This is the accessible text file for GAO report number GAO-09-882 entitled 'Tax Administration: IRS Has Implemented Initiatives to Prevent, Detect, and Resolve Identity Theft-Related Problems, but Needs to Assess Their Effectiveness' which was released on October 8, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2009: Tax Administration: IRS Has Implemented Initiatives to Prevent, Detect, and Resolve Identity Theft-Related Problems, but Needs to Assess Their Effectiveness: Tax Administration: GAO-09-882: GAO Highlights: Highlights of GAO-09-882, a report to congressional requesters. Why GAO Did This Study: Identity thieves may use a taxpayer’s name and social security number to fraudulently claim a refund or gain employment. This creates tax problems for the innocent taxpayer when the Internal Revenue Service (IRS) discovers a duplicate refund claim or unreported wage income. IRS is revising its strategy for preventing, detecting, and resolving identity theft-related tax problems. GAO was asked to (1) describe the extent of identity theft-related refund and employment fraud, (2) assess IRS’s actions to prevent and resolve such problems, and (3) describe IRS’s identity theft-related coordination with other agencies. GAO analyzed IRS data on identity theft cases, reviewed revisions to the Internal Revenue Manual and other agency documents, and interviewed IRS officials responsible for the new strategy. What GAO Found: IRS’s ability to detect identity theft-related refund and employment fraud is limited, but by the end of 2008, IRS had cataloged over 50,000 incidents. According to IRS, about 90 percent of fraudulently claimed refunds were stopped in 2008 with about $15 million issued before IRS became aware of the fraud. IRS does not know the amount of refund or employment fraud that goes undetected. In 2008, IRS began implementing four new initiatives in an effort to better detect and resolve identity theft cases. These include an identity theft indicator that IRS places on victims’ accounts so that IRS personnel can more easily recognize and assist the legitimate taxpayer in case of future account problems. The indicator further enables IRS to screen returns to prevent fraudulent refunds from being issued to identity thieves. IRS also decided to resolve legitimate taxpayers’ identity theft problems using a decentralized process--the activity that discovers a problem has the responsibility to resolve it. For the 2010 filing season, IRS is considering whether to expand its screening; however, IRS does not know how well its current strategy is working. IRS said it will develop performance measures, but it is not known whether the measures will be suitable for determining the effectiveness of the new initiatives, such as the number of false positives and negatives in the screening process or the success of the decentralized resolution process. Nor is it known when the new measures will be implemented. Measuring effectiveness matters because there have been glitches in implementing the initiatives. IRS is working to correct some discrepancies in the screening process and a GAO analysis of IRS data showed that some fraudulent refunds were issued even though taxpayers had indicators on their accounts. IRS’s coordination with other agencies is limited. Statutory Provisions protecting the privacy of tax data prohibit IRS from sharing taxpayer information with other agencies in many cases. Nor does IRS routinely receive identity theft case data because of concerns with substantiation. IRS has coordinated with other agencies on how to manage identity theft programs. Figure: Processes IRS Uses to Detect Identity Theft: [Refer to PDF for image: illustration] Processing tax returns: IRS performs procedures to determine whether tax returns are legitimate. When discrepancies are identified, IRS may contact taxpayers who may then conclude that they are victims of identity theft. Initiating compliance actions: IRS may initiate compliance actions, which may trigger responses from taxpayers that they are victims of identity theft. Self-reporting by taxpayers: Taxpayers can call the IRS identity theft hotline and report that they have been victims of identity theft. Identifying online fraud: IRS searches for online fraud and identifies victims involved in identity theft schemes. Sources: GAO analysis of IRS information; Art Explosion (clip art). [End of figure] What GAO Recommends: GAO recommends that IRS ensure that performance measures suitable for assessing the effectiveness of its identity theft initiatives, and associated data collection procedures, are in place at the beginning of the 2010 filing season. IRS agreed with GAO’s recommendation and provided comments on technical issues, which we incorporated into this report where appropriate. View [hyperlink, http://www.gao.gov/products/GAO-09-882] or key components. For more information, contact James R. White at (202) 512- 9110 or whitej@gao.gov. [End of section] Contents: Letter: Background: IRS's Ability to Detect and Catalog Current Identity Theft Incidents Is Limited and the Amount That Goes Undetected Is Not Known: IRS Has Implemented New Initiatives in an Effort to Detect and Resolve Identity Theft Cases, but Not Enough Is Known about How Well the Initiatives Are Working: Privacy and Other Laws Limit IRS's Coordination with Other Agencies on Identity Theft Cases: Conclusion: Recommendation for Executive Action: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: Description of Indicator Codes Used to Identify Tax and Non-Tax Related Issues: Appendix III: Procedures Followed for Additional Screening of Certain Indicator Accounts: Appendix IV: Comments from the Internal Revenue Service: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Number of Verified Identity Theft Cases by IRS Activity Cataloged by December 31, 2008 (encompassing multiple tax years): Table 2: Number of Verified Identity Theft Cases by Type of Fraud, Cataloged as of December 31, 2008: Table 3: Suspected Identity Theft-Related Refund Fraud Identified and Stopped by IRS, Calendar Year 2008: Table 4: Numbers of Incidents and Taxpayers with Identity Theft-Related Indicators Cataloged as of December 31, 2008 (encompassing multiple tax years for 501 and 506 indicators): Table 5: Percentage of Suspected Identity Theft Refunds Stopped and Issued by IRS When Indicators Were on the Taxpayers' Accounts, Partial Calendar Year 2009: Table 6: Indicator Codes Used by IRS to Flag Taxpayer Accounts for Tax- and Non-Tax-Related Identity Theft Issues: Figures: Figure 1: Processes IRS Uses to Detect Identity Theft: Figure 2: Total Identity Theft Complaints Received by the FTC, 2004- 2008: Figure 3: Number of Fraudulent Web Sites Taken Down, 2006-2009: Figure 4: Process Followed to Run Tax-Related Accounts with Indicator Codes through Additional Screening Procedures: Abbreviations: CI: Criminal Investigation Division: DHS: Department of Homeland Security: DOJ: Department of Justice: FTC: Federal Trade Commission: IPSU: Identity Protection Specialized Unit: IRC: Internal Revenue Code: IRS: Internal Revenue Service: OFDP: Online Fraud Detection and Prevention: PIPDS: Office of Privacy, Information Protection and Data Security: QRP: Questionable Refund Program: SB/SE: Small Business/Self-Employed Division: SSA: Social Security Administration: SSN: Social Security Number: SAS: Statistical Analysis Software: TAS: Taxpayer Advocate Service: TC: Transaction Code: TIGTA: Treasury Inspector General for Tax Administration: W&I: Wage and Investment Division: [End of section] United States Government Accountability Office: Washington, DC 20548: September 8, 2009: The Honorable Max Baucus: Chairman: The Honorable Charles E. Grassley: Ranking Member: Committee on Finance: United States Senate: The Honorable John Lewis: Chairman: The Honorable Charles W. Boustany, Jr. Ranking Member: Subcommittee on Oversight: Committee on Ways and Means: House of Representatives: Identity theft is a serious and growing problem in the United States. According to the Federal Trade Commission (FTC), millions of people have been victims of the crime, some of whom may go years without knowing it. The crime takes many forms; identity thieves may obtain a credit card, rent an apartment, or establish a telephone account in the theft victim's name. The victim may not find out about the theft until being contacted by a debt collector, losing out on a job opportunity, or being denied a loan. Identity theft creates two main problems for taxpayers and IRS. A taxpayer may have his or her tax refund delayed if an identity thief files a fraudulent tax return seeking a refund using the legitimate taxpayer's name and Social Security number (SSN). In addition, a taxpayer may become subject to Internal Revenue Service (IRS) enforcement actions after someone else uses his or her identity to fraudulently obtain employment and the identity thief's income is reported to IRS by an employer on a Form W-2 (Wage and Tax Statement) or Form 1099 information returns in his or her name. In 2004, IRS developed a strategy to address the problem of identity theft-related tax administration issues. According to IRS, the strategy has evolved and continues to serve as the foundation for all of IRS's efforts to provide services to victims of identity theft and to reduce the effects of identity theft on tax administration. The original strategy