Treasury Inspector General Reports December, 2015

Transcription

1 Treasury Inspector General Reports December, 2015 Treasury Inspector General for Tax Administration Office of Audit Improved Tax Return Filing and Tax Account Access Authentication Processes and Procedures Are Needed Issued on November 19, 2015 The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals. Much of these data are detailed enough to enable circumvention of most authentication processes. As such, it is critical that the methods the IRS uses to authenticate individuals identities provide a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them. WHY TIGTA DID THE AUDIT Failure to adequately authenticate taxpayers filing a tax return and accessing tax account services can lead to identity theft. The increased availability of personal information warrants an assessment of the authentication risk across IRS services. TIGTA performed this audit to assess IRS efforts to authenticate individual taxpayers identities at the time tax returns are filed and when services are provided. WHAT TIGTA FOUND

2 Taxpayers continue to desire electronic products and services that enable them to interact and communicate with the IRS. However, the continued challenge in expanding its portfolio of electronic products and services is that the IRS must ensure that tax account-related information and services are provided only to individuals who are entitled to receive them. Although the IRS recognizes the growing challenge it faces in establishing effective authentication processes and procedures, it has not established a Service-wide approach to managing its authentication needs. The IRS should establish a function that is optimally placed in the organization and provide it with the authority needed to ensure that authentication policies and procedures are consistent and comply with Government information security standards Service-wide. The IRS recognizes the need to establish a Service-wide approach to managing its authentication needs and has established two groups that focus on taxpayer authentication. However, neither of these groups provides for cross-functional management, oversight, and continued evaluation of the IRS s existing authentication processes to ensure that they address current and future needs. In addition, authentication methods used for current online services do not comply with Government Information Security Standards. For example, TIGTA analysis of the e-authentication processes used to authenticate users of the IRS online Get Transcript and Identity Protection Personal Identification Number applications found that the authentication methods provide only single-factor authentication, despite the Government standards requiring multifactor authentication for such high-risk applications. As a result, unscrupulous individuals have gained unauthorized access to tax account information. WHAT TIGTA RECOMMENDED TIGTA recommended that the Deputy Commissioner for Services and Enforcement develop a Service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensure that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensure that

3 the authentication processes meet Government Information Security Standards. The IRS agreed to implement all three recommendations. Treasury Inspector General for Tax Administration Press Release December 21, 2015 The IRS Needs to Better Ensure That Refunds on Potentially Fraudulent Tax Returns Are Not Erroneously Released A computer programming error and the ineffective monitoring of potentially fraudulent tax returns resulted in the erroneous release of more than $46 million in refunds by the Internal Revenue Service (IRS) during Calendar Year 2014 before the information had been verified as correct. That is among the findings of an audit report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA). TIGTA initiated this audit because an IRS employee reported to the TIGTA Office of Investigations that the IRS was not working some taxpayer cases in which refunds were held. The Office of Investigations identified that the IRS did not timely address these tax accounts to

4 ensure that the refunds are not erroneously released. TIGTA assessed IRS processes to ensure that tax refunds are not erroneously released. The IRS s Return Integrity and Compliance Services organization is responsible for identifying, evaluating, and preventing the issuance of improper refunds. This mission includes protecting revenue by identifying potentially fraudulent tax returns and verifying the accuracy of reported income and withholding information. The IRS reported that the Integrity and Verification Operations function prevented more than $15 billion in refunds for over 2 million tax returns for confirmed identity theft or fraud during Calendar Year TIGTA identified that, because of a programming error, over $27 million of refunds were erroneously issued for 13,043 Tax Year 2013 tax returns. The programming error is overriding the IRS s two-week processing delay on some refund tax returns that the IRS identifies as potentially fraudulent. These are tax returns that the IRS Examination function also identified as claiming a questionable tax credit. The portion of the refund that the Examination function does not review is erroneously issued before the IRS can complete its verification of income and withholding. TIGTA also identified 3,910 Tax Year 2013 returns that the IRS selected for verification with no indication that tax examiners verified the returns. The IRS issued refunds totaling over $19 million for these tax returns. Refund holds were either not set correctly or not functioning as intended. While the IRS has made important strides in its programs that prevent the issuance of fraudulent refunds, our auditors found that it is not always ensuring that tax examiners timely complete their verification work before releasing refunds, said J. Russell George, Treasury Inspector General for Tax Administration. TIGTA recommended that the IRS: correct the programming that is erroneously overriding the twoweek return processing delay needed to ensure that refunds are not issued before screening and verifying the tax returns; develop a periodic reconciliation process to ensure that refunds associated with identified potentially fraudulent tax returns are not erroneously released;

