Fast Facts

Thieves can claim a business’s tax refund by fraudulently using the business’s tax ID number and other identifying information.

Between January 2017 and August 2019, IRS’s efforts to prevent this type of fraud helped keep $384 million out of criminals’ hands.

However, we found that IRS could do more to combat this evolving threat. We made 6 recommendations to help IRS stay ahead of criminals who would steal businesses’ tax refunds, including designating an entity to provide oversight of its efforts and following leading practices to assess fraud risks.

A woman holding documents and looking at a computer screen superimposed on a background showing ones and zeros

A woman holding documents and looking at a computer screen superimposed on a background showing ones and zeros

Skip to Highlights
Highlights

What GAO Found

The Internal Revenue Service (IRS) has efforts in place to detect business identity theft refund fraud (business IDT), which occurs when thieves create, use, or try to use a business's identifying information to claim a refund. IRS uses computerized checks, or fraud filters, to screen incoming returns. From January 2017 to August 2019, IRS researched about 182,700 returns stopped by business IDT fraud filters. IRS determined that about 77 percent of returns (claiming $38.3 billion) were not business IDT and about 4 percent of returns (claiming $384 million) were confirmed business IDT. As of August 2019, IRS was reviewing the remaining returns.

The Fraud Reduction and Data Analytics Act of 2015 created requirements for agencies to establish financial and administrative controls for managing fraud risks. These requirements are aligned with leading practices outlined in GAO's A Framework for Managing Fraud Risks in Federal Programs ( Fraud Risk Framework) . IRS has taken steps to understand fraud risks associated with business IDT but has not aligned its efforts with selected components within the Fraud Risk Framework . First, IRS leadership has demonstrated a commitment to identifying and combating overall identity theft refund fraud, but has not designated a dedicated entity to design and oversee business IDT fraud risk management efforts agency-wide. This is because the program is relatively new. Without designating an entity to help guide agency-wide business IDT fraud risk efforts, it is not clear which entity would be responsible for assessing business IDT risks and documenting the results.

Second, IRS has not conducted a fraud risk assessment or developed a fraud risk profile for business IDT consistent with the Fraud Risk Framework's leading practices. Doing so would help IRS determine the likelihood and impact of risks, the level of risk IRS is willing to tolerate, and the suitability, costs, and benefits of existing fraud risk controls. IRS officials stated that they have not formally performed a fraud risk assessment or developed a risk profile because they have directed their resources toward identifying and addressing business IDT that is occurring right now and improving fraud detection efforts. Documenting a risk profile would also help IRS determine whether additional fraud controls are needed and whether to make adjustments to existing controls.

Third, IRS has not assessed which business-related tax forms or fraud scenarios pose the greatest risk to IRS and taxpayers. Current business IDT fraud filters cover the most commonly filed tax forms; however, IRS has not developed fraud filters for at least 25 additional business-related forms that may be susceptible to business IDT. Without additional data on business IDT, IRS cannot estimate the full size and scope of this problem.

IRS has procedures for resolving business IDT cases and has described general guidelines for resolving business IDT cases, but it does not resolve all cases within these guidelines. Further, IRS has not established customer service-oriented performance goals for resolving business IDT cases, which is inconsistent with federal guidance. Establishing performance goals may help IRS better serve taxpayers and minimize additional costs to the Treasury.

Why GAO Did This Study

Business IDT is an evolving threat to both taxpayers and IRS and if not addressed can result in large financial losses to the government. The risk of business IDT has increased due to the availability of personally identifiable information and general ease of obtaining business-related information online. This makes it more difficult for IRS to distinguish legitimate taxpayers from fraudsters.

GAO was asked to review IRS's efforts to combat business IDT. This report (1) describes IRS's current efforts to detect business IDT, (2) evaluates IRS's efforts to prevent business IDT against selected fraud risk management leading practices, and (3) assesses IRS's efforts to resolve business IDT cases.

GAO reviewed IRS documents and business IDT fraud detection data, evaluated IRS's efforts to combat business IDT against two components of GAO's Fraud Risk Framework , analyzed case resolution data, and interviewed IRS officials.

