Identity Theft and Tax Fraud:

IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program

GAO-16-508: Published: May 24, 2016. Publicly Released: Jun 23, 2016.

Multimedia:

Additional Materials:

Contact:

James R. McTigue, Jr
(202) 512-9110
mctiguej@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Taxpayer Protection Program (TPP). While the Internal Revenue Service (IRS) has made efforts to strengthen TPP—a program to authenticate the identities of suspicious tax return filers and prevent identity theft (IDT) refund fraud—fraudsters are still able to pass through and obtain fraudulent refunds. TPP authenticates taxpayers by asking questions only a real taxpayer should know; however, fraudsters can pass by obtaining a taxpayer's personally identifiable information (PII). IRS estimates that of the 1.6 million returns selected for TPP, it potentially paid $30 million to IDT fraudsters who filed about 7,200 returns that passed TPP authentication in the 2015 filing season; however, GAO's analysis suggests the amount paid was likely to be higher. Although IRS conducted a risk assessment for TPP in 2012, IRS has not conducted an updated risk assessment that reflects the current threat of IDT refund fraud—specifically, the threat that some fraudsters possess the PII needed to pass authentication questions. Federal e-authentication guidance requires agencies to assess risks to programs. An updated risk assessment would help IRS identify opportunities to strengthen TPP. Strengthened authentication would help IRS prevent revenue loss and reduce the number of legitimate taxpayers who become fraud victims.

IRS Estimates of Attempted IDT Refund Fraud, 2014

IRS Estimates of Attempted IDT Refund Fraud, 2014

IDT Refund Fraud Cost Estimates. In response to past GAO recommendations, IRS adopted a new methodology in an effort to improve its 2014 IDT refund fraud cost estimates. However, the estimates do not include returns that fail to meet specific refund thresholds. IRS officials said the thresholds allow them to prioritize IRS's enforcement efforts. However, using thresholds could result in incomplete estimates. Improved estimates would help IRS better understand how fraud is evading agency defenses. The GAO Cost Guide states that cost estimates should include all relevant costs. Additionally, IRS's estimates of refunds it protected from fraud are based on the Global Report , which counts each time a fraudulent return is caught by IRS and thus counts some returns multiple times. IRS uses this data source because it is IRS's official record of IDT refund fraud. The GAO Cost Guide states that agencies should use primary data for estimates and the data should contain few mistakes. By using the Global Report , as opposed to return-level data, IRS produces inaccurate estimates of IDT refund fraud, which could impede IRS and congressional efforts to monitor and combat this evolving threat.

Why GAO Did This Study

IRS estimates that, in 2014, it prevented or recovered $22.5 billion in attempted IDT refund fraud, but paid $3.1 billion in fraudulent IDT refunds. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when a refund-seeking fraudster obtains an individual's identifying information and uses it to file a fraudulent tax return. Despite IRS's efforts to identify and prevent IDT refund fraud, this crime is an evolving and costly problem.

GAO was asked to examine IRS's efforts to combat IDT refund fraud. This report (1) evaluates the performance of IRS's TPP and (2) assesses IRS's efforts to improve its estimates of IDT refund fraud costs for 2014. To evaluate TPP, GAO reviewed IRS studies, reviewed relevant guidance, and met with agency officials. Further, GAO conducted a scenario analysis to understand the effect of different assumptions on IRS's TPP analysis. To assess IRS's IDT cost estimates, GAO evaluated IRS's methodology against selected best practices in the GAO Cost Guide.

What GAO Recommends

GAO recommends that IRS update its TPP risk assessment and take appropriate actions to mitigate risks identified in the assessment. GAO also recommends that IRS improve its IDT cost estimates by removing refund thresholds and using return-level data where available. IRS agreed with GAO's TPP recommendations and will update its risk assessment. IRS took action consistent with GAO's IDT cost estimate recommendations.

For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: As of December 2017, IRS had conducted risk assessments for its TPP online and phone options. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. According to officials, in January 2017, IRS held a workshop to assess TPP's risks in all channels, including TPP's phone option. In August 2017, IRS held a second workshop to analyze TPP risks realized during the 2017 filing season. IRS also completed its post-season analysis of potential refunds paid to fraudsters and identified additional analyses to identify identity theft trends.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: As of December 2017, IRS had taken actions to mitigate risks, but needed to implement updates to its TPP authentication process. Based on the results of IRS's risk assessment, the agency took TPP's online authentication service offline and stated that officials are working to improve the level of assurance for the web application. In the interim, taxpayers authenticated their identities by phone or in-person. In February 2017, IRS implemented a new authentication process for TPP's phone authentication. In December 2017, officials told GAO they plan to re-launch TPP online authentication in two phases. IRS plans to launch the first phase in March 2018 to allow taxpayers to inform IRS that they did not file the return in question. The second phase, which IRS plans to launch in late 2018, will enable taxpayers who did file the returns in question to authenticate their identities and receive their refunds. Implementing improvements to strengthen TPP could help IRS prevent fraudsters from passing authentication and potentially receiving millions of dollars in refunds, as well as improve IRS's return on investment for its fraud detection efforts.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: Beginning with its 2015 Taxonomy estimates reported in October 2016, IRS has removed refund thresholds from criteria used to develop Taxonomy estimates for refunds paid to known and likely identity thieves.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: As of April 2018, IRS has taken steps to use return-level data to reduce overcounting in its Taxonomy estimates. For example, in developing its 2015 Taxonomy, IRS began using return-level data to improve estimates related to e-file rejects. However, IRS needs to further use return-level data to reduce the potential effect of overcounting on other Taxonomy estimates. As we reported in May 2016, IRS may be overcounting refunds for returns detected by IRS defenses because the agency uses the Global Identity Theft Report (Global Report) to calculate estimates for this category. More specifically, refunds for returns that are detected by multiple defenses can be counted multiple times in IRS's estimates. IRS already has a count of known and potential identity theft returns in its modeling dataset that the agency could use to help reduce overcounting for these estimates; however, IRS reported that it intends to use the Global Report for its upcoming 2017 Taxonomy. In August 2016, IRS reported that the agency did not agree with GAO's recommendation and noted that the agency does not think that adopting a different methodology for Taxonomy estimates is an effective use of agency resources.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Nov 8, 2018

Oct 29, 2018

Oct 22, 2018

Oct 3, 2018

Sep 26, 2018

Sep 18, 2018

Sep 10, 2018

Aug 23, 2018

Jul 31, 2018

Looking for more? Browse all our products here