data security concept

The Internal Revenue Service needs to improve its procedures to prevent the fraudulent use of third-party authorization forms, such as power of attorney filings, to obtain taxpayer information, according to a new report.

The report, from the Treasury Inspector General for Tax Administration, evaluated the IRS’s controls when authenticating requests from individuals who try to represent taxpayers and access taxpayer information, such as CPAs and enrolled agents, by filing a Form 2848, Power of Attorney and Declaration of Representative, or Form 8821, Taxpayer Information Authorization. It found the IRS doesn’t have sufficient processes and procedures in place to authenticate the validity of the forms. Tax examiner reviews of the forms also don’t include the necessary steps to verify that legitimate taxpayers submitted or signed the form to authorize access to their tax information.

TIGTA estimated the IRS has at least one unauthorized request form for every 1.1 million taxpayers who have an authorization in the Centralized Authorization File, or CAF. The IRS also didn’t protect 300 taxpayers after finding out that their Taxpayer Identification Numbers were obtained by fraudsters. The IRS should have placed the Taxpayer Identification Numbers on its Dynamic Selection List to monitor their use on any future tax returns submitted by the taxpayers.

TIGTA’s review also found the IRS didn’t do enough to prevent some taxpayer refunds from being erroneously issued to representatives. On top of that, IRS tax examiners aren’t following the agency’s internal guidelines that limit the assignment of one CAF number to a single representative per location.

TIGTA recommended the IRS develop a confirmation letter program to make sure taxpayers have indeed authorized the third-party access. The report also recommended the IRS revoke authorizations for any representatives and designees that taxpayers didn’t authorize. It said the IRS should develop a process to ensure all Taxpayer Identification Numbers associated with confirmed fraudulent CAF authorizations are forwarded to the appropriate office. The report suggested the IRS develop procedures for all functions involved with fraudulent authorization requests and stolen CAF numbers to report their findings to CAF management in a timely manner. The IRS should also remove the refund indicator from all 72,095 authorizations that were processed prior to January 2013, and ensure that tax examiners follow the guidelines to limit the issuance of CAF numbers to one CAF number per representative or designee at each office, the report recommended. The IRS also needs to correspond with representatives and designees who have been assigned multiple CAF numbers to let them know they are permitted to have one just CAF number per location, according to TIGTA.

The IRS agreed with six of TIGTA’s recommendations and partially agreed with its recommendation to correspond with representatives and designees who have been assigned multiple CAF numbers. IRS management plans to correspond only with those individuals it identifies as having used the multiple CAF numbers to see if there’s a need for the multiple numbers and identify those that can be removed.

“The CAF was developed and implemented in an era when most taxpayer and practitioner interactions with the IRS were transacted on paper,” wrote Kenneth C. Corbin, commissioner of the IRS’s Wage and Investment Division, in response to the report. “As the use of personal computers has transformed the business is now conducted, we have taken steps to fortify safeguards and defenses to ensure taxpayer information is protected from unauthorized disclosure.”