An audit into how the Internal Revenue Service responded to a 2015 security breach has found the agency hasn’t taken sufficient steps to ensure that such a breach doesn’t happen again.

The security breach was identified in May 2015, involving the IRS’s online tool that issues Identity Protection Personal Identification Numbers (IP PINs). These six-digit numbers are assigned to taxpayers, allowing their tax returns or refunds to be processed without delay and helps prevent the misuse of their Social Security Numbers on fraudulent federal tax returns.

The Treasury Inspector General for Tax Administration had recommended repeatedly that the IRS deactivate the IP PIN online application until stronger methods of online user authentication could be put in place.

TIGTA’s audit found that, instead of deactivating the IP PIN application, the IRS implemented its own risk mitigation processes, leaving the application in place and active. TIGTA reports it made repeated requests that the application be shut down, and advised the IRS that its risk mitigation processes weren’t always working as intended.

The Audit

TIGTA’s audit looked at more than 32,000 tax returns filed between Jan. 19 and May 24 in 2016. All the returns carried an IP PIN that was obtained online and should have been reviewed by an IRS employee. However, the audit found that nearly 37 percent – more than 12,000 returns – were not manually reviewed as required.

IP PINS, once granted, are to be generated for each affected taxpayer automatically each tax season. The report found that’s not always the case.

“TIGTA also identified that taxpayer accounts were not always consistently updated to ensure that IP PINs were generated for taxpayers as required,” the report states.  “The IRS did not generate an IP PIN for approximately 2 million taxpayers for whom the IRS resolved an identity theft case confirming the taxpayer was a victim.”

In addition, auditors found that the IP PIN notice mailed to taxpayers continues to contain inaccurate information. Nearly 3 million IP PIN notices were mailed out for processing in 2016 that wrongly instructed taxpayers not to use their IP PIN if they are claimed as a dependent on a tax return.

The IRS agreed with the audit’s recommendations to complete an authentication risk assessment after any future security breaches of an online application; develop consistent procedures for adding identity theft markers that create an IP PIN; ensure accurate information is provided to taxpayers in IRS notices; and to devise an outreach strategy to increase taxpayer awareness of the IRS’ Opt-In Program.

The Opt-In Program was designed to focus on taxpayers in locations with the highest rate of identity theft and offer them the opportunity to get an IP PIN before they actually become a victim of identity theft. The IRS differed with TIGTA’s recommendation to identify taxpayers in the high-risk locations.

Nevertheless, J. Russel George, the Treasury Inspector General for Tax Administration, views the IRS overall response as positive.

“As identity theft continues to represent one of the most serious ongoing threats to the Federal system of tax administration, the IRS must do everything in its power to aid victims of this crime,” George said.  “I am pleased that the IRS has agreed with TIGTA’s concerns and has developed a plan to implement our recommendations,” he added.