIVS function.

Our review of 278 requests for photocopies of tax returns processed by two service centers (NER and SER) showed that the RAIVS functions did not timely provide interim letters to taxpayers for 122 (44%) requests which were not completed within 30 calendar days.

Our review of a sample of 144 requests for photocopies of tax returns processed at a SER service center showed that 131 (91%) requests were not completed within 30 calendar days. There was no documentation showing that interim letters had been provided for 101 (77%) of the requests. The requests required an average of 62 days to complete.

Our review of a sample of 134 requests for photocopies of tax returns processed at an NER service center showed that 21 (16%) requests were not completed within 30 calendar days. There was no documentation showing that interim letters had been provided to these taxpayers. The cases required an average of 41 days to complete.

The Service can not be assured that quality customer service is provided when established procedures to issue interim letters are not timely followed.

Management’s Response:

The Service considers the safeguarding of taxpayer information a fundamental part of its mission. In fiscal year 1997, the Service processed over 1.1 million requests for tax return information. Since the Service can be held liable for unauthorized disclosure of tax information it is essential that documentation is maintained for the release of return information. The Service needs to take actions to ensure that the RAIVS functions only release tax return information based on authorized requests from taxpayers.

Also, good customer service requires taxpayers be timely advised of the status of their requests for photocopies of tax returns.

Our overall objective was to evaluate the effectiveness of the Service’s process when responding to taxpayers’ written requests for disclosing tax return information to ensure legal and procedural requirements are being met. Our specific objectives were to determine whether Service policies and controls for processing and maintaining requests ensured legal requirements were met; Integrated Data Retrieval System (IDRS) research was conducted only for valid transcript/photocopy requests to ensure taxpayer privacy; cost/benefits associated with responding to taxpayer requests ensure efficient use of resources; and assess data reliability. We also determined whether the Service identified and evaluated the legal impact of receiving information on potentially non-compliant taxpayers from third party sources.

Our audit objectives were accomplished by performing the following audit tests:

1. To determine whether Service policies and controls for processing and maintaining taxpayer requests (transcript / photocopy) ensure legal requirements were met, we:
1. Identified and reviewed legal / policy requirements that the Service / taxpayers must meet for legal disclosure of tax return information.

1. Met with counsel, Disclosure and the Privacy Advocate offices to determine legal requirements.
2. Obtained any written opinions previously issued.
3. Identified and evaluated the scope and results of any previous/on-going task forces that addressed the issues outlined in this audit plan.

1. Identified and evaluated the Service’s procedures and controls for responding to taxpayers’ requests for tax return information.

1. Interviewed management in each of the service center locations selected, and headquarters office. Identified any guidelines (local, regional or national) for processing/responding to the taxpayers’ requests.
1. Obtained procedures gathered by the Internal Audit Southeast Region Integrity Project Team.
2. Identified other possible contacts from audit teams previously working on similar issues.
2. Developed a comprehensive understanding of the processing / response / record keeping controls by researching the Internal Revenue Manual.
3. Evaluated the controls identified in objective I.A. to ensure they supported the legal requirements.

1. Evaluated whether the Service needs to determine the legality of receiving potentially non-compliant taxpayer information from the third and fourth party sources.

1. Obtained procedures/guidelines for Internal Revenue Service (IRS) receipt of this information, including reimbursement procedures for informants.
2. Interviewed counsel to determine the legality of IRS receipt and any written opinions rendered.
3. Interviewed IRS management (New Jersey District) to identify the volume of actual cases received indicating potential fraud/non-compliance with tax laws. Also, developed an understanding of the project process through interviews with management.
4. contacted the IRS criminal Investigation Division to determine the volume of cases received, prosecuted, amounts collected, and reimbursement procedures for informants.

1. Evaluated the current retention schedule for documents pertaining to taxpayer consent and the subsequent disclosure to ensure the Service is protected in the event of a lawsuit for unauthorized disclosure.

