Although fraudsters tried to claim $12.2 billion in fraudulent tax refunds, they were only able to succeed in getting the IRS to pay out $1.6 billion in 2016…still a considerable loss. A recent report by the Government Accountability Office finds that although the IRS has made progress, it needs to take additional steps to assure that claimants are legitimate taxpayers by improving their authentication efforts.
The IRS identified over 100 interactions that require a taxpayer to authenticate, or use data in some way to help identify themselves, when doing business with the IRS. In one year, the agency authenticates over 27 million taxpayers.
According to the report, the IRS has made progress on monitoring and improving authentication, including developing an authentication strategy with high-level strategic efforts. However, it has not prioritized the initiatives supporting its strategy nor identified the resources required to complete them, consistent with program management leading practices. Doing so would help IRS clarify relationships between its authentication efforts and articulate resource needs relative to expected benefits. Further, while IRS regularly assesses risks to and monitors its online authentication applications, it has not established equally rigorous internal controls for its telephone, in-person, and correspondence channels, including mechanisms to collect reliable, useful data to monitor authentication outcomes. As a result, IRS may not identify current or emerging threats to the tax system.
Additionally, while the IRS has taken preliminary steps to implement the National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication, it did not have clear plans and timelines to fully implement it by June 2018, as required by the Office of Management and Budget. As a result, IRS may not be positioned to address its most vulnerable authentication areas in a timely manner. Further, IRS lacks a comprehensive process to evaluate potential new authentication technologies.
Industry representatives, financial institutions, and government officials told GAO that the best authentication approach relies on multiple strategies and sources of information, while giving taxpayers options for actively protecting their identity. Evaluating alternatives for taxpayer authentication will help IRS avoid missing opportunities for improving authentication.