Identity Theft:
IRS Needs to Strengthen Taxpayer Authentication Efforts
GAO-18-418: Published: Jun 22, 2018. Publicly Released: Jul 23, 2018.
Multimedia:
- PODCAST: IRS Taxpayer Authentication Efforts
In the wake of well-publicized, large-scale data breaches, hacks, and cyberattacks affecting private and government organizations alike, we discuss what the IRS is doing to ensure they can authenticate taxpayers' identities and stay current in a changing cyber environment.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-9110
mctiguej@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
IRS estimates that in 2016 criminals used false identities to try to claim billions in tax refunds. IRS kept $10.5 billion out of their hands, but criminals got at least $1.6 billion. To help address this high risk issue, IRS works to verify the identities of millions of taxpayers each year.
We reviewed IRS’s taxpayer authentication efforts and made 11 recommendations to help IRS stay ahead of fraudsters, including:
- prioritizing its authentication initiatives,
- estimating the funding and other resources it will need to implement these initiatives, and
- developing a process to evaluate potential authentication technologies.
What GAO Found
The Internal Revenue Service (IRS) has identified over 100 interactions requiring taxpayer authentication based on potential risks to IRS and individuals. IRS authenticates millions of taxpayers each year via telephone, online, in person, and correspondence to ensure that it is interacting with legitimate taxpayers. IRS's estimated costs to authenticate taxpayers vary by channel.
Taxpayers Authenticated for Selected IRS Programs, 2017
Notes: Numbers are rounded to the nearest hundred and represent successful authentications. Cost information is rounded to the nearest dollar unless otherwise noted. Data are for IRS's Taxpayer Protection Program, Get Transcript, Identity Protection Personal Identification Number, and taxpayer online accounts.
IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts. However, it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices. Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits. Further, while IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person, and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes. As a result, IRS may not identify current or emerging threats to the tax system.
IRS can further strengthen authentication to stay ahead of fraudsters. While IRS has taken preliminary steps to implement National Institute of Standards and Technology's (NIST) new guidance for secure digital authentication, it does not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget. As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. Further, IRS lacks a comprehensive process to evaluate potential new authentication technologies. Industry representatives, financial institutions, and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.
Why GAO Did This Study
Strong preventive controls can help IRS defend itself against identity theft refund fraud. These controls include taxpayer authentication—the process by which IRS verifies identities before allowing people access to a resource; sensitive data; or, in some cases, a tax refund. The risk of fraud has increased as more personally identifiable information has become available as a result of, for example, large-scale cyberattacks on various entities. IRS's ability to continuously monitor and improve taxpayer authentication is a critical step in protecting billions of dollars from fraudsters.
GAO was asked to examine IRS's efforts to authenticate taxpayers. This report (1) describes the taxpayer interactions that require authentication and IRS's methods; (2) assesses what IRS is doing to monitor and improve taxpayer authentication; and (3) determines what else, if anything, IRS can do to strengthen taxpayer authentication in the future.
To meet these objectives, GAO reviewed IRS documents and data, evaluated IRS processes against relevant federal internal control standards and guidance, and interviewed IRS officials and state and industry representatives.
What GAO Recommends
GAO is making 11 recommendations to IRS to estimate resources for and prioritize its authentication initiatives, address internal control issues to better monitor authentication, develop a plan to fully implement new NIST guidance, and develop a process to evaluate potential authentication technologies. IRS agreed with GAO's recommendations.
For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.
Recommendations for Executive Action
Status: Closed - Implemented
Priority recommendation
Comments: As of January 2020, IRS had estimated the resources required for the foundational initiatives and supporting activities in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS documentation states that as a first step in updating the original Roadmap, the Identity Assurance office worked with stakeholders to verify the progress made and current status of its 14 foundational initiatives. In addition, the Identity Assurance office collected existing information on high-level financial and human resource estimates for the 14 foundational initiatives and supporting activities that are currently underway or planned. Further, IRS documentation shows that it has completed five of the 14 foundational initiatives in its Roadmap; the remaining nine foundational initiatives are shown as "in progress" or "near complete." IRS stated that it intends to update its Roadmap annually to reflect changes in IRS priorities. IRS's continued monitoring of its foundational initiatives, and the resources required to complete them, will help ensure continued progress on its authentication efforts.
