Identity Theft: IRS Needs to Better Assess the Risks of Refund Fraud on Business-Related Returns
Thieves can claim a business’s tax refund by fraudulently using the business’s tax ID number and other identifying information.
Between January 2017 and August 2019, IRS’s efforts to prevent this type of fraud helped keep $384 million out of criminals’ hands.
However, we found that IRS could do more to combat this evolving threat. We made 6 recommendations to help IRS stay ahead of criminals who would steal businesses’ tax refunds, including designating an entity to provide oversight of its efforts and following leading practices to assess fraud risks.
What GAO Found
The Internal Revenue Service (IRS) has efforts in place to detect business identity theft refund fraud (business IDT), which occurs when thieves create, use, or try to use a business's identifying information to claim a refund. IRS uses computerized checks, or fraud filters, to screen incoming returns. From January 2017 to August 2019, IRS researched about 182,700 returns stopped by business IDT fraud filters. IRS determined that about 77 percent of returns (claiming $38.3 billion) were not business IDT and about 4 percent of returns (claiming $384 million) were confirmed business IDT. As of August 2019, IRS was reviewing the remaining returns.
The Fraud Reduction and Data Analytics Act of 2015 created requirements for agencies to establish financial and administrative controls for managing fraud risks. These requirements are aligned with leading practices outlined in GAO's A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). IRS has taken steps to understand fraud risks associated with business IDT but has not aligned its efforts with selected components within the Fraud Risk Framework. First, IRS leadership has demonstrated a commitment to identifying and combating overall identity theft refund fraud, but has not designated a dedicated entity to design and oversee business IDT fraud risk management efforts agency-wide. This is because the program is relatively new. Without designating an entity to help guide agency-wide business IDT fraud risk efforts, it is not clear which entity would be responsible for assessing business IDT risks and documenting the results.
Second, IRS has not conducted a fraud risk assessment or developed a fraud risk profile for business IDT consistent with the Fraud Risk Framework's leading practices. Doing so would help IRS determine the likelihood and impact of risks, the level of risk IRS is willing to tolerate, and the suitability, costs, and benefits of existing fraud risk controls. IRS officials stated that they have not formally performed a fraud risk assessment or developed a risk profile because they have directed their resources toward identifying and addressing business IDT that is occurring right now and improving fraud detection efforts. Documenting a risk profile would also help IRS determine whether additional fraud controls are needed and whether to make adjustments to existing controls.
Third, IRS has not assessed which business-related tax forms or fraud scenarios pose the greatest risk to IRS and taxpayers. Current business IDT fraud filters cover the most commonly filed tax forms; however, IRS has not developed fraud filters for at least 25 additional business-related forms that may be susceptible to business IDT. Without additional data on business IDT, IRS cannot estimate the full size and scope of this problem.
IRS has procedures for resolving business IDT cases and has described general guidelines for resolving business IDT cases, but it does not resolve all cases within these guidelines. Further, IRS has not established customer service-oriented performance goals for resolving business IDT cases, which is inconsistent with federal guidance. Establishing performance goals may help IRS better serve taxpayers and minimize additional costs to the Treasury.
Why GAO Did This Study
Business IDT is an evolving threat to both taxpayers and IRS and if not addressed can result in large financial losses to the government. The risk of business IDT has increased due to the availability of personally identifiable information and general ease of obtaining business-related information online. This makes it more difficult for IRS to distinguish legitimate taxpayers from fraudsters.
GAO was asked to review IRS's efforts to combat business IDT. This report (1) describes IRS's current efforts to detect business IDT, (2) evaluates IRS's efforts to prevent business IDT against selected fraud risk management leading practices, and (3) assesses IRS's efforts to resolve business IDT cases.
GAO reviewed IRS documents and business IDT fraud detection data, evaluated IRS's efforts to combat business IDT against two components of GAO's Fraud Risk Framework, analyzed case resolution data, and interviewed IRS officials.
