WASHINGTON – Internal Revenue Service (IRS) controls for verifying and validating tax transcript requests through the Transcript Delivery System (TDS) do not comply with Federal Government information security standards and do not sufficiently protect taxpayers against unauthorized release of their tax information, according to an audit report that the Treasury Inspector General for Tax Administration (TIGTA) issued today.
The TDS allows external third-party customers to view and obtain tax information on both individuals and businesses. Tax transcripts cannot be obtained using the TDS unless a requester successfully registers for e-Services, and participates in electronic filing or is a participant of the Income and Verification Express Services (IVES) Program. During Calendar Years 2014 through 2016, a total of more than 168 million tax transcripts were requested.
In an effort to improve authentication, in November 2016, the IRS implemented an interim process that required existing e-Services TDS users to re-authenticate their identity. However, management did not ensure that such users who did not complete the required interim authentication had their privileges revoked. TIGTA's analysis of tax transcript request logs from October 1, 2015, to March 31, 2017, identified 4,022 e-Services TDS users who requested tax transcripts and were not sent a letter to notify them of the new interim authentication requirements. As a result, 1,507 of the 4,022 users continued to request a total of 96,639 tax transcripts without being required to re-authenticate in compliance with the interim requirements.
In addition, tax transcript request processes and procedures do not minimize the risk of unauthorized release of tax transcript information. TIGTA's review of the TDS audit logs of tax transcript requests made between January 1, 2014, and December 31, 2016, identified anomalies that could be an indication of either misuse of the system or potentially suspicious activity. For example, there were 169 TDS participants that registered with e-Services using e-mail addresses that had been identified during a previous audit as suspicious and associated with potential identity theft victims.
Finally, TIGTA identified that the IRS has ineffective processes and procedures to ensure that legitimate taxpayers in fact authorized the release of their tax transcript information to IVES Program participants or their clients.
TIGTA made nine recommendations in the report. IRS management agreed with four recommendations and took action to address the concerns of another two. For the remaining three, the IRS did not agree or adequately address the recommendations.