Audit Finds Business Identity Theft Controls Still Lacking
A report from the Treasury Inspector General for Tax Administration (TIGTA) finds that despite measures by the Internal Revenue Service to flag possibly fraudulent business returns, a significant number of bogus returns are slipping through.
The agency’s first warning came three years ago, when TIGTA recommended the IRS install filters on its computer systems to screen for identity theft on business tax returns. At that time, the IRS agreed to install 25 such filters.
To be sure, the effort has shown results, identifying nearly 21,000 business returns as having identity-theft characteristics, with associated refund amounts totaling more than $2 billion.
Identity theft patterns are constantly evolving, however, as identity thieves and hackers change their tactics to avoid detection. So the Inspector General took a fresh look at the system—and found problems.
TIGTA found that employment tax returns weren’t being screened for potential identity theft. For the 2017 processing year, its study found that over 15,000 returns with refunds amounting to more than $200 million would have been flagged as potentially fraudulent if the IRS filters had included this type of return.
The Inspector General’s report continues, “TIGTA also found that only 220 of 5,133 Employer Identification Numbers (EIN) on the IRS’s Suspicious EIN Listing had the associated tax accounts locked. Although the IRS issued internal guidelines requiring the locking of tax accounts associated with bogus/fictitious EINs after January 2017, these guidelines were not consistently being followed. Moreover, the IRS removed 1,097 EINs from the Suspicious EIN Listing after completing a systemic analysis of filing and payment history. However, TIGTA’s more in-depth analysis identified characteristics that indicate many of the EINs should not have been removed.”
Flawed Follow-Up
TIGTA also found that business identity theft cases weren’t always processed accurately by the IRS. Its review of sample cases found that 23 percent were not accurately processed. The report estimates some 188 cases were affected.
Some cases that had been locked due to initially being flagged for suspicious information were released by the IRS in error. The report identified more than 870 tax returns that were initially locked as identity theft returns for Processing Year 2016, but mistakenly released. Those returns carried refunds of more than $61 million.
TIGTA made 10 recommendations to improve the identification of business identity theft. The recommendations include:
- Expanding the use of business identity theft filters to employment tax returns
- Reviewing and updating the Suspicious EIN Listing on a periodic basis
- Ensuring all EINs deemed to be bogus or fictitious are locked
- Developing processes and procedures to ensure that tax examiners accurately process business identity theft cases
- Developing processes to ensure that refunds associated with Processing Year 2016 identity theft tax returns remain frozen
The Inspector General says the IRS has agreed with eight recommendations and partially agreed with the remainder. The IRS did not agree that all the accounts the study identified should be locked. The agency says it plans to lock accounts only when there are clear indications of identity theft fraud. It also believes the degree and the method of taxpayer contact should be determined on a case-by-case basis.