•  *   File retrieval and scanning processes contributed to delays and unnecessary requests for documents. For example, in 2 of 16 cases, resolution was delayed by at least 1 month while an assistor waited for another unit to retrieve and scan documents into IRS's system. In one of those cases, plus one other, the document request was unnecessary because the assistor closed the case without the document. Inefficient processes and unnecessary requests to retrieve and scan documents can delay case resolution and refunds to the legitimate taxpayer.

• * Potential weaknesses in IRS's internal control processes could lead to IRS paying refunds to fraudsters. In discussion groups with GAO, IRS assistors and managers said some assistors may release refunds even if indicators on the account show that the tax return is under review for IDT, or two returns have been filed for that taxpayer. Some participants said assistors answering telephone calls can release these holds because they do not understand the codes on the taxpayer's account. IRS officials said that these errors are not widespread and provided data to support their position. However, GAO identified weaknesses in those data, which IRS officials acknowledged. In response to this report, in January 2017 officials provided another analysis of IRS data that they said showed this type of error does occur but may not be as widespread as staff and managers suggested. GAO will continue to work with IRS to determine if these additional data are sufficient to address its recommendation.

• * IRS does not notify taxpayers when a dependent's identity appears on a fraudulent return. According to IRS officials, the agency does not consider a dependent to be a victim if his or her Social Security number had been used as a dependent on a fraudulent return. However, IRS has previously provided guidance to taxpayers when a dependent was a victim of identity theft. After one data breach in 2015, IRS notified taxpayers and provided information on actions that parents could take to protect a minor's identity when their dependents were also victims. By not notifying taxpayers that their dependents' information may have been used to commit fraud, IRS is limiting taxpayers' ability to take action to protect their dependents' identity.

The GAO said that the IRS should display customer service standards and performance online, review its retrieval and scanning processes, improve existing data or collect new data to monitor how and why staff release refunds before closing ID theft or duplicate return cases, and revise its notices to victims of ID theft. On this point, though, the IRS argued that the problem is not widespread and that current processes are sufficient, a point that the GAO disagreed with. The IRS did, however, agree with the other three recommendations.