Recommendation: The Commissioner of Internal Revenue should direct the Identity Assurance Office, in collaboration with other IRS business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap. (Recommendation 1)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.
Recommendation: Based on the estimates developed in Recommendation 1, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap. (Recommendation 2)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials had developed a draft policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, as we recommended. IRS officials stated that once this policy is approved, it will be used to develop a plan to perform risk assessments for these authentication channels. IRS's continued attention to this recommendation will help ensure that it is aware of emerging threats to the tax environment.
Recommendation: The Commissioner of Internal Revenue should establish a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication. This policy should include, for example, the frequency of assessments to be performed and timeframes for addressing deficiencies. (Recommendation 3)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that they will develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication by May 2020. Until IRS develops and implements this plan, these authentication channels may be more vulnerable to fraudulent activity, including unauthorized attempts to access taxpayer information.
Recommendation: Consistent with the policy developed in Recommendation 3, the Commissioner of Internal Revenue should direct the Identity Assurance Office and IRS business owners to develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication. (Recommendation 4)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that the agency intends to implement this recommendation by spring 2020. Officials noted that developing a systemic solution for collecting data on all authentication outcomes is complex and involves multiple IRS business divisions. Until IRS fully addresses this recommendation, it will have limited insight into the number of taxpayers who fail authentication and the reason for failure.
Recommendation: The Commissioner of Internal Revenue should establish a mechanism to collect data on outcomes for telephone, in-person, and correspondence authentication, consistent with federal standards for internal control. (Recommendation 5)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS stated that it has planned enhancements to its authentication data collection procedures in AMS. Officials stated that by June 2020, they intend to implement improvements for ensuring data quality of authentication outcomes. Until IRS fully implements our recommendation, it will be limited in conducting systematic data analysis on taxpayer authentication outcomes.
Recommendation: The Commissioner of Internal Revenue should revise or establish, as appropriate, procedures to ensure data quality in the Account Management Services (AMS) consistent with federal standards for internal control. (Recommendation 6)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials told us that IRS has explored options that will allow the agency to more effectively record, track, and monitor authentication outcomes. IRS officials said that they are developing and testing a tool to document Taxpayer Protection Program interactions, outcomes of taxpayer authentication, and the reasons for authentication failures. Officials stated that IRS plans to have this tool implemented by spring 2020, one year later than originally planned. Officials stated that the delay is due to additional technical programming to fully develop the tool. We will follow up on IRS's actions to determine the extent to which they implement our recommendation.
Recommendation: The Commissioner of Internal Revenue should ensure that IRS business units have access to complete AMS data to monitor authentication performance and identify potential issues. (Recommendation 7)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to implement this recommendation. Efforts include developing plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials told us that they plan to work with external partners to perform additional testing on its new authentication platform this year, including a usability study to understand user experience. IRS officials also stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. IRS's timely implementation of NIST's guidance is critical to help the agency mitigate potential security weaknesses in its existing online authentication programs.
Recommendation: The Commissioner of Internal Revenue should direct the Identity Assurance Office and other appropriate business partners to develop a plan--including a timeline, milestone dates, and resources needed--for implementing changes to its online authentication programs consistent with new NIST guidance. (Recommendation 8)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to develop plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. As noted in our report, IRS's timely implementation of NIST's new guidance is critical, as it can help the agency mitigate potential security weaknesses in its existing online authentication programs.
Recommendation: In accordance with the plan developed in Recommendation 8, the Commissioner of Internal Revenue should implement improvements to IRS's systems to fully implement NIST's new guidance. (Recommendation 9)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
Recommendation: The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners. (Recommendation 10)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
Recommendation: Based on the approach developed in Recommendation 10, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap. (Recommendation 11)
Agency Affected: Department of the Treasury: Internal Revenue Service