Identity Theft:
IRS Needs to Better Assess the Risks of Refund Fraud on Business-Related Returns
GAO-20-174: Published: Jan 30, 2020. Publicly Released: Mar 2, 2020.
Additional Materials:
- Highlights Page:
- Full Report:
Contact:
(202) 512-9110
mctiguej@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Thieves can claim a business’s tax refund by fraudulently using the business’s tax ID number and other identifying information.
Between January 2017 and August 2019, IRS’s efforts to prevent this type of fraud helped keep $384 million out of criminals’ hands.
However, we found that IRS could do more to combat this evolving threat. We made 6 recommendations to help IRS stay ahead of criminals who would steal businesses’ tax refunds, including designating an entity to provide oversight of its efforts and following leading practices to assess fraud risks.

What GAO Found
The Internal Revenue Service (IRS) has efforts in place to detect business identity theft refund fraud (business IDT), which occurs when thieves create, use, or try to use a business's identifying information to claim a refund. IRS uses computerized checks, or fraud filters, to screen incoming returns. From January 2017 to August 2019, IRS researched about 182,700 returns stopped by business IDT fraud filters. IRS determined that about 77 percent of returns (claiming $38.3 billion) were not business IDT and about 4 percent of returns (claiming $384 million) were confirmed business IDT. As of August 2019, IRS was reviewing the remaining returns.
The Fraud Reduction and Data Analytics Act of 2015 created requirements for agencies to establish financial and administrative controls for managing fraud risks. These requirements are aligned with leading practices outlined in GAO's A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). IRS has taken steps to understand fraud risks associated with business IDT but has not aligned its efforts with selected components within the Fraud Risk Framework. First, IRS leadership has demonstrated a commitment to identifying and combating overall identity theft refund fraud, but has not designated a dedicated entity to design and oversee business IDT fraud risk management efforts agency-wide. This is because the program is relatively new. Without designating an entity to help guide agency-wide business IDT fraud risk efforts, it is not clear which entity would be responsible for assessing business IDT risks and documenting the results.
Second, IRS has not conducted a fraud risk assessment or developed a fraud risk profile for business IDT consistent with the Fraud Risk Framework's leading practices. Doing so would help IRS determine the likelihood and impact of risks, the level of risk IRS is willing to tolerate, and the suitability, costs, and benefits of existing fraud risk controls. IRS officials stated that they have not formally performed a fraud risk assessment or developed a risk profile because they have directed their resources toward identifying and addressing business IDT that is occurring right now and improving fraud detection efforts. Documenting a risk profile would also help IRS determine whether additional fraud controls are needed and whether to make adjustments to existing controls.
Third, IRS has not assessed which business-related tax forms or fraud scenarios pose the greatest risk to IRS and taxpayers. Current business IDT fraud filters cover the most commonly filed tax forms; however, IRS has not developed fraud filters for at least 25 additional business-related forms that may be susceptible to business IDT. Without additional data on business IDT, IRS cannot estimate the full size and scope of this problem.
IRS has procedures for resolving business IDT cases and has described general guidelines for resolving business IDT cases, but it does not resolve all cases within these guidelines. Further, IRS has not established customer service-oriented performance goals for resolving business IDT cases, which is inconsistent with federal guidance. Establishing performance goals may help IRS better serve taxpayers and minimize additional costs to the Treasury.
Why GAO Did This Study
Business IDT is an evolving threat to both taxpayers and IRS and, if not addressed, can result in large financial losses to the government. The risk of business IDT has increased due to the availability of personally identifiable information and the general ease of obtaining business-related information online. This makes it more difficult for IRS to distinguish legitimate taxpayers from fraudsters.
GAO was asked to review IRS's efforts to combat business IDT. This report (1) describes IRS's current efforts to detect business IDT, (2) evaluates IRS's efforts to prevent business IDT against selected fraud risk management leading practices, and (3) assesses IRS's efforts to resolve business IDT cases.
GAO reviewed IRS documents and business IDT fraud detection data, evaluated IRS's efforts to combat business IDT against two components of GAO's Fraud Risk Framework, analyzed case resolution data, and interviewed IRS officials.
What GAO Recommends
GAO is making six recommendations, including that IRS designate a dedicated entity to manage its business IDT efforts, develop a fraud risk profile consistent with leading practices, implement additional fraud filters consistent with the profile, and establish customer service-oriented performance goals for resolving business IDT cases. IRS agreed with five recommendations. IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals, but stated it would take actions consistent with the recommendation.
For more information, contact James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.
Recommendations for Executive Action
Status: Open

Priority recommendation

Comments: In January 2020, IRS agreed to designate a dedicated entity to provide oversight of agency-wide business IDT efforts and stated that it will determine the appropriate oversight structure and scope of authority.
Recommendation: The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business IDT, consistent with leading practices. This may involve designating one business unit as a lead entity or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk. (Recommendation 1)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open

Priority recommendation

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Recommendation: The Commissioner of Internal Revenue should develop a fraud risk profile for business IDT that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls. (Recommendation 2)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Recommendation: The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile. (Recommendation 3)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Recommendation: The Commissioner of Internal Revenue should ensure that IRS collects additional data on business IDT by identifying and implementing new fraud filters consistent with its fraud risk profile. This should include prioritizing IDT filters for tax forms determined to be most at risk based on an analysis of risk tolerances. (Recommendation 4)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation. In January 2020, IRS stated that it will complete an analysis of other authentication methods.
Recommendation: The Commissioner of Internal Revenue should identify and implement methods to address delays in resolving business IDT cases due to correspondence-based authentication. This could involve using different methods for taxpayer authentication based on the risk level of the return. (Recommendation 5)
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. In January 2020, IRS stated that it will review its customer service-oriented performance goals and modify them, as warranted, to address the resolution of business identity theft cases. Doing so would meet the intent of our recommendation.
Recommendation: The Commissioner of Internal Revenue should establish customer service-oriented performance goals for resolving business IDT cases. (Recommendation 6)
Agency Affected: Department of the Treasury: Internal Revenue Service