
Identity Theft and Tax Fraud: IRS Needs to Update Its Risk Assessment for the Taxpayer Protection Program

GAO-16-508 Published: May 24, 2016. Publicly Released: Jun 23, 2016.

Highlights

What GAO Found

Taxpayer Protection Program (TPP). While the Internal Revenue Service (IRS) has made efforts to strengthen TPP—a program to authenticate the identities of suspicious tax return filers and prevent identity theft (IDT) refund fraud—fraudsters are still able to pass through and obtain fraudulent refunds. TPP authenticates taxpayers by asking questions only a real taxpayer should know; however, fraudsters can pass by obtaining a taxpayer's personally identifiable information (PII). IRS estimates that of the 1.6 million returns selected for TPP, it potentially paid $30 million to IDT fraudsters who filed about 7,200 returns that passed TPP authentication in the 2015 filing season; however, GAO's analysis suggests the amount paid was likely to be higher. Although IRS conducted a risk assessment for TPP in 2012, IRS has not conducted an updated risk assessment that reflects the current threat of IDT refund fraud—specifically, the threat that some fraudsters possess the PII needed to pass authentication questions. Federal e-authentication guidance requires agencies to assess risks to programs. An updated risk assessment would help IRS identify opportunities to strengthen TPP. Strengthened authentication would help IRS prevent revenue loss and reduce the number of legitimate taxpayers who become fraud victims.

IRS Estimates of Attempted IDT Refund Fraud, 2014

IDT Refund Fraud Cost Estimates. In response to past GAO recommendations, IRS adopted a new methodology in an effort to improve its 2014 IDT refund fraud cost estimates. However, the estimates do not include returns that fail to meet specific refund thresholds. IRS officials said the thresholds allow them to prioritize IRS's enforcement efforts. However, using thresholds could result in incomplete estimates. Improved estimates would help IRS better understand how fraud is evading agency defenses. The GAO Cost Guide states that cost estimates should include all relevant costs. Additionally, IRS's estimates of refunds it protected from fraud are based on the Global Report, which counts each time a fraudulent return is caught by IRS and thus counts some returns multiple times. IRS uses this data source because it is IRS's official record of IDT refund fraud. The GAO Cost Guide states that agencies should use primary data for estimates and the data should contain few mistakes. By using the Global Report, as opposed to return-level data, IRS produces inaccurate estimates of IDT refund fraud, which could impede IRS and congressional efforts to monitor and combat this evolving threat.

Why GAO Did This Study

IRS estimates that, in 2014, it prevented or recovered $22.5 billion in attempted IDT refund fraud, but paid $3.1 billion in fraudulent IDT refunds. Because of the difficulties in knowing the amount of undetected fraud, the actual amount could differ from these point estimates. IDT refund fraud occurs when a refund-seeking fraudster obtains an individual's identifying information and uses it to file a fraudulent tax return. Despite IRS's efforts to identify and prevent IDT refund fraud, this crime is an evolving and costly problem.

GAO was asked to examine IRS's efforts to combat IDT refund fraud. This report (1) evaluates the performance of IRS's TPP and (2) assesses IRS's efforts to improve its estimates of IDT refund fraud costs for 2014. To evaluate TPP, GAO reviewed IRS studies, reviewed relevant guidance, and met with agency officials. Further, GAO conducted a scenario analysis to understand the effect of different assumptions on IRS's TPP analysis. To assess IRS's IDT cost estimates, GAO evaluated IRS's methodology against selected best practices in the GAO Cost Guide.

Recommendations

GAO recommends that IRS update its TPP risk assessment and take appropriate actions to mitigate risks identified in the assessment. GAO also recommends that IRS improve its IDT cost estimates by removing refund thresholds and using return-level data where available. IRS agreed with GAO's TPP recommendations and will update its risk assessment. IRS took action consistent with GAO's IDT cost estimate recommendations.

Recommendations for Executive Action

Agency Affected: Internal Revenue Service
Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment.
Status: Closed – Implemented
As of December 2017, IRS had conducted risk assessments for its TPP online and phone options. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. According to officials, in January 2017, IRS held a workshop to assess TPP's risks in all channels, including TPP's phone option. In August 2017, IRS held a second workshop to analyze TPP risks realized during the 2017 filing season. IRS also completed its post-season analysis of potential refunds paid to fraudsters and identified additional analyses to identify identity theft trends.

Agency Affected: Internal Revenue Service
Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.
Status: Closed – Implemented
As of December 2018, IRS had conducted risk assessments for TPP and implemented actions to mitigate risks identified in these assessments, as GAO recommended in May 2016. IRS conducted a risk assessment for TPP's online authentication option in May 2016 based on OMB and NIST guidance. As a result of this assessment, IRS took TPP's online authentication option offline while working to improve the option's authentication standard. IRS relaunched the option in October 2018 with improvements, such as two-factor authentication, that mitigate risks identified in the 2016 assessment. In 2017 IRS held a workshop to assess risks to other TPP authentication options, including the phone option. In February 2017 IRS implemented a new process for TPP phone authentication. By taking appropriate actions to mitigate risks identified in its TPP risk assessments, IRS will prevent fraudsters from passing TPP authentication and potentially receiving millions in refunds.

Agency Affected: Internal Revenue Service
Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.
Status: Closed – Implemented
Beginning with its 2015 Taxonomy estimates reported in October 2016, IRS has removed refund thresholds from criteria used to develop Taxonomy estimates for refunds paid to known and likely identity thieves.

Agency Affected: Internal Revenue Service
Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.
Status: Closed – Implemented
In developing its 2017 Taxonomy estimates in November 2018, the Internal Revenue Service (IRS) took steps to utilize return-level data to both reduce overcounting and improve the quality of Taxonomy estimates. IRS did so by updating the Taxonomy's methodology for estimating refunds detected by IRS's identity theft defenses. The updated methodology produces a count of returns detected as identity theft whereas the prior methodology produced a count of selections made by IRS's identity theft defenses and therefore led IRS to overcount returns selected by multiple defenses. This effort builds on IRS's 2016 effort to begin using return-level data to improve estimates of returns rejected by IRS's electronic filing system. By using return-level data to reduce overcounting, IRS can use Taxonomy information to better allocate resources and make more well-informed decisions.

Topics

Authentication, Crime prevention, Data integrity, Data storage, Fraud, Identity theft, Internal controls, Risk assessment, Tax administration, Tax information confidentiality, Tax refunds, Tax returns, Taxes, Taxpayers, Personally identifiable information, Cost estimates