5 develop a process to ensure that tax examiners verify a potentially erroneous refund claimed by a taxpayer within the refund hold period or place an unexpiring refund hold on the taxpayer s account until verification can be completed as required; and identify why refund holds placed on some accounts were not delaying processing of the tax returns and address the causes. The IRS agreed with all recommendations and stated that it was taking corrective action. Treasury Inspector General for Tax Administration Office of Audit Treasury Inspector General for Tax Administration - Federal Information System Modernization Act Report for Fiscal Year 2015 Issued on September 25, 2015 The Federal Information Security Management Act of 2002, and its recent amendment, the Federal Information Security Modernization Act (FISMA) of 2014, were enacted to strengthen the security of information and systems within Federal Government agencies. The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information,

6 the IRS has an obligation to protect this sensitive information against unauthorized access or loss in accordance with FISMA requirements. WHY TIGTA DID THE AUDIT As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency s information security programs and practices. This report presents the results of TIGTA s FISMA evaluation of the IRS for Fiscal Year WHAT TIGTA FOUND The IRS s Information Security Program generally complied with the FISMA requirements. Three program areas met all FISMA performance attributes specified by the Department of Homeland Security: Risk Management, Incident Response and Reporting, and Contingency Planning. Four other security program areas met all attributes with the exception of two or fewer program attributes that were not met: Security Training, Plan of Action and Milestones, Remote Access Management, and Contractor Systems. However, three security program areas failed to meet FISMA requirements overall due to not meeting many of the performance attributes specified by the Department of Homeland Security: Continuous Monitoring Management, Configuration Management, and Identity and Access Management. Until the IRS takes steps to improve its security program deficiencies and fully implement all security program areas in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. WHAT TIGTA RECOMMENDED TIGTA does not include recommendations as part of its annual FISMA evaluation and reports on only the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period.

7 Treasury Inspector General for Tax Administration December 1, 2015 TIGTA Releases Review of IRS FISMA Compliance The Treasury Inspector General for Tax Administration (TIGTA) performed its annual evaluation of the information security programs and practices of the Internal Revenue Service (IRS), as required by the Federal Information Security Modernization Act (FISMA). This report presents the results of TIGTA s evaluation for Fiscal Year TIGTA found that the IRS s Information Security Program generally complied with the FISMA requirements. Three program areas met all FISMA performance attributes as specified by the Department of Homeland Security: Risk Management, Incident Response and Reporting, and Contingency Planning. Four other security program areas met all attributes, with the exception of two or fewer program attributes that were not met: Security Training, Plan of Action and Milestones, Remote Access Management, and Contractor Systems. However, three security program areas failed to meet FISMA requirements overall due to not meeting many of the performance attributes specified by the Department of Homeland Security:

8 Continuous Monitoring Management, Configuration Management, and Identity and Access Management. Until the IRS takes steps to improve its security program deficiencies and fully implement all security program areas in compliance with FISMA requirements, taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. The IRS collects and maintains a significant amount of personal and financial information about taxpayers, said J. Russell George, Treasury Inspector General for Tax Administration. As custodians of this sensitive information, the IRS has an obligation to protect it against unauthorized access or loss, he added. TIGTA does not include recommendations as part of its annual FISMA evaluation and reports on only the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period. Treasury Inspector General for Tax Administration Office of Audit Annual Assessment of the Internal Revenue Service Information Technology Program Issued on September 30, 2015

