Office of Audit
Transcript Delivery System Authentication and Authorization Processes Do Not Adequately Protect Against Unauthorized Release of Tax Information
Final Report issued on March 20, 2018
Highlights of Reference Number: 2018-40-014 to the Internal Revenue Service Commissioner for the Wage and Investment Division.
IMPACT ON TAXPAYERS
The Transcript Delivery System (TDS) allows external third-party customers to view and obtain tax information on both individuals and businesses. Tax transcripts cannot be obtained using the TDS unless a requester successfully registers for e-Services and participates in electronic filing or is a participant of the Income and Verification Express Services (IVES) Program. During Calendar Years 2014 through 2016, a total of more than 168 million tax transcripts were requested.
WHY TIGTA DID THE AUDIT
In June 2016, TIGTA was notified of a potential refund fraud scheme affecting corporations and involving tax transcript information. As a result, this audit was initiated to evaluate the IRS’s controls for verifying and validating tax transcript requests through the TDS.
WHAT TIGTA FOUND
TIGTA found that processes and procedures to authenticate e-Services users, including those users accessing the TDS application, do not comply with Federal Government information security standards. The IRS continued to use single-factor authentication to authenticate users even though a risk assessment in both Calendar Years 2011 and 2015 rated e-Services as requiring multifactor authentication.
In an effort to improve authentication, in November 2016, the IRS implemented an interim process that required existing e-Services TDS users to re-authenticate their identity. However, management did not ensure that e-Services TDS users who did not complete the required interim authentication had their privileges revoked. Our analysis of tax transcript request logs from October 1, 2015, to March 31, 2017, identified 4,022 e-Services TDS users who requested tax transcripts but were not sent a letter to notify them of the new interim authentication requirements. As a result, 1,507 of the 4,022 users continued to request a total of 96,639 tax transcripts without being required to re-authenticate in compliance with the interim requirements.
In addition, tax transcript request processes and procedures do not minimize the risk of unauthorized release of tax transcript information. TIGTA’s review of the TDS audit logs of tax transcript requests made between January 1, 2014, and December 31, 2016, identified anomalies that could be either misuse of the system or suspicious activity.
Finally, the IRS has ineffective processes and procedures to ensure that legitimate taxpayers authorized the release of their tax transcript information to IVES Program participants or their clients, and the IRS has delayed actions to reduce the unnecessary taxpayer information disclosed on tax transcripts.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Commissioner, Wage and Investment Division, implement multifactor authentication; implement procedures to ensure that legitimate taxpayers authorize the release of their tax transcripts; and redact sensitive information from tax transcripts. TIGTA made six other recommendations to improve controls for requesting tax transcript information.
The IRS agreed with four recommendations. Actions taken by the IRS addressed the underlying concerns of another two. For the remaining three, the IRS did not agree or adequately address the recommendations. The IRS did not agree to implement additional procedures to ensure that legitimate taxpayers authorize the release of their tax transcripts and to improve controls for requesting tax transcript information.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta