The Internal Revenue Service is testing a new Return Review Program to help identify instances of tax return fraud, but the security of the system needs improvement, according to a new government report.
The
TIGTA found that during an IRS pilot test, the RRP models flagged potential identity theft fraud not detected by the EFDS models. During a 32-day test, the RRP Identity Theft Model identified 51,946 returns as potential identity theft cases. The IRS confirmed that 41,311 of those returns involved identity theft. However, of the confirmed identity theft cases, the IRS determined that 10,348 cases (or about 25 percent), totaling $43 million in refunds, were not detected by the EFDS or the Dependent Database.
In addition, IRS tests showed that 8 million tax returns a day can be loaded to the RRP database as required. For example, over a one-week period the RRP consistently loaded between 7 million and 9 million returns a day.
However, the IRS classified the RRP as a Level 3 system, that is, it is considered to be an information resource instead of a major system. Because the RRP was classified as a Level 3 Federal Information Security Management Act system, RRP-specific security issues may not be effectively addressed, TIGTA warned. In addition, identified security vulnerabilities were not remediated. For example, the October 2014 network scans identified two RRP servers that were still vulnerable to the Heartbleed bug six months after the vulnerability was announced.
“The RRP test results show potential improvements in the IRS approach to prevent, detect, and resolve pre-refund tax fraud,” said TIGTA Inspector General J. Russell George in a statement. “While these potential improvements are encouraging, the IRS must also ensure the system is properly classified and meets security requirements.”
TIGTA recommended that the IRS’s chief technology officer ensure that IRS personnel completing the Federal Information Security Management Act system classifications are familiar with the law’s requirements. The IRS should also make sure validation of system classification and reclassification is discussed, reviewed and documented during the biweekly cybersecurity management meeting, TIGTA suggested. All critical and high-risk RRP vulnerabilities should be resolved, said TIGTA.
The IRS agreed with TIGTA’s three recommendations. The agency plans to brief personnel on the Federal Information Security Management Act requirements for each level of classification; enhance its current process for the validation of system classification and reclassification as discussed, reviewed, and documented during the biweekly management meeting; and focus on resolving the critical vulnerabilities in production and then the lower environments.
“We remain committed to managing the security risks in our IT infrastructure as required by the Federal Information Security Management Act, National Institute of Standards and Technology guidance, and other appropriate standards,” wrote IRS chief technology officer Terence V. Milholland in response to the report. “We continue to actively monitor the IT environment and improve processes to ensure vulnerabilities are effectively prioritized and remediated.”
