GAO is no longer assessing this action separately as it was consolidated under Action 9 in the 2018 Area 19 Tax Fraud and Noncompliance Action Tracker area and consideredaddressed.
As of December 2017, IRS had addressed GAO's August 2014 recommendation by developing timeliness metrics for managing leads, holding six feedback sessions with financialinstitutions participating in the External Leads Program, and sharing information through the Security Summit. In November 2015, IRS reported that it had developed a databaseto track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to providefeedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External LeadsProgram, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agencysent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financialinstitutions. In March 2017, IRS officials told GAO they were holding more frequent, monthly, feedback sessions with financial institutions. Additionally, IRS providesfeedback and information sharing to financial institutions through the Security Summit. IRS provided information on the Security Summit's Financial Services Working Groupmet weekly to discuss new and emerging fraud trends, new ideas on fraud prevention and overall statistics for the External Leads Program to the Security Summit's FinancialServices Working Group participants. In December 2017, 8 of the 11 financial institutions who responded to GAO's outreach said that IRS's feedback was timely, meaningful,and actionable. Further, one organization told GAO that IRS's feedback was substantially improved from 2014. Accurate, timely, and actionable feedback to external partiesparticipating in the External Leads Program informs them if the leads they provide to IRS are useful and enables them to assess their success in identifying identity theftrefund fraud and improve their detection tools.
In May 2017, IRS implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS'sanalysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potentialbenefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigatethem, and potential areas of increased risk if IRS were to implement tool, consistent with GAO's January 2015 recommendation. Further, this analysis discusses how thetool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision toapprove implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-riskanalysis template to facilitate decision making on smaller, day-to-day authentication issues.
As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRSconducted a risk assessment for TPP's online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP's onlineauthentication option offline while working to improve the option's authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factorauthentication, that mitigate risks identified in the 2016 assessment. In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phoneoption. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments,IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.
As of January 2020, IRS had estimated the resources required for the foundational initiatives and supporting activities in its Identity Assurance Strategy and Roadmap(Roadmap), as GAO recommended in June 2018. IRS documentation states that as a first step in updating the original Roadmap, the Identity Assurance office worked withstakeholders to verify the progress made and current status of its 14 foundational initiatives. In addition, the Identity Assurance office collected existing information onhigh-level financial and human resource estimates for the 14 foundational initiatives and supporting activities that are currently underway or planned. Further, IRSdocumentation shows that it has completed five of the 14 foundational initiatives in its Roadmap; the remaining nine foundational initiatives are shown as "in progress" or"near complete." IRS stated that it intends to update its Roadmap annually to reflect changes in IRS priorities. IRS's continued monitoring of its foundationalinitiatives—and the resources required to complete them—will help ensure continued progress on its authentication efforts.
As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap(Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementationdocuments for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority forIRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends toupdate its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensurethat in-progress authentication initiatives are prioritized and completed.
As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options forimproving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects tofinalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership.IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authenticationimprovements in a timely manner.
As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options forimproving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap(Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentationstates that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensurethat it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.