Identity Theft and Tax Fraud:

IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program

GAO-16-508: Published: May 24, 2016. Publicly Released: Jun 23, 2016.

Contact:

James R. McTigue, Jr
(202) 512-9110
mctiguej@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Taxpayer Protection Program (TPP). While the Internal Revenue Service (IRS) has made efforts to strengthen TPP—a program to authenticate the identities of suspicious tax return filers and prevent identity theft (IDT) refund fraud—fraudsters are still able to pass through and obtain fraudulent refunds. TPP authenticates taxpayers by asking questions only a real taxpayer should know; however, fraudsters can pass by obtaining a taxpayer's personally identifiable information (PII). IRS estimates that of the 1.6 million returns selected for TPP, it potentially paid $30 million to IDT fraudsters who filed about 7,200 returns that passed TPP authentication in the 2015 filing season; however, GAO's analysis suggests the amount paid was likely to be higher. Although IRS conducted a risk assessment for TPP in 2012, IRS has not conducted an updated risk assessment that reflects the current threat of IDT refund fraud—specifically, the threat that some fraudsters possess the PII needed to pass authentication questions. Federal e-authentication guidance requires agencies to assess risks to programs. An updated risk assessment would help IRS identify opportunities to strengthen TPP. Strengthened authentication would help IRS prevent revenue loss and reduce the number of legitimate taxpayers who become fraud victims.

IRS Estimates of Attempted IDT Refund Fraud, 2014

IDT Refund Fraud Cost Estimates. In response to past GAO recommendations, IRS adopted a new methodology in an effort to improve its 2014 IDT refund fraud cost estimates. However, the estimates do not include returns that fail to meet specific refund thresholds. IRS officials said the thresholds allow them to prioritize IRS's enforcement efforts. However, using thresholds could result in incomplete estimates. Improved estimates would help IRS better understand how fraud is evading agency defenses. The GAO Cost Guide states that cost estimates should include all relevant costs. Additionally, IRS's estimates of refunds it protected from fraud are based on the Global Report, which counts each time a fraudulent return is caught by IRS and thus counts some returns multiple times. IRS uses this data source because it is IRS's official record of IDT refund fraud. The GAO Cost Guide states that agencies should use primary data for estimates and the data should contain few mistakes. By using the Global Report, as opposed to return-level data, IRS produces inaccurate estimates of IDT refund fraud, which could impede IRS and congressional efforts to monitor and combat this evolving threat.

Why GAO Did This Study

IRS estimates that, in 2014, it prevented or recovered $22.5 billion in attempted IDT refund fraud, but paid $3.1 billion in fraudulent IDT refunds. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when a refund-seeking fraudster obtains an individual's identifying information and uses it to file a fraudulent tax return. Despite IRS's efforts to identify and prevent IDT refund fraud, this crime is an evolving and costly problem.

GAO was asked to examine IRS's efforts to combat IDT refund fraud. This report (1) evaluates the performance of IRS's TPP and (2) assesses IRS's efforts to improve its estimates of IDT refund fraud costs for 2014. To evaluate TPP, GAO reviewed IRS studies, reviewed relevant guidance, and met with agency officials. Further, GAO conducted a scenario analysis to understand the effect of different assumptions on IRS's TPP analysis. To assess IRS's IDT cost estimates, GAO evaluated IRS's methodology against selected best practices in the GAO Cost Guide.

What GAO Recommends

GAO recommends that IRS update its TPP risk assessment and take appropriate actions to mitigate risks identified in the assessment. GAO also recommends that IRS improve its IDT cost estimates by removing refund thresholds and using return-level data where available. IRS agreed with GAO's TPP recommendations and will update its risk assessment. IRS took action consistent with GAO's IDT cost estimate recommendations.

For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: As of December 2017, IRS had conducted risk assessments for its TPP online and phone options. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. According to officials, in January 2017, IRS held a workshop to assess TPP's risks in all channels, including TPP's phone option. In August 2017, IRS held a second workshop to analyze TPP risks realized during the 2017 filing season. IRS also completed its post-season analysis of potential refunds paid to fraudsters and identified additional analyses to identify identity theft trends.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRS conducted a risk assessment for TPP's online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP's online authentication option offline while working to improve the option's authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factor authentication, that mitigate risks identified in the 2016 assessment. In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phone option. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments, IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.

    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: Beginning with its 2015 Taxonomy estimates reported in October 2016, IRS has removed refund thresholds from criteria used to develop Taxonomy estimates for refunds paid to known and likely identity thieves.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: In response to our recommendation, in August 2016, IRS reported that the agency did not agree with GAO's recommendation and noted that the agency does not think that adopting a different methodology for Taxonomy estimates is an effective use of agency resources. As we reported in May 2016, by not using return-level data, IRS risks overcounting the incidence of fraud, which could potentially lead to biased resource allocations and other decisions. In contrast, as of April 2018, IRS has taken some steps to use return-level data to reduce overcounting in its Taxonomy estimates. In developing its 2015 Taxonomy, IRS began using return-level data to improve estimates related to e-file rejects. While this demonstrates progress, IRS needs to take additional steps to use return-level data to further reduce the potential effect of overcounting on other Taxonomy estimates. We reported in May 2016 that IRS may be overcounting refunds for returns detected by IRS's identity theft defenses. More specifically, refunds for returns that are detected by multiple defenses can be counted multiple times in IRS's estimates. In its most recent 2017 Taxonomy, IRS states that it has taken steps to reduce this overcounting. We are in the process of assessing these new steps.

    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 