was revised in July 2008 and renamed IRS's Identity Protection Strategy by the Office of Privacy, Information Protection and Data Security (PIPDS), created by IRS to reach across all IRS organizations on issues of privacy, identity theft, and data security. The IRS strategy focuses on three priority areas that are fundamental to addressing the identity theft challenge: victim assistance, outreach, and prevention. In this context, you asked us to assess IRS's efforts to address the impact of identity theft on taxpayers. The objectives of this report are to (1) describe how much identity theft-related refund and employment fraud IRS faces and whether incidents of identity theft go undetected by IRS, (2) assess the actions IRS is taking to prevent and detect identity theft-related tax problems and to assist affected taxpayers, and (3) describe what IRS is doing to coordinate its identity theft-related efforts with those of other government and nongovernment entities. To meet our objectives, we analyzed IRS data on identity theft cases, reviewed documentation on IRS's identity theft strategy, and interviewed responsible IRS executives. More specifically, we reviewed documents on policies and procedures related to identity theft and relevant sections of the Internal Revenue Manual and interviewed officials from PIPDS, Wage and Investment Division (W&I), Small Business/Self-Employed Division (SB/SE), and Criminal Investigation Division (CI) to determine the processes and procedures used by IRS to prevent and detect identity theft-related tax issues and assist affected taxpayers. We also reviewed prior GAO and Treasury Inspector General for Tax Administration (TIGTA) reports on these procedures. We also reviewed IRS's Identity Protection Strategy. To assess whether IRS's initiatives were working as intended, we obtained data from the Taxpayer Advocate Service (TAS) and IRS to identify (1) the frequency with which suspected identity theft-related refund fraud reoccurred for taxpayers known to have had identity theft issues in the past and (2) how often taxpayers took identity theft-related tax problems to TAS after other IRS functions had determined that their issues were identity theft-related. We determined that the IRS data that we used for this analysis were sufficiently reliable for our purposes. We also interviewed PIPDS officials and reviewed PIPDS documents to obtain information on IRS's coordination efforts with law enforcement and other government entities. Detailed information about our methodology can be found in appendix I. We conducted this performance audit from October 2008 through August 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Identity theft describes a wide range of types of theft and uses of stolen information. According to the FTC, the most common form of identity theft is the use of another person's information to obtain credit and then acquire goods or services, not pay for them, and thus damage the credit rating of the identity theft victim. As already noted, identity theft most commonly becomes a tax administration problem for victims and IRS in two primary ways. First, an identity thief may use a legitimate taxpayer's identity to fraudulently file a tax return and claim a refund during the filing season. In these cases, the identity thief typically uses a stolen SSN to file a forged tax return and obtain a refund early in the filing season. The legitimate owner of the SSN may not be aware that this has occurred until he or she files a tax return later in the filing season and IRS discovers that two returns have been filed using the same SSN. In this instance, the legitimate taxpayer's refund will likely be frozen until IRS can determine the legitimate owner of the SSN. The second way that identity theft becomes a problem for taxpayers and for IRS is through employment fraud. This occurs when an identity thief uses someone else's name and SSN to obtain a job. In this instance, IRS would receive a Form W-2 or a Form 1099 reporting income on the taxpayer's account, which the rightful owner of the SSN had not earned and does not report as income to IRS. As a result, the taxpayer may be subject to enforcement action when, during the filing process, IRS matches what the employer and the taxpayer report and it appears that he or she earned more income than was reported on his or her tax return. In a related type of case, an identity thief uses just the SSN of a legitimate taxpayer and the thief's own or a made up name. This also creates tax administration problems (as well as problems for the Social Security Administration) because the same SSN is now associated with multiple names. The name and SSN information used by identity thieves to commit refund or employment fraud are typically stolen from sources beyond the control of IRS. In many cases, the source of the stolen information is unknown. Someone who makes up an SSN that does not match a legitimate SSN and uses it to gain employment has failed to comply with legal requirements to supply a valid SSN but has not committed identity theft because no person's identity was stolen. Identity theft can also involve IRS in other ways, such as when thieves masquerade as IRS in order to steal information over the Internet through phishing schemes--using e-mail or Web sites to impersonate IRS and ask for personal and financial information from unsuspecting victims. According to IRS, there are a variety of online schemes that victimize taxpayers. "Get Your Refund" phishing e-mails appear to be legitimate e-mails from IRS notifying a taxpayer that they are entitled to a refund and can claim it quickly by clicking on a fraudulent link within the e-mail and providing their personally identifiable information. Fraudulent free e-file Web sites claim to be legitimate free e-file Web sites. Once a taxpayer enters his or her tax information, the identity thief enters his or her own bank account number and then steals the refund along with the taxpayer's personal information, such as the SSN. Other schemes include surveys and malware.[Footnote 1] Surveys are usually sent through e-mails, where the fraudulent party masquerades as IRS asking taxpayers to rate their experience with IRS. Malware is an executable file sent through an e- mail, which asks the recipient to save and run a file. Once the file runs, information is pulled from the victim's computer and sent to the fraudulent party. Identity theft can also involve IRS when IRS loses taxpayer data in either electronic form, such as information stored on a lost laptop computer, or on paper, such as documents lost in transit when being sent from one IRS facility to another. However, lost taxpayer data will not result in identity theft unless the data were found by an identity thief who uses the data for personal gain. Figure 1 describes the ways that identity theft issues come to light for IRS and taxpayers. Figure 1: Processes IRS Uses to Detect Identity Theft: [Refer to PDF for image: illustration] Processing tax returns: IRS performs procedures to determine whether tax returns are legitimate. When discrepancies are identified, IRS may contact taxpayers who may then conclude that they are victims of identity theft. Initiating compliance actions: IRS may initiate compliance actions, which may trigger responses from taxpayers that they are victims of identity theft. Self-reporting by taxpayers: Taxpayers can call the IRS identity theft hotline and report that they have been victims of identity theft. Identifying online fraud: IRS searches for online fraud and identifies victims involved in identity theft schemes. Sources: GAO analysis of IRS information; Art Explosion (clip art). [End of figure] Federal and state legislatures have toughened laws that prohibit the theft of identities. In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act,[Footnote 2] which expanded the criminalization of fraud in connection with identification documents to cover the unlawful transfer and use of identification documents. The law addresses identity theft by including instances when someone "knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." According to the President's Identity Theft Task Force, all 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all of those jurisdictions, except Maine, identity theft can be prosecuted as a felony. In addition to congressional efforts to combat identity theft, there have been administrative efforts as well. The President's Identity Theft Task Force was established in May 2006 by Executive Order 13402. [Footnote 3] The task force was created to coordinate federal agencies in their efforts against identity theft and to create a strategic plan to combat (increase awareness of, prevent, detect, and prosecute) identity theft. Victims of identity theft can file a complaint with the FTC. The FTC maintains an Identity Theft Data Clearinghouse, which is the sole national repository of consumer complaints on identity theft. In 2008, the FTC received 313,982 identity theft complaints, a large increase over the number reported in prior years, as shown in figure 2. Figure 2: Total Identity Theft Complaints Received by the FTC, 2004- 2008: [Refer to PDF for image: line graph] Tax year: 2004; Number of complaints: 246,882. Tax year: 2005; Number of complaints: 255,613. Tax year: 2006; Number of complaints: 246,174. Tax year: 2007; Number of