U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

May 17, 2010
TIGTA - 2010-18
Karen Kraushaar
karen.kraushaar@tigta.treas.gov
TIGTA-PAO@tigta.treas.gov
(202) 622-6500

TIGTA Report: IRS Needs to Improve Security On Website Used by Paid Tax Preparers

WASHINGTON - The IRS needs to improve security on the Registered User Portal used by tax preparers to submit and retrieve tax-related information and electronically file (e-file) tax returns, according to a new report publicly released today by the Treasury Inspector General for Tax Administration.

TIGTA reviewed whether the IRS established effective access controls to the Portal. Access controls include determining who can log on to the system and what they are authorized to do after they log on, and identifying what actions they took while they were logged on. The IRS conducts a suitability check of tax preparers who apply for e-filing privileges to determine whether applicants have filed their own tax returns, have complied with e-file requirements (if they are e-file providers), and whether they pass a criminal history check.

TIGTA found that the IRS allows principals and responsible officials at tax preparation firms to delegate their access rights to other individuals. These "delegates" may be members of the firm or persons with whom the firm has a business relationship. This allows any individual to become a delegated user and access the Portal without undergoing a suitability check.

The report also stated that the IRS does not consistently follow its own procedures for approving e-file applicants who failed criminal background checks.

The IRS does not require complex user passwords because it wants to make the Portal user-friendly and accommodate tax preparation firms, the report found.

"Taxpayers entrust the IRS with their sensitive financial and personal data and expect the IRS to protect these data from unauthorized disclosure," said J. Russell George, the Treasury Inspector General for Tax Administration. "It is imperative that the IRS take appropriate measures to minimize the risk of misuse of or unauthorized access to taxpayers' personal tax data."

TIGTA recommended that the IRS:

  • conduct a suitability check on delegated users who e-file tax returns
  • specify that the IRS Criminal Investigation Division has the final authority on whether to allow an e-file applicant with a criminal record, and
  • require stronger passwords.

The IRS agreed to: conduct suitability checks on delegated users, create an Executive Review Board to assess whether to deviate from the IRS Criminal Investigation Division's decisions, and to require more complex passwords.