Identity Theft and Tax Fraud:

Enhanced Authentication Could Combat Refund Fraud, but IRS Lacks an Estimate of Costs, Benefits and Risks

GAO-15-119: Published: Jan 20, 2015. Publicly Released: Feb 19, 2015.

Multimedia:

  • GAO: AskGAOLive Chat on Tax Filing and Tax FraudVIDEO: AskGAOLive Chat on Tax Filing and Tax Fraud
    Online video chat with Jim White, Director, Strategic Issues.

Additional Materials:

Contact:

James R. White
(202) 512-9110
whitej@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Identity Theft (IDT) Refund Fraud Cost Estimates. The Internal Revenue Service's (IRS) fraud estimates met several GAO Cost Guide best practices, such as documenting data sources and detailing calculations. However, the estimates do not reflect the uncertainty inherent in measuring IDT refund fraud because they are presented as point estimates. Best practices suggest that agencies assess the effects of assumptions and potential errors on estimates. Officials said they did not assess the estimates' level of uncertainty because of resource constraints and methodological challenges. Because making different assumptions could affect IDT fraud estimates by billions of dollars, a point estimate (as opposed to, for example, a range) could lead to different decisions about allocating IDT resources. Reporting the uncertainty that is already known from IRS analysis (and conducting further analyses when not cost prohibitive) might help IRS communicate IDT refund fraud's inherent complexity.

IRS Estimates of Attempted IDT Refund Fraud, 2013

IRS i

While IRS's fraud estimates note the relevant cost assumptions used to develop estimates, they do not provide the rationale or analysis to support them. Officials stated they did not document the rationale because of the time and resources required. Best practices suggest that agencies should document assumptions. Given the evolving nature of IDT refund fraud, documenting assumptions' rationale would help IRS management and policymakers determine whether the assumptions remain valid or need to be updated.

Taxpayer Authentication. IRS recently created a group aimed at centralizing several prior ad hoc efforts to authenticate taxpayers across its systems. IRS's planning documentation contains goals and short- and long-term priorities (including implementation plans). However, a commitment to cost, benefit and risk analysis is not documented in the group's short- and long-term priorities. The draft planning documentation makes no mention of where such analyses would be included in IRS's priorities. Office of Management and Budget guidance states that agencies should use cost-benefit analyses that consider alternatives to promote efficient resource allocation and that agencies should ensure that authentication processes provide the appropriate level of assurance by assessing risks. Without analysis of costs, benefits and risks, IRS and Congress will not have quantitative information that could inform decisions about whether and how much to invest in the various authentication options. Cost, benefit and risk estimates for authentication would have the additional benefit of allowing comparisons with other options for combating IDT refund fraud. IDT options could have significant costs for taxpayers and IRS, so more information about the tradeoffs would help inform IRS and congressional decision making.

Why GAO Did This Study

IRS estimated it prevented $24.2 billion in fraudulent identity theft (IDT) refunds in 2013, but paid $5.8 billion later determined to be fraud. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when an identity thief uses a legitimate taxpayer's identifying information to file a fraudulent tax return and claims a refund.

GAO was asked to review IRS's efforts to combat IDT refund fraud. This report, the second in a series, assesses (1) the quality of IRS's IDT refund fraud cost estimates, and (2) IRS's progress in developing processes to enhance taxpayer authentication.

GAO compared IRS's IDT estimate methodology to GAO Cost Guide best practices (fraud is a cost to taxpayers). To assess IRS's progress enhancing authentication, GAO reviewed IRS documentation and interviewed IRS officials, other government officials, and associations representing software companies, return preparers, and financial institutions.

What GAO Recommends

GAO recommends IRS improve its fraud estimates by (1) reporting the inherent imprecision and uncertainty of estimates, and (2) documenting the underlying analysis justifying cost-influencing assumptions. In addition, IRS should estimate and document the economic costs, benefits and risks of possible options for taxpayer authentication. IRS agreed with GAO's recommendations and provided technical comments that GAO incorporated, as appropriate.

For more information, contact James R. White, (202) 512-9110, whitej@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: In April 2015, IRS reported that it would implement GAO's recommendation by mid-October 2016. IRS's most recent cost estimate based on 2014 returns included documentation of most but not all assumptions. For example, it does not note that some returns resulting in paid refunds were excluded because they were outside thresholds. In addition, the rationales supporting some assumptions, such as the estimated refund values associated with e-file reject returns, were not documented. IRS should document the cost-influencing assumptions that affect the estimates and the underlying analysis justifying these assumptions.

    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by documenting the underlying analysis justifying cost-influencing assumptions.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: In April 2015, IRS reported that it would implement GAO's recommendation by mid-October 2016. In its new estimate based on 2014 returns, IRS did present the estimates for refunds paid and not recovered as ranges. While these ranges account for risk surrounding known IDT returns that were paid to actual fraudsters, these ranges do not take into account the cumulative impact of additional assumptions on the estimate. For example, IRS's analysis does not account for the impact of omitting returns that did not meet thresholds. IRS should conduct additional analyses to understand the estimates' uncertainty and report the imprecision and uncertainty of the estimates.

    Recommendation: To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by reporting the inherent imprecision and uncertainty of the estimates. For example, IRS could provide a range of values for its Taxonomy estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: IRS agreed with our recommendation to estimate and document the costs, benefits, and risks of possible options for taxpayer authentication. Two incidents highlight the importance of IRS action in this area. In June 2015, unauthorized third parties gained access to taxpayer information through IRS's Get Transcript service and in March 2016, IRS stated that it suspended the Identity Protection Personal Identification Number (IP PIN) tool on IRS.gov. In both cases, thieves breached IRS's authentication checks. In November 2015, IRS developed guidance for its Identity Assurance Office to assess costs, benefits, and risk. IRS re-launched its Get Transcript online service on June 7, 2016, noting an enhanced authentication process that will provide a foundation for additional services in the future. IRS told us that it expects to complete an agency-wide strategic plan for taxpayer authentication by September 2016 and is analyzing how to apply guidance for risk analysis of online authentication to non-online authentication channels. While IRS is taking steps, it remains vulnerable until it completes and uses the results of its analysis of costs, benefits, and risks to inform decision-making.

    Recommendation: To ensure relevant information is available to decision makers, the Commissioner of Internal Revenue should estimate and document the costs, benefits and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget and National Institute of Standards and Technology guidance.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 13, 2016

Sep 6, 2016

Jul 29, 2016

Jul 7, 2016

Jun 27, 2016

Jun 23, 2016

Apr 19, 2016

Apr 13, 2016

Apr 7, 2016

Mar 28, 2016

Looking for more? Browse all our products here