complaints: 259,266. Tax year: 2008; Number of complaints: 313,982. Source: GAO analysis of FTC data. [End of figure] Intending to strengthen IRS's enterprisewide approach to identity theft and data security, IRS established PIPDS in July 2007. PIPDS includes four offices with roles defined by IRS as follows: * Privacy. Promotes the protection of individual privacy and integrates privacy into business practices, behaviors, and technology solutions. * Identity Protection. Identifies risks and reduces vulnerabilities of identity information, enhances services and reduces burden and harm to identity theft victims, and increases collaboration and communication with IRS stakeholders and external partners. * Incident Management. Assesses and reduces IRS data loss incidents, promotes protection of personal identity information by IRS employees, and informs taxpayers of identity theft risks discovered by the IRS. * Online Fraud Detection and Prevention. Reduces and prevents online fraud against IRS and taxpayers. PIPDS collaborates with IRS activities[Footnote 4] that deal with identity theft cases and issues. A technical working group was formed to provide a forum for developing recommendations on how processes and procedures can be improved to address and reduce the burden on taxpayers who are victims of identity theft. Additionally, IRS established two advisory committees to oversee Identity Theft and Incident Management and Online Fraud Detection and Prevention activities. The advisory committees include executive management from Small Business/Self-Employed (SB/SE), Wage and Investment (W&I), Criminal Investigation (CI), and the Taxpayer Advocate Service (TAS). IRS's Ability to Detect and Catalog Current Identity Theft Incidents Is Limited and the Amount That Goes Undetected Is Not Known: IRS began systemically cataloging data on identity theft incidents in January 2008, but limitations on the data mean that the data provides an incomplete picture of the amount of identity theft-related fraud occurring at IRS. IRS catalogs identity theft incidents after identifying a possible case, validating that identity theft-related fraud occurred, and substantiating the identity of the victim taxpayer. Because of the timing of tax return filing, IRS is often unable to detect suspicious cases until well after the fraud occurred. Validating the identity theft and substantiating the victim's identity takes further time. For example, IRS may not be able to detect potential employment fraud until after the following year's tax filing deadline of April 15 when it matches Form W-2 information against filed tax returns. It is only after IRS notifies a taxpayer of unreported income that IRS may learn from the taxpayer that the income was not his or hers and that someone else must have been using his or her identity. By the time both the victim and IRS determine that an identity theft incident occurred, well over a year may have passed since the employment fraud.[Footnote 5] Time lags are not the only issue obscuring a complete picture of identity theft tax cases at IRS. Some cases go undetected altogether. One reason for this is that IRS does not investigate every case of potential employment fraud. Because of the large volume of mismatches between what is reported on a Form W-2 or a Form 1099 information return and what is reported on an income tax return, and also because of IRS's limited resources, IRS does not pursue some mismatches. Consequently, IRS is not in a position to detect any underlying identity theft in those cases. Also, if an identity thief steals the identity of a person with no tax filing obligation, such as a child, and files returns and pays taxes using the name and SSN of that person, IRS may have no way of detecting the identity theft. From IRS's point of view, a tax return has been filed with a name and SSN that match and the income on the tax return matches income reported by an employer. Many IRS Activities Detected Identity Theft: Table 1 shows the tax-related identity theft incidents that IRS cataloged as of December 31, 2008. Most of the incidents in the table are for identity thefts that occurred since 2005, but some incidents go back many years. The incidents shown in table 1 include open tax-related identity theft cases reported by various IRS activities. A case is considered open if the taxpayer continues to have identity theft-related issues. For all of the incidents shown in table 1, IRS validated that the identity theft-related fraud occurred and substantiated the identity of the victim taxpayer. The table demonstrates that IRS detects identity theft throughout the course of normal tax administration activities, including processing tax returns, examining returns to verify compliance, and collecting tax debt. Table 1: Number of Verified Identity Theft Cases by IRS Activity Cataloged by December 31, 2008 (encompassing multiple tax years): IRS activity: Criminal Investigations: Investigates questionable refunds and fraudulent refund schemes; Number of incidents[A]: 17,836; Number of taxpayers affected: 16,696. IRS activity: Automated Underreporter: Compares amounts reported by third parties to amounts reported on individual income tax returns; Number of incidents[A]: 10,536; Number of taxpayers affected: 9,527[B]. IRS activity: Field Assistance: Provides face-to-face assistance to taxpayers at Taxpayer Assistance Centers; Number of incidents[A]: 10,792; Number of taxpayers affected: 7,671[B]. IRS activity: Accounts Management: Responds to taxpayer inquiries and works to resolve cases of duplicate tax returns; Number of incidents[A]: 3,486; Number of taxpayers affected: 2,691[B]. IRS activity: Taxpayer Advocate Service: Assists taxpayers who are experiencing economic harm or seeking help in resolving tax problems that have not been resolved through normal channels; Number of incidents[A]: 2,308; Number of taxpayers affected: 1,827[B]. IRS activity: Correspondence Exam: Conducts audits of individual tax returns by mail; Number of incidents[A]: 1,549; Number of taxpayers affected: 1,434[B]. IRS activity: Automated Substitute for Return: Creates a substitute tax return where none was filed and makes a tax assessment; Number of incidents[A]: 2,621; Number of taxpayers affected: 1,304[B]. IRS activity: Automated Collection System: Contacts taxpayers by telephone to collect and resolve delinquent tax cases; Number of incidents[A]: 1,709; Number of taxpayers affected: 983[B]. IRS activity: Compliance Service Collections Operations: Contacts taxpayers by correspondence to collect and resolve delinquent tax cases; Number of incidents[A]: 828; Number of taxpayers affected: 492[B]. IRS activity: Other[C]; Number of incidents[A]: 37; Number of taxpayers affected: 32[B]. Source: GAO analysis of IRS data. [A] The number of incidents of identity theft is higher than the number of taxpayers because a taxpayer can have more than one incident of identity theft. [B] A taxpayer may have been identified as a victim of identity theft through different tax administration activities in different tax years by different IRS activities; therefore, a taxpayer may be counted more than once. According to IRS data, the total number of taxpayers double counted was 1,779. [C] Other includes Field Examination, Field Collection, and Office of Privacy and Information Protection. [End of table] The 51,702 incidents cataloged in table 1 are primarily refund or employment fraud, as shown in table 2. Table 2: Number of Verified Identity Theft Cases by Type of Fraud, Cataloged as of December 31, 2008: Type of fraud: Refund fraud; Number of incidents: 23,124; Number of taxpayers affected[A]: 21,047. Type of fraud: Employment fraud; Number of incidents: 24,925; Number of taxpayers affected[A]: 17,645. Type of fraud: Both; Number of incidents: 1,036; Number of taxpayers affected[A]: 793. Type of fraud: Other[B]; Number of incidents: 2,617; Number of taxpayers affected[A]: 2,016. Source: GAO analysis of IRS data. [A] A taxpayer may be counted more than once if he or she has been identified as a victim of identity theft through different IRS activities or in different time periods. According to IRS data, the number of taxpayers double counted was 623. [B] The "Other" category includes identity theft incidents that cannot be identified as related to any current year tax administration issue, such as issues that occurred in tax year 2007 but were not detected until 2008. [End of table] IRS identifies refund fraud primarily through the Questionable Refund Program (QRP) in CI. QRP was established to identify fraudulent returns, stop the payment of fraudulently claimed refunds, and, in some cases, refer fraudulent refund schemes to CI's field investigation offices. CI may ultimately refer refund schemes to the Department of Justice (DOJ) for possible criminal prosecution. According to data from CI, the median amount of suspected identity theft-related refunds identified during the 2009 filing season was about $3,400.[Footnote 6] Over the past 4 years, CI has investigated a number of tax-related identity theft cases that DOJ successfully prosecuted. For example, a former Girl Scout troop leader is now serving 10 years in federal prison for using children's identities to defraud the government. The defendant pleaded guilty to multiple counts of filing fictitious tax refund claims and identity theft. The defendant created fake medical release forms for her troop members and told their parents that she needed the girls' SSNs in case of an emergency. The scheme helped her claim more than $87,000 in fraudulent tax refunds. According to CI data, in 2008, IRS stopped about 90 percent of suspected identity theft-related refunds it identified as shown in table 3.