1. To determine whether IDRS research was conducted only for valid transcript/ photocopy requests to ensure taxpayer privacy, we:
1. Evaluated the Return and Income Verification Services (RAIVS) function’s process and controls to ensure that for every command code (cc) RTFTP / ESTABD input to IDRS had a valid request by interviewing management at each location. Identified the location’s controls including the following:

• Signature verification
• 60 Day statute for a valid request
• Retention of request forms (i.e. Form 4506)
• cc: RTFTP / ESTABD usage
• correspondence with requesting taxpayers and third parties
• IDRS account profiles
• Quality Review

1. Identified the criteria for a valid request using the Internal Revenue Manual and Internal Revenue code Section 6103, and assessed the steps taken to make reasonable assurance of taxpayer consent and taxpayer’s designee.
2. Submitted requests (Forms 4506) using Internal Security data to determine whether controls were effective in identify invalid request.
3. Obtained an audit trail download representing the requests made by the RAIVS functions at three service centers (cc: RTFTP / ESTABD), and identified the volume of requests.
4. Identified command codes used when responding to taxpayer requests and the RAIVS functions’ IDRS unit numbers during the period under review.
5. Selected samples totaling 1,109 cases from the audit trail downloads of 16,584 requests made by employees in the RAIVS functions at three service centers.
0. Selected samples totaling 626 RTFTP cases from the 13,436 requests completed during the periods September 21 through October 18, 1997 and November 2 through November 8, 1997.
1. Selected samples totaling 483 ESTABD cases from the 3,148 requests completed during the period August 20 through September 27, 1997.
6. Evaluated the requests obtained for audit test F to determine whether the requests met both legal and procedural requirements.
7. Reviewed 24 cases where a valid request was not identified and determined whether the employee researched for information that should have been readily available on the request forms.

1. To determine the costs/benefits associated with responding to the taxpayers’ requests to ensure efficient use of resources, we:
1. Evaluated the costs/benefits associated with responding to taxpayer requests for tax return information.
1. Identified policies and/or guidelines outlining the Service’s application of user-fees.
2. Identified any and all user-fees charged to the taxpayers/third parties for disclosing tax return information i.e. photocopy, call-in, walk-in, account transcripts, tax return transcripts.
3. Identified the cost of responding to taxpayer return transcript requests, including the costs that would be incurred to collect and account for the user-fees.
4. Identified the accounting mechanism used to account for the user-fees.
5. Evaluated whether the Service takes steps to direct taxpayers to request the free transcript service rather than the photocopy process where the taxpayer must pay a user-fee.
6. Analyzed the download obtained in step III.B.3, and identified the volume of requests processed during a specified time period.
7. Estimated the Service’s opportunity cost by using the return transcript costs identified and the volume of requests processed.
8. Evaluated the benefits to the Service associated with responding to the taxpayers’ requests are identified and measured.
2. Assessed whether IRS locations responding to the taxpayer requests coordinated their efforts and took steps to reduce duplicate workload. Also, assessed the impact of any duplicate workload on the Service’s efforts to meet customer demand.
1. Identified guidelines (local, regional or national) that outline steps for the IRS to ensure duplicate efforts are minimized.
2. Interviewed management and determined any instances of duplicate coverage.
3. Obtained a national audit trail download of the command code RTFTP and compared the data obtained from each location to identify the volume of potentially duplicate coverage.
4. Analyzed the information obtained in Objective III.A.1 and III.B.3., determined the costs incurred by the IRS to process the potentially duplicate requests.
3. Interviewed management to identify the use of any automated information system unique to the other locations to process or maintain a record of the requests.
2. To assess the reliability of the data used to complete Objectives II and III, we reviewed the samples selected for Objectives II and III, and compared the data shown on the data files to the Forms 4506 selected, to verify that the information shown on the data files accurately represented the information shown on the Forms.

ATTAcHMENT II

The Management Response has been removed due to its size. To see the complete Response, please go to the Adobe PDF version of this report.