Skip to Recommendations

Recommendations

GAO is making six recommendations, including that IRS designate a dedicated entity to manage its business IDT efforts, develop a fraud risk profile consistent with leading practices, implement additional fraud filters consistent with the profile, and establish customer service-oriented performance goals for resolving business IDT cases. IRS agreed with five recommendations. IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals, but stated it would take actions consistent with the recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service
Priority Rec.
This is a priority recommendation.
The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business IDT, consistent with leading practices. This may involve designating one business unit as a lead entity or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk. (Recommendation 1)
Open
As of February 2021, the Internal Revenue Service (IRS) had taken steps to designate a dedicated entity to provide oversight of its business identity theft (IDT) refund fraud efforts, as GAO recommended in January 2020. Business IDT refund fraud occurs when thieves create, use, or try to use a business's identifying information to fraudulently claim a tax refund. In September 2020, IRS stated that the Services and Enforcement Executive Steering Committee would be the lead oversight body for agency-wide efforts to detect, prevent, and resolve business IDT. However, in February 2021, IRS officials stated that the agency is restructuring the Executive Steering Committee and it had not assumed the oversight role for business IDT. IRS officials stated that it is currently finalizing the responsibilities of a new Enforcement Executive Steering Committee, which will be responsible for providing oversight to IRS's agency-wide IDT efforts. Officials stated that in the meantime, IRS's Return Integrity and Compliance Services division has continued to provide direction for business-related fraud detection efforts. IRS's continued attention to this action--including ensuring that the committee has defined responsibilities and authority for managing fraud risk--will help coordinate its efforts to combat the evolving threat of business IDT.
Internal Revenue Service
Priority Rec.
This is a priority recommendation.
The Commissioner of Internal Revenue should develop a fraud risk profile for business IDT that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls. (Recommendation 2)
Open
As of February 2021, the Internal Revenue Service (IRS) had taken steps to identify and assess business identity theft (IDT) fraud risks and develop a fraud risk profile, as GAO recommended in January 2020. Business IDT occurs when thieves create, use, or try to use a business's identifying information to fraudulently claim a tax refund. Specifically, in October 2020, IRS completed a fraud risk assessment of 35 business-related tax forms using six quantitative measures of IDT refund fraud risk. These measures included assessing the likelihood of business IDT fraud risks occurring and impact on IRS, and assessing any existing fraud controls to address the risk. As a result of this effort, IRS identified seven business-related tax forms that pose a significant fraud risk but currently lack meaningful IDT controls, such as effective fraud filters. IRS officials stated that this information will be used to determine priorities for implementing new fraud filters, as appropriate. However, as of February 2021, IRS has not provided evidence of any action to identify and assess other inherent fraud risks to business IDT, such as those GAO highlighted in January 2020. For example, GAO described the inherent fraud risk and vulnerabilities associated with IRS's Employer Identification Number (EIN) application process. A fraud risk assessment would help IRS establish a risk tolerance for the EIN process and determine if existing fraud controls are sufficient to address the vulnerabilities inherent to this process. We will continue to work with IRS officials and monitor additional efforts on this and related actions. By continuing to identify and assess fraud risks to business IDT, IRS will be better positioned to establish risk tolerances and determine the sufficiency of existing fraud controls.
Internal Revenue Service The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile. (Recommendation 3)
Open
As of February 2021, the Internal Revenue Service (IRS) had taken preliminary steps to develop, document, and implement a strategy for addressing fraud risks that it has identified, as GAO recommended in January 2020. Specifically, in October 2020, IRS completed a fraud risk assessment of 35 business-related tax forms using six quantitative measures of IDT refund fraud risk. As a result of this effort, IRS identified seven business-related tax forms that pose a significant fraud risk but currently lack meaningful IDT controls, such as effective fraud filters. IRS stated that its subject matter experts will further analyze the fraud risks associated with these forms to help identify potential IDT schemes. Further, IRS stated that, as appropriate, it may implement antifraud controls for at-risk forms based on the results of its assessment. In February 2021, IRS officials stated that each year they implement additional business-related fraud filters to help reduce the impact of IDT refund fraud on IRS, resources permitting. IRS's continued attention to implementing its strategy and controls for at-risk business forms would better protect IRS from potentially paying millions of dollars in fraudulent refunds and position IRS to estimate the full size and scope of business IDT.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that IRS collects additional data on business IDT by identifying and implementing new fraud filters consistent with its fraud risk profile. This should include prioritizing IDT filters for tax forms determined to be most at risk based on an analysis of risk tolerances. (Recommendation 4)
Open
In December 2020, IRS provided information on its efforts to develop a fraud risk profile for business IDT which included information on business IDT fraud filters. We have reviewed this information and met with IRS officials in late January 2021. We will continue to meet with IRS officials to discuss their efforts in this area.
Internal Revenue Service The Commissioner of Internal Revenue should identify and implement methods to address delays in resolving business IDT cases due to correspondence-based authentication. This could involve using different methods for taxpayer authentication based on the risk level of the return. (Recommendation 5)
Open
IRS agreed with the recommendation. In January 2021, IRS stated that it is working on an analysis of other authentication methods. We will continue to monitor IRS's efforts in this area.
Internal Revenue Service The Commissioner of Internal Revenue should establish customer service-oriented performance goals for resolving business IDT cases. (Recommendation 6)
Open
IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. In January 2020, IRS stated that it will review its customer service-oriented performance goals and modify them, as warranted, to address the resolution of business identity theft cases. Doing so would meet the intent of our recommendation. In January 2021, IRS officials stated that due to the pandemic, there is a backlog of business IDT cases, and resolving these cases is a top priority. We will continue to monitor IRS's efforts to address this recommendation.

Full Report

GAO Contacts