Treasury Inspector General for Tax Administration
December 22, 2015
TIGTA - 2015-45
Contact: Karen Kraushaar, Director of Communications
WASHINGTON — Although the Internal Revenue Service (IRS) recognizes the growing importance of establishing effective authentication processes and procedures for individual taxpayers’ identities, it has not established a Service-wide approach to managing its authentication needs.
This is one of the key findings in an audit report published today by the Treasury Inspector General for Tax Administration (TIGTA). TIGTA performed this audit to assess IRS efforts to authenticate taxpayers’ identities at the time tax returns are filed and when services are provided.
Taxpayers continue to want electronic products and services that enable them to interact and communicate with the IRS, according to current IRS research. The IRS’s goal is to provide taxpayers with dynamic online account access that allows them to view their recent payments, make minor changes and adjustments to their accounts in real-time, and correspond digitally with the IRS to respond to notices or to complete required forms.
The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals. Much of this data is detailed enough to enable circumvention of most authentication processes.
The IRS recognizes the need to establish a Service-wide approach to managing its authentication needs and has established two groups that focus on taxpayer authentication. However, neither of these groups provides for cross-functional management, oversight, and continued evaluation of the IRS’s existing authentication processes to ensure that they address current and future needs.
In addition, authentication methods used for current online services do not comply with Government Information Security Standards. For example, TIGTA analysis of the e-Authentication processes used to authenticate users of the IRS online Get Transcript and Identity Protection Personal Identification Number applications found that the authentication methods provide only single-factor authentication despite the Government standards requiring multifactor authentication for such high-risk applications. As a result, unscrupulous individuals have gained unauthorized access to tax account information.
“It is critical that the methods the IRS uses to authenticate individuals’ identities ensure that tax information and services are provided only to individuals who are entitled to receive them,” said J. Russell George, Treasury Inspector General for Tax Administration. “The unauthorized disclosure of tax information can enable identity thieves to prepare identity theft tax returns that more accurately reflect a valid return, increasing the risk that fraudulent returns will not be detected by the IRS,” he added.
TIGTA recommended that the Deputy Commissioner for Services and Enforcement develop a Service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensure that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensure that the authentication processes meet Government Information Security Standards. The IRS agreed to implement all three recommendations.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.