The decision to make Direct File a permanent program comes after a pilot this year that allowed taxpayers in 12 states to electronically file their federal returns directly with the agency at no cost.

IRS Commissioner Danny Werfel said in a statement that taxpayers this filing season delivered a “clear message” to the agency in wanting “one no-cost option for filing electronically.”

“Giving taxpayers additional options strengthens the tax filing system,” Werfel said. “And adding Direct File to the menu of filing options fits squarely into our effort to make taxes as easy as possible for Americans, including saving time and money.”

More than 140,000 taxpayers — in Arizona, California, Florida, Massachusetts, Nevada, New Hampshire, New York, South Dakota, Tennessee, Texas, Washington and Wyoming — used Direct File in 2024, according to the agency, receiving more than $90 million in refunds and reporting $35 million in balances due.

The IRS said in a Direct File 2024 post-mortem last month that there was “steadily increasing interest” in the program, though Werfel had to “consult a wide variety of stakeholders” before rendering a decision on its future. 

Now that Treasury Secretary Janet Yellen has accepted Werfel’s recommendation that Direct File continue indefinitely, the agency said it is “examining options to broaden” the system’s availability across the country, “including covering more tax situations and inviting all states to partner with Direct File next year.”

There will be “no limit” on the number of participating states in 2025, the IRS noted, and going forward, Direct File will expand “to support most common tax situations, with a particular focus on those situations that impact working families.”

Werfel said Direct File’s user experience, both within the product and in state-wide systems integrations, “will continue to be the foundation” for the program. 

“Accuracy and comprehensive tax credit uptake will be paramount concerns to ensure taxpayers file a correct return and get the refund they’re entitled to,” he said. “And our North Star will be improving the experience of tax filing itself and helping taxpayers meet their obligations as easily and quickly as possible.”

Though the agency touted positive user feedback in the weeks after the conclusion of the 2024 filing season, Direct File wasn’t without its critics. A Government Accountability Office report last month found that estimated start-up costs for the program were incomplete and “a comprehensive accounting” was needed if the pilot were to be continued and expanded. 

“A review by the Treasury Inspector General for Tax Administration found that IRS had no documentation to support the underlying data, analysis, or assumptions used for Direct File cost estimates. We found this as well,” the GAO wrote. “Without collecting the information needed during the 2024 pilot to inform a comprehensive assessment of the costs associated with Direct File and its benefits, IRS risks making longer-term decisions without full information.”

The highly lucrative tax preparation industry has also been exceedingly critical of Direct File, calling the program “a solution in search of a problem” given other no-cost filing options. 

Those companies have sought to draw a contrast between the 140,000-plus Direct File pilot users and the millions that use their services each year. Derrick Plummer, an Intuit spokesperson, said in a statement to FedScoop that the company’s TurboTax program “has filed millions of completely free tax returns annually and has provided more than 124 million free tax returns over the past decade.”

Shortly after the Direct File announcement, Werfel made another move Thursday to bolster its taxpayer experience, naming Fumi Tamaki its chief taxpayer experience officer. Previously an adviser in the IRS Transformation and Strategy Office focused on “enterprisewide taxpayer journey improvement initiatives,” per an IRS announcement, Tamaki will now set the agency’s vision for continuously improving the taxpayer experience as part of the IRS’s larger digital transformation.

“This is a critical time for IRS, and I am excited to continue working with IRS leaders and our external partners in this role,” Tamaki said in a statement. “The Taxpayer Experience Office team and IRS have made tremendous strides in improving the taxpayer experience. I am committed to build on this work to deliver the experience that taxpayers expect and deserve.”

Billy Mitchell contributed to this article.

This story was updated May 30, 2024 with comments from an Intuit spokesperson.

The post IRS makes Direct File permanent, with plans for expansion appeared first on FedScoop.

In the report published Monday, the GAO announced that, along with the Treasury Inspector General for Tax Administration, it has concerns about the security of taxpayer data. The found weaknesses include a lack of maintenance for systems designed to protect taxpayer information, underperformed training from contractors and safeguards for transferring taxpayer information.