[Footnote 7] For the other 10 percent, a majority of the refunds were issued to suspected identity thieves before the legitimate taxpayer filed their return. It is only when IRS finds a duplicate tax return (a second return filed using the same name and SSN) that IRS has an indication of potential refund fraud. Table 3: Suspected Identity Theft-Related Refund Fraud Identified and Stopped by IRS, Calendar Year 2008: Fraudulent tax returns identified by IRS; Number: 30,328; Dollars: $179,129,228. Fraudulent tax returns stopped by IRS; Number: 26,385; Dollars: $163,819,228. Percent stopped; Number: 87%; Dollars: 91%. Source: GAO analysis of IRS data. Note: Not all tax returns identified were verified as identity theft related during 2008. [End of table] As shown in table 3, about $15 million in fraudulent refund payments were issued in calendar year 2008. IRS officials said that they could not determine how many of those refunds have been recovered. They said that in instances where CI opens a criminal investigation and the government successfully prosecutes the identity thief, upon conviction the perpetrator may be ordered by the court to pay restitution. However, this process may take a long time, and it is rarely possible to associate any restitution paid with a specific refund fraud incident because these prosecutions generally involve more than fraudulent refund schemes. Officials also noted that in cases that do not result in criminal prosecutions, IRS does not often recover the stolen refund. IRS Has Implemented New Initiatives in an Effort to Detect and Resolve Identity Theft Cases, but Not Enough Is Known about How Well the Initiatives Are Working: In 2008 and 2009, IRS implemented four initiatives to detect and resolve identify theft cases: identity theft account indicators, screening procedures for returns with indicators, the Identity Protection Specialized Unit (IPSU), and call centers with an identity theft telephone hotline. Identity Theft Indicators Placed on Taxpayer Accounts: In January 2008, IRS began placing identity theft indicators, Transaction Code (TC) 971, on taxpayers' accounts where IRS determined there to be current or potential identity theft issues. The indicators are visible to all IRS personnel with account access. The purpose is to help both IRS and the taxpayer by making sure all IRS activities know that the taxpayer is an identity theft victim so that the taxpayer does not have to repeatedly explain this or prove his or her identity. The indicator also will alert IRS personnel that a future account problem may be the result of a previous identity theft incident; IRS expects this to help expedite future problem resolution. In tax year 2008, IRS detected incidents of identity theft and placed indicators on those taxpayer accounts, as shown in table 4. The TC 971 is shown by one of four indicators that indicate taxpayers are victims of identity theft. The indicator used by IRS depends on the circumstances in which IRS receives indication of an identity theft- related problem.[Footnote 8] Table 4: Numbers of Incidents and Taxpayers with Identity Theft-Related Indicators Cataloged as of December 31, 2008 (encompassing multiple tax years for 501 and 506 indicators): Action code: 501; Definition of indicator: Taxpayer receives indications from IRS activity about potential problems on their account and the taxpayer believes they may be a victim of identity theft; Number of incidents: 33,866[A]; Number of taxpayers affected: 24,182. Action code: 504; Definition of indicator: Taxpayer's identify information is stolen (the theft does not involve IRS), but taxpayer notifies IRS as a precaution; Number of incidents: [B]; Number of taxpayers affected: 643[C]. Action code: 505; Definition of indicator: IRS loses taxpayer data, which may result in identity theft-related issues for the taxpayer; Number of incidents: 149; Number of taxpayers affected: 911. Action code: 506; Definition of indicator: IRS determines that a taxpayer is a victim of identity theft through review of taxpayer account and return; Number of incidents: 17,836[A]; Number of taxpayers affected: 16,696. Source: GAO analysis of IRS data. [A] The number of incidents of identity theft is higher than the number of taxpayers because a taxpayer can have more than one incident of identity theft. [B] The number of incidents was not available. [C] Only 3 months of data are provided because IPSU was not established until October 2008. [End of table] Once IRS substantiates the identity theft and the identity of the innocent taxpayer,[Footnote 9] either through IRS processes or the taxpayer providing documentation of the identity theft, IRS will place the indicator on the taxpayer's account and will notify the taxpayer. [Footnote 10] In the case of the 501 or 504 indicators, if the taxpayer does not substantiate the identity theft, IRS will not place the indicator on the taxpayer's account. IRS processes do not require substantiation for a 505 or 506 indicator because, in those cases, IRS independently determines the taxpayer's identity. IRS will remove an indicator after 3 consecutive years if there are no incidents on the account or will remove an indicator sooner if the taxpayer requests it. Screening 2009 Returns for Possible Identity Theft-Related Refund Fraud: During the 2009 filing season, IRS screened returns filed in the names of taxpayers with 501 and 506 indicators looking for characteristics indicating that a return was filed by an identity thief instead of the legitimate taxpayer. IRS did not run the 504 and 505 indicators through the screening procedures in 2009. IRS officials told us in August 2009 that they plan to use the results of the 2009 screening as they consider whether to expand the screening to include 504 and 505 indicators in the 2010 filing season. The purpose of the screening was to prevent false returns from posting and to allow legitimate returns to quickly be placed back in regular return processing. Identity theft subject matter experts created the screen based on patterns they identified as being typical of identity thieves attempting to fraudulently gain refunds. If a return failed the screening, it was subject to additional reviews by IRS personnel. (See figure 4 in appendix III for a graphical representation of this process). From January 2009 through June 2009, 18,183 returns had not passed the screening procedures; as of July 2009, 2,503 of these returns were still being analyzed to determine which were legitimate and which were filed by identity thieves. Identity Protection Specialized Unit: In October 2008, IRS established IPSU to serve as a central point of contact primarily for taxpayers who had their identity stolen and wanted to notify IRS as a precaution before they had tax-related identity theft problems. IPSU processes these taxpayers' substantiation documentation and places a 504 indicator on their accounts. In some cases, taxpayers contact the IPSU after another IRS activity has already identified an identity theft issue, or the taxpayer may send his or her identity theft substantiation documentation to the IPSU instead of the IRS activity responsible for resolving the problem. IPSU forwards such information to the correct IRS activity and monitors the taxpayer's account to see if the other activity substantiates the identity theft, places a 501 indicator on the account, and resolves identity theft-related issues. From October 2008 through June 2009, IPSU monitored 19,910 cases with tax-related identity theft issues. IPSU does not monitor accounts where the taxpayer deals directly with another IRS activity unless contacted by the taxpayer. Nor does IPSU resolve taxpayers' identity theft-related issues. Problem resolution responsibility stays with the IRS activity where the problem originated. IRS officials concluded that it would slow down resolution of taxpayer issues and require more staff time to transfer problems from the activity that found the problem to IPSU for resolution. Based on a recommendation from TAS,[Footnote 11] IPSU sampled a small number of identity theft cases with the 501 indicator to look for evidence of identity theft-related problems that neither IRS nor the taxpayer have identified. For each sampled case, IPSU looked across the taxpayer's account and found a majority of these accounts had other identity theft issues. Subsequently, IPSU retroactively reviewed all cases with a 501 indicator. Based on this assessment, IPSU will take on an additional role starting in August 2009 by doing a similar review of all cases where a 501 indicator was placed on an account. If IPSU identifies a new identity-theft related issue on an account that they cannot resolve, IPSU will forward the information to the proper IRS activity to resolve. Call Centers Supporting a Dedicated Identity Theft Hotline: Taxpayers who know of or suspect identity theft can call a dedicated toll-free number, established in October 2008, where customer service representatives can review his or her information and account history, answer questions, and explain what documentation is needed to substantiate the identity theft. From October 2008 through June 2009, the specialized call centers received 87,138 calls and provided service to 82,470 taxpayers. These numbers do not include identity theft- related calls received on IRS's general toll-free number. IRS Implemented Its Identity Theft Initiatives Without Measures to Assess How Well They Are Working: IRS has not assessed the value of its new initiatives. IRS officials said they want to make such assessments. However, currently IRS has not defined measures that would provide an empirical basis for answering questions such as those listed below. This list of questions is not meant to be exhaustive. * How many false positives (cases where a legitimate return is flagged as being fraudulent) and false negatives (cases where a fraudulent return is not flagged) are generated by the screening process? * How long does it take and what is the cost to resolve cases that do not pass the screening and get reviewed by IRS personnel? This is important to taxpayers because refunds are held up while the review is conducted. * How well does the current division of responsibility for resolving identity theft cases work or would a more centralized process work better? * How well are taxpayers' questions answered and issues resolved using the hotline?