The Internal Revenue Service needs to strengthen its taxpayer authentication efforts to combat identity theft, according to a new report from the Government Accountability Office.
The GAO noted that criminal were able to get at least $1.6 billion in 2016 by using false identities to claim tax refunds, although the IRS was able to keep $10.5 billion out of their hands.
The report acknowledged the IRS has made progress on monitoring and improving its taxpayer authentication efforts, including developing an authentication strategy with high-level strategic efforts. The IRS authenticates millions of taxpayers each year by telephone, online, in person and through correspondence to ensure it’s interacting with legitimate taxpayers. The estimated costs of authenticating taxpayers vary by channel. However, the IRS hasn’t prioritized the initiatives supporting its strategy nor has it identified the resources required to complete them, consistent with program management leading practices. Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits, the GAO pointed out. In addition, while the IRS regularly assesses risks to and monitors its online authentication applications, it hasn’t set up equally rigorous internal controls for its telephone, in-person, and correspondence channels, including ways to collect reliable, useful data to monitor the outcome of its authentication efforts. As a result, the IRS might not identify current or emerging threats to the tax system.
The IRS can do more to strengthen authentication to stay ahead of fraudsters, according to the GAP. While the IRS has taken some preliminary steps to implement the National Institute of Standards and Technology’s new guidance for secure digital authentication, it doesn’t have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget. As a result, the IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. On top of that, the IRS lacks a comprehensive process to evaluate potential new authentication technologies. Industry representatives, financial institutions and government officials told the GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.
The GAO made 11 recommendations in the report, including prioritizing its authentication initiatives, estimating the funding and other resources it will need to implement these initiatives, and developing a process to evaluate potential authentication technologies.
The IRS defended its taxpayer authentication efforts, while acknowledging it needed to do more. “We believe tangible progress has been made in protecting our systems and laying the framework for sound processes that will improve our ability to anticipate and defend against ever-evolving threats,” wrote Kiersten Wielobob, deputy commissioner for services and enforcement at the IRS, in response to the report. “We understand we still have much work to do and appreciate the recognition that a needed next step is defining both the scope of that work and the resources needed to complete it. We agree with the recommendations in the report and are taking action to address them.”