“IRS relies on several outdated information systems, and hasn’t yet completed an inventory of all the systems that contain sensitive taxpayer data,” Jennifer Franks, GAO director of information technology and cybersecurity, said in a released video. “In addition to the cybersecurity concerns we found, there may be some taxpayer data in IT systems that the IRS hasn’t even accounted for.”

The IRS was found to have set an agencywide goal for employees to complete training on protecting taxpayer information, which was reported to be met at 97%. The contractors who contribute to the service’s goals, however, were not given a goal to reach and were “well below employee completion rates” at less than 75%. 

“IRS employees and contractors are supposed to complete several related training courses on cybersecurity information safeguards and more,” Jessica Lucas-Judy, GAO director of strategic issues, said in the video.

The review found other weaknesses, specifically those involving information systems, contractor oversight, information sharing, etc. The report also said that the IRS does not employ overall oversight efforts related to unauthorized access of contractors, even though multiple IRS offices oversee said contractors. 

Specifically, the IRS does not currently have any guidance that requires a risk assessment to be performed before taxpayer information is transferred to contractors. 

“Until IRS remediates these weaknesses, it will have limited assurance that taxpayer information is protected appropriately,” the report states. 

GAO found that the IRS was limited in monitoring unauthorized access because the service omitted seven tax processing systems from its inventory as of Dec. 2022. The agency requires an inventory of these systems to be maintained since they “store taxpayer information and mitigate weaknesses that lead to a higher risk of unauthorized disclosure of federal tax information.”

Due to these findings, the office issued 16 new recommendations, with one for Congress to consider. Of the new recommendations, the IRS disagreed with one. 

The report notes that “IRS disagreed with the recommendation to implement processes to determine when to delete taxpayer information in (Compliance Data Warehouse).” Instead, the IRS requested that the recommendation be revised to say “delete or archive” to match the other report wording. The GAO determined that the wording will remain how it was drafted. 

The GAO’s recommendations are comprehensive to cover the five National Institute of Standards and Technology cybersecurity core functions related to the “life cycle management of cybersecurity risk.” The reported recommendations are mostly related to the “protect” function. 

The post Taxpayer information is potentially at risk due to IRS oversight weaknesses, watchdog says appeared first on FedScoop.

In a report published Monday, the watchdog said it believes the IRS could continue to implement this recommendation without the need for additional statutory authority.

The watchdog disagreed with a prior assessment by agency officials, reiterated in February, that establishing security requirements for the IT systems of paid preparers and others who file returns electronically would require additional statutory authority, and that it would be inefficient.

It said: “To fully implement this recommendation, IRS needs to develop a structure to coordinate across seven different offices working on information security-related activities, such as updating existing standards, monitoring authorized e-file provider program compliance, and tracking security incident reports. Without this structure, it is unclear how IRS can respond to changing security threats and ensure threats are mitigated.”

The audit is the latest in a line of watchdog recommendations for improving cybersecurity at the agency. In February, the GAO called on the IRS to improve its IT modernization processes, with a particular focus on measuring progress with moving systems to the cloud more closely.

This came after the Treasury Inspector General for Tax Administration in September called on the agency to improve the scope of its insider threat monitoring capabilities. In a report, that watchdog said the IRS CIO should work to ensure the agency’s insider threat team has access to all necessary information to carry out its work.

The post IRS must improve oversight of third-party cybersecurity, watchdog says appeared first on FedScoop.

An annual assessment of the IRS‘s IT program found the agency needed to boost its abilities to detect cyber events through continuous monitoring and keep track of its hardware and software.

The American Rescue Plan (ARP) Act passed in March gave the IRS an additional $1 billion in funding, including provisions to modernize legacy systems. But conservative political groups have opposed further efforts to increase the tax collection agency’s budget, reported The Washington Post.

“The reliance on legacy systems and aged hardware and software, and its use of outdated programming languages, pose significant risks to the IRS’s ability to deliver its mission,” reads the inspector general’s report released Tuesday. “Modernizing the IRS’s computer systems has been a persistent challenge for many years and will likely remain a challenge for the foreseeable future.”

IT weaknesses could limit the IRS’s ability to collect the $4.1 trillion in taxes and process the $1.1 trillion in refunds and outlays it handled in fiscal 2021, as well as fairly enforce tax law, according to TIGTA.