[Footnote 12] IRS has developed objectives for its Identity Protection Strategy, which is a step towards effective performance measurement: * reduce taxpayer burden while addressing and resolving identity theft cases, * protect Treasury revenue by identifying suspicious filings before the refunds are generated, and: * increase operational efficiency of IRS by detecting and processing reported identity theft incidents as early and consistently as possible. Further, PIPDS has recently developed one identity theft-related performance measure, "Increase revenue protected from erroneous refunds to identity thieves" and is reviewing the results of returns that were run through the business rules to capture data for this measure. PIPDS also stated that it has contracted with a consultant to help develop a suite of performance measures by the end of 2009. However, at the time we concluded our work, it was not known whether the performance measures will answer the types of questions we outlined above. Furthermore, for the measures to be in place in time to assess the initiatives performance during the 2010 filing season, timely action will be required. The measures will need to be developed early enough to give IRS time to develop a plan for capturing the data needed to implement the measures. The answers to questions such as those listed above were not available when IRS designed its identity theft initiatives. IRS did not have an empirical basis for knowing what approach, such as having IRS activities rather than IPSU resolve cases, would work best. Furthermore, there have been some glitches with implementation. PIPDS officials told us that they are aware that some IRS activities have not been consistent in how they applied the identity theft indicators, causing some discrepancies in how returns were run through the screening procedures. For example, some activities would put the indicator on the taxpayer's account before ensuring that the information by the identity thief was removed from the taxpayer's account. Therefore, this resulted in legitimate taxpayer's returns failing the business rule screening and may have delayed the taxpayer's refund. In June 2009, PIPDS officials subsequently met with the different IRS activities to revise their procedures for placing indicators on taxpayer accounts before the 2010 filing season. Our own review of the effectiveness of the identity theft indicator and screening process also uncovered some possible issues. We compared IRS data from PIPDS and CI to test whether IRS issued refunds to suspected identity thieves in cases where there was already a 501 or 506 identity theft indicator on the account of the innocent taxpayer. We used the limited data available for 2009 because we wanted to look at cases handled after the new initiatives were put in place. As shown in table 5, we found that IRS failed to prevent a fraudulent refund 15 times in early 2009 even though the account had an identity theft indicator. During the same period, CI stopped 3,281 refunds, 14 percent of which had an identity theft indicator on the associated taxpayer account. Our analysis covers only part of the year and the initiatives are still new, so it is not possible to know whether this represents the long- term effectiveness of the initiative or not. Table 5: Percentage of Suspected Identity Theft Refunds Stopped and Issued by IRS When Indicators Were on the Taxpayers' Accounts, Partial Calendar Year 2009: Number of returns: Refund stopped: 3,281; Refund issued: 559. Number of returns with indicators: Refund stopped: 474; Refund issued: 15. Percentage of returns with indicators: Refund stopped: 14; Refund issued: 3. Source: GAO analysis of IRS data. Note: The data used in this analysis are from January 1, 2009, through April 30, 2009. IRS identifies many refund fraud cases after the filing season is over, so this figure represents only a portion of the cases that will likely be identified in 2009. [End of table] Further, according to TAS officials, the number of TAS cases that involved identity theft issues in the first half of fiscal year 2009 was more than twice as high as it was in the same period in fiscal year 2008. Based on analyzing Taxpayer Advocate data, 8,880 taxpayers for whom TAS opened cases with identity theft issues in the first half of fiscal year 2009, 943 (about 11 percent) contacted TAS on their own initiative after another IRS activity had already placed a 501 or 506 indicator on their accounts. The presence of the indicator means that IRS was already working to resolve the taxpayer's tax problems before the taxpayer contacted TAS. As with our analysis of the screening process, these results need to be interpreted with caution. TAS policy is to always note identity theft problems in the TAS database, even when the taxpayer contacted TAS about a different problem. In addition, because the indicators were so new we cannot be sure that the TAS data reflect their long-term effects. Also, some of the communication with taxpayers about their identity theft issues included TAS contact information, and PIPDS officials noted that some taxpayers may have contacted TAS thinking that it was the IRS office to which they should direct their questions. Our analysis of screening program results and TAS data suggests that IRS's identity theft initiatives could be having a positive effect, but the evidence is not at all conclusive. The results do show that the initiatives have had some glitches; for example, some fraudulent refund payments were made despite the presence of an indicator. Overall, our analysis highlights the importance of IRS developing performance measures that will provide a basis for monitoring the effectiveness of the initiatives over time. IRS Processes to Prevent Identity Theft through Phishing or Security Breaches: IRS provides taxpayers with targeted information to increase their awareness of identity theft, tips and suggestions for safeguarding taxpayers' personal information, and information to help them better understand tax administration issues related to identity theft. A new segment of the IRS home page, [hyperlink, http://www.irs.gov], provides taxpayers with identity theft information including emerging trends, phishing sites, fraud schemes, and prevention strategies. According to IRS officials, they receive information on potential phishing schemes primarily from citizens sending IRS the information via phishing@irs.gov]. These officials said IRS is directing victims to the most up-to-date identity theft information to ensure that they know how to report identity theft crimes and have the necessary resources and support to recover their identities. Additionally, IRS has worked to revise its most widely used documents, such as Form 1040, to include information about identity theft. To raise awareness with paid preparers, IRS officials are making identity theft and phishing presentations at the annual nationwide tax forums held for preparers. In 2007, IRS created the Online Fraud Detection and Prevention (OFDP) office to reduce online fraud against IRS and taxpayers and provide a rapid response capability to detect and respond to such fraud. OFDP relies on tips from the public sent to phishing@irs.gov and other information sources. Once a fake electronic filing site is found, the team gathers information, such as screen shots of the site, and then passes it to CI and TIGTA for investigation. IRS sends a taxpayer identified as a possible victim a notification letter and a request asking the taxpayer to report the incident to FTC, contact the fraud departments of major credit bureaus, close any accounts that have been tampered with, and contact IPSU for further information. Additionally, officials stated that OFDP is currently investigating processes to securely transmit compromised credit card information to banks. In addition, OFDP contacts the Web site's hosting provider to notify them that one of their customers is hosting a phishing site, and asks the hosting provider to voluntarily