Identity Theft and Tax Fraud:

IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program

GAO-16-508: Published: May 24, 2016. Publicly Released: Jun 23, 2016.

Multimedia:

Additional Materials:

Contact:

James R. McTigue, Jr
(202) 512-9110
mctiguej@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Taxpayer Protection Program (TPP). While the Internal Revenue Service (IRS) has made efforts to strengthen TPP—a program to authenticate the identities of suspicious tax return filers and prevent identity theft (IDT) refund fraud—fraudsters are still able to pass through and obtain fraudulent refunds. TPP authenticates taxpayers by asking questions only a real taxpayer should know; however, fraudsters can pass by obtaining a taxpayer's personally identifiable information (PII). IRS estimates that of the 1.6 million returns selected for TPP, it potentially paid $30 million to IDT fraudsters who filed about 7,200 returns that passed TPP authentication in the 2015 filing season; however, GAO's analysis suggests the amount paid was likely to be higher. Although IRS conducted a risk assessment for TPP in 2012, IRS has not conducted an updated risk assessment that reflects the current threat of IDT refund fraud—specifically, the threat that some fraudsters possess the PII needed to pass authentication questions. Federal e-authentication guidance requires agencies to assess risks to programs. An updated risk assessment would help IRS identify opportunities to strengthen TPP. Strengthened authentication would help IRS prevent revenue loss and reduce the number of legitimate taxpayers who become fraud victims.

IRS Estimates of Attempted IDT Refund Fraud, 2014

IRS Estimates of Attempted IDT Refund Fraud, 2014

IDT Refund Fraud Cost Estimates. In response to past GAO recommendations, IRS adopted a new methodology in an effort to improve its 2014 IDT refund fraud cost estimates. However, the estimates do not include returns that fail to meet specific refund thresholds. IRS officials said the thresholds allow them to prioritize IRS's enforcement efforts. However, using thresholds could result in incomplete estimates. Improved estimates would help IRS better understand how fraud is evading agency defenses. The GAO Cost Guide states that cost estimates should include all relevant costs. Additionally, IRS's estimates of refunds it protected from fraud are based on the Global Report , which counts each time a fraudulent return is caught by IRS and thus counts some returns multiple times. IRS uses this data source because it is IRS's official record of IDT refund fraud. The GAO Cost Guide states that agencies should use primary data for estimates and the data should contain few mistakes. By using the Global Report , as opposed to return-level data, IRS produces inaccurate estimates of IDT refund fraud, which could impede IRS and congressional efforts to monitor and combat this evolving threat.

Why GAO Did This Study

IRS estimates that, in 2014, it prevented or recovered $22.5 billion in attempted IDT refund fraud, but paid $3.1 billion in fraudulent IDT refunds. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when a refund-seeking fraudster obtains an individual's identifying information and uses it to file a fraudulent tax return. Despite IRS's efforts to identify and prevent IDT refund fraud, this crime is an evolving and costly problem.

GAO was asked to examine IRS's efforts to combat IDT refund fraud. This report (1) evaluates the performance of IRS's TPP and (2) assesses IRS's efforts to improve its estimates of IDT refund fraud costs for 2014. To evaluate TPP, GAO reviewed IRS studies, reviewed relevant guidance, and met with agency officials. Further, GAO conducted a scenario analysis to understand the effect of different assumptions on IRS's TPP analysis. To assess IRS's IDT cost estimates, GAO evaluated IRS's methodology against selected best practices in the GAO Cost Guide.

What GAO Recommends

GAO recommends that IRS update its TPP risk assessment and take appropriate actions to mitigate risks identified in the assessment. GAO also recommends that IRS improve its IDT cost estimates by removing refund thresholds and using return-level data where available. IRS agreed with GAO's TPP recommendations and will update its risk assessment. IRS took action consistent with GAO's IDT cost estimate recommendations.

For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: As of August 2017, IRS was taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in-person until the TPP web application has been sufficiently updated. According to officials, in February 2017, IRS implemented a new authentication process for TPP's phone authentication. Officials also told GAO they plan to finalize their review and risk assessment of TPP's phone, mail, and in-person authentication by October 2017. Once this assessment is finalized, GAO will review the assessment and determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards will enable IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment for its fraud detection efforts.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: As of August 2017, IRS was taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in-person until the TPP web application has been sufficiently updated. According to officials, in February 2017, IRS implemented a new authentication process for TPP's phone authentication. Officials also told GAO they plan to finalize their review and risk assessment of TPP's phone, mail, and in-person authentication by October 2017. Once this assessment is finalized, GAO will review the assessment and determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards will enable IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment for its fraud detection efforts.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: As of October 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: In August 2016, IRS reported that the agency did not agree with GAO's recommendation and noted that the agency does not think that adopting a different methodology for Taxonomy estimates is an effective use of agency resources. According to IRS, the agency established the Global Identity Theft Report (Global Report) as a standardized report that uses return-level data for most of the identity theft protected categories and summary data elsewhere. Further, IRS reported that the agency will continue to improve the Global Report, which will flow into the Taxonomy. However, as we reported in May 2016, by using the Global Report to calculate Taxonomy estimates for refunds prevented, IRS may have overestimated the refunds protected or recovered. For example, electronically filed returns that are rejected are overcounted because the same return can be rejected multiple times. Additionally, IRS already has a count of known and potential identity theft returns in its modeling dataset that the agency could use to help calculate the refunds protected estimates. As of October 2017, GAO is analyzing IRS's 2015 Taxonomy estimates to determine the extent to which GAO's recommendation has been implemented.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 6, 2017

May 18, 2017

May 17, 2017

Apr 27, 2017

Apr 26, 2017

Mar 8, 2017

Jan 31, 2017

Jan 27, 2017

Jan 9, 2017

Sep 13, 2016

Looking for more? Browse all our products here