After receiving additional funding, the IRS released an ARP Modernization document in June detailing initiatives for tech innovation and faster rollout of capabilities. The plan would accelerate Phase 2 of the IRS Integrated Modernization Business Plan.

But the agency continues to struggle with maintaining a comprehensive inventory of information systems, TIGTA said, and it hasn’t completed Phase 1 of the federal Continuous Diagnostics and Mitigation program, which involves implementing a scanning tool for identifying unnecessary hardware and software.

TIGTA found most laptops and desktops the IRS provides employees are sanitized prior to disposal, but the process to verify that is ineffective.

The IRS implemented most baseline security controls for its Get My Payment application, but the use of weak cryptographic ciphers could allow an attacker to compromise the system, according to the report. And the agency has the tools needed to detect vulnerabilities in the app but failed to readily remediate 17 critical and 169 high-risk vulnerabilities within the mandated 90 days.

Other IRS success include the agency creating a roadmap for finding encryption solutions for the systems it’s developing, deploying Release 1 of its Enterprise Case Management solution and defining the role and responsibilities of its chief information officer.

“However, the chief information officer is not notified of all significant information technology acquisitions,” reads the report. “Problems were also reported with the IRS’s information technology acquisitions, asset management, human capital, project management, risk management, implementation of corrective actions, modernizing operations, and the coronavirus disease 2019 response.”

The post IRS cyber deficiencies leave taxpayer data at risk, IG report says appeared first on FedScoop.

The Treasury Inspector General for Tax Administration agreed to a Sept. 24 request from Sens. Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., to review the IRS‘s warrantless use of the Venntel database between 2017 and 2018, in a letter first obtained by Motherboard.

While this isn’t the first instance of federal law enforcement seeking access to citizens’ phone location data, it is for the nation’s tax collector, which has recently come under fire for targeting poorer Americans with audits.

“We are going to conduct a review of this matter, and we are in the process of contacting the CI division about this review,” reads Inspector General J. Russell George’s Sept. 30 letter to the senators. “Upon completion, to the extent allowable under the law, we will advise you of the results.”

At issue is the IRS’s lack of any court order when using the Venntel database, a violation of the 2018 Supreme Court ruling in Carpenter v. the United States that collecting significant quantities of historical phone location data constitutes a search requiring a warrant.

The IRS ignored “multiple follow-up requests” for documentation of the legal analysis of the situation, following the revelation by IRS officials on a June oversight call. Wyden and Warren requested that the analysis be examined to see if an “obvious violation” of privacy rights was approved but also that IRS-CI use of other databases containing citizens’ information be investigated.

“The IRS is not above the law and the agency’s lawyers should never provide IRS-CI investigators with permission to bypass the courts and engage in warrantless surveillance of Americans,” reads the senators’ earlier request.

The post IRS under investigation for use of citizens’ phone location data appeared first on FedScoop.

The Treasury Inspector General for Tax Administration detailed in a Nov. 14 report how the IRS’s Return Integrity and Compliance Services (RICS) organization — which oversees efforts to assist tax preparers in identifying and mitigating data breaches on their networks to prevent identity theft — didn’t record and monitor some 89 external data breaches reported to it in 2017.

The 89 incidents represent 17 percent of the breaches identified in the report, but they potentially affect the information of thousands of taxpayers.

The RICS organization provides email addresses for tax preparers and payroll service providers to alert the IRS when they have experienced a data breach that has exposed a taxpayer’s personally identifiable information or if the preparers are receiving potential phishing emails.

If a breach occurs, the IRS stakeholder liaison then coordinates with the tax preparers or payroll providers who have been breached to gather information about those affected — such as names, Social Security Numbers and Employer Identification Numbers for breaches impacting business taxpayers.

The stakeholder liaison then feeds the information to the RICS organization, which monitors it against possible fraudulent returns and other criminal activity through its Incident Management Tracker Matrix data system.

RICS then assigns a risk assessment score based on what taxpayer information has been compromised, including Taxpayer Identification Numbers (TINs), in conjunction with the PII exposed.