take down the site or remove the fraudulent content. According to the OFDP Director, the number of fraudulent Web sites taken down increased to 3,030 in 2008, as shown in figure 3. Figure 3: Number of Fraudulent Web Sites Taken Down, 2006-2009: [Refer to PDF for image: vertical bar graph] Tax year: 2006; Number of websites: 245. Tax year: 2007; Number of websites: 889. Tax year: 2008; Number of websites: 3,030. Tax year: 2009, through April; Number of websites: 949. Source: GAO analysis of IRS data. [End of figure] IRS faces challenges combating fraudulent Web sites. OFDP officials stated that schemes and Web sites that originate outside the United States are particularly challenging because of jurisdictional issues. However, the officials also said that IRS is working with TIGTA, [Footnote 13] DOJ, and other organizations to use existing authorities and relationships to assist with combating such fraud. Another challenge is the ability of fraudulent parties to use multiple computer IP addresses that change frequently, making it difficult to trace the perpetrator's actual IP address. Finally, according to officials, some institutions are reluctant to share specific information about online fraud perpetrated against them. To help overcome this, officials stated that they are working with organizations such as the National Cyber Forensics and Training Alliance, Anti-Phishing Working Group, and others, to facilitate and improve information sharing about fraud schemes. IRS has considered additional steps to help combat phishing and similar identity theft schemes such as providing a list of legitimate Web sites. However, such a list would be almost impossible to keep current. IRS Information Security Weaknesses: Although IRS does not know of any cases where information security weaknesses have led to actual identity theft, as was noted earlier in table 4 IRS had 149 incidents of lost data affecting 911 taxpayers in 2008. Perhaps more importantly, IRS has information security weaknesses that increase the likelihood of IRS employees committing identify theft.[Footnote 14] Specifically, in January 2009 we reported that IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. [Footnote 15] We noted that IRS did not always (1) enforce strong password management for properly identifying and authenticating users and (2) authorize user access, including access to personally identifiable information, to permit only the access needed to perform job functions. For example, the agency allowed authenticated users on its network access to shared drives containing taxpayer information as well as performance appraisal information for IRS employees including their SSNs. We made recommendations to IRS regarding ways to strengthen its information security practices. IRS agreed with the recommendations and stated that the agency is working to improve its security posture, and will develop a detailed corrective action plan addressing each of our recommendations. Until IRS addresses these weaknesses, there is an increased risk that someone could use his or her access to steal personally identifiable information and commit identity theft-related crimes. Privacy and Other Laws Limit IRS's Coordination with Other Agencies on Identity Theft Cases: Figure 20: Section 6103 of the Internal Revenue Code (I.R.C.) limits the types of information IRS can share with external parties, including identity theft victims, employers who may have workers using stolen identity information, or other government agencies, including law enforcement agencies. Under section 6103, tax returns and other information submitted to and, in some cases, generated by, IRS, are confidential and protected from disclosure, except as specifically authorized by statute. IRS can disclose identity theft-related events that occur on a taxpayer's account to the taxpayer, such as the fact that an unauthorized return was filed using the taxpayer's information or that the taxpayer's SSN was used on another return. However, IRS may only disclose to the taxpayer the taxpayer's own return information. Therefore, IRS cannot disclose any other information about a fictitious Form 1040 or an incorrect Form W-2 submitted to IRS, or any information about IRS's investigation into the civil or criminal tax liability of the perpetrator (whether refund fraud or employment fraud) to the victim. In addition, IRS cannot disclose information about the perpetrator's identity to the taxpayer. IRS can notify an employer whose employee has used a stolen SSN that the SSN on the Form W-2 filed for that employee does not belong to that individual. IRS can disclose to the employer that there is a mismatch between name and SSN and that the number belongs to someone else. However, IRS cannot disclose any further information such as the identity of the true owner of the SSN, to the employer. The employer is required to file a Form W-2 with accurate information and to file a corrected form if necessary. If an employer fails to file information returns or fails to include complete and correct information on them, IRS is authorized to penalize the employer. However, in prior work, we have reported that because of limited requirements for employers to verify and report accurate employee names and SSNs, few, if any, employers are likely to be penalized.[Footnote 16] For example, if employers establish reasonable cause for the incorrect Form W-2 information by showing they solicited an SSN from each employee one to three times, depending on the circumstances, and that they used this information to complete the wage statements, IRS will waive the penalties on the employers.[Footnote 17] In 2008, IRS carried out a servicewide analysis of its efforts related to notification of identity theft victims and employers and information sharing with other federal agencies. IRS sought to determine if it was fully utilizing its disclosure authority under section 6103 to address the problem of identity theft and assist victims. The working group conducting the analysis determined that IRS was appropriately using its disclosure authority, though it also identified a few areas where IRS had authority to expand victim/employer notification and information sharing with federal law enforcement, if doing so was deemed sound policy. IRS is in the planning phase of an initiative to notify victims of employment fraud. Section 6103 also limits the types of information indicating identity theft that the IRS can share with other agencies. For example, according to officials in IRS's Office of Chief Counsel, IRS can only share limited information about employment fraud with the Department of Homeland Security (DHS) and the Social Security Administration (SSA). A circumstance where IRS can share some information with federal law enforcement/immigration agencies is when IRS performs a criminal investigation. In these cases IRS can make investigative disclosures, i.e., the sharing of specific, limited information necessary for receiving information from other agencies that might support or further IRS's investigation. Disclosure of taxpayer information to state and local law enforcement agencies is even more limited. As mentioned previously, officials stated that IRS is currently investigating processes to securely transmit compromised credit card information to banks. IRS officials also noted that tax fraud is not one of the 11 felony offenses enumerated in 18 U.S.C. §1028A, the Aggravated Identity Theft Statute. This means that in federal identity theft prosecutions, identity thieves would not be subject to the enhanced sentencing prescribed in the statute, an additional 2-year term of imprisonment. They also stated that this may be one factor that deters other federal law enforcement agencies and federal prosecutors from referring identity theft cases to IRS to look for possible tax fraud or making identity theft-related tax fraud a priority when determining which cases to pursue. According to PIPDS officials, activities that place 501 and 504 indicators on taxpayer accounts do not routinely accept information about identity theft victims from other federal agencies or other external parties. IRS does not routinely accept this information because it does not meet IRS's substantiation requirements. Section 6103 does not limit IRS's ability to share more general information about how to manage identity theft. PIPDS has coordinated with private industry leaders, tax professionals, and other federal agencies on identity theft prevention, detection, and taxpayer assistance about how to handle tax-related identity theft issues and to share information about the increase in online fraud threats. PIPDS officials also meet with officials from other federal agencies such as SSA, FTC, and DHS and held a forum in July 2008 to share information on the effects of identity theft on victims and to identify best practices for preventing and resolving identity theft issues. According to PIPDS, one result of the forum was that IRS co-sponsored, along with the FTC, DHS, US Postal Inspection Service, Department of Commerce, DOJ, and the Securities and Exchange Commission, an educational website, [hyperlink, http://www.onguardonline.gov]. IRS is also coordinating with agencies to shut down phishing sites and online fraud schemes. According to CI and PIPDS, they are members of the Identity Theft Enforcement Interagency