What GAO Found
The Internal Revenue Service (IRS) has efforts in place to detect business identity theft refund fraud (business IDT), which occurs when thieves create, use, or try to use a business’s identifying information to claim a refund. IRS uses computerized checks, or fraud filters, to screen incoming returns. From January 2017 to August 2019, IRS researched about 182,700 returns stopped by business IDT fraud filters. IRS determined that about 77 percent of returns (claiming $38.3 billion) were not business IDT and about 4 percent of returns (claiming $384 million) were confirmed business IDT. As of August 2019, IRS was reviewing the remaining returns.
The Fraud Reduction and Data Analytics Act of 2015 created requirements for agencies to establish financial and administrative controls for managing fraud risks. These requirements are aligned with leading practices outlined in GAO’s A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). IRS has taken steps to understand fraud risks associated with business IDT but has not aligned its efforts with selected components within the Fraud Risk Framework. First, IRS leadership has demonstrated a commitment to identifying and combating overall identity theft refund fraud, but has not designated a dedicated entity to design and oversee business IDT fraud risk management efforts agency-wide. This is because the program is relatively new. Without designating an entity to help guide agency-wide business IDT fraud risk efforts, it is not clear which entity would be responsible for assessing business IDT risks and documenting the results.
Second, IRS has not conducted a fraud risk assessment or developed a fraud risk profile for business IDT consistent with the Fraud Risk Framework’s leading practices. Doing so would help IRS determine the likelihood and impact of risks, the level of risk IRS is willing to tolerate, and the suitability, costs, and benefits of existing fraud risk controls. IRS officials stated that they have not formally performed a fraud risk assessment or developed a risk profile because they have directed their resources toward identifying and addressing business IDT that is occurring right now and improving fraud detection efforts. Documenting a risk profile would also help IRS determine whether additional fraud controls are needed and whether to make adjustments to existing controls.
Third, IRS has not assessed which business-related tax forms or fraud scenarios pose the greatest risk to IRS and taxpayers. Current business IDT fraud filters cover the most commonly filed tax forms; however, IRS has not developed fraud filters for at least 25 additional business-related forms that may be susceptible to business IDT. Without additional data on business IDT, IRS cannot estimate the full size and scope of this problem.
IRS has procedures for resolving business IDT cases and has described general guidelines for resolving business IDT cases, but it does not resolve all cases within these guidelines. Further, IRS has not established customer service-oriented performance goals for resolving business IDT cases, which is inconsistent with federal guidance. Establishing performance goals may help IRS better serve taxpayers and minimize additional costs to the Treasury.
Why GAO Did This Study
Business IDT is an evolving threat to both taxpayers and IRS and if not addressed can result in large financial losses to the government. The risk of business IDT has increased due to the availability of personally identifiable information and general ease of obtaining business-related information online. This makes it more difficult for IRS to distinguish legitimate taxpayers from fraudsters.
GAO was asked to review IRS’s efforts to combat business IDT. This report (1) describes IRS’s current efforts to detect business IDT, (2) evaluates IRS’s efforts to prevent business IDT against selected fraud risk management leading practices, and (3) assesses IRS’s efforts to resolve business IDT cases.
GAO reviewed IRS documents and business IDT fraud detection data, evaluated IRS’s efforts to combat business IDT against two components of GAO’s Fraud Risk Framework, analyzed case resolution data, and interviewed IRS officials.
What GAO Recommends
GAO is making six recommendations, including that IRS designate a dedicated entity to manage its business IDT efforts, develop a fraud risk profile consistent with leading practices, implement additional fraud filters consistent with the profile, and establish customer service-oriented performance goals for resolving business IDT cases. IRS agreed with five recommendations. IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals, but stated it would take actions consistent with the recommendation.
For more information, contact James R. McTigue, Jr. at (202) 512-9110 or firstname.lastname@example.org.