But the report found that 89 of the 527 reported breaches analyzed were not recorded or monitored by RICS analysts. The TIGTA report notes in the case of 70 of the breaches, analysts didn’t request a list of the TINs stolen and didn’t note whether they were able to obtain the numbers or not.

RICS analysts failed to record 15 of the breaches at all, leaving more than 11,000 affected Social Security Numbers off the agency’s Ultra High Dynamic Selection List, which allows affected taxpayers to authenticate their tax returns.

In the remaining four breaches, tax preparers denied RICS analysts a list of the affected TINs. However, the report says that the analysts failed to note that they were unable to secure the numbers or whether they tried to obtain them from taxpayer files.

In the report, TIGTA said the breaches were largely overlooked because the system used to track them didn’t include the functionality needed to note when TINs weren’t provided or whether analysts were unable to discover them, despite the IRS having policy procedures for both situations.

“The omission of the 89 data breaches from the Incident Management Tracker Matrix occurred primarily because RICS organization management did not establish a reconciliation process to ensure that analysts record all data breaches received,” the report said. “In addition, management does not have a process to monitor the receipt of a TIN list or to ensure that when this list is not received RICS analysts attempt to create a list.”

The report also found 105 breaches where RICS analysts failed to add TINs to the Dynamic Selection List. TIGTA officials said that RICS analysts may have left more than 28,000 TINs involved in breaches off the DSL. TIGTA officials later reduced that number to 27,270, but redacted their reasoning, and confirmed that 185 TINs were not on the list that should have been.

Another 2,976 TINs that scored from Ultra High to Medium High on risk assessments were not filtered to detect possible fraudulent returns.

TIGTA officials offered four recommendations:

• Record the 89 data breaches on the Incident Management Tracker Matrix Record, calculate an incident risk assessment score for each and apply appropriate treatments
• Develop processes to ensure all breaches are added to the Incident Management Tracker Matrix Record
• Research the 27,270 TINs and the 2,976 TINS we identified as potentially not being on the DSL to determine if they were previously added, and for those not added, include them on the DSL
• Add the 185 TINs that we identified to the DSL to allow detection of potential identity theft returns filed using the TINs

IRS officials said they agreed with all recommendations and had taken steps to implement them.

The post IRS identity theft trackers overlooked data breaches, report says appeared first on FedScoop.

According to a July 27 report from the Treasury Inspector General for Tax Administration (TITGA), the IRS CIO has not been involved in some of the agency’s major IT spending decisions. The CIO was instead delegating responsibilities to subordinates, following IRS rules that predate and conflict with FITARA.

In accordance with FITARA, agency CIOs have to be actively involved in the decision-making and review process for major IT contracts and acquisitions.

TITGA noted that the IRS CIO “does not review the acquisition and contract sections in the business cases” for major investments. Instead, an associate CIO presents information about these business proposals to the CIO annually, according to the report. But TITGA found that these annual presentations are scant in key information that the IRS CIO would need to know to meet FITARA requirements.

“However, these high-level acquisition data do not include vendors’ names, the purpose of the contracts, or contract dollar amounts,” TITGA reported, adding that it doesn’t believe this satisfies the CIO’s duties under FITARA.

In addition, the report said the CIO “broadly delegated” responsibilities for approving major IT acquisitions at the IRS. Instead of the CIO being actively involved in these decisions, the deputy CIOs and associate CIOs have been given the authority. Even some executives who report to those officials have some authority to approve IT purchases. TITGA says this flies in the face of FITARA.

“This delegation of authority as it relates to major information technology acquisitions is contrary to the basic principles of the FITARA,” the report says.

According to TITGA, the IRS’s current procedures for who in the agency has authority to make final decisions about IT spending date back to 2011. The IRS told TITGA that it plans to update the delegation order, according to the report.

In its report, TITGA recommended that the IRS comply with the Treasury Department’s FITARA guidance. That means that the responsibility to review IT acquisition and contract sections in IRS business cases goes to the CIO. The watchdog also recommended that the IRS establish a process for the approval of IT acquisitions that is in line with FITARA. The IRS agreed to the recommendations.

The post IRS CIO improperly delegated key IT spending responsibilities, watchdog says appeared first on FedScoop.