GAO: IRS Should Strengthen Oversight of Its Identity-Proofing Program
James R. McTigue, Jr.:
IRS officials were unable to show us that they had independently documented measurable goals or objectives to manage the outcomes of its identity-proofing program. According to federal internal control standards, officials should define objectives clearly to enable the identification of risks and define risk tolerances. Without independently established measures and goals, IRS cannot determine whether the performance of ID.me’s solutions meets IRS needs.
Without goals or objectives set by IRS, it is also not clear which of the several measures that ID.me provides are the best matches for what IRS needs or what level of performance is appropriate for a given application. For example, ID.me’s true pass rate excludes both users who abandon the process and users identified as highly probable fraudulent. In establishing measurable goals, IRS could determine that information on such users are essential performance measures that need to be established. Furthermore, as IRS continues to expand online services that require identity proofing it will need to consider additional metrics for these services.
At some point I’m going to write a long post about Direct File and identity. Today is not that day. But expect this report to be cited when I do.
GAO reports are pretty technical, and it’s understandable that some of the early takes I’ve seen kind of miss the mark. This is the key point: the IRS abdicated its responsibility to define what good looks like, outsourcing that responsibility to its vendor.