Tax Filing: IRS Needs a Comprehensive Customer Service Strategy and Needs to Better Combat Identity Theft Refund Fraud and Protect Taxpayer Data
Highlights
What GAO Found
The Internal Revenue Service (IRS) improved phone service to taxpayers during the 2016 filing season compared to last year. According to IRS, this is due in part to the additional $290 million in funding Congress provided to improve customer service, identity theft (IDT) refund fraud, and cybersecurity efforts. However, IRS expects its performance for the entire fiscal year will not reach the levels of earlier years. In 2012 and 2014, GAO made recommendations for IRS to improve customer service, which it has yet to implement. Consequently, in December 2015, GAO suggested that Congress require the Department of the Treasury (Treasury) to work with IRS to develop a comprehensive customer service strategy that incorporates elements of these prior recommendations.
IDT refund fraud poses a significant challenge. Although the full extent of this fraud is unknown, IRS estimates it paid $3.1 billion in IDT fraudulent refunds in filing season 2014, while preventing the processing of $22.5 billion in fraudulent refunds (see figure).
IRS Estimates of Attempted Identity Theft Refund Fraud, 2014
IRS has taken steps to combat IDT refund fraud, such as increasing resources dedicated to combating the problem. However, as GAO reported in August 2014 and January 2015, additional actions can further assist the agency, including assessing the costs, benefits, and risks of improving methods for authenticating taxpayers. In addition, the Consolidated Appropriations Act, 2016 included a provision to accelerate filings of W-2 information from employers to the IRS that would help IRS with pre-refund matching. GAO suggested that Congress provide Treasury with authority to lower the threshold for e-filing W-2s, which would further enhance pre-refund matching.
In March 2016, GAO reported that IRS had instituted numerous controls over key financial and tax processing systems; however, it had not always effectively implemented other controls intended to properly restrict access to systems and information, among other security measures. While IRS had improved some of its access controls, weaknesses remained in controls over key systems for identifying and authenticating users, authorizing users' level of rights and privileges, and encrypting sensitive data. These weaknesses were due in part to IRS's inconsistent implementation of its agency-wide security program, including not fully implementing 49 prior GAO recommendations. GAO concluded that these weaknesses collectively constituted a significant deficiency for the purposes of financial reporting for fiscal year 2015. As a result, taxpayer and financial data continue to be exposed to increased risk.
Why GAO Did This Study
IRS provides service to tens of millions of taxpayers and processes most tax returns during the filing season. It is also a time when legitimate taxpayers may learn that they are a victim of IDT refund fraud, which occurs when a thief files a fraudulent return using a legitimate taxpayer's identity and claims a refund. In 2015, GAO added IDT refund fraud to its high-risk area on the enforcement of tax laws and expanded its government-wide high-risk area on federal information security to include the protection of personally identifiable information. With IRS's reliance on computerized systems, recent data breaches at IRS highlight the vulnerability of sensitive taxpayer information.
This statement discusses IRS's efforts to address (1) customer service declines, (2) IDT refund fraud challenges, and (3) information security weaknesses. This statement is based on GAO reports issued between 2012 and 2016 and includes updates of selected data.
Recommendations
GAO previously suggested that Congress consider requiring that Treasury work with IRS to develop a customer service strategy, and providing Treasury with the authority to lower the annual threshold for e-filing W-2s. GAO made prior recommendations to IRS to combat IDT refund fraud, such as assessing the costs, benefits, and risks of taxpayer authentication options, and 45 new recommendations to further improve IRS's information security controls and the implementation of its agency-wide information security program.