What GAO Found
In March 2016, GAO reported that the Internal Revenue Service (IRS) had instituted numerous controls over key financial and tax processing systems; however, it had not always effectively implemented other controls intended to properly restrict access to systems and information, among other security measures. In particular, while IRS had improved some of its access controls, weaknesses remained in key controls for identifying and authenticating users, authorizing users' level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing facilities housing its information technology resources. These weaknesses were due in part to IRS's inconsistent implementation of its agency-wide security program, including not fully implementing prior GAO recommendations. GAO concluded that these weaknesses collectively constituted a significant deficiency for the purposes of financial reporting for fiscal year 2015. As a result, taxpayer and financial data continue to be exposed to unnecessary risk.
Identity theft refund fraud also poses a significant challenge. IRS estimates it paid $3.1 billion in these fraudulent refunds in filing season 2014, while preventing $22.5 billion (see figure). The full extent is unknown because of the challenges inherent in detecting this form of fraud.
Figure: IRS Estimates of Attempted Identity Theft Refund Fraud, 2014
IRS has taken steps to combat identity theft refund fraud such as improving phone service for taxpayers to report suspected identity theft and working with industry, states, and financial institutions to detect and prevent it. However, as GAO reported in August 2014 and January 2015, additional actions can further assist the agency in addressing this crime, including pre-refund matching of taxpayer returns with information returns from employers, and assessing the costs, benefits, and risks of improving methods for authenticating taxpayers. In addition, the Consolidated Appropriations Act 2016 includes a provision that would help IRS with pre-refund matching and also includes an additional $290 million to enhance cybersecurity, combat identity theft refund fraud, and improve customer service.
According to IRS and industry partners, the 2016 filing season has generally gone smoothly, with about 95 million returns and $215 billion in refunds processed through April 1, 2016. In addition, IRS increased its level of phone service to taxpayers, although it has not developed a comprehensive strategy for customer service as GAO recommended in December 2015.
Why GAO Did This Study
In collecting taxes, processing returns, and providing taxpayer service, IRS relies extensively on computerized systems. Thus it is critical that sensitive taxpayer and other data are protected. Recent data breaches at IRS highlight the vulnerability of taxpayer information. In addition, identity theft refund fraud is an evolving threat to honest taxpayers and tax administration. This crime occurs when a thief files a fraudulent return using a legitimate taxpayer's identity and claims a refund. In 2015, GAO added identity theft refund fraud to its high-risk area on the enforcement of tax laws and expanded its government-wide high-risk area on federal information security to include the protection of personally identifiable information.
This statement discusses (1) IRS information security controls over financial and tax processing systems, (2) IRS actions to address identity theft refund fraud, and (3) the status of selected IRS filing season operations. This statement is based on previously published GAO work as well as an update of selected data.
In addition to 49 prior recommendations that had not been implemented, GAO made 45 new recommendations to IRS to further improve its information security controls and the implementation of its agency-wide information security program. GAO has also made recommendations to help IRS combat identity theft refund fraud, such as assessing costs, benefits, and risks of taxpayer authentication options.