GAO is making six recommendations, including that IRS designate a dedicated entity to manage its business IDT efforts, develop a fraud risk profile consistent with leading practices, implement additional fraud filters consistent with the profile, and establish customer service-oriented performance goals for resolving business IDT cases. IRS agreed with five recommendations. IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals, but stated it would take actions consistent with the recommendation.
Recommendations for Executive Action
|Internal Revenue Service||Priority Rec. The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business IDT, consistent with leading practices. This may involve designating one business unit as a lead entity or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk. (Recommendation 1)||
IRS agreed with the recommendation, but it has provided conflicting information on its implementation plans. In September 2020, IRS initially assigned oversight of its agency-wide efforts on business IDT to an executive steering committee. However, in February 2021, IRS officials stated that the agency is restructuring this executive steering committee and the restructured executive steering committee had not assumed the oversight role for business IDT. In May 2021, IRS officials stated that the committee would continue to serve as an interim oversight body on business IDT until IRS fully establishes the role of Chief of Identity Theft and Fraud, a new role described in its January 2021 Taxpayer First Act Report to Congress. As of May 2022, IRS has not shown how the executive steering committee serves as the oversight body for business IDT. Instead, IRS described work developing fraud filters at the business unit level. Although IRS characterized this as a coordinated approach, these units have limited authority to oversee business IDT, as we reported in January 2020. IRS officials stated that transitioning oversight to the new chief position may take up to 2 years. To fully implement this recommendation, IRS needs to demonstrate that the new leadership position has defined responsibilities and authority for managing fraud risk. We continue to monitor whether IRS is providing centralized oversight consistent with leading practices for fraud risk management in the interim. IRS's continued attention is important for coordinating its efforts to combat the evolving threat of business IDT.
|Internal Revenue Service||Priority Rec. The Commissioner of Internal Revenue should develop a fraud risk profile for business IDT that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls. (Recommendation 2)||
As of August 2022, IRS provided documentation to show that it has addressed this recommendation. First, in September 2020, IRS documented that it completed its first business identity theft (IDT) fraud risk assessment. IRS used several quantitative factors, as we suggested, to assess the extent of potential fraud risk on 35 business tax forms, including the likelihood, impact, and significance of potential fraud. IRS also updated its business IDT fraud risk assessment in October 2021, and assessed one additional form for potential fraud risk. As a result of this effort, IRS identified several business-related tax forms that posed a high-fraud risk but currently lacked effective fraud controls. IRS subsequently implemented new fraud filters for these forms. In August 2022, IRS provided documentation on its efforts to assess inherent fraud risks to business IDT, as we recommended in our January 2020 report. For example, IRS provided a summary analysis of its methods for authenticating a business using its current paper correspondence process, versus potential authentication options via phone and online. IRS determined that its current process was appropriate, given the risks associated with the other two methods. In addition, IRS provided a risk assessment performed in 2019 and updated in June 2021 on its online Employer Identification Number (EIN) system. As of August 2022, IRS has mitigation processes in place to ensure a sufficient audit trail and that the person requesting the EIN is not a bad actor. IRS also added new fraud filters to protect businesses from IDT during the COVID-19 pandemic, specifically related to newly implemented tax credits. By assessing and documenting fraud risks to business IDT, IRS has important information to establish risk tolerances and determine the sufficiency of existing fraud controls, particularly as new threats emerge in the tax environment.
|Internal Revenue Service||The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile. (Recommendation 3)||
IRS has taken several actions to address this recommendation. First, in September 2020, IRS documented that it completed its first business identity theft (IDT) fraud risk assessment on 35 business tax forms. Second, IRS updated its business IDT fraud risk assessment in October 2021 and assessed an additional form for potential fraud risk. As a result of this effort, IRS identified several business-related tax forms that posed a high-fraud risk, but currently lacked effective fraud controls. IRS subsequently implemented new fraud filters for these forms. In addition, in March 2022, IRS provided documentation of its first business IDT taxonomy, an in-depth analysis of the amount IRS has protected from, and lost to, business IDT. This effort also identified characteristics of business IDT on specific forms, which IRS will continue to monitor. IRS's continued efforts to monitor and implement fraud controls for at-risk business forms will better protect IRS from potentially paying millions of dollars in fraudulent refunds. Further, regular updates to IRS's business IDT taxonomy will help IRS monitor the full size and scope of business IDT.