Working Group which shares information about leading identity theft activities, groups, and offenders with federal agencies that pursue identity theft cases. Conclusion: While identity theft is known to cause tax problems for a relatively small number of taxpayers, for those affected the problems can be severe and include refunds frozen and time wasted. In an effort to more efficiently identify refund fraud and employment fraud as well as to assist innocent taxpayers, IRS put in place four new initiatives. Although IRS management has begun to develop performance measures, it is not known how well the measures will assess the effectiveness of the four initiatives. Furthermore, it would be desirable to have the new measures in place for the 2010 filing season for at least two reasons. First, most refund fraud is committed during the filing season and also most employment fraud is detected as part of the filing process. Second, IRS is expanding the identity theft initiatives for the 2010 filing season. Without performance measures in place, neither Congress nor IRS management will know whether the 2010 changes are effective or if additional changes are needed. Recommendation for Executive Action: We recommend that the Commissioner of Internal Revenue ensure that performance measures suitable for assessing the effectiveness of its identity theft initiatives, and associated data collection procedures, are in place at the beginning of the 2010 filing season. Agency Comments: The Commissioner of Internal Revenue provided written comments on a draft of this report in an August 31, 2009, letter, which is reprinted in appendix IV. The Commissioner agreed with our recommendation. In his letter, the Commissioner discussed IRS's commitment to reduce the impact of identity theft on taxpayers and said that he has made it a priority at IRS to reduce the burden placed on the taxpayer and the tax system because of identity theft. IRS provided separate comments on technical issues, which we incorporated into this report where appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from its issue date. At that time, we will send copies to the Secretary of the Treasury; the Commissioner of Internal Revenue, and other interested parties. This report will also be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-9110 or whitej@gao.gov. Contact points for our offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix V. Signed by: James R. White: Director, Tax Issues Strategic Issues Team: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of this report were to (1) describe how much identity theft-related refund and employment fraud the Internal Revenue Service (IRS) faces and whether incidents of identity theft go undetected by IRS, (2) assess the actions IRS is taking to prevent and detect identity theft-related tax problems and to assist affected taxpayers, and (3) describe what IRS is doing to coordinate its identity theft- related efforts with other government and nongovernment entities. To understand how much identity theft-related refund and employment fraud IRS faces, we interviewed IRS officials from the Office of Privacy, Information Protection and Data Security (PIPDS), Wage and Investment Division (W&I), Small Business/Self-Employed Division (SB/ SE), Criminal Investigation Division (CI), and Submission Processing. We discussed the processes and systems used to identify identity theft- related refund fraud and IRS's use of the identity theft indicators. Additionally, we analyzed information from PIPDS on the number and characteristics of identity theft-related refund and employment fraud by cases and affected taxpayers, including the activity reporting the incident and the type of identity theft indicator placed on the taxpayer account. Based on the information we collected on the identity theft-related incidents and affected taxpayers, we also were able to discuss the outcomes of the identity theft-related refund fraud cases and identify the reasons which incidents of identity theft go undetected. To determine the reliability of the PIPDS data sets, we interviewed knowledgeable officials to discuss processes followed to upload the taxpayer data, collection methods, and the data reported on and for what purpose. We also reviewed related documentation to determine the accuracy of the 2008 year-end aggregate numbers of taxpayers affected and identity indicators placed on accounts. PIPDS provided us with monthly reports on the number of taxpayers affected and incidents reported as well as an annual report totaling these numbers. We compared the monthly reports to the aggregated data to identify any obvious errors in accuracy and completeness. We determined that the PIPDS data we used for this objective were sufficiently reliable for this assessment. To assess what actions IRS is taking to prevent and detect identity theft-related problems and to assist affected taxpayers, we interviewed officials from PIPDS, W&I, SB/SE, CI, the Online Fraud Detection and Prevention office (OFDP), and the Taxpayer Advocate Service (TAS). We discussed new initiatives IRS has implemented to detect and resolve identity theft as well as assist affected taxpayers and educate taxpayers about identity theft. We also reviewed prior GAO work to obtain information on identity theft-related issues in the federal government and on systems used to safeguard IRS data and to identify identity theft-related incidents, as well as Treasury Inspector General for Tax Administration (TIGTA) reports to obtain information on the identity theft-related processes and procedures used by IRS. Additionally, we collected and analyzed IRS's Identity Protection Strategy, policies and procedures related to identity theft prevention and detection and assistance, relevant sections of the Internal Revenue Manual and Internal Revenue Code, and governmentwide guidance on performance measures. To understand how IRS implemented some of the new initiatives, we visited the Andover, Massachusetts campus and reviewed processes followed by the Identity Protection Specialized Unit (IPSU) and the Baltimore call center to listen to calls taken by customer service representatives on the identity theft hotline. Additionally, we met with and reviewed the software used by the OFDP staff when taking down a fraudulent Web site. For these new initiatives, we collected data on the number of affected taxpayers whose records had identity theft indicators, the number of cases worked by the IPSU, information on calls received by the dedicated identity theft call-in number, and the number of fraudulent Web sites taken down by OFDP. We reviewed the data and documents provided by IRS in conjunction with discussions with IRS officials in order to describe these new initiatives as well as to understand the extent to which IRS had performance measures to determine the effectiveness of the new initiatives. We used previous GAO work and recommendations to describe systems and information security weaknesses and assessed how these weaknesses may translate to identity theft-related issues for IRS and taxpayers. To assess whether IRS's initiatives were working as intended, we interviewed PIPDS and TAS officials and used IRS and TAS data to identify (1) the frequency with which suspected identity theft-related refund fraud reoccurred for taxpayers known to have had identity theft issues in the past and (2) how often taxpayers took identity theft- related tax problems to TAS after other IRS functions had determined that their issues were related to identity theft. To assess whether the business rules were working as intended, we tested suspected identity theft-related refunds that were identified by CI to determine how many of the corresponding taxpayers had indicators on their accounts before the refunds were stopped or issued by IRS. To perform this assessment we received from PIPDS taxpayer data on all taxpayer accounts that had indicators on them. We also received from CI taxpayer data on all suspected identity theft-related refunds that were identified, stopped, and issued by IRS from January 1, 2009, through April 30, 2009. To assess how often taxpayers took their issues to TAS after an identity theft indicator had been placed on their accounts, we compared taxpayer data from TAS with identity theft as a primary or secondary issue code to data from PIPDS identifying all taxpayer accounts with identity theft indicators. We compared the dates the identity theft indicator was placed on the accounts to the dates when TAS received the cases. Additionally, we reviewed the reason why the cases came to TAS based on each identity theft indicator. We requested TAS cases received from October 1, 2008, through May 18, 2009, and PIPDS indicator data from calendar year 2008. We received taxpayer data from PIPDS, CI, and TAS. To ensure the reliability of the data, we performed an analysis using Statistical Analysis Software (SAS) to test for obvious errors in accuracy and completeness. Additionally, we reviewed related reports to determine if there were any discrepancies in the data we received. Any questions we had about the data were answered by knowledgeable officials with whom we also discussed the processes followed to upload the taxpayer data, collection methods, and the data reported on and for what purpose. We determined that the PIPDS, CI, and TAS data we used for this