U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


March 23, 2018

Karen Kraushaar, Director of Communications
(202) 622-6500

Transcript Delivery System Authentication and Authorization Processes Do Not Adequately Protect Against Unauthorized Release of Tax Information

WASHINGTON – Internal Revenue Service (IRS) controls for verifying and validating tax transcript requests through the Transcript Delivery System (TDS) do not comply with Federal Government information security standards and do not sufficiently protect taxpayers against unauthorized release of their tax information, according to an audit report that the Treasury Inspector General for Tax Administration (TIGTA) issued today.

The TDS allows external third-party customers to view and obtain tax information on both individuals and businesses. Tax transcripts cannot be obtained using the TDS unless a requester successfully registers for e-Services, and participates in electronic filing or is a participant of the Income and Verification Express Services (IVES) Program. During Calendar Years 2014 through 2016, a total of more than 168 million tax transcripts were requested.

In an effort to improve authentication, in November 2016, the IRS implemented an interim process that required existing e-Services TDS users to re-authenticate their identity. However, management did not ensure that such users who did not complete the required interim authentication had their privileges revoked. TIGTA's analysis of tax transcript request logs from October 1, 2015, to March 31, 2017, identified 4,022 e-Services TDS users who requested tax transcripts and were not sent a letter to notify them of the new interim authentication requirements. As a result, 1,507 of the 4,022 users continued to request a total of 96,639 tax transcripts without being required to re-authenticate in compliance with the interim requirements.

In addition, tax transcript request processes and procedures do not minimize the risk of unauthorized release of tax transcript information. TIGTA's review of the TDS audit logs of tax transcript requests made between January 1, 2014, and December 31, 2016, identified anomalies that could be an indication of either misuse of the system or potentially suspicious activity. For example, there were 169 TDS participants that registered with e Services using e-mail addresses that had been identified during a previous audit as suspicious, and associated with potential identity theft victims.

Finally, TIGTA identified that the IRS has ineffective processes and procedures to ensure that legitimate taxpayers in fact authorized the release of their tax transcript information to IVES Program participants or their clients.

TIGTA made nine recommendations in the report. IRS management agreed with four recommendations and took action to address the concerns of another two. For the remaining three, the IRS did not agree or adequately address the recommendations.

Read the report.