IRS fails to notify victims and Social Security Administration of identity theft cases

By Sally P. Schreiber, J.D.

Although it has identified over a million victims of employment-related identity theft, the IRS has not notified the victims or the Social Security Administration (SSA) in many cases, the Treasury Inspector General for Tax Administration (TIGTA) reported on Wednesday (TIGTA Rep’t No. 2016-40-065). Employment-related identity theft occurs when a person uses a stolen Social Security number (SSN) when seeking employment.

According to TIGTA, taxpayers may first realize they have been a victim of this type of identity theft when they receive an IRS notice about a discrepancy in the income they reported on their tax return. The IRS identifies these discrepancies by using its Automated Underreporter Program, which matches income reported on third-party information returns (e.g., Form W-2, Wage and Income Statement) with amounts taxpayers report on their individual income tax returns.

In July 2011, TIGTA noted that the IRS was in a unique position to identify employment-related identity theft but has no procedures in place to notify the victims. TIGTA at that time recommended that the IRS implement procedures to timely alert taxpayers when the IRS becomes aware that their identity was stolen. From February 2011 to December 2015, the IRS found almost 1.1 million victims of employment-related identity theft. In April 2014, the IRS began a pilot program to notify victims, but that pilot has been canceled. In addition, TIGTA’s review of the pilot notification initiative found that the IRS did not design the pilot to include a representative sample of employment identity theft victims. As a result, the IRS was unable to identify the costs, problems, and issues that would arise from implementing a permanent program to notify taxpayers of employment-related identity theft.

The IRS also has not developed a process to ensure the SSA is notified of the fraudulent wages. TIGTA reviewed a statistically valid sample of tax year 2013 Automated Underreporter Program cases involving identity theft and found that the SSA has no record of receiving an IRS notice for 21% of the cases. Taking this statistic and extrapolating it to all of the IRS’s cases, TIGTA projected that the IRS had failed to notify the SSA of incorrect wages in 397 cases. TIGTA also identified a number of cases that were incorrectly processed.

TIGTA made four recommendations to the IRS. (The fourth was completely redacted from the report.)

First, TIGTA recommended that the IRS develop processes and procedures to notify all individuals identified as victims of employment-related identity theft, including those whose identities were stolen before January 2017. The IRS agreed with this recommendation.

The second recommendation, which the IRS also agreed to, was to develop a tracking process to ensure that the required Form 9409, IRS/SSA Wage Worksheet, which notifies the SSA of wages that have been fraudulently reported, are completed by tax examiners and sent to the SSA via traceable mail with a return receipt requested.

The third recommendation was to notify the SSA of the specific cases of identity theft that TIGTA had discovered in its review, which the IRS did on July 20, 2016.

Sally P. Schreiber ( is a JofA senior editor.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.