9 In Fiscal Year 2014, the IRS collected about $3.1 trillion in Federal tax payments, processed hundreds of millions of tax and information returns, and paid about $374 billion in refunds to taxpayers. In addition, the IRS employs almost 87,000 people in 551 facilities nationwide. The IRS relies extensively on computerized systems to support its financial and mission-related operations. Weaknesses within the IRS s Information Technology Program could result in computer operations that become compromised, disrupted, or outdated, which could adversely affect the IRS s ability to meet its mission of providing America s taxpayers with top-quality service by helping them understand and meet their tax responsibilities and enforcing the law with integrity and fairness to all. WHY TIGTA DID THE AUDIT TIGTA annually assesses and reports on an evaluation of the adequacy and security of IRS information technology as required by the IRS Restructuring and Reform Act of Our overall objective was to assess the progress of the IRS s Information Technology Program including security, modernization, and operations for Fiscal Year WHAT TIGTA FOUND Cybersecurity remains a major challenge for the Federal Government, and the IRS continues to work toward securing tax information and maintaining taxpayer privacy. TIGTA identified weaknesses within the IRS s Cybersecurity program pertaining to continuous monitoring, configuration management, identity and access management, privacy impact assessments, external connections, and audit trails. In addition, the IRS is developing a new system that uses data analytics to combat identity theft and tax fraud. During its pilot in Calendar Year 2014, the Return Review Program identified 10,348 identity theft cases totaling $43 million in refunds and an additional 350,000 potentially fraudulent returns that were not detected by the existing fraud detection system. However, the IRS has not planned for the retirement of its existing fraud detection system. The IRS continues to develop or upgrade its systems to meet its obligation as the Nation s tax administrator. TIGTA identified concerns with Windows workstation and server upgrades, Integrated

10 Enterprise Portal operations, and the Customer Account Data Engine 2 program. Finally, the IRS made significant progress developing new systems supporting the Affordable Care Act. However, TIGTA identified issues with the Coverage Data Repository, the Affordable Care Act Verification Service, interagency testing, and the Final Integration Test program. WHAT TIGTA RECOMMENDED Because this report was an assessment report of the IRS s Information Technology Program based on TIGTA audit reports issued during Fiscal Year 2015, TIGTA did not make any recommendations. Treasury Inspector General for Tax Administration Office of Audit Improvements Are Needed in the Identity Protection Specialized Unit to Better Assist Victims of Identity Theft Issued on October 27, 2015 As part of the IRS s strategy to reduce taxpayer burden caused by identity theft, the Identity Protection Specialized Unit (IPSU) was formed in October The IPSU is a dedicated unit to enable victims of identity theft to have their questions answered and obtain assistance in having their issues resolved quickly and effectively.

11 WHY TIGTA DID THE AUDIT In May 2012, TIGTA reported that the IRS should reassess the role of the IPSU because it was not meeting its original purpose of providing taxpayers with a single assistor to work with each identity theft victim to answer questions and resolve his or her issues. This audit was initiated to follow up on the current effectiveness of the IPSU in meeting its goals. The objective of this review was to determine whether the IPSU results in a streamlined process to help resolve identity theft cases, including providing victims with a single point of contact. WHAT TIGTA FOUND The majority of identity theft victims are no longer provided with an IPSU single point of contact. The IRS indicated that budgetary constraints do not allow for a single employee to be assigned to each identity theft victim. However, the IRS has stated that it remains committed to continuing to provide victims of identity theft with the centralized IPSU hotline to obtain assistance. The IRS noted that obtaining assistance via contact with the hotline does not depend on the availability of a single customer service representative, who may be unavailable because he or she is performing other casework. In addition, required acknowledgement and case status letters were not always issued to taxpayers. Our review of a statistically valid sample of 51 IPSU cases from the 24,509 that were closed in Fiscal Year 2014 identified 19 cases (37 percent) for which the customer service representative either did not send or timely send the taxpayer one or more of the required letters. Also, research is not always effectively conducted to identify and assist taxpayers who submit identity theft claim documentation without their Social Security Number. Our review of a statistically valid sample of 51 cases from a population of 2,612 individuals identified 18 (35 percent) for which IRS information could have been used to identify the Social Security Number. Instead, the IRS closed the case as not having sufficient information from the individual to enable the IRS to identify a corresponding Social Security Number.

12 Finally, a comprehensive process has not been established to ensure that IPSU customer service representatives timely address taxpayer voic messages. WHAT TIGTA RECOMMENDED TIGTA recommended that the IRS ensure that required acknowledgement and case status letters are timely sent to victims of identity theft. In addition, the IRS should ensure that cases submitted without a complete Social Security Number are properly researched and that a process is developed whereby customer service representatives timely respond to taxpayers voic messages. The IRS agreed with all three recommendations and plans to conduct ongoing quality and managerial reviews to identity opportunities to improve the timeliness of acknowledgements sent to taxpayers. The IRS stated that additional training was provided to employees on how to properly research cases for the full Social Security Number. In addition, the IRS plans to issue updated guidance with specific procedures that address voic s related to identity theft.