IRS Testing New Program to Fight Tax Fraud

IRS Testing New Program to Fight Tax Fraud

The Internal Revenue Service is testing a new Return Review Program to help identify instances of tax return fraud, but the security of the system needs improvement, according to a new government report.

The report, publicly released Tuesday by the Treasury Inspector General for Tax Administration, said the IRS chartered the initiation of the Return Review Program, or RRP, in 2009 to replace the Electronic Fraud Detection System, also known as the EFDS. The IRS paused the development of the RRP in January of last year to allow more time to evaluate the performance and design of the parallel-processing database in the system and to revisit the IRS’s strategic business fraud detection goals. 

TIGTA found that during an IRS pilot test, the RRP models flagged potential identity theft fraud not detected by the EFDS models. During a 32-day test, the RRP Identity Theft Model identified 51,946 returns as potential identity theft cases. The IRS confirmed that 41,311 of those returns involved identity theft. However, of the confirmed identity theft cases, the IRS determined that 10,348 cases (or about 25 percent), totaling $43 million in refunds, were not detected by the EFDS or the Dependent Database.

In addition, IRS tests showed that 8 million tax returns a day can be loaded to the RRP database as required. For example, over a one-week period the RRP consistently loaded between 7 million and 9 million returns a day.

However, the IRS classified the RRP as a Level 3 system, that is, it is considered to be an information resource instead of a major system. Because the RRP was classified as a Level 3 Federal Information Security Management Act system, RRP-specific security issues may not be effectively addressed, TIGTA warned. In addition, identified security vulnerabilities were not remediated. For example, the October 2014 network scans identified two RRP servers that were still vulnerable to the Heartbleed bug six months after the vulnerability was announced. Read more on Accounting Today.