Treasury Inspector General for Tax Administration
Office of Audit
IMPROVED TAX RETURN FILING AND TAX ACCOUNT ACCESS AUTHENTICATION PROCESSES AND PROCEDURES ARE NEEDED
Issued on November 19, 2015
Highlights of Report Number: 2016-40-007 to the Internal Revenue Service Deputy Commissioner for Services and Enforcement.
IMPACT ON TAXPAYERS
The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals. Much of this data is detailed enough to enable circumvention of most authentication processes. As such, it is critical that the methods the IRS uses to authenticate individuals’ identities provide a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them.
WHY TIGTA DID THE AUDIT
Failure to adequately authenticate taxpayers filing a tax return and accessing tax account services can lead to identity theft. The increased availability of personal information warrants an assessment of the authentication risk across IRS services. TIGTA performed this audit to assess IRS efforts to authenticate individual taxpayers’ identities at the time tax returns are filed and when services are provided.
WHAT TIGTA FOUND
Taxpayers continue to desire electronic products and services that enable them to interact and communicate with the IRS. However, the continued challenge for the IRS in expanding its portfolio of electronic products and services is that it must ensure that tax account-related information and services are provided only to individuals who are entitled to receive them.
Although the IRS recognizes the growing challenge it faces in establishing effective authentication processes and procedures, it has not established a Service-wide approach to managing its authentication needs. The IRS should establish a function that is optimally placed in the organization and provide it with the authority needed to ensure that authentication policies and procedures are consistent and comply with Government information security standards Service-wide.
The IRS recognizes the need to establish a Service-wide approach to managing its authentication needs and has established two groups that focus on taxpayer authentication. However, neither of these groups provides for cross-functional management, oversight, and continued evaluation of the IRS’s existing authentication processes to ensure that they address current and future needs.
In addition, authentication methods used for current online services do not comply with Government Information Security Standards. For example, TIGTA analysis of the e-Authentication processes used to authenticate users of the IRS online Get Transcript and Identity Protection Personal Identification Number applications found that the authentication methods provide only single-factor authentication despite the Government standards requiring multifactor authentication for such high-risk applications. As a result, unscrupulous individuals have gained unauthorized access to tax account information.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Deputy Commissioner for Services and Enforcement develop a Service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensure that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensure that the authentication processes meet Government Information Security Standards. The IRS agreed to implement all three recommendations.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500