A significant risk for unauthorized disclosure of taxpayer information occurs when Internal Revenue Service (IRS) Customer Service Representatives (CSR) respond to telephone inquiries from taxpayers. Accordingly, the procedures for effectively authenticating a caller’s identity prior to disclosing taxpayer information are critical in protecting taxpayer privacy.

An IRS Inspection Service (now Treasury Inspector General for Tax Administration) report titled, Review of Protecting the Privacy of Tax Account Information (Reference Number 075202, dated September 30, 1997), noted weaknesses in the IRS’ procedures for authenticating the identity of callers. This current review was performed as a follow-up to the 1997 report to determine if management effectively implemented corrective actions to reduce the risk of unauthorized disclosure to taxpayers and suspended and disbarred practitioners.

The IRS’ Customer Service management effectively implemented corrective actions related to establishing clear policies and guidelines for dealing with suspended and disbarred tax practitioners. Customer Service management revised its national guidelines and prepared a job aid for use by the IRS’ field personnel. However, the unauthorized disclosure of taxpayer information remains at risk despite the corrective actions that were implemented to strengthen procedures for verifying the identities of taxpayers who telephone the IRS.

In response to the prior audit report, Customer Service management expanded the minimum number of items CSRs must request to authenticate the callers’ identities and defined high-risk situations that require additional verification. However, the risk of unauthorized disclosure of taxpayer information remains because CSRs have not complied with the revised procedures. Also, CSRs were not required, under the revised procedures, to use any of the items of authentication that would be confidential to only the caller and the IRS. In 65 of the 100 test calls we made, the CSRs either requested none (31 calls) or only 1 (34 calls) of the 2 additional verification items required for high-risk situations. Additionally, most of the identifying information that the CSRs asked for was available commercially from on-line Internet sources.

Customer Service management can strengthen authentication procedures by (1) providing CSRs with training on authenticating taxpayer identities, and (2) revising national guidelines to include authentication verifiers that would be known to only the IRS and the taxpayer.

Management’s Response: Customer Service management agreed with the first recommendation and will emphasize to CSRs the need to comply with existing authentication requirements when high-risk situations are encountered. This increased emphasis will involve providing additional training and reference material on disclosure/authentication requirements for all CSRs. In response to the second recommendation, IRS management stated that it believes adding more probes to authenticate call-in taxpayers will be burdensome to the taxpayers and CSRs. Therefore, IRS management proposed an alternative approach that focuses on mandatory requirements, improved job aids, and training.

Office of Audit Comment: While we understand management’s concern about the additional burden discouraging callers, IRS management needs to be prepared to step-up its controls if the proposed alternative enhancements do not work.