analysis were sufficiently reliable to use for this assessment. To identify what IRS is doing to coordinate its identity theft-related efforts with those of other government agencies and other entities as well as to identify any lessons learned, we interviewed officials from IRS's PIPDS, Office of General Counsel, OFDP, and W&I. We also reviewed documentation provided by IRS officials, a recorded version of the IRS identity protection forum held in July 2008, and previous GAO work. We also reviewed an IRS general counsel analysis and discussion of Section 6103 of the Internal Revenue Code to determine the circumstances in which IRS can share information with other federal agencies, law enforcement employers, and the taxpayers for identity theft-related refund and employment fraud issues. We conducted this performance audit from October 2008 through August 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Description of Indicator Codes Used to Identify Tax and Non-Tax Related Issues: In January 2008, the Internal Revenue Service (IRS) began using indicator codes to identify taxpayers with identity theft-related issues. How the identity theft-related issue comes to IRS and the type of incident will dictate the indicator that will be placed on taxpayers' accounts. Based on the incidents, IRS can require additional documentation to substantiate the identity theft and run certain flagged accounts through additional screenings in subsequent years. See table 6 for a more detailed description of the indicators. Table 6: Indicator Codes Used by IRS to Flag Taxpayer Accounts for Tax- and Non-Tax-Related Identity Theft Issues: Indicator codes: Indication of identity theft; 501: Taxpayer receives indication from IRS program about potential problems on his or her account and believes that he or she may be a victim of identity theft; 504: Taxpayer's personal identifying information is stolen outside of IRS, but taxpayer wants to take precautionary measures on his or her account; 505: IRS loses taxpayer's personal identifying information, which could potentially cause identity theft issues for the taxpayer in the future; 506: CI determines that a taxpayer is a victim of identity theft based on review of taxpayer's account. Indicator codes: Tax related/Non-tax related; 501: Tax related; 504: Non-tax related; 505: Non-tax related; 506: Tax related. Indicator codes: Required documentation from taxpayer; 501: Substantiation of; identity theft; 504: Substantiation of; identity theft; 505: None; 506: None. Indicator codes: Business units placing indicator on the account; 501: Primarily W&I, SB/SE, TAS, and PIPDS; 504: W&I (through IPSU); 505: PIPDS; 506: Primarily CI. Indicator codes: Run through business rules; 501: Yes; 504: No; 505: No; 506: Yes. Indicator codes: Assistance to taxpayer; 501: Indicator will stay on taxpayer account for 3 years and account will go through additional screening procedures for 3 years; 504: Indicator will stay on taxpayer account for 3 years; 505: Indicator will stay on taxpayer account for 3 years and taxpayer can receive free credit monitoring, which includes insurance to cover damages resulting from identity theft; 506: Indicator will stay on taxpayer account for 3 years and account will go through additional screening procedures for 3 years. Source: GAO analysis of IRS information. [End of table] [End of section] Appendix III: Procedures Followed for Additional Screening of Certain Indicator Accounts: Taxpayer accounts with a 501 or 506 indicator are run through additional screenings in subsequent years to determine the legitimacy of the return filed. The Internal Revenue Service (IRS) initially decided to run the 501 and 506 indicators through additional screenings because IRS processes determined those accounts to have identity theft directly impacting IRS. Returns that pass the additional screening are sent through for regular processing. If a return fails the screening, the Unpostable Unit in Submission Processing will attempt to determine if the return was filed by the legitimate taxpayer or an identity thief. If the Unpostable Unit cannot resolve the problem, Accounts Management will conduct a more detailed analysis, which may include contacting the taxpayer. Once Accounts Management determines the owner of the return, they will forward the information back to the Unpostable Unit who will send the legitimate returns through for regular processing and mark any returns filed by identity thieves as bad. Figure 4: Process Followed to Run Tax-Related Accounts with Indicator Codes through Additional Screening Procedures: [Refer to PDF for image: illustration] [End of figure] [End of section] Appendix IV: Comments from the Internal Revenue Service: Commissioner: Department Of The Treasury: Internal Revenue Service: Washington, D.C. 20224: August 31, 2009: Mr. James R. White: Director, Tax Issues: Strategic Issues Team: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. White: Thank you for the opportunity to comment on the draft report, Tax Administration: IRS Has Implemented Initiatives to Prevent, Detect, and Resolve Identity Theft-Related Problems, but Needs to Assess Their Effectiveness (Government Accountability Office09-882). We appreciate that your draft report recognizes the progress that the Internal Revenue Service has made to prevent and detect identity theft-related problems and to assist affected taxpayers. The security and privacy of taxpayer information is of the utmost importance to the IRS. We are committed to reduce the impact of identity theft on taxpayers, I have made it a priority of this agency to reduce the burden placed on the taxpayer and the tax system because of identity theft. We appreciate GAO's continued work and focus on this issue. I agree that strong performance measures are critical for the long-term success of the program and the IRS will have them in place for the 2010 filing season. If you have any questions or would like to discuss our response further, please contact Deborah Wolf, Director, Privacy, Information Protection and Data Security, at (609) 2787732. Sincerely, Signed by: Douglas H. Shulman: [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: James R. White, (202) 512-9110 or whitej@gao.gov: Acknowledgments: In addition to the individual named above, David Lewis, Assistant Director; Sabine Paul, Assistant Director; Mary Fike; Suzanne Heimbach; Sairah Ijaz; Laurie King; Sabrina Streagle; and James Ungvarsky made key contributions to this report. [End of section] Footnotes: [1] Malware (malicious software) is defined as programs that are designed to carry out annoying or harmful actions. They often masquerade as useful programs or are embedded into useful programs so that users are induced into activating them. [2] Pub. L. No. 105-318, 112 Stat. 3007 (1998). [3] Exec. Order No. 13,402 (May 10, 2006), 71 Fed. Reg. 27,945 (May 15, 2006). [4] We are defining activities to include IRS business operating divisions, functions, or programs. [5] Another reason a catalog of identity theft incidents is incomplete is because not all victims decide to substantiate the identity theft; IRS only catalogs a case if the victim is able to substantiate the theft. [6] CI provided data on fraudulent refunds stopped and issued from January 1, 2009, to April 30, 2009, and about $3,400 is the median amount from these data. [7] The number of refund fraud cases in table 3 is greater than the number of cases listed in tables 1 and 2 because the earlier tables list cases where the identity of the legitimate taxpayer had been determined. Table 3 includes cases where IRS was in the process of making those determinations. [8] IRS intends to develop additional indicators for the 2010 filing season, including indicators for SSN-related and employment fraud problems. [9] Substantiation documentation includes copies of photo identification and a police report or an FTC identity theft affidavit. [10] More information about which IRS activities assign which action codes can be found in table 6 in appendix II. [11] National Taxpayer Advocate, 2008 Annual Report to Congress (Washington, D.C: Dec 31, 2008). [12] IRS officials told us that they have not received any negative feedback from taxpayers; however, they have not specifically asked for feedback, for example, through surveys. [13] TIGTA audits and investigates IRS's operations to (1) promote economy and efficiency and detect and prevent fraud and abuse and (2) recommend actions for improvement. [14] GAO has not determined if an IRS employee has committed any identity theft as a result of these weaknesses. [15] GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009). [16] GAO, Tax Administration: IRS Needs to Consider Options for Revising Regulations to Increase the Accuracy of Social Security Numbers on Wage Statements, [hyperlink, http://www.gao.gov/products/GAO-04-712] (Washington, D.C.: Aug., 31, 2004). [17] Under Treas. Reg. § 301.6724-1; Publication 1586, Reasonable Cause Regulations and Requirements for Missing and Incorrect Name/TINs, establishing reasonable cause consists of making an initial request for the employee's name and SSN and, depending upon the circumstances, an annual solicitation thereafter. Employers must then show they have used this solicited information when submitting the information return(s) in question. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: