Skip to main content

Identity Theft and Tax Fraud: Enhanced Authentication Could Combat Refund Fraud, but IRS Lacks an Estimate of Costs, Benefits and Risks

GAO-15-119 Published: Jan 20, 2015. Publicly Released: Feb 19, 2015.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Identity Theft (IDT) Refund Fraud Cost Estimates. The Internal Revenue Service's (IRS) fraud estimates met several GAO Cost Guide best practices, such as documenting data sources and detailing calculations. However, the estimates do not reflect the uncertainty inherent in measuring IDT refund fraud because they are presented as point estimates. Best practices suggest that agencies assess the effects of assumptions and potential errors on estimates. Officials said they did not assess the estimates' level of uncertainty because of resource constraints and methodological challenges. Because making different assumptions could affect IDT fraud estimates by billions of dollars, a point estimate (as opposed to, for example, a range) could lead to different decisions about allocating IDT resources. Reporting the uncertainty that is already known from IRS analysis (and conducting further analyses when not cost prohibitive) might help IRS communicate IDT refund fraud's inherent complexity.

IRS Estimates of Attempted IDT Refund Fraud, 2013

IRS i

While IRS's fraud estimates note the relevant cost assumptions used to develop estimates, they do not provide the rationale or analysis to support them. Officials stated they did not document the rationale because of the time and resources required. Best practices suggest that agencies should document assumptions. Given the evolving nature of IDT refund fraud, documenting assumptions' rationale would help IRS management and policymakers determine whether the assumptions remain valid or need to be updated.

Taxpayer Authentication. IRS recently created a group aimed at centralizing several prior ad hoc efforts to authenticate taxpayers across its systems. IRS's planning documentation contains goals and short- and long-term priorities (including implementation plans). However, a commitment to cost, benefit and risk analysis is not documented in the group's short- and long-term priorities. The draft planning documentation makes no mention of where such analyses would be included in IRS's priorities. Office of Management and Budget guidance states that agencies should use cost-benefit analyses that consider alternatives to promote efficient resource allocation and that agencies should ensure that authentication processes provide the appropriate level of assurance by assessing risks. Without analysis of costs, benefits and risks, IRS and Congress will not have quantitative information that could inform decisions about whether and how much to invest in the various authentication options. Cost, benefit and risk estimates for authentication would have the additional benefit of allowing comparisons with other options for combating IDT refund fraud. IDT options could have significant costs for taxpayers and IRS, so more information about the tradeoffs would help inform IRS and congressional decision making.

Why GAO Did This Study

IRS estimated it prevented $24.2 billion in fraudulent identity theft (IDT) refunds in 2013, but paid $5.8 billion later determined to be fraud. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when an identity thief uses a legitimate taxpayer's identifying information to file a fraudulent tax return and claims a refund.

GAO was asked to review IRS's efforts to combat IDT refund fraud. This report, the second in a series, assesses (1) the quality of IRS's IDT refund fraud cost estimates, and (2) IRS's progress in developing processes to enhance taxpayer authentication.

GAO compared IRS's IDT estimate methodology to GAO Cost Guide best practices (fraud is a cost to taxpayers). To assess IRS's progress enhancing authentication, GAO reviewed IRS documentation and interviewed IRS officials, other government officials, and associations representing software companies, return preparers, and financial institutions.

Recommendations

GAO recommends IRS improve its fraud estimates by (1) reporting the inherent imprecision and uncertainty of estimates, and (2) documenting the underlying analysis justifying cost-influencing assumptions. In addition, IRS should estimate and document the economic costs, benefits and risks of possible options for taxpayer authentication. IRS agreed with GAO's recommendations and provided technical comments that GAO incorporated, as appropriate.

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by documenting the underlying analysis justifying cost-influencing assumptions.
Closed – Implemented
In January 2017, IRS provided documentation that the agency documents the underlying assumptions in its Identity Theft Taxonomy estimates, which is consistent with GAO Cost Guide best practices. Specifically, IRS's Identity Theft Taxonomy documents the assumptions IRS used when creating its estimates of both identity theft fraud paid and identity theft prevented in 2015, such as criteria for identifying identity theft refunds to include in its estimates.
Internal Revenue Service To improve the reliability of Taxonomy estimates for future filing seasons, the Commissioner of Internal Revenue should follow relevant best practices outlined in the GAO Cost Guide by reporting the inherent imprecision and uncertainty of the estimates. For example, IRS could provide a range of values for its Taxonomy estimates.
Closed – Implemented
In January 2017, IRS provided information that the agency documents inherent imprecision and uncertainty in its Identity Theft Taxonomy estimates, which is consistent with GAO Cost Guide best practices. IRS has met the intent of our recommendation to incorporate uncertainty into the Taxonomy cost estimates. By conducting sensitivity analysis and uncertainty analysis of its estimates, IRS is better able to convey the inherent imprecision in its estimating methodology. Documenting the results in a decision memorandum that is signed by the organization's director is an indication that senior decision makers understand the range of values about estimates for each Taxonomy category.
Internal Revenue Service
Priority Rec.
To ensure relevant information is available to decision makers, the Commissioner of Internal Revenue should estimate and document the costs, benefits and risks of possible options for taxpayer authentication, in accordance with Office of Management and Budget and National Institute of Standards and Technology guidance.
Closed – Implemented
In May 2017, the Internal Revenue Service (IRS) implemented a business decision model to analyze and improve online taxpayer authentication tools, and provided GAO with results from one analysis. IRS's analysis (1) identifies expected costs for implementing an authentication tool, including IRS information technology costs and taxpayer burden; (2) compares the potential benefits to taxpayers and IRS for implementing versus not implementing the tool; and (3) identifies the risks associated with the project, the steps IRS has taken to mitigate them, and potential areas of increased risk if IRS were to implement the tool, consistent with GAO's January 2015 recommendation. Further, this analysis discusses how the tool aligns with IRS's strategic goals and includes a decision justification. IRS officials told GAO that this analysis served as the basis for IRS management's decision to approve implementing a new authentication tool. Further, IRS officials told GAO they find this analysis extremely useful and have also created a shorter cost-benefit-risk analysis template to facilitate decision making on smaller, day-to-day authentication issues.

Full Report

GAO Contacts

Topics

AuthenticationBest practicesComputer securityCost analysisDocumentationFraudIdentity theftInternal controlsPersonal identification numbersReporting requirementsRisk assessmentStrategic planningTax administrationTax refundsTax returnsTaxesCost estimates