Treasury Inspector General for Tax Administration
May 17, 2010
TIGTA - 2010-18
Contact: Karen Kraushaar
WASHINGTON - The IRS needs to improve security on the Registered User Portal used by tax preparers to submit and retrieve tax-related information and electronically file (e-file) tax returns, according to a new report publicly released today by the Treasury Inspector General for Tax Administration.
TIGTA reviewed whether the IRS established effective access controls to the Portal. Access controls include determining who can log on to the system and what they are authorized to do after they log on, and identifying what actions they took while they were logged on. The IRS conducts a suitability check of tax preparers who apply for e-filing privileges to determine whether applicants have filed their own tax returns, have complied with e-file requirements (if they are e-file providers), and whether they pass a criminal history check.
TIGTA found that the IRS allows principals and responsible officials at tax preparation firms to delegate their access rights to other individuals. These "delegates" may be members of the firm or persons with whom the firm has a business relationship. This allows any individual to become a delegated user and access the Portal without undergoing a suitability check.
The report also stated that the IRS does not consistently follow its own procedures for approving e-file applicants who failed criminal background checks.
The IRS does not require complex user passwords because it wants to make the Portal user-friendly and accommodate tax preparation firms, the report found.
"Taxpayers entrust the IRS with their sensitive financial and personal data and expect the IRS to protect these data from unauthorized disclosure," said J. Russell George, the Treasury Inspector General for Tax Administration. "It is imperative that the IRS take appropriate measures to minimize the risk of misuse of or unauthorized access to taxpayers' personal tax data."
TIGTA recommended that the IRS:
The IRS agreed to: conduct suitability checks on delegated users, create an Executive Review Board to assess whether to deviate from the IRS Criminal Investigation Division's decisions, and to require more complex passwords.
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2010reports/201020027fr.pdf..
A special plugin is required to view PDF documents. To obtain the free PDF reader, please visit the Adobe web site.