Treasury Inspector General for Tax Administration, Office of Audit determines, Inconsistent Processes and Procedures Result in Many Victims of Identity Theft Not Receiving Identity Protection Personal Identification Numbers.

IMPACT ON TAXPAYERS
To provide relief to identity theft victims, the IRS began issuing Identity Protection Personal Identification Numbers (IP PIN) to eligible taxpayers in Fiscal Year 2011.  An IP PIN is a six-digit number assigned to taxpayers that allows their tax returns/refunds to be processed without delay and helps prevent the misuse of their Social Security Numbers (SSN) on fraudulent Federal income tax returns.  In Processing Year 2016, the IRS issued approximately 2.7 million IP PINs to taxpayers for use in filing their tax returns.

WHY TIGTA DID THE AUDIT
This audit was initiated to assess IRS actions to improve and expand the IP PIN Program.  This includes assessing IRS corrective actions to TIGTA’s prior recommendations and the IRS’s decision to not deactivate the online IP PIN application after security weaknesses were identified.

WHAT TIGTA FOUND
The IRS did not deactivate the online IP PIN application after a security breach was identified on May 17, 2015.  Instead, risk mitigation processes were implemented.  TIGTA made repeated recommendations to shut down the application until a stronger level of online authentication could be implemented and advised the IRS that its risk mitigation processes were not always working as intended.

TIGTA’s review of 32,623 tax returns, filed between January 19 and May 24, 2016, with an IP PIN that was viewed online identified that 12,020 (36.8 percent) returns were not manually reviewed as required.

TIGTA also identified that taxpayer accounts were not always consistently updated to ensure that IP PINs were generated for taxpayers as required.  The IRS did not generate an IP PIN for approximately 2 million taxpayers for whom the IRS resolved an identity theft case confirming the taxpayer was a victim.  Additionally, the IP PIN notice continues to contain inaccurate information.  The IRS mailed approximately 2.7 million IP PIN notices to taxpayers for Processing Year 2016 erroneously instructing them not to use their IP PIN if they are claimed as a dependent on a tax return.

The IRS’s Opt-In Program was designed to focus on taxpayers in locations with the highest per capita rate of identity theft and offer them the opportunity to obtain an IP PIN before becoming a victim of tax-related identity theft.  However, the IRS has not updated its identification of locations that may now have the highest per capita rate based on identity theft complaints.  In addition, taxpayers in Opt-In Program locations may be unaware of the option to obtain an IP PIN.

WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS ensure that: 1) an authentication risk assessment is completed and documented subsequent to all future system security breaches to an online application; 2) all functions have consistent procedures for adding identity theft markers that create an IP PIN; 3) accurate information is provided to taxpayers on IRS notices; 4) processes are developed to identify taxpayers in locations with the highest per capita rate of identity theft; and 5) an outreach strategy is developed to increase taxpayer awareness of the Opt-In Program.

The IRS agreed with four recommendations but did not agree that processes need developing to identify taxpayers in locations with the highest per capita rate of identity theft.  TIGTA stated that this decision is contrary to the intent of the Opt-In Program, which is to focus on taxpayers in States and locations with the highest per capita rate of identity theft.