IRS audit finds lack of privacy protection

IRS audit finds lack of privacy protection

IRS management agreed with the report's findings and recommendations and has completed or planned appropriate corrective actions, according to the auditors.
amaxwell@govexec.com

The IRS does not effectively protect taxpayers' privacy, an internal audit has concluded.

Auditors called IRS customer service centers and requested taxpayers' information with only names, addresses and Social Security numbers, which are easy to find publicly. The auditors posed as taxpayers, including a teacher, an IRS employee and a mayor, with their permission, the report said. Customer service representatives provided the auditors with tax and income information too readily, the auditors concluded.

"Better authentication techniques are needed during telephone contacts to reduce the risk of improper tax account disclosure," the auditors said. "Under current procedures, an impostor who knows a taxpayer's name, address and Social Security number can find out tax and income information from the Internal Revenue Service with a simple phone call."

The auditors conducted 109 test calls from 17 offices in the Northeast and West between July 1996 and February 1997. During the calls, auditors requested information such as gross income, taxable income, taxes withheld and refunds. Auditors requested that this information be provided over the phone, faxed or sent to an address different that the master file showed.

In 96 of 109 calls, customer service representatives disclosed tax account information to auditors by phone (in 79 cases), by sending it to an address different from that on master file (10 cases) or both (7 cases). In 32 of the 96 disclosures, the only identifying information requested was the caller's name, address and Social Security number. In 26 of the disclosures, the caller was asked to provide at least one other additional piece of information, such as date of birth, filing status or spouse's name.

"The growing concern of citizens and Congress regarding an individual's right to privacy reaffirms the IRS' need for effective disclosure practices and safeguards," the auditors concluded. "As customer service moves toward telephone-based service, the IRS needs to ensure that the authentication procedures minimize the risk of unauthorized disclosure."

The auditors recommended that the IRS:

  • Strengthen procedures for authenticating the identities of callers by more effectively using information available through the agency's Integrated Data Retrieval System.
  • Establish a clear policy to deal with disclosing tax account information to third parties.
  • Provide customer service representatives with more guidance and training.