Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts
Fast Facts
IRS estimates that in 2016 criminals used false identities to try to claim billions in tax refunds. IRS kept $10.5 billion out of their hands, but criminals got at least $1.6 billion. To help address this high risk issue, IRS works to verify the identities of millions of taxpayers each year.
We reviewed IRS’s taxpayer authentication efforts and made 11 recommendations to help IRS stay ahead of fraudsters, including:
prioritizing its authentication initiatives,
estimating the funding and other resources it will need to implement these initiatives, and
developing a process to evaluate potential authentication technologies.
Highlights
What GAO Found
The Internal Revenue Service (IRS) has identified over 100 interactions requiring taxpayer authentication based on potential risks to IRS and individuals. IRS authenticates millions of taxpayers each year via telephone, online, in person, and correspondence to ensure that it is interacting with legitimate taxpayers. IRS's estimated costs to authenticate taxpayers vary by channel.
Taxpayers Authenticated for Selected IRS Programs, 2017
Notes: Numbers are rounded to the nearest hundred and represent successful authentications. Cost information is rounded to the nearest dollar unless otherwise noted. Data are for IRS's Taxpayer Protection Program, Get Transcript, Identity Protection Personal Identification Number, and taxpayer online accounts.
IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts. However, it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices. Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits. Further, while IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person, and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes. As a result, IRS may not identify current or emerging threats to the tax system.
IRS can further strengthen authentication to stay ahead of fraudsters. While IRS has taken preliminary steps to implement National Institute of Standards and Technology's (NIST) new guidance for secure digital authentication, it does not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget. As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. Further, IRS lacks a comprehensive process to evaluate potential new authentication technologies. Industry representatives, financial institutions, and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.
Why GAO Did This Study
Strong preventive controls can help IRS defend itself against identity theft refund fraud. These controls include taxpayer authentication—the process by which IRS verifies identities before allowing people access to a resource; sensitive data; or, in some cases, a tax refund. The risk of fraud has increased as more personally identifiable information has become available as a result of, for example, large-scale cyberattacks on various entities. IRS's ability to continuously monitor and improve taxpayer authentication is a critical step in protecting billions of dollars from fraudsters.
GAO was asked to examine IRS's efforts to authenticate taxpayers. This report (1) describes the taxpayer interactions that require authentication and IRS's methods; (2) assesses what IRS is doing to monitor and improve taxpayer authentication; and (3) determines what else, if anything, IRS can do to strengthen taxpayer authentication in the future.
To meet these objectives, GAO reviewed IRS documents and data, evaluated IRS processes against relevant federal internal control standards and guidance, and interviewed IRS officials and state and industry representatives.
Recommendations
GAO is making 11 recommendations to IRS to estimate resources for and prioritize its authentication initiatives, address internal control issues to better monitor authentication, develop a plan to fully implement new NIST guidance, and develop a process to evaluate potential authentication technologies. IRS agreed with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | Priority Rec. The Commissioner of Internal Revenue should direct the Identity Assurance Office, in collaboration with other IRS business partners, to estimate the resources (i.e., financial and human) required for the foundational initiatives and supporting activities identified in its Identity Assurance Strategy and Roadmap. (Recommendation 1) | As of January 2020, IRS had estimated the resources required for the foundational initiatives and supporting activities in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS documentation states that as a first step in updating the original Roadmap, the Identity Assurance Office worked with stakeholders to verify the progress made and current status of its 14 foundational initiatives. In addition, the Identity Assurance Office collected existing information on high-level financial and human resource estimates for the 14 foundational initiatives and supporting activities that are currently underway or planned. Further, IRS documentation shows that it has completed five of the 14 foundational initiatives in its Roadmap; the remaining nine foundational initiatives are shown as "in progress" or "near complete." IRS stated that it intends to update its Roadmap annually to reflect changes in IRS priorities. IRS's continued monitoring of its foundational initiatives, and of the resources required to complete them, will help ensure continued progress on its authentication efforts. |
Internal Revenue Service | Priority Rec. Based on the estimates developed in Recommendation 1, the Commissioner of Internal Revenue should direct the Identity Assurance Office to prioritize foundational initiatives in its Identity Assurance Strategy and Roadmap. (Recommendation 2) | As of December 2020, the Internal Revenue Service (IRS) had prioritized its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS's November 2020 update to its Roadmap shows that IRS prioritized its 14 foundational initiatives (now called capabilities) based on benefits to taxpayers and potential for operational efficiencies; level of complexity and known risks; and the extent to which implementing one capability depends on other capabilities. For example, IRS determined that developing consistent authentication policies for identity proofing and authentication across channels was a top priority because these policies will affect the types of tools IRS uses to authenticate taxpayers. Further, IRS's documentation stated that this prioritization can be used to advocate for project funding. IRS's continued monitoring of its authentication capabilities and of new or emerging priorities will help ensure continued progress in improving taxpayer authentication. |
Internal Revenue Service | The Commissioner of Internal Revenue should establish a policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication. This policy should include, for example, the frequency of assessments to be performed and timeframes for addressing deficiencies. (Recommendation 3) | As of August 2021, IRS had provided information showing that it addressed this recommendation. First, in February 2020, IRS issued interim guidance to help staff understand the concepts behind the authentication risk assessment process while IRS developed more detailed policies and procedures for completing risk assessments for telephone, in-person, and correspondence authentication. Then, in July 2021, IRS updated its Internal Revenue Manual with the new authentication risk management policies and procedures and developed a new risk assessment template. IRS's policy requires IRS business units to assess risks for telephone, in-person, and correspondence authentication every three years, and to document, mitigate, and monitor identified risks. Additionally, IRS's policy states that responsible business units are to follow up on identified deficiencies or unacceptable risks every 6 months until they are determined to be acceptable or resolved. These policies are consistent with key practices. |
Internal Revenue Service | Consistent with the policy developed in Recommendation 3, the Commissioner of Internal Revenue should direct the Identity Assurance Office and IRS business owners to develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication. (Recommendation 4) | As of August 2022, IRS had addressed this recommendation. In July 2021, IRS updated its Internal Revenue Manual with the new authentication risk management policies and procedures. It also developed a risk assessment template for telephone, in-person, and correspondence authentication. IRS's policy requires IRS business units to assess risks for telephone, in-person, and correspondence authentication every three years, and to document, mitigate, and monitor identified risks. In August 2022, IRS provided documentation showing that it had performed initial risk assessments for several programs that require taxpayers to authenticate by telephone, in person, or by correspondence, including the Taxpayer Protection Program. Additionally, IRS's documentation shows that it plans to complete additional risk assessments from September 2022 through March 2023. IRS's efforts to establish a policy and a schedule for performing risk assessments for telephone, in-person, and correspondence authentication will help the agency monitor these channels for potential emerging threats to the tax environment. |
Internal Revenue Service | The Commissioner of Internal Revenue should establish a mechanism to collect data on outcomes for telephone, in-person, and correspondence authentication, consistent with federal standards for internal control. (Recommendation 5) | As of May 2022, IRS had addressed this recommendation. IRS officials provided documentation showing that in October 2020, IRS implemented enhanced data collection functionality in its authentication tool to track outcomes of taxpayer authentication that occurred on the phone or in person. This tool enables IRS to capture information on, for example, who provided answers to the authentication questions (primary taxpayer, spouse, authorized third party), the questions the customer service representative asked the taxpayer, and the results. In a written response from May 2022, IRS stated that it is not able to use this system for capturing outcomes of correspondence-based authentication, but that it has other mechanisms in place to monitor the status and results of correspondence-based authentication. IRS's efforts to address this recommendation have enabled it to monitor taxpayer authentication rates and the reasons why taxpayers may have difficulty authenticating their identity. |
Internal Revenue Service | The Commissioner of Internal Revenue should revise or establish, as appropriate, procedures to ensure data quality in the Account Management Services (AMS) consistent with federal standards for internal control. (Recommendation 6) | As of May 2022, IRS had addressed this recommendation. IRS officials provided documentation showing that in October 2020, IRS implemented enhanced data collection functionality in its authentication tool to track outcomes of taxpayer authentication that occurred on the phone or in person. IRS began collecting data from this tool as of January 2021. Additionally, IRS updated its written procedures for taxpayer authentication for customer service representatives to ensure that assistors consistently use the new functionality. In May 2022, IRS provided the results of an analysis it conducted on data from its authentication tool for calendar year 2021. This analysis showed that IRS is able to monitor authentication pass rates and which authentication questions were more difficult for taxpayers to answer, among other things. In May 2022, IRS officials stated that continuous monitoring of the taxpayer authentication data and outcomes in its authentication tool will help them identify steps to further improve the quality of data collected and recorded by customer service representatives. IRS's efforts are consistent with federal standards for internal control to collect and use quality information to make informed decisions, and will help IRS monitor authentication outcomes for potential emerging fraud risks. |
Internal Revenue Service | The Commissioner of Internal Revenue should ensure that IRS business units have access to complete AMS data to monitor authentication performance and identify potential issues. (Recommendation 7) | As of May 2022, IRS had addressed this recommendation. IRS officials provided documentation showing that in October 2020, IRS implemented enhanced data collection functionality in its authentication tool to track outcomes of taxpayer authentication that occurred on the phone or in person. According to IRS officials, the information collected by this tool is available to and accessible by IRS business units. Additionally, in May 2022, IRS officials stated that IRS staff can also access information on outcomes of correspondence-based authentication through its Account Management Services (AMS) system. By ensuring that business units have access to information on authentication outcomes, IRS is better positioned to monitor authentication performance and identify potential issues. |
Internal Revenue Service | Priority Rec. The Commissioner of Internal Revenue should direct the Identity Assurance Office and other appropriate business partners to develop a plan, including a timeline, milestone dates, and resources needed, for implementing changes to its online authentication programs consistent with new NIST guidance. (Recommendation 8) | As of April 2021, IRS had implemented this recommendation by (1) developing a plan that includes a timeline and milestones and (2) estimating the resources needed to implement the new National Institute of Standards and Technology (NIST) standards. Specifically, as of January 2021, IRS had developed plans and begun testing a new online taxpayer authentication capability consistent with NIST guidance. IRS officials also told us that these efforts included a usability study to understand user experience. As of April 2021, IRS had also developed a timeline with milestones and had estimated the financial and human capital resources for implementing changes to its online authentication programs consistent with new NIST guidance. IRS's timeline also tracks actual performance against the planned baseline. Developing a timeline with milestones and estimating financial and human capital resources will help IRS ensure it has the resources it needs to fully implement planned taxpayer authentication capabilities consistent with NIST guidance. |
Internal Revenue Service | Priority Rec. In accordance with the plan developed in Recommendation 8, the Commissioner of Internal Revenue should implement improvements to IRS's systems to fully implement NIST's new guidance. (Recommendation 9) | As of March 2023, IRS had provided documentation showing that it migrated the online applications identified in its plans to IRS's new authentication platform, as GAO recommended in 2018. Specifically, IRS created a new online authentication platform that authenticates taxpayers' identities using external partners, consistent with National Institute of Standards and Technology guidance. IRS documentation shows that from November 2021 to October 2022, IRS migrated about 30 online applications identified in its plans to the new authentication platform. This included the online application used to authenticate taxpayers for IRS's Taxpayer Protection Program, one of IRS's key defenses against identity theft (IDT) refund fraud. IRS's efforts to develop the new authentication platform and fully implement it will help minimize potential security risks to IRS's online applications requiring taxpayer authentication. |
Internal Revenue Service | The Commissioner of Internal Revenue should develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, including technologies in use by industry, states, or other trusted partners. (Recommendation 10) | In February 2020, the Internal Revenue Service (IRS) developed a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS's authentication innovation process includes four steps: idea generation, research and prioritization, approval, and governance. IRS plans to generate ideas to improve authentication through workshops, vendor engagement, use cases, and research. An authentication innovation working group will then research and prioritize ideas and recommend which ideas should be approved. Once IRS's authentication council approves an idea, it will be forwarded to IRS's appropriate governance body for approval and delegation. IRS's authentication governance board approved this process in February 2020. This process will help ensure that IRS has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner. |
Internal Revenue Service | Based on the approach developed in Recommendation 10, the Commissioner of Internal Revenue should include and prioritize these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap. (Recommendation 11) | As of February 2022, IRS had integrated its repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication into its authentication strategy, as GAO recommended in June 2018. In February 2020, IRS developed a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. IRS then incorporated this process into its authentication strategy. Specifically, IRS's February 2022 authentication strategy incorporates IRS's process to identify and evaluate authentication options. This strategy also lists and prioritizes one of the outputs from IRS's process to improve authentication. According to IRS's authentication strategy, IRS updates the strategy to ensure it remains current and enables the IRS to achieve authentication excellence based on government and industry best practices, standards, and emerging technologies. IRS's actions will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner. |
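Recommendations 5 through 7 describe an authentication tool that records who answered the knowledge-based questions (primary taxpayer, spouse, authorized third party), which questions the customer service representative asked, and the result, and an analysis that reports pass rates and the questions taxpayers found hardest. The Python below is an added example written for this page; it is not IRS's tool, its data model, or its data. It shows the kind of aggregation that turns per-question records into those monitoring views and flags a channel whose pass rate has fallen against a baseline, which is how such data supports the "emerging fraud risk" monitoring the status text refers to. The record fields, the channel, answerer and question labels, the threshold, and the sample records are all constructed for illustration.

```python
"""Aggregate per-question authentication records into monitoring views.

Added example; the record layout and all labels below are hypothetical and
the sample data is constructed, not drawn from any IRS system.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Answer:
    """One knowledge-based question asked during a phone or in-person attempt."""
    attempt_id: str   # groups every question asked within one authentication attempt
    channel: str      # hypothetical labels: "phone" or "in_person"
    answered_by: str  # hypothetical labels: "primary", "spouse" or "third_party"
    question: str     # hypothetical question identifier the assistor asked
    correct: bool     # whether the answer matched the record on file


# Constructed sample records (seven attempts, three question types).
SAMPLE: List[Answer] = [
    Answer("A1", "phone", "primary", "q_ssn", True),
    Answer("A1", "phone", "primary", "q_filing_status", True),
    Answer("A1", "phone", "primary", "q_prior_agi", True),
    Answer("A2", "phone", "spouse", "q_ssn", True),
    Answer("A2", "phone", "spouse", "q_prior_agi", False),
    Answer("A3", "phone", "third_party", "q_ssn", True),
    Answer("A3", "phone", "third_party", "q_filing_status", True),
    Answer("A4", "in_person", "primary", "q_ssn", True),
    Answer("A4", "in_person", "primary", "q_prior_agi", True),
    Answer("A5", "in_person", "primary", "q_ssn", True),
    Answer("A5", "in_person", "primary", "q_prior_agi", False),
    Answer("A6", "phone", "primary", "q_ssn", False),
    Answer("A7", "in_person", "spouse", "q_ssn", True),
    Answer("A7", "in_person", "spouse", "q_filing_status", True),
]

Outcome = Tuple[str, str, bool]  # (channel, answered_by, passed)


def attempt_outcomes(records: Iterable[Answer]) -> Dict[str, Outcome]:
    """Collapse question rows into one outcome per attempt.

    An attempt passes only if every question asked in it was answered correctly.
    """
    outcomes: Dict[str, Outcome] = {}
    for r in records:
        channel, answered_by, passed = outcomes.get(
            r.attempt_id, (r.channel, r.answered_by, True))
        outcomes[r.attempt_id] = (channel, answered_by, passed and r.correct)
    return outcomes


def pass_rate_by(records: Iterable[Answer],
                 key: Callable[[Outcome], str]) -> Dict[str, float]:
    """Share of attempts that passed, grouped by whatever `key` extracts."""
    passed: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for outcome in attempt_outcomes(records).values():
        group = key(outcome)
        total[group] += 1
        passed[group] += int(outcome[2])
    return {group: passed[group] / total[group] for group in total}


def pass_rate_by_channel(records: Iterable[Answer]) -> Dict[str, float]:
    return pass_rate_by(records, lambda o: o[0])


def pass_rate_by_answerer(records: Iterable[Answer]) -> Dict[str, float]:
    return pass_rate_by(records, lambda o: o[1])


def question_fail_rates(records: Iterable[Answer]) -> Dict[str, float]:
    """Fraction of times each question was answered incorrectly when asked."""
    asked: Dict[str, int] = defaultdict(int)
    wrong: Dict[str, int] = defaultdict(int)
    for r in records:
        asked[r.question] += 1
        wrong[r.question] += int(not r.correct)
    return {q: wrong[q] / asked[q] for q in asked}


def hardest_questions(records: Iterable[Answer], n: int = 2) -> List[Tuple[str, float]]:
    """The n questions with the highest failure rate, ties broken by name."""
    rates = question_fail_rates(records)
    return sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flag_pass_rate_drops(baseline: Dict[str, float], current: Dict[str, float],
                         max_drop: float = 0.15) -> List[str]:
    """Channels whose pass rate fell more than `max_drop` below the baseline.

    A drop can mean legitimate taxpayers are struggling with a question or that
    failed attempts on that channel are rising; either way it warrants review.
    """
    return sorted(ch for ch, base in baseline.items()
                  if ch in current and base - current[ch] > max_drop)


if __name__ == "__main__":
    print("pass rate by channel:", pass_rate_by_channel(SAMPLE))
    print("pass rate by answerer:", pass_rate_by_answerer(SAMPLE))
    print("hardest questions:", hardest_questions(SAMPLE))
    print("flagged channels:", flag_pass_rate_drops(
        {"phone": 0.80, "in_person": 0.70}, pass_rate_by_channel(SAMPLE)))
```

Read together, the two views do different jobs: the per-question failure rate points at questions legitimate taxpayers cannot answer (a data-quality or usability problem), while a pass-rate drop on one channel against its own baseline is the signal to look for a shift in where fraud attempts are landing. Comparing against a baseline window rather than an absolute target avoids alarming on channels that were never easy to pass.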