The Internal Revenue Service does not always properly authenticate the identity of taxpayers calling its toll-free assistance lines before providing them with confidential tax account information, according to a new government report.

The report, by the Treasury Inspector General for Tax Administration, found that taxpayers who call the IRS-toll-free lines are at risk of having their personally identifiable information inadvertently overheard and disclosed during conversations with IRS employees. TIGTA auditors listened to a sample of audio-taped calls between IRS employees and taxpayers and were able to hear parts of assistors' conversations with other callers.

 IRS guidelines require assistors to fully authenticate callers before assisting them. Assistors are not always authenticating taxpayers who call the IRS’ toll-free telephone number for tax account information.

From a statistical sample of 180 contact recordings, assistors did not properly follow procedures when authenticating 29 callers, increasing the risk of unauthorized disclosures. This included nine assistors who did not ask callers the two additional authentication probes (high-risk questions) when the situation required, eight assistors that did not ask callers all five required authentication questions, and 12 assistors who did not authenticate callers for various other reasons.

TIGTA auditors were able to hear parts of assistors’ conversations with other callers in 48 of the 180 sampled calls. This happened because assistors did not put callers on hold when they were researching the taxpayers’ accounts. For 26 calls, assistors repeated the Social Security number back to the caller on the telephone.

Millions of taxpayers call the IRS toll-free telephone service every year seeking answers to tax account questions. IRS employees are supposed to ask a series of questions to verify a caller's identity before answering questions about the taxpayer's account. This is done to protect the confidentiality of tax returns and return information. The information used to authenticate the taxpayer's identity, including his or her name, address, Social Security number, date and place of birth, is considered to be personally identifiable information, which can be used in identity theft.

TIGTA evaluated the IRS’s controls over the authentication of taxpayers who call the IRS’s toll-free telephone numbers to determine whether current procedures reduce the risk of unauthorized disclosures of taxpayer information, and found many instances where the information was divulged to people who may not have been authorized .

"As the telephone continues to be one of the primary tools taxpayers use to communicate with the IRS, taxpayers need to be assured that the IRS is taking every precaution to protect their personal information from inadvertent disclosure," said TIGTA Inspector General J. Russell George in a statement.

The IRS has a new agency-wide authentication strategy and its vision is to promote data protection and enable ease of access to maintain public confidence and improve customer service. The IRS also has a future strategy called authentication retention to reduce the number of times a caller is authenticated. Authentication retention will allow a caller’s authentication information to be readily available to each assistor who provides help to the caller. However, in fiscal year 2009, the IRS decided not to fund authentication retention, but will reconsider it in future budget requests.

TIGTA recommended that the IRS revise its guidelines to require assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes. During assistor training, it should emphasize that assistors are not to prematurely authenticate callers and the importance of controlling calls and placing callers on hold while conducting research. Guidelines should require assistors to ask callers to repeat personally identifiable information if clarification is needed. Finally, the IRS should incorporate available technology to authenticate callers in the queue as part of the development of authentication retention.

The IRS agreed with two and partially agreed with one of our four recommendations. The IRS plans to emphasize during training the proper use of hold procedures.Guidance and training will be developed to instruct assistors to request callers repeat personally identifiable information. The IRS also plans to submit a technology request to incorporate available technology to authenticate callers prior to their reaching an assistor.

The IRS did not agree to revise guidelines to require assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes. However, when callers incorrectly answer the address or date of birth probes, training materials will continue to emphasize that inadequate caller identity authentication could result in an unauthorized disclosure.

TIGTA said it maintains that requiring assistors to ask two additional high-risk probes when callers incorrectly answer the address or date of birth probes is warranted to reduce the risk of unauthorized disclosures.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access