|Internal Revenue Service||The Commissioner of Internal Revenue should ensure that IRS collects additional data on business IDT by identifying and implementing new fraud filters consistent with its fraud risk profile. This should include prioritizing IDT filters for tax forms determined to be most at risk based on an analysis of risk tolerances. (Recommendation 4)||
In August 2022, IRS provided documentation showing that it had developed a framework to identify and assess fraud risks for the different business tax forms that it processes, as we recommended in January 2020. Further, in September 2020, IRS documented that it had implemented and completed its first business identity theft (IDT) fraud risk assessment. IRS used several quantitative factors, as we suggested, to assess the extent of potential fraud risk on 35 business tax forms, including the likelihood, impact, and significance of potential fraud. IRS officials stated that they plan to revisit the business IDT fraud risk assessment annually. In its most recent business IDT fraud risk assessment from October 2021, IRS assessed one additional form for potential fraud risk. IRS officials also stated that they have taken steps to automate the risk assessment process to assist IRS staff and help eliminate human error. IRS has used the business IDT assessment's results to identify business forms that are at higher risk of IDT refund fraud, and do not have fraud filters in place. Specifically, prior to the 2022 filing season, IRS implemented a fraud filter for a form that IRS determined to be a high fraud risk but did not have an existing fraud filter. By implementing this recommendation, IRS has taken important steps toward strengthening its business IDT refund fraud controls and protecting additional tax revenue.
|Internal Revenue Service||The Commissioner of Internal Revenue should identify and implement methods to address delays in resolving business IDT cases due to correspondence-based authentication. This could involve using different methods for taxpayer authentication based on the risk level of the return. (Recommendation 5)||
In October 2021, IRS provided documentation to show it has addressed this recommendation. Specifically, IRS provided a summary analysis of its methods for authenticating a business using its current paper correspondence process, versus potential authentication options via phone and online. As a result of this analysis, IRS determined that its current correspondence process remains the best option for authenticating a business, due to risks associated with authenticating a person calling IRS on behalf of a business, and IRS's inability to provide a secure online authentication option for businesses at this time. In addition, IRS described efforts to improve the efficiency of processing business IDT correspondence, particularly due to mail backlogs created by the COVID-19 pandemic. In April 2020, IRS directed business taxpayers responding to requests to verify their identity to fax responses to IRS rather than send documents via mail. According to IRS officials, these responses went directly to IRS's business IDT workgroup, and staff were able to work on faxed responses electronically and in a remote environment. In addition, in December 2020, IRS began scanning all mailed business IDT responses from taxpayers, which can also be worked electronically. IRS officials stated that they will continue to look for ways to improve the paper-based authentication process, and authentication options for businesses. IRS's continued attention to this issue is critical, given the increase in unresolved business IDT cases since 2020. Specifically, as of October 2022, 66,000 business IDT cases remain unresolved in IRS's inventory, which is about three times more inventory than what IRS reported in October 2020 and October 2021.
|Internal Revenue Service||The Commissioner of Internal Revenue should establish customer service-oriented performance goals for resolving business IDT cases. (Recommendation 6)||
IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. However, the Taxpayer First Act of 2019 required IRS, in collaboration with the National Taxpayer Advocate, to set standards for the management of identity theft cases, which may include an average time for a taxpayer to wait to have their identity theft victim assistance case resolved. In October 2021, IRS set a new 120-day average time frame standard for processing individual and business identity theft cases. However, IRS's guidance from March 2022 states its actual case resolution time frame is 350 days on average, due to challenges created by the COVID-19 pandemic and an increase in its identity theft inventories. As a result, IRS officials stated that they would not be able to achieve the 120-day resolution time frame until October 2024. We will continue to monitor IRS's efforts on resolving business IDT cases to better meet taxpayer needs.