U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

February 8, 2018
TIGTA-2018-04
Karen Kraushaar, Director of Communications
Karen.Kraushaar@tigta.treas.gov
(202) 622-6500

Electronic Authentication Process Controls Have Been Improved, but Have Not Yet Been Fully Implemented

WASHINGTON – The Internal Revenue Service (IRS) has made progress in improving its controls for secure access electronic authentication, but more needs to be done, according to an audit report that the Treasury Inspector General for Tax Administration (TIGTA) issued today.

As part of its Future State initiative, the IRS continues to enhance its existing online applications and self-help tools by increasing the amount of tax information and services available to taxpayers on IRS.gov. These online applications may process and store Personally Identifiable Information and tax return data for millions of taxpayers. Because this information is considered extremely valuable, the IRS has become a target of cyber criminals and identity thieves. Proper electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records.

TIGTA found that the IRS has made progress in improving its electronic authentication controls. It deployed a more rigorous electronic authentication process that provides two-factor authentication via a security code sent to text-enabled mobile phones. It completed or updated electronic authentication risk assessments for 28 of its online applications to determine appropriate levels of authentication assurance, and enhanced its network monitoring and audit log analysis capabilities.

However, TIGTA auditors also found that the network monitoring tools that the IRS purchased to improve the prevention and detection of automated attacks were not fully implemented due to issues related to resources, incompatibility, and higher priorities. In addition, controls to prevent a fraudulent user from improperly creating profiles were not fully implemented. Further, the IRS is not fulfilling requirements for monitoring audit logs for suspicious activity due to inadequate processes for generating and reviewing audit log reports; nor is it ensuring that reports are useful for investigating and responding to suspicious activities.

TIGTA made four recommendations in the report. IRS management agreed with all four recommendations, including coming up with a plan to ensure that remaining issues preventing full implementation of network monitoring tools are addressed and continuing to implement the capability to generate reports from the audit logs, which will enable on-demand audit review, analysis, and after-the-fact investigations.

Read the report.