
TIGTA: IRS Needs Better Security in Express Verification Program

FEB. 16, 2021

2021-45-017


Additional Security Processes Are Needed to Prevent Unauthorized Release of Tax Information Through the Income Verification Express Service Program

February 16, 2021

HIGHLIGHTS

Final Audit Report issued on February 16, 2021

Why TIGTA Did This Audit

This audit was initiated to evaluate the controls implemented by the IRS to validate tax transcript requests received through the Income Verification Express Service (IVES) Program. This audit also evaluated IRS efforts to implement Taxpayer First Act provisions related to the IVES Program. These provisions limit redisclosures and uses of tax return information and require the IRS to implement an online system to process IVES transcript requests, publish standards for the acceptance of taxpayers' electronic signatures, and verify the identity of any individual opening an e-Services account.

Impact on Taxpayers

Once accepted in the IVES Program, participants such as banks and financial institutions can submit requests, on behalf of their clients, to obtain tax transcripts for individuals and businesses. To mitigate the risk of releasing taxpayers' information to unauthorized individuals, the IRS must authenticate the validity of the tax transcript request forms to ensure that the taxpayers signed the forms. In Processing Year 2019, the IRS processed nearly 14 million tax transcript request forms.

What TIGTA Found

The IRS implemented corrective actions to help ensure that tax transcripts can be accessed only by authorized IVES Participants. For example, Secure Access for e-Services was implemented on December 10, 2017 to prevent unauthorized access to taxpayer data. This multifactor authentication process improves security and helps ensure that tax transcripts can only be accessed by authorized IVES Participants. In addition, on August 22, 2018, the IRS announced that it was implementing a new format for individual tax transcripts that would redact personally identifiable information from the transcripts to better protect taxpayer data.

TIGTA also found some key processes are not operating as intended to ensure that taxpayers authorize the release of their tax transcripts. For example, the IRS requires participants to provide an independent audit report on their electronic signature process by January 31st each year. However, as of July 31, 2020, the IRS received this report from only 15 (2 percent) of the 748 participants. In addition, key requirements for participants' use and acceptance of electronic signatures were not addressed in the audit reports, and two reports were not prepared by an independent party.

The IRS is developing an online system to process IVES Participants' tax transcript request forms. The system will replace the current partially automated system, which requires employees to manually process the transcript requests. This new system will also allow the IRS to continue processing IVES transcript requests if the IRS experiences another crisis, like Coronavirus Disease 2019, which causes it to cease operations at its Tax Processing Centers.

The IRS did not revise its transcript request form to require IVES Participants to provide their clients' names to substantiate taxpayers' express permission for the disclosure of their tax information to the clients. In addition, IVES Program analysts did not conduct compliance reviews in Fiscal Year 2019 to ensure that participants completed the required client certifications. These certifications are important because they validate the identity of clients that ultimately receive the transcripts.

Finally, the IRS did not conduct sufficient suitability checks on 577 IVES Participants that were “grandfathered” into the program in February 2016 when management implemented the suitability checks.

What TIGTA Recommended

TIGTA made 15 recommendations, including that the IRS allocate sufficient resources to the IVES Program to timely identify and suspend participants that do not complete the electronic signature certification and submit the annual independent audit report to the IRS.

IRS management agreed with all 15 recommendations.


February 16, 2021

MEMORANDUM FOR:
COMMISSIONER OF INTERNAL REVENUE

FROM:
Michael E. McKenney
Deputy Inspector General for Audit

SUBJECT:
Final Audit Report — Additional Security Processes Are Needed to Prevent Unauthorized Release of Tax Information Through the Income Verification Express Service Program (Audit # 202040511)

This report presents the results of our review to evaluate Internal Revenue Service (IRS) controls to validate transcript requests and implement Taxpayer First Act[1] sections related to the Income Verification Express Service Program. This review was part of our Fiscal Year 2020 Annual Audit Plan and addresses the major management and performance challenge of Security Over Taxpayer Data and Protection of IRS Resources.

Management's complete response to the draft report is included as Appendix III.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Russell P. Martin, Assistant Inspector General for Audit (Returns Processing and Account Services).


Table of Contents

Background

Results of Review

Processes Do Not Ensure That Taxpayers Authorize Release of Their Tax Information to IVES Participants

Recommendation 1:

Recommendations 2 through 5:

An Online System Is Being Developed to Replace the Current Manual IVES Transcript Request Process

Recommendation 6:

Manual Processing of IVES Transcript Requests Resulted in Significant Backlogs When Tax Processing Centers Closed in Response to Coronavirus Disease 2019

Processes Do Not Ensure Taxpayer Consent When IVES Participants Disclose Tax Transcripts to Clients As Required by the Taxpayer First Act

Recommendations 7 through 10:

Suitability Assessment Checks for IVES Participants Are Not Consistent With the Checks That Other Programs Complete on Their Participants

Recommendations 11 and 12:

Transcript Requests Were Processed Erroneously for Taxpayer Accounts That Contained Identity Theft Markers

Recommendations 13 and 14:

Internal Guidelines Must Be Updated With Key IVES Program Processes and Procedures

Recommendation 15:

Appendices

Appendix I — Detailed Objective, Scope, and Methodology

Appendix II — Outcome Measure

Appendix III — Management's Response to the Draft Report

Appendix IV — Abbreviations


Background

In October 2003, the Internal Revenue Service (IRS) began deploying e-Services, which is a suite of web-based products allowing tax professionals, financial institutions, and other third parties to conduct business with the IRS electronically. One product, offered since May 2005, is the Transcript Delivery System, which allows external third parties to view and obtain tax transcripts for both individuals and businesses. The transcripts cannot be obtained unless the third party successfully registers for e-Services and participates in electronic tax return filing or is a participant of the Income Verification Express Service (IVES) Program. The Transcript Delivery System is also used by IRS employees to provide tax transcripts to taxpayers that request this information when visiting Taxpayer Assistance Centers[2] or by calling the IRS.

Registering for e-Services

For IVES Participants to receive transcripts, the principal individuals in the business must register with e-Services. Registration requires users to have an account secured by an identity proofing process called Secure Access, which includes an online authentication process. Secure Access protects taxpayer information through an identity proofing process to ensure that the persons registering are who they say they are. An IVES applicant must complete the following steps during the Secure Access authentication process to register with e-Services:

  • The applicant must provide their first and last name as it appears on their most recent tax return, mobile phone number, and a current e-mail address.[3] The IRS sends a one-time confirmation code to the e-mail address provided by the taxpayer, which the taxpayer must enter to proceed with the process.

  • Once the applicant enters the code and verifies their e-mail address, they are prompted to enter additional personal information verified against IRS records, which includes date of birth, Social Security Number, and the filing status and mailing address from their most recently filed tax return.

  • As another layer of identity proofing, the applicant is required to enter the account number for a financial account, i.e., credit card, which the IRS verifies using a credit reporting agency. Once the IRS verifies the information entered by the taxpayer, the taxpayer receives a six-digit activation code, via text message, which must be entered to complete the authentication process.

  • To complete the process, the applicant is prompted to create a username and password. When logging into the e-Services application, users must enter their username and password and a security code received via text message.

Requesting tax transcripts through the Income Verification Express Service (IVES) Program

To participate in the IVES Program, an applicant must:

  • Submit an enrollment application. The applicant must complete Form 13803, Application to Participate in the Income Verification Express Service Program. This form requires basic information about the business including the Employer Identification Number,[4] name, address, telephone number, and fax number. Form 13803 also requires essential information for the principal and responsible official of the business, such as name, Social Security Number, date of birth, and address.

  • Pass a suitability assessment. Prior to acceptance in the IVES Program, the IVES Program Office performs a one-time suitability assessment on the business as well as the business's principal and responsible official. The suitability assessment includes verifying that the business is legitimate and conducting a tax compliance check to ensure that the applicant is suitable to participate in the program.

  • Complete a client certification form. In June 2016, the IRS established new certification requirements for IVES Participants who follow a “client-based” business model in which the participant acts as an intermediary between its clients and the IRS to obtain tax transcripts. As part of the client certification process, IVES Participants must verify and validate the identity of their clients for whom they request tax transcripts.

  • Establish a secure electronic mailbox. As part of the e-Services registration process, the applicant establishes a secure electronic mailbox where the IRS sends the tax transcripts.

Once accepted in the IVES Program, participants can submit an authorization form to obtain tax transcripts for the individuals and businesses. Figure 1 provides the authorization form, permission granted to the third party, and information required for the IRS to process the form.

Figure 1: Authorization Form Used by Third Parties to Request Taxpayer Information

Form Number and Name: Form 4506-T, Request for Transcript of Tax Return

Authorization Granted: Authorizes a third party to request and receive tax transcripts such as Forms 1040, U.S. Individual Income Tax Return; and Forms W-2, Wage and Tax Statement.

Requirements for Processing: Form 4506-T must include elements such as the taxpayer(s) Social Security Number, name, address, and dated signature within the last 120 calendar days. The form must also specify the type of tax forms and specific period(s) requested.

Source: Form 4506-T and instructions on IRS.gov.

IVES Participants primarily serve as an intermediary by receiving tax transcript requests from their clients such as banks or mortgage companies, submitting the requests to the IRS for processing, receiving the tax transcripts from the IRS, and then providing them to their clients that use the transcripts to verify taxpayer income in a loan application process. On July 1, 2019, the IRS stopped mailing tax transcripts to third parties to better protect taxpayers' information.

This action was taken in response to our prior report issued in March 2018[5] that found mailing the transcripts presents a risk to taxpayers' information. Tax transcripts ordered through the IVES Program are now delivered via the Transcript Delivery System to the IVES Participant's secure mailbox. Figure 2 shows that the IVES Program is a partially automated service in which the IRS manually processes transcript requests received via fax and systemically delivers the transcripts to IVES Participants.

Figure 2: IVES Program Transcript Request Process

The IRS generally provides the tax transcript within three business days to an IVES Participant that pays $2 per request.[6] Participants log on to their e-Services account to access their secure mailbox and retrieve the transcripts. As of August 14, 2020, the IVES Program had 748 participants. Figure 3 provides the total user fees assessed and transcript requests processed by the program in Fiscal Years (FY) 2017 through 2019.

Figure 3: IVES User Fees and Transcript Requests for FYs 2017 Through 2019

FY      User Fees        Transcript Requests
2017    $50.1 million    25,036,834
2018    $38.1 million    19,032,140
2019    $29.0 million    14,508,105

Source: IRS Chief Financial Officer, Financial Management Office.

According to an IVES Participant Working Group,[7] the number of transcript requests decreased in FY 2019 because lenders are communicating more with banks and financial companies to confirm borrowers' incomes. Another reason is that fewer individuals bought a home or refinanced their home mortgage due to higher interest rates.

Transcript types

Tax transcripts, if obtained by unscrupulous individuals, provide valuable tax information that can be used to prepare and file fraudulent tax returns. Tax transcripts available via the Transcript Delivery System include:

  • Account Transcript — Provides financial tax account information such as payments, penalty assessments, and adjustments made by the taxpayer or the IRS.

  • Return Transcript — Provides information related to most of the line items from a filed tax return.

  • Record of Account — Provides the most detailed tax account information as it is a combination of the Account Transcript and Return Transcript.

  • Wage and Income Transcript — Provides data from information returns such as Forms W-2; Forms 1099, income series; Forms 1098, expense series; or Forms 5498, IRA[8] Contribution Information.

  • Verification of Non-Filing — Provides confirmation that a taxpayer did not file a return for a specific requested tax year. This transcript is not available to IVES Participants.

The Taxpayer First Act[9] requires the IRS to modernize the IVES Program and increase taxpayer protections

On July 1, 2019, the President signed the Taxpayer First Act, which aims to broadly redesign the IRS, expand and strengthen taxpayer rights, and enhance its cybersecurity. This Act includes the following four sections to further improve the IVES Program and increase taxpayer protections:

  • Section 2201: Requires the IRS to modernize its IVES Program for disclosure of taxpayer information for third-party income verification by January 1, 2023. Specifically, the IRS is required to develop an automated system to receive third-party income verification forms. The IRS must ensure that the program complies with applicable security standards and guidelines. This system would replace the current system that relies on secure fax.

The IRS must also assess and collect a fee for any disclosures (in addition to any other fee assessed and collected for such disclosures) over a two-year period at such rates as the IRS determines sufficient to cover the costs related to implementing the modernized IVES Program, including the costs of any necessary infrastructure or technology. Amounts received from fees assessed and collected must be deposited in, and credited to, an account solely for the purpose of carrying out the development activities. In addition, the collected amounts shall be available to carry out the program development activities without need of further appropriation and without fiscal year limitation.

  • Section 2202: Amends Internal Revenue Code (I.R.C.) Section 6103(c), effective December 28, 2019, to limit redisclosures and uses of consent-based disclosures of taxpayer information by adding, “Persons designated by the taxpayer under this subsection to receive return information shall not use the information for any purpose other than the express purpose for which consent was granted and shall not disclose return information to any other person without the express permission of, or request by, the taxpayer.” The section also established penalties for any unauthorized disclosures under the amended I.R.C. Section 6103(c).

  • Section 2302: Amends I.R.C. Section 6061(b)(3) effective July 1, 2019, requiring the IRS to publish guidance by January 1, 2020, establishing uniform standards and procedures for the acceptance of taxpayers' signatures appearing in electronic form with respect to any request for disclosure of a taxpayer's return or return information under Section 6103(c) to a practitioner or any power of attorney granted by a taxpayer to a practitioner.

  • Section 2304: Requires the IRS to authenticate users of e-Services not later than December 28, 2019, by verifying the identity of any individual opening an e-Services account before such individual is able to use the e-Services tools.

Results of Review

In March 2018, we reported that IVES certification requirements are not effective in addressing risks associated with the unauthorized release of tax transcripts to IVES clients, and that the IRS does not have processes and procedures to ensure that the legitimate taxpayers signed the Form 4506-T to authorize the release of their tax transcripts. Since our last review, the IRS implemented some security controls to address the recommendations in our prior report to protect taxpayer information from unauthorized disclosure. These include:

  • The IRS implemented Secure Access for e-Services, on December 10, 2017, to prevent unauthorized access to taxpayer data. This multifactor authentication process improves security and helps ensure that tax transcripts can only be accessed by authorized IVES Participants. Multifactor authentication adds an extra layer of protection by requiring participants to enter a security code sent, via text message, to their cell phone in addition to entering their username and password to access their account.

  • Masking of Personally Identifiable Information from tax transcripts was implemented to prevent unauthorized disclosure of taxpayer data. On August 22, 2018, the IRS announced that it was implementing a new format for individual tax transcripts that would redact Personally Identifiable Information from the transcripts beginning September 23, 2018, to better protect taxpayer data. Additionally, the IRS created a new Customer File Number, which is reflected on the redacted transcript that third parties can use as an identifying number instead of the taxpayer's Social Security Number.

However, the IRS will not have a process to ensure that the taxpayer signed the Form 4506-T to authorize release of their tax transcript until it develops an IVES online transcript request system. The system would also allow the IRS to continue processing Forms 4506-T if the IRS experiences another event or crisis such as the Coronavirus Disease 2019 (COVID-19) pandemic that resulted in the closure of Tax Processing Centers.

Processes Do Not Ensure That Taxpayers Authorize Release of Their Tax Information to IVES Participants

In addition to the previously mentioned security controls that the IRS implemented to better protect taxpayers' information, actions were completed to comply with Section 2302 of the Taxpayer First Act. For example, the IRS established uniform standards and procedures for the acceptance of taxpayers' signatures appearing in electronic form with respect to any request for disclosure of a taxpayer's return or return information. This guidance was published in the Internal Revenue Manual in December 2019 and addresses electronic signatures on forms used to request tax information, including Form 4506-T.

Although the IVES Program can accept a taxpayer's electronic signature, the IRS cannot authenticate that the legitimate taxpayer electronically signed the Form 4506-T. As such, until the IRS deploys its online IVES transcript request system (see Figure 4), it has no assurance that the legitimate taxpayer authorized release of his or her tax transcript. In the interim, the IRS must rely on its current control in the IVES Program for validating electronic signatures. This control requires participants, who submit electronically signed Forms 4506-T, to undergo an independent audit of their electronic signature process and provide the IVES Program with the audit report by January 31st each year. For example, if a participant submits Forms 4506-T to the IVES Program in Calendar Year (CY) 2019, the participant is required to submit an independent audit report of their electronic signature process by January 31, 2020.

Processes do not ensure that IVES Participants undergo the required independent audit of their electronic signature process

Although the independent audit is a key control for the IRS to validate electronic signatures, IRS management does not ensure that IVES Participants undergo the required independent audit of their electronic signature process. Our discussion with IVES Program management identified that processes have not been established to identify which participants are submitting electronically signed Forms 4506-T. As a result, management does not know which participants are required to provide an independent audit report of their electronic signature process. For example, as of August 14, 2020, the IVES Program had 748 participants but received an independent audit report from only five participants by January 31, 2020.

To participate in the electronic signature process, IVES Participants must validate that signers are who they say they are, obtain consent from the signer to receive and sign documents electronically, and ensure that the electronic signature establishes a person's intent to sign the Form 4506-T. After the electronic signature is collected, the document must be made tamper proof to ensure its validity, and an audit log of the electronic signing must be retained by the IVES Participant for two years.

On February 28, 2020, we issued an e-mail alert recommending that the program immediately require all participants to inform the IRS whether they are submitting electronically signed Forms 4506-T and acknowledge their agreement to provide the independent audit report of their electronic signature process. In response to our e-mail alert, the IRS notified all IVES Participants on March 23, 2020, that they must certify whether they are submitting electronically signed transcript requests and, if so, provide the required audit report by April 30, 2020. This deadline was subsequently postponed until August 7, 2020.

However, as of July 31, 2020, a majority of the 748 IVES Participants did not respond to the IRS's March 23, 2020, mandate. For example:

  • Only 206 IVES Participants responded to the request to certify whether they are submitting electronically signed Forms 4506-T.

  • Of the 53 participants who responded that they were using electronic signatures, 38 (72 percent) stated that they use electronic signatures but did not provide the required audit report. Only 15 participants submitted an audit report.

The IVES Program's notice to participants stated that failure to submit the certification and independent audit report, if using electronic signatures, would result in suspension and potential removal from the program. However, management had not taken these actions as of September 9, 2020. They stated that they are still working with the participants to submit the required certifications and independent audit reports. In addition, management cited their limited staff in the IVES Program to track the receipt of the certifications and audit reports, follow up with participants that did not respond, and review the audit reports for completeness.

Independent audit reports submitted by participants did not address the IVES Program's electronic signature requirements

Our review of the 15 audit reports that IVES Participants submitted to the IRS in response to its March 23, 2020, notification letter identified that 10 (67 percent) of the audit reports did not address all key electronic signature requirements of the IVES Program. Examples of requirements that were not addressed include:

  • Form 4506-T must be made tamper proof to ensure its validity after the electronic signature is collected (six independent audit reports did not address this requirement).

  • All audit logs as well as the transcript requests submitted to the IRS must be retained by the participant for two years (10 independent audit reports did not address this requirement).

In addition, two of the 15 audit reports provided were not prepared by an independent party. To address the insufficient details in the audit reports, IVES Program management plans to provide clear guidance to the IVES Participants regarding the required content of their audit reports. Management also stated that their approach for this year is to notify the participants of any missing items and begin enforcing the requirement to submit a complete and comprehensive independent audit report starting next year. IVES Program management explained that IVES Participants that do not provide an independently prepared audit report will be notified that they will not be allowed to submit electronically signed transcript requests.

The Commissioner, Wage and Investment Division, should:

Recommendation 1: Ensure that sufficient resources are allocated to the IVES Program to timely identify and suspend IVES Participants that do not complete the electronic signature certification and submit the annual independent audit report as required.

Management's Response: The IRS agreed with this recommendation and plans to complete its certifications and determine who is eligible to use e-signatures within the program. IRS management also plans to identify and allocate sufficient resources to timely complete the e-signature certification process, annually, to ensure program compliance.

Recommendation 2: Maintain a current list of all IVES Participants approved to submit electronically signed requests and that are meeting all electronic signature program requirements.

Management's Response: The IRS agreed with this recommendation and plans to maintain a current list of authorized e-signature users. IRS management also plans to review this list on an annual basis to ensure program compliance.

Recommendation 3: Update the transcript request form to include a box indicating whether the form was signed electronically by the taxpayer, or require IVES Participants to submit electronically signed transcript requests in a separate batch from those that are not electronically signed.

Management's Response: The IRS agreed with this recommendation and plans to update Form 4506-C, IVES Request for Transcript of Tax Return, and its instructions to include a clear indication of whether the form was electronically signed.

Recommendation 4: Implement a process to compare electronically signed transcript requests received from IVES Participants to a current list of all IVES Participants allowed to submit electronically signed requests to prevent the processing of any requests submitted by IVES Participants that are not approved to participate in the electronic signature program.

Management's Response: The IRS agreed with this recommendation and plans to update Form 4506-C and its instructions to include a clear indication of whether an electronic signature was used. IRS management also plans to develop a process to systemically validate the electronic signatures against the current list of authorized e-signature users.

Recommendation 5: Provide clear guidance on the content of the annual independent audit report to be submitted by IVES Participants using electronic signatures.

Management's Response: The IRS agreed with this recommendation and plans to issue clear guidance to IVES Participants regarding the requirements of its annual independent audit report for electronic signature usage.

An Online System Is Being Developed to Replace the Current Manual IVES Transcript Request Process

To comply with the requirements in the Taxpayer First Act, Section 2201, the IRS is developing an online system to process IVES Participants' Forms 4506-T. The system will replace the IRS's current partially automated system, which requires employees to manually process transcript requests received from IVES Participants. Under the current system, clerks in the IVES Units receive Forms 4506-T on dedicated fax machines, print and batch the forms, and input information from the forms into the Transcript Delivery System. The transcripts are then systemically delivered to IVES Participants' secure electronic mailboxes. Figure 4 provides the proposed system.

Figure 4: New Online IVES Program Transcript Request Process

Once implemented, this system will eliminate the manual processes that require clerks to print and manually input each form in the Transcript Delivery System. Another significant improvement in the new system is that it will address the Taxpayer First Act requirement on electronic signatures. For example, taxpayers will submit all documents except for their Form 4506-T to their mortgage broker. The mortgage broker will create and send the unsigned Form 4506-T to the IVES Participant that will transmit it to the IRS. The mortgage broker will also notify the taxpayer to log in to their IRS Online Account to electronically sign the Form 4506-T. The IRS will hold the transcript until the taxpayer logs in to his or her account and verifies the Form 4506-T. The IRS will then electronically deliver the tax transcript, via the Transcript Delivery System, to the IVES Participant's secure electronic mailbox.

The Taxpayer First Act requires the IRS to implement this IVES system by January 1, 2023, and the IRS expects to meet this deadline. For example, the IRS has developed a high-level solution concept for the new system detailing the business process flow and system requirements. In October 2020, the IRS began the architecture and engineering design phase of its project development cycle and prepared a high-level system development and implementation schedule. As we previously reported, until this system is in place, the IRS will not have adequate processes to ensure that the legitimate taxpayer signed Form 4506-T to authorize the release of his or her tax transcript.

The cost to develop the online system has not been finalized, and a significant shortfall already exists in the estimated user fees to be collected to cover the development costs

The Taxpayer First Act, Section 2201, authorizes the IRS to charge a separate user fee over a two-year period (CYs 2020 and 2021) to fund the development of the new system. The fee can be charged for any qualified transcript request, i.e., a request used to verify the income or creditworthiness of a taxpayer that is a borrower in the process of a loan application. As previously noted, the IRS is in the early phase of developing its online transcript processing system and has not finalized the cost to develop, deploy, and maintain the system. Once the new system design is finalized, the IRS will produce the final cost estimate. Without knowing the final cost, the IRS cannot accurately calculate a user fee and must rely on estimates.

To establish the user fee amount, the IRS developed a preliminary cost estimate of $75.3 million to develop and deploy the new IVES system. The IRS also analyzed IVES historical transcript request volumes and worked with the IVES Participant Working Group to estimate 12 million Forms 4506-T would be submitted to the IVES Program in FY 2020. Based on these estimates, the IRS increased its transcript request fee from $2 to $5 starting on March 1, 2020. The fee increase was expected to raise $36 million in the first year, which is nearly one-half the $75.3 million estimated cost to develop the new system. However, as of July 31, 2020, the IRS spent more than $9.3 million developing the system and collected approximately $6 million in fees. This amount is well below the estimated fee revenue of $36 million expected for the first year. The significant shortfall is a direct result of the COVID-19 pandemic. For example, the IVES Program was shut down from March 27, 2020, until May 18, 2020, and operated at a reduced capacity until returning to normal operations on July 14, 2020. This disruption significantly reduced transcript request processing volumes and fees collected.

The Taxpayer First Act provides the IRS with two years to collect the additional fees to cover the cost of the new IVES system. When the IRS initially set the increased fee amount, it noted that the fee could be adjusted in the second year (CY 2021), as needed, based on the final cost estimate and actual transcript processing volume in FY 2020. In addition, IVES Program management stated they have monitored the fee collections and held two meetings with the Chief Financial Officer's Office to discuss the lower than projected number of transcript requests. Another meeting is planned in mid-October of CY 2020 to make a final determination on a change to the user fee. Any increased fee amount will be based upon an analysis of the actual transcript processing volumes and updated cost estimate for developing the system.

The Commissioner, Wage and Investment Division, should:

Recommendation 6: Ensure that the project schedule and cost estimate are finalized and the user fee increase amount is adjusted as necessary to cover the development cost.

Management's Response: The IRS agreed with this recommendation and plans to finalize the project schedule and cost estimates, making any adjustments to the user fee as necessary.

Manual Processing of IVES Transcript Requests Resulted in Significant Backlogs When Tax Processing Centers Closed in Response to Coronavirus Disease 2019

Deployment of the previously mentioned online system will also allow the IRS to continue to process IVES transcript requests should the IRS experience another event causing it to cease operations at its Tax Processing Centers. In response to COVID-19 and to protect the health and safety of its employees, the IRS closed its Tax Processing Centers in March and April 2020. To prevent IVES transcript requests from being submitted while the Tax Processing Centers were closed, the IRS turned off all IVES Program fax machines. When the last Tax Processing Center was closed on April 6, 2020, the IRS had approximately 332,000 IVES transcript requests in inventory that needed to be processed.

To address the backlog of Forms 4506-T, IVES Program management implemented an effective recovery plan. This included steadily increasing the number of employees working remotely, i.e., teleworking. Management also worked with the Information Technology organization to create an electronic fax number that accepted Forms 4506-T and placed them in electronic folders that are accessible to employees working remotely. This enabled employees to process the forms from their remote locations.

On May 18, 2020, the IRS announced that it would start accepting new Forms 4506-T but limited IVES Participants to submit only 10 percent of the forms they had on hand. The participants were then directed to submit an incremental increase of their forms until June 24, 2020, when the IRS announced it would accept all Forms 4506-T that the participants had on hand. The IVES Program returned to normal operations on July 14, 2020. While only a small number of IVES Program employees began returning to the Tax Processing Centers on April 27, 2020, the IVES Program had addressed the backlog of transcript requests on hand by May 16, 2020.

Significant backlogs in taxpayer requests for tax returns and transcripts also resulted from closure of Tax Processing Centers and manual processing of these requests

As we previously stated, to protect the health and safety of its employees in response to COVID-19, the IRS closed its Tax Processing Centers. This included ceasing the processing of taxpayer requests for copies of their tax returns or tax return transcripts in its Return and Income Verification Services (RAIVS) Units, which are in the same four Tax Processing Centers as the IVES Program. The closure of the Tax Processing Centers resulted in significant backlogs in the RAIVS Units. For example, when the IRS ceased RAIVS processing on March 24, 2020, it reported that it had approximately 350,000 requests for tax returns and transcripts that needed to be processed. Since reopening the Tax Processing Centers, the RAIVS Units are faced with the ongoing challenge of working through this backlog while receiving an additional 664,000 requests since resuming RAIVS processing on July 20, 2020.

RAIVS Units are responsible for processing written taxpayer requests for copies of tax returns or tax return transcripts. The units provide tax information to taxpayers and/or their authorized representatives, Federal agencies, and other parties when they submit Form 4506-T or Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript. To reduce the volume of these written requests, the IRS encourages taxpayers to use the online Get Transcript application, which is on IRS.gov, or call the IRS. The Get Transcript application is marketed by the IRS on IRS.gov and listed on Form 4506-T. The following information is at the top of Form 4506-T:

You can quickly request transcripts by using our automated self-help service tools. Please visit us at IRS.gov and click on “Get a Tax Transcript . . .” under “Tools” or call 1-800-908-9946.

However, many taxpayers continue submitting written transcript requests to the RAIVS Units. As of September 25, 2020, the IRS estimates that it has nearly 399,000 taxpayer requests that still need to be processed. According to management, the RAIVS Unit in Austin, Texas, is almost back to its normal transcript processing time frame of 10 calendar days, while the remaining three units are processing the requests in about 130 to 140 calendar days. To help shorten this time frame, management authorized employees to work overtime.

When we asked management to explain the reasons for the long time frame for processing the backlog of RAIVS transcript requests, they stated that employees who process IVES requests are the same ones who work RAIVS requests, and management prioritized IVES requests. Management also stated that staffing limitations hinder the ability to address the backlog. For example, management explained that 100 (21 percent) of the 477 employees assigned to process transcript requests are still on weather and safety[10] leave, as of October 2, 2020. These employees neither work in the office nor telework. Thus, the IRS announced on September 17, 2020, that effective October 13, 2020, only employees who provide appropriate medical documentation will be permitted to remain on weather and safety leave.

In addition, management stated that processing the RAIVS transcript requests will be delayed because no additional new hires are expected in CY 2020. As a result, management does not expect to return to its normal processing time frame of 10 calendar days for the transcript requests until early in CY 2021, as new employees are hired. Although taxpayers are advised that it may take the IRS 30 calendar days to provide their transcript and 75 calendar days for a copy of their tax return, the lengthy processing delays increase taxpayer burden and may result in taxpayers not receiving loans or financial aid for which the information is being requested.

Processes Do Not Ensure Taxpayer Consent When IVES Participants Disclose Tax Transcripts to Clients As Required by the Taxpayer First Act

Section 2202 of the Taxpayer First Act limits redisclosures and uses of tax return information without a taxpayer's consent. I.R.C. Section 6103(c) requires the express permission of the taxpayer prior to any disclosure of his or her tax information. Although this requirement was to be put in place by December 28, 2019, the IRS has not revised Form 4506-T to require client information be provided to substantiate a taxpayer's express permission for the IVES Participant to redisclose the tax information to the client. Therefore, the IRS does not require the name of the client, to whom the transcript will ultimately be provided, in cases in which the IVES Participant requests the transcript on behalf of a client. Internal guidelines only require Form 4506-T to include IVES Participant information to process the form signed by the taxpayer. As a result, neither the IRS nor the taxpayer may know the name of the third party, i.e., client, that ultimately receives the tax transcript.

Management's position is that there is no legal requirement for the IRS to request IVES Participants to provide the name of the client that will ultimately receive the taxpayer transcripts

We issued an e-mail alert to the IRS on March 3, 2020, raising our concern that while the Form 4506-T includes a line for third-party information, the client's name is not required on the form and is usually excluded when submitted by IVES Participants on behalf of their clients. Without the client's name on Form 4506-T, the taxpayer only grants consent to the IVES Participant to receive their tax information. Therefore, we recommended that the IRS update the form and internal procedures to require the client's name in cases in which a participant submits Form 4506-T on behalf of a client. The IRS published a new transcript request form in September 2020 for IVES Participants to request tax transcripts. However, this new Form 4506-C still does not require the client's name. Instead, Form 4506-C only requires the name and address of the IVES Participant.

Management stated that Section 2202 in the Taxpayer First Act adds no new legal requirement for the IRS. Moreover, management stated that participants certify that they have additional security requirements for their clients, and the IRS took steps to better protect taxpayer data by moving its e-Services platform behind Secure Access, i.e., multifactor authentication, in CY 2017 and partially masking the taxpayer's Personally Identifiable Information in CY 2018. Finally, management noted that some IVES Participants stated that they are in a highly competitive industry and do not want to disclose their clients' names.

We recommended in our March 2018 report that IVES Participants should identify the client that is requesting the tax transcript to allow the IRS to better prevent unauthorized release of taxpayer information and monitor the specific clients for whom the transcripts are ultimately provided. IVES certification procedures require IVES Participants to maintain a list of clients requesting and receiving IRS tax transcripts on behalf of taxpayers. As such, IVES Participants should already have lists of their clients that the IRS can request. The IRS's receipt of these lists, along with the implementation of a process by which IVES Participants enter the name of their client, could enable the IRS to verify and monitor the specific clients for whom the tax transcript information is ultimately provided. Although the IRS disagreed with our recommendation, the client's name is necessary for both the IRS and the taxpayer to know which third party is ultimately receiving the transcript. Implementing our recommendation would protect taxpayers and safeguard the IVES Program.

Compliance reviews are not conducted to ensure that IVES Participants complete required client certifications to validate the identity of clients that request and receive taxpayer transcripts

As previously noted, the IRS cites not needing client information on the Form 4506-T because IVES Participants certify that they have additional security requirements for their client via a process the IRS refers to as Client Certification. This is where IVES Participants are required to validate the identity of their clients for whom they request transcripts. To ensure that participants properly conduct these client certifications, IVES Program analysts conduct compliance reviews on a sample of participants each year.

Our review identified:

  • For FY 2017, the IVES Program selected a judgmental sample of 70 participants for compliance reviews, which were conducted via correspondence with the participant. A correspondence review includes requiring the participants to provide a response detailing their procedures to 1) verify user identities in the participant's computer system, 2) limit disclosure of taxpayer information, 3) ensure system security, and 4) validate electronic signatures. No in-person compliance reviews were conducted.

  • For FY 2018, the IVES Program judgmentally selected 77 participants for a correspondence review. The participants were approved for the program in FY 2018 and requested a small number of transcripts. The IVES Program also selected 24 participants for an in-person compliance review. These participants were picked for an in-person review because they submitted a significant number of transcript requests. However, the reviews were not completed until late FY 2019.

  • For FY 2019, the IVES Program did not conduct compliance reviews.

Based on the results of the compliance review, the IVES Program Office issues the participant one of the following letters:

  • No Infractions Letter — Participant is notified that no infractions were found.

  • Warning Letter — Minor infraction(s) were found. The most common infractions are insufficient documentation and vague responses to the questionnaire.

  • Removal Letter — Participant is notified that enough infractions were found for removal from the program, or the participant failed to respond to the questionnaire.

Figure 5 summarizes the results of the compliance reviews.

Figure 5: IVES Program Compliance Review Results for FYs 2017 and 2018

| Resulting Action | FY 2017 | FY 2018 |
|---|---|---|
| No Infractions Letter | 43 | 84 |
| Warning Letter | 21 | 11 |
| Removal Letter | 4 | 3 |
| Withdrawals[11] | 2 | 3 |
| Total Reviews | 70 | 101 |

Source: IVES Program Office Compliance Review results.

Our review also identified that IVES Program analysts did not conduct a follow-up review of the 11 participants that were issued a warning letter in FY 2018. The analysts were required to follow up with the participants in FY 2019 to ensure that they improved their process for validating the identity of their clients. Without these follow-ups, the IRS is unaware if the 11 participants made the necessary improvements. IVES Program management attributed the delay in completing the FY 2018 compliance reviews and failure to complete the FY 2019 reviews to a lack of staff and competing priorities. The program has only three analysts.

The IVES Program initiated its compliance reviews in response to our prior audit, in which we recommended the program protect taxpayer information and strengthen authentication standards by validating the quality of client certifications. To complete a client certification, a representative of an IVES Participant's company must sign a document certifying that 1) their company has policies and procedures to validate the identities of the client's officials, 2) the client has sufficient procedures and policies to authenticate the identities of all individuals authorized to submit and retrieve IRS transcripts on behalf of the client, and 3) their company is compliant with additional IVES Program requirements, which include maintaining evidence of verifying the identities of their clients.

Although the IRS cites client certifications by IVES Participants as its justification to not add client information to Form 4506-T, our review found that IVES Program analysts do not always complete compliance reviews to ensure that the participants perform the client certifications. This is significant because participants frequently obtain the tax transcripts from the IRS and provide them to their clients. As we previously reported, IRS management is aware of the risk associated with the unauthorized release of taxpayer information by the IVES Program but continues to not require participants to provide the name of their clients on Form 4506-T.

The Commissioner, Wage and Investment Division, should:

Recommendation 7: Update the transcript request form to include a separate line to identify the client, such as the client's business name, address, and telephone number.

Management's Response: The IRS agreed with this recommendation and plans to update Form 4506-C and its instructions to include a line for client information if a client is requesting a transcript on behalf of an IVES participant. Clients will not be allowed to directly submit transcript requests or receive transcript products from the IVES program per IRS requirements.

Recommendation 8: Update the transcript request form instructions to require identifying information for the client in cases in which the transcript request is submitted by an IVES Participant on behalf of their client that will ultimately receive the taxpayer's transcript.

Management's Response: The IRS agreed with this recommendation and plans to update Form 4506-C and its instructions to include a line for client information if a client is requesting a transcript on behalf of an IVES participant. Clients will not be allowed to directly submit transcript requests or receive transcript products from the IVES program per IRS requirements.

Recommendation 9: Update the cautionary language on the transcript request form to alert the taxpayer to ensure that the information for the business requesting their tax information is shown on the form prior to signing the form.

Management's Response: The IRS agreed with this recommendation and updated the cautionary language on Form 4506-C in September 2020, instructing the taxpayer that third-party information must be completed before signing the form.

Recommendation 10: Allocate sufficient resources to the IVES Program to ensure that compliance reviews of participants are timely and consistently performed each fiscal year.

Management's Response: The IRS agreed with this recommendation and plans to identify and allocate sufficient resources to the IVES Program to timely complete the annual compliance reviews. IRS management also plans to create a report summarizing the results of its compliance reviews after each fiscal year.

Suitability Assessment Checks for IVES Participants Are Not Consistent With the Checks That Other Programs Complete on Their Participants

Our review identified that although the IVES Program poses similar risks to taxpayers as other IRS Programs, i.e., E-File Provider, Acceptance Agent, and Enrolled Agent programs, the suitability checks performed on IVES applicants are not as thorough as the checks performed on the other programs' applicants. For example, the suitability checks for IVES applicants focus on ensuring that the business is legitimate; the business activity warrants participation in the IVES Program; and the business, as well as the key individuals in the business, are tax compliant. Suitability checks are not conducted on the key individuals in the business when they register for e-Services. In comparison, before accepting individuals in other IRS programs, the IRS conducts extensive suitability checks, including:

  • Criminal History. This can involve requiring the applicant to report any felonies committed, researching online court records, obtaining the applicant's fingerprints and forwarding them to the Federal Bureau of Investigation to identify any criminal history, and researching prisoner records to determine if the applicant is incarcerated.

  • Citizenship. This involves researching citizenship information provided by the Social Security Administration to ensure that the applicant is a U.S. citizen or a resident alien lawfully admitted for permanent residence in the United States.

  • Decedent. This involves researching information provided by the Social Security Administration to ensure that the applicant is not deceased.

In addition, the other IRS programs conduct either continuous suitability checks on the individuals in their program or require them to enroll periodically in the program to ensure that they remain suitable.

IVES Program management should implement controls to secure taxpayer data and protect taxpayers' rights, which are two of the top management challenges for the IRS. The limited scope of the one-time suitability checks on IVES Participants and the lack of continuous suitability checks increase the risk of taxpayers becoming victims of identity theft. In Processing Year[12] 2019, the IVES Program processed nearly 14 million tax transcript requests for 4.7 million taxpayers. When we raised this issue to management, they stated that they lack the resources to implement a more comprehensive suitability assessment process.

Suitability checks were not performed on IVES Participants “grandfathered” into the program

IVES management did not conduct suitability checks on 577 IVES Participants prior to accepting them in the IVES Program. These participants were “grandfathered” into the program in February 2016 when management implemented the suitability checks. As a result, no assessment was performed to ensure that the participants are suitable for the IVES Program. As of August 14, 2020, 319 of the 577 participants were still active in the program, and therefore capable of requesting and receiving tax transcripts.

Our analysis of transcript requests processed in Processing Year 2019 identified that 312 of the 577 participants “grandfathered” into the Program requested nearly 11.5 million (82 percent) of the total 14 million transcripts. Providing tax transcripts to IVES Participants that were not checked for suitability poses a significant risk to taxpayers and the IRS. While IVES management agreed with the risks these participants pose, they explained that the limited staff assigned to the IVES Program prohibits completing the suitability checks. We believe that the potential for unscrupulous individuals to obtain taxpayer information necessitates that the program conduct suitability checks on these participants.

The Commissioner, Wage and Investment Division, should:

Recommendation 11: Allocate sufficient resources to the IVES Program to perform suitability checks that are consistent with other IRS programs at the time of enrollment and implement a continuous tax compliance check to ensure that they remain suitable for the program.

Management's Response: The IRS agreed with this recommendation and plans to continue to perform tax compliance checks on the IVES participants and investigate an automated solution for performing continuous tax compliance.

Recommendation 12: Perform suitability assessment checks on the 319 IVES Participants that did not undergo suitability checks prior to acceptance and are still active in the IVES Program.

Management's Response: The IRS agreed with this recommendation and plans to perform suitability checks on the 319 IVES Participants identified in the report.

Transcript Requests Were Processed Erroneously for Taxpayer Accounts That Contained Identity Theft Markers

We identified 8,754 tax transcripts that the IVES Program improperly issued to IVES Participants for 4,726 taxpayers during Processing Year 2019. Internal guidelines state that a transcript should not be provided if the taxpayer's account has an identity theft (IDT) marker. IVES employees use an Integrated Automation Technologies (IAT) tool to process Forms 4506-T. The tool automates research of the taxpayer's account for which the request was submitted and alerts the employee to reject the request if certain IDT markers are on the account. The employee must also send Form 14611, RAIVS/IVES Additional Actions Needed, to the taxpayer's address of record. In addition to IDT markers, other factors are also considered such as the type of transcript requested, e.g., record of account transcript, tax return transcript, wage and income transcript, and the tax year[13] that has the IDT marker.

Our analysis of the 8,754 improperly issued transcripts found the following reasons for the errors:

  • 5,207 (59 percent) improperly issued transcripts occurred because the IAT tool did not identify an IDT marker on the taxpayer's account for a tax year other than the tax year on the Form 4506-T. This resulted from the IAT tool programming not notifying the clerk to reject the transcript request due to the presence of the IDT marker on another tax year.

  • 3,547 (41 percent) improperly issued transcripts occurred because some clerks did not follow procedures to reject requests when the IAT tool reported that an IDT marker is on the taxpayer's account.

On June 10, 2020, we alerted IVES management to our concerns. In response, management noted that they are working with the Identity Protection Office and an IAT Team to correct the tool's programming. To address those transcripts improperly issued as a result of clerk error, management issued an alert to all Tax Processing Centers on June 26, 2020, reminding employees that all tax years requested on Form 4506-T must be researched to ensure that requests are rejected when accounts with an IDT marker are identified.
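The two failure modes described above can be reproduced in a few lines. The following is an added illustration, not the IRS's IAT tool code or TIGTA's analysis code: the data model, function names, and sample records are constructed, and the check is simplified to "any IDT marker on the account rejects the request," ignoring the transcript-type and marker-type factors the report mentions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cause(Enum):
    PROPER = "proper"            # no IDT marker anywhere on the account
    TOOL_GAP = "tool_gap"        # marker only on a tax year the tool did not examine
    CLERK_ERROR = "clerk_error"  # tool would have alerted; transcript issued anyway
    UNRESOLVED = "unresolved"    # account record missing; cannot be cleared


@dataclass
class Account:
    taxpayer_id: str                                   # constructed ID, not a real TIN
    idt_marker_years: set = field(default_factory=set)  # tax years carrying a marker


@dataclass
class IssuedTranscript:
    taxpayer_id: str
    requested_years: tuple   # tax years listed on the request form


def tool_alert_requested_years_only(account, requested_years):
    """Flawed check as described in the report: only the tax years on the
    form are examined, so a marker on any other year raises no alert."""
    return bool(account.idt_marker_years & set(requested_years))


def tool_alert_all_years(account, requested_years):
    """Corrected check in the spirit of Recommendation 13: a marker on any
    tax year of the account raises the alert, whatever was requested."""
    return bool(account.idt_marker_years)


def classify(issued, accounts):
    """Attribute one issued transcript to a root cause."""
    account = accounts.get(issued.taxpayer_id)
    if account is None:
        # Fail closed: an account that cannot be researched is never "proper".
        return Cause.UNRESOLVED
    if not tool_alert_all_years(account, issued.requested_years):
        return Cause.PROPER
    if tool_alert_requested_years_only(account, issued.requested_years):
        return Cause.CLERK_ERROR
    return Cause.TOOL_GAP


def reconcile(issued_log, accounts):
    """Count issued transcripts per cause and collect affected taxpayers."""
    counts = {cause: 0 for cause in Cause}
    affected = set()
    for record in issued_log:
        cause = classify(record, accounts)
        counts[cause] += 1
        if cause in (Cause.TOOL_GAP, Cause.CLERK_ERROR):
            affected.add(record.taxpayer_id)
    return counts, affected


# Constructed sample data for illustration only.
SAMPLE_ACCOUNTS = {
    "T1": Account("T1", {2016}),
    "T2": Account("T2", {2018}),
    "T3": Account("T3"),
    "T4": Account("T4", {2017, 2018}),
}
SAMPLE_ISSUED = [
    IssuedTranscript("T1", (2018,)),        # marker on 2016 only: tool gap
    IssuedTranscript("T1", (2017, 2018)),   # same account, second transcript
    IssuedTranscript("T2", (2018,)),        # marker on requested year: clerk error
    IssuedTranscript("T3", (2018,)),        # clean account: proper
    IssuedTranscript("T4", (2018,)),        # marker on requested year: clerk error
    IssuedTranscript("T9", (2018,)),        # no account record: unresolved
]

if __name__ == "__main__":
    counts, affected = reconcile(SAMPLE_ISSUED, SAMPLE_ACCOUNTS)
    for cause, n in counts.items():
        print(f"{cause.value:12} {n}")
    print("affected taxpayers:", sorted(affected))
```

As in the report's figures, transcripts and taxpayers are counted separately: one account can account for more than one improperly issued transcript.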

The Commissioner, Wage and Investment Division, should:

Recommendation 13: Ensure that the IAT tool programming is corrected to identify all IDT markers on taxpayers' accounts to alert the IVES Program employee to reject the transcript request.

Management's Response: The IRS agreed with this recommendation and has updated the research instructions contained in the Internal Revenue Manual in August 2020 to clarify the intended programming of the IAT tool.

Recommendation 14: Develop processes and procedures to ensure that clerks are rejecting transcript requests for accounts identified with an IDT marker.

Management's Response: The IRS agreed with this recommendation and plans to evaluate processes and procedures to ensure that transcript requests for accounts identified with an IDT marker will be properly rejected.

Internal Guidelines Must Be Updated With Key IVES Program Processes and Procedures

Our review of IVES Program internal guidelines identified a number of key processes and procedures that are not documented. The guidelines should include:

  • The completion of suitability checks on program applicants by IVES analysts and the processing of client certifications prior to acceptance of applicants to the IVES Program.

  • The compliance review process performed by IVES analysts to ensure that IVES Participants comply with the client certification requirements, including how often compliance reviews should be conducted, the scope of the reviews, the method for selecting participants for a review, and actions that analysts should take when a participant violates IVES Program requirements.

  • The administration of the electronic signature program including the requirement for participants to submit the annual independent audit report on their electronic signature process, and the procedures IVES analysts should take for participants that do not meet the electronic signature requirements or do not submit the required independent audit report of their electronic signature process.

  • The processes to identify and remove inactive IVES Participants from the program and to reinstate participants who seek to rejoin the program.

When we discussed the incomplete internal guidelines with IVES management, they stated that the procedures are documented in Standard Operating Procedures, which are located on their SharePoint site for use by IVES staff. However, these procedures should be documented in the Internal Revenue Manual, which provides a single, authoritative compilation of the policies and procedures affecting IRS work.

The Commissioner, Wage and Investment Division, should:

Recommendation 15: Ensure that IVES Program internal guidelines are updated in the Internal Revenue Manual to include key processes and procedures.

Management's Response: The IRS agreed with this recommendation and plans to identify and update any key processes and procedures that need to be included in the Internal Revenue Manual.


Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to evaluate IRS controls to validate transcript requests and implement Taxpayer First Act sections for the IVES Program. To accomplish our objective, we:

  • Determined if the IRS implemented effective controls to validate transcript requests received from IVES Participants.

    • Evaluated implementation of multifactor authentication and use of a secure mailbox to prevent cybercriminals from accessing taxpayer information.

    • Determined if taxpayer Personally Identifiable Information was properly redacted from transcripts provided to IVES Participants to prevent fraudulent filing of taxpayer returns.

    • Evaluated the effectiveness of the client certification program to ensure that IVES Participants verify and validate the identity of their clients.

    • Evaluated the effectiveness of the IVES Participant compliance review program to ensure that IVES Participants complied with all client certification requirements.

    • Evaluated the effectiveness of the electronic signature procedures used by the IVES Program, which included the independent audit requirement to ensure that the taxpayer actually signed the transcript requests.

    • Evaluated the effectiveness of the checks performed on IVES Participants to ensure their suitability to participate in the program.

    • Evaluated the effectiveness of the IAT tool[14] used by IVES employees to prevent the processing of transcript requests for taxpayers with IDT indicators on their accounts.

  • Evaluated the IRS's progress on implementing Taxpayer First Act Sections 2201, 2202, 2302, and 2304 related to the IVES Program.

  • Evaluated the IRS's efforts to mitigate the impact of the suspension of transcript request processing due to IVES site closures and staffing shortages due to COVID-19.

Performance of This Review

This review was performed at the IRS's Tax Processing Centers in Fresno, California; Kansas City, Missouri; Austin, Texas; and Ogden, Utah, during the period January through October 2020. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Major contributors to the report were Russell Martin, Assistant Inspector General for Audit (Returns Processing and Account Services); Allen Gray, Director; Van Warmke, Audit Manager; Erica Law, Lead Auditor; Taylor McDonald, Senior Auditor; and Mark Willoughby, Senior Auditor.

Validity and Reliability of Data From Computer-Based Systems

During this review, we relied on data from the Transcript Delivery System and the Individual Master File stored on the TIGTA Data Center Warehouse.[15] To assess the reliability of the computer-processed data, we reviewed the data for obvious errors in accuracy and completeness. We also relied on data extracted from the External Services Authorization Management web application that were provided by the IRS. In addition, we selected random samples from each extract and verified that the data in the extracts were the same as the data captured in the IRS's Integrated Data Retrieval System. Based on the results of our testing, we determined that the data were valid and reliable for the purposes of this audit.

Internal Controls Methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: IVES Program processes and procedures for performing suitability checks on IVES Program applicants, conducting client certifications and compliance reviews, implementing the electronic signature program requirements, processing tax transcript request forms, and implementing Taxpayer First Act sections related to the IVES Program. We evaluated these controls by reviewing the IRS's Internal Revenue Manual and other desk guides containing IVES Program policies and procedures, interviewing IVES Program Office management and staff, and evaluating applicable management information reports and other key documentation related to the implementation of IVES Program-related sections of the Taxpayer First Act.


Appendix II

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

  • Taxpayer Privacy and Security — Potential; 4,726 taxpayers with IDT markers16 on their accounts that had transcripts improperly issued by the IRS in Processing Year 2019 (see Recommendations 13 and 14).

Methodology Used to Measure the Reported Benefit:

We analyzed the tax accounts for the 4,571,845 individual taxpayers that had IVES transcript requests processed in Processing Year 2019. We applied the same Internal Revenue Manual criteria for rejecting specific types of transcript requests when certain IDT markers are present on the taxpayers' accounts. Our analysis identified 8,754 transcripts improperly issued for 4,726 taxpayers because the taxpayer's account had an IDT marker that should have prevented issuance of the transcript. Further analysis of the 8,754 improperly issued transcripts found that 5,207 (59 percent) occurred because the IAT tool used by IRS employees when processing IVES requests does not identify IDT indicators present on tax years other than the tax year(s) listed on Form 4506-T. The remaining 3,547 (41 percent) improperly issued transcripts occurred because some employees do not follow procedures to reject requests when the IAT tool reports that an IDT marker is on the taxpayer's account.
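The two causes described above can be told apart by re-checking each issued request twice: once limited to the tax years on the form, and once across the whole account. The Python sketch below is an added example, not code from the IRS or TIGTA. The record layout, function names and sample accounts are constructed, and it simplifies the Internal Revenue Manual criteria to "any IDT marker on any tax year rejects the request".

```python
from collections import Counter
from dataclasses import dataclass

# IDT indicator as defined in the report's footnotes: Transaction Code 971
# with one of these action codes.
IDT_TRANSACTION_CODE = "971"
IDT_ACTION_CODES = frozenset({"501", "506", "522", "524", "525"})


@dataclass(frozen=True)
class Transaction:  # hypothetical record layout, not an IRS format
    tax_year: int
    transaction_code: str
    action_code: str = ""


def idt_years(account, only_years=None):
    """Tax years carrying an IDT marker, optionally limited to only_years."""
    return sorted({
        t.tax_year for t in account
        if t.transaction_code == IDT_TRANSACTION_CODE
        and t.action_code in IDT_ACTION_CODES
        and (only_years is None or t.tax_year in only_years)
    })


def decide(account, requested_years, account_wide=True):
    """Return ('REJECT', marker_years) or ('ISSUE', [])."""
    scope = None if account_wide else set(requested_years)
    years = idt_years(account, scope)
    return ("REJECT", years) if years else ("ISSUE", [])


def classify_issued(issued_requests, accounts):
    """Re-check requests that were issued and attribute each improper one to a cause."""
    causes = Counter()
    for taxpayer_id, requested_years in issued_requests:
        account = accounts[taxpayer_id]
        if decide(account, requested_years)[0] == "ISSUE":
            causes["properly_issued"] += 1
        elif decide(account, requested_years, account_wide=False)[0] == "REJECT":
            # Marker sits on a requested year, so a year-scoped tool would have flagged it.
            causes["flag_not_acted_on"] += 1
        else:
            # Marker exists only on a tax year that is not listed on the form.
            causes["missed_by_year_scoped_check"] += 1
    return dict(causes)


# Constructed sample data (taxpayer ids and transactions are invented).
ACCOUNTS = {
    "TP-A": [Transaction(2016, "971", "522"), Transaction(2018, "150")],
    "TP-B": [Transaction(2018, "971", "501")],
    "TP-C": [Transaction(2017, "971", "000"), Transaction(2018, "150")],
}
ISSUED = [("TP-A", [2018]), ("TP-B", [2018]), ("TP-C", [2017, 2018])]

if __name__ == "__main__":
    for tp, years in ISSUED:
        print(tp, decide(ACCOUNTS[tp], years, account_wide=False), decide(ACCOUNTS[tp], years))
    print(classify_issued(ISSUED, ACCOUNTS))
```
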


Appendix III

Management's Response to the Draft Report

January 25, 2021

MEMORANDUM FOR
MICHAEL E MCKENNEY
DEPUTY INSPECTOR GENERAL FOR AUDIT

FROM:
Kenneth C. Corbin
Commissioner, Wage and Investment Division

SUBJECT:
Draft Audit Report — Additional Security Processes Are Needed to Prevent Unauthorized Release of Tax Information Through the Income Verification Express Service Program
(Audit #202040511)

Thank you for the opportunity to review and comment on the subject draft report. We appreciate your evaluation of the controls and processes for the Income Verification Express Services (IVES) program and your recommendations. The IVES program was primarily created to service the lending industry and plays a critical role in providing income verification for various loan applications, namely home mortgages. Users within the IVES community represent a variety of financial institutions, professional firms, governmental agencies and other small business entities which requested more than 14 million transcripts for taxpayers in 2019.

As the report acknowledges, the IRS faces the challenge of limited resources and the impact it has on program staffing. To meet this challenge, we have taken actions to improve our controls and processes. We have strengthened our security requirements to further protect taxpayer information. In December 2016, we implemented additional steps all IVES participants are required to follow such as: more robust identity proofing of customers, mandating acceptable security protocols for transcript delivery and retention, and increasing awareness of program requirements. Subsequently, we developed compliance reviews to ensure these additional steps were implemented appropriately. As discussed during the audit, we will dedicate resources to conduct our reviews on an annual basis. Additionally, all IVES participants validated their identities using a rigorous two-factor authentication process called Secure Access. Secure Access is an important step in protecting against the growing threat of cybercriminals and the unauthorized access of taxpayer data. As part of a broader effort across all transcript delivery channels and products, the IRS implemented new transcript products to mask personally identifiable information.

To meet the requirements of Section 2201 of the Taxpayer First Act1, we are modernizing the IVES program to deliver transcript requests in real time through the Internet, with enhanced safeguards to accommodate a fully automated process that meets customer needs. Automating the manual aspects of our program will eliminate processing errors and permit resources to be redirected elsewhere. Implementation of these program updates is expected to be completed by 2023.

Attached is a detailed response with our planned corrective actions to your recommendations. If you have any questions, please contact me, or a member of your staff may contact Dietra Grant, Director, Customer Account Services, Wage and Investment Division, at 470-639-3504.

Attachment


Attachment

Recommendations

The Commissioner, Wage and Investment Division, should:

RECOMMENDATION 1

Ensure that sufficient resources are allocated to the IVES Program to timely identify and suspend IVES Participants that do not complete the electronic signature certification and submit the annual independent audit report as required.

CORRECTIVE ACTION

We will complete our certifications and determine who is eligible to use e-signatures within the program. Sufficient resources will be identified and allocated to timely complete the e-signature certification process, annually, to ensure program compliance.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 2

Maintain a current list of all IVES Participants approved to submit electronically signed requests and that are meeting all electronic signature program requirements.

CORRECTIVE ACTION

A current listing of authorized e-signature users will be maintained and reviewed on an annual basis to ensure program compliance.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 3

Update the transcript request form to include a box indicating whether the form was signed electronically by the taxpayer, or require IVES Participants to submit electronically signed transcript requests in a separate batch from those that are not electronically signed.

CORRECTIVE ACTION

Form 4506-C, Request for Transcript of Tax Return, and its instructions will be updated to include a clear indication of whether it was electrically signed.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 4

Implement a process to compare electronically signed transcript requests received from IVES Participants to a current list of all IVES Participants allowed to submit electronically signed requests to prevent the processing of any requests submitted by IVES Participants that are not approved to participate in the electronic signature program.

CORRECTIVE ACTION

We will identify and develop a process to validate the use of electronic signatures received on requests against authorized e-signature users. More specifically, Form 4506-C and its instructions will be updated to provide a clear indication that an electronic signature was used, and it will be validated systemically against the current listing of authorized e-signature users. We expect the requisite programming for this work to be completed by January 1, 2023; however, it is subject to limited resources and competing priorities. Consequently, we cannot provide an implementation date.

IMPLEMENTATION DATE

N/A

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 5

Provide clear guidance on the content of the annual independent audit report to be submitted by IVES Participants using electronic signatures.

CORRECTIVE ACTION

Clear guidance will be issued to IVES participants to articulate the requirements of our annual independent audit report for electronic signature usage.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 6

Ensure that the project schedule and cost estimate are finalized and the user fee increase amount is adjusted as necessary to cover the development cost.

CORRECTIVE ACTION

We will finalize the project schedule and costing estimates, making any adjustments to the user fee as necessary.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 7

Update the transcript request form to include a separate line to identify the client, such as the client's business name, address, and telephone number.

CORRECTIVE ACTION

Form 4506-C and its instructions will be updated to include a line for client information if a client is requesting a transcript on behalf of an IVES participant. Clients will not be allowed to directly submit transcript requests or receive transcript products from the IVES program per our requirements.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 8

Update the transcript request form instructions to require identifying information for the client in cases in which the transcript request is submitted by an IVES Participant on behalf of their client that will ultimately receive the taxpayer's transcript.

CORRECTIVE ACTION

Form 4506-C and its instructions will be updated to include a line for client information if a client is requesting a transcript on behalf of an IVES participant. Clients will not be allowed to directly submit transcript requests or receive transcript products from the IVES program per our requirements.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 9

Update the cautionary language on the transcript request form to alert the taxpayer to ensure that the information for the business requesting their tax information is shown on the form prior to signing the form.

CORRECTIVE ACTION

Cautionary language was updated in September 2020 for Form 4506-C, instructing the taxpayer that third party information must be completed before signing.

IMPLEMENTATION DATE

Implemented

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 10

Allocate sufficient resources to the IVES Program to ensure that compliance reviews of participants are timely and consistently performed each fiscal year.

CORRECTIVE ACTION

We will ensure sufficient resources will be identified and allocated to the IVES Program to timely complete the annual compliance reviews. A report summarizing the results of our compliance reviews will be created after each fiscal year.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 11

Allocate sufficient resources to the IVES Program to perform suitability checks that are consistent with other IRS programs at the time of enrollment and implement a continuous tax compliance check to ensure that they remain suitable for the program.

CORRECTIVE ACTION

We will continue to perform tax compliance checks on our IVES participants and investigate an automated solution for performing continuous tax compliance. We expect the requisite programming of this work to be completed by January 1, 2022; however, it is subject to limited resources and competing priorities. Consequently, we cannot provide an implementation date.

IMPLEMENTATION DATE

N/A

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 12

Perform suitability assessment checks on the 319 IVES Participants that did not undergo suitability checks prior to acceptance and are still active in the IVES Program.

CORRECTIVE ACTION

We will perform suitability checks on the 319 IVES Participants identified in the report.

IMPLEMENTATION DATE

October 15, 2022

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 13

Ensure that the IAT tool programming is corrected to identify all IDT markers on taxpayers' accounts to alert the IVES Program employee to reject the transcript request.

CORRECTIVE ACTION

We updated the research instructions contained in Internal Revenue Manual (IRM) 3.5.20, Processing Requests for Tax Return/Return Information, to clarify the intended programming of the Integrated Automation Technologies tool in August 2020.

IMPLEMENTATION DATE

Implemented

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 14

Develop processes and procedures to ensure that clerks are rejecting transcript requests for accounts identified with an IDT marker.

CORRECTIVE ACTION

Processes and procedures will be evaluated to ensure transcript requests for accounts identified with an identity theft marker will be properly rejected.

IMPLEMENTATION DATE

October 15, 2021

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.

RECOMMENDATION 15

Ensure that IVES Program internal guidelines are updated in the Internal Revenue Manual to include key processes and procedures.

CORRECTIVE ACTION

We will identify and update any key processes and procedures that need to be included in the IRM.

IMPLEMENTATION DATE

January 15, 2022

RESPONSIBLE OFFICIAL

Director, Submission Processing, Customer Account Services, Wage and Investment Division

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal management control system.


Appendix IV

Abbreviations

COVID-19

Coronavirus Disease 2019

CY

Calendar Year

FY

Fiscal Year

IAT

Integrated Automation Technologies

IDT

Identity Theft

I.R.C.

Internal Revenue Code

IRS

Internal Revenue Service

IVES

Income Verification Express Service

RAIVS

Return and Income Verification Service

TIGTA

Treasury Inspector General for Tax Administration

FOOTNOTES

1Pub. L. 116-025.

2An IRS office with employees who answer questions, provide assistance, and resolve account-related issues for taxpayers face to face.

3Applicants can also complete identity verification by receiving a letter in the mail to their verified address, instead of providing a mobile phone number.

4A unique nine-digit number used to identify a taxpayer's business account.

5Treasury Inspector General for Tax Administration, Ref. No. 2018-40-014, Transcript Delivery System Authentication and Authorization Processes Do Not Adequately Protect Against Unauthorized Release of Tax Information (Mar. 2018).

6On March 1, 2020, the user fee for transcript requests to verify income for bank loans increased to $5 for a period not to exceed two years. The increase is to cover the cost of developing a fully automated transcript system.

7The IVES Participant Working Group includes representatives from both the IRS and the IVES Participant community to provide an organized forum to discuss relevant IVES issues.

8IRA is the abbreviation for Individual Retirement Account.

9Pub. L. 116-025.

10Leave that is permitted when weather or other safety-related conditions prevent employees from safely traveling or safely performing work at an approved location, such as the official duty station or telework location.

11IVES Participants that voluntarily withdrew from the program after receiving compliance review letters.

12The calendar year in which the tax return or document is processed by the IRS.

13The 12-month accounting period for keeping records on income and expenses used as the basis for calculating the annual taxes due. For most individual taxpayers, the tax year is synonymous with calendar year.

14The IAT tool researches the Integrated Data Retrieval System and displays current or pending addresses for the taxpayer and/or spouse. The tool also researches for IDT indicators present on the account and determines when transcripts can be sent. The Integrated Data Retrieval System is the IRS computer system capable of retrieving or updating stored information. It works in conjunction with a taxpayer's account records.

15A TIGTA repository of IRS data.

16The IDT indicators are Transaction Code 971 with one of the following action codes: 501, 506, 522, 524, or 525.

1Pub. L. 116-025.

END FOOTNOTES
