Inspector general

FOR tax






October 13, 2017






FROM:                         J. Russell George /s/ J. Russell George

                                     Inspector General


SUBJECT:                   Management and Performance Challenges Facing the Internal Revenue Service for Fiscal Year 2018



The Reports Consolidation Act of 2000[1] requires that the Treasury Inspector General for Tax Administration (TIGTA) summarize, for inclusion in the annual Department of the Treasury Agency Financial Report, its perspective on the most serious management and performance challenges confronting the Internal Revenue Service (IRS).

Each year, TIGTA evaluates IRS programs, operations, and management functions to identify the areas of highest vulnerability to the Nation’s tax system.  For Fiscal Year (FY) 2018, the IRS’s top management and performance challenges, in order of priority, are:

1.          Security Over Taxpayer Data and Protection of IRS Resources;

2.          Identity Theft and Impersonation Fraud;

3.          Providing Quality Taxpayer Service and Expanding Online Services;

4.          Upgrading Tax Systems;

5.          Implementing Tax Law Changes;

6.          Improving Tax Compliance;

7.          Reducing Fraudulent Claims and Improper Payments;

8.          Impact of Global Economy on Tax Administration;

9.          Protecting Taxpayer Rights; and

10.      Achieving Program Efficiencies and Cost Savings.

TIGTA’s assessment of the major IRS management challenges for FY 2018 has changed from the prior fiscal year.  The changes include reprioritizing challenges three through seven and revising three challenges to reflect the current nature of the challenges.

Although not listed separately, human capital is also a significant concern and it affects the IRS’s ability to address the above challenges.  It remains a serious, underlying issue with wide-ranging implications for both the IRS and taxpayers.  Between FYs 2011 and 2016, the IRS budget decreased by more than $900 million and it lost approximately 12,000 full-time equivalents, including many employees with substantial institutional knowledge and technical expertise.  The IRS will continue to be challenged to allocate sufficient resources to deliver its priority program areas, including customer service and enforcement activities.

The following information detailing the management and performance challenges is provided to promote economy, efficiency, and effectiveness in the IRS’s administration of the Nation’s tax laws.


The IRS relies extensively on its computer systems to support both its financial and mission-related operations.  These computer systems collect and process large amounts of taxpayer data.  However, the threat landscape continues to evolve and bad actors are persistent in their pursuit of monetary gain and identity information.  Recent cyber events against the IRS have illustrated that these bad actors are continually seeking new ways to attack and exploit IRS systems and processes in order to access tax information for the purpose of identity theft and filing fraudulent tax refunds.  From the exploitation of IRS’s Get Transcript application to the Data Retrieval Tool exploitation, the IRS has closed one systemic weakness only to find that criminals have discovered another means to access tax information from the IRS.  In addition, the recent breach at Equifax that exposed sensitive personal information, including Social Security Numbers (SSN), could increase the risk of identity theft.  As a result, we believe that protecting the confidentiality of taxpayer information will continue to be a top concern for the IRS.

TIGTA has assessed the IRS’s electronic authentication platforms and made recommendations to develop a Service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensures that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensures that the authentication processes meet Government Information Security Standards.[2]  The IRS continues to take steps in response to TIGTA’s recommendations to provide more secure authentication, including the implementation of two-factor authentication and the strengthening of application and network controls.[3]  However, we remain concerned about the IRS’s logging and monitoring capabilities over all connections to IRS online services.  TIGTA is currently assessing the IRS’s efforts to improve its authentication processes and has identified areas in which the IRS still needs improvement.[4]  Specifically, the IRS has still not fully implemented network monitoring tools designed to improve prevention and detection of automated attacks and is not effectively monitoring audit logs for suspicious activity.  Due to the importance of secure authentication of individuals’ identities, we are planning to conduct additional reviews in this area.

The IRS also shares sensitive data with various outside entities, including other Federal, State, and local agencies; financial institutions; and contractors for tax administration purposes.  However, TIGTA found that the IRS did not ensure that encryption requirements are being enforced or that applicable protocols are being used to fully protect sensitive information during transmission.[5]  In addition, the IRS did not remediate high-risk vulnerabilities or install security patches on its servers used to transmit data in a timely manner.

In addition to external threats, the IRS must ensure that its systems and data are protected against internal threats.  These threats may appear in the form of malicious insiders or disgruntled employees who seek to misuse their access to taxpayer data or sensitive IRS business practices for personal gain.  These threats may also come in the form of employees who unintentionally do something to create a security weakness that may be exploited by others or unnecessarily expose data to unauthorized disclosure.  For example, audits of various internal systems have identified that users have been given more access privileges than their job requires, systems have not been updated with security patches on a timely basis, and high-risk security vulnerabilities have not been mitigated as required.[6]

Additionally, TIGTA’s Office of Investigations’ data analysis techniques have identified IRS employees who access taxpayer records without authorization and then use the information to engage in illegal activities.  In one recent investigation, TIGTA identified an IRS employee who accessed thousands of names, dates of birth, and SSNs from IRS data systems and then filed hundreds of fraudulent returns that claimed more than $550,000 in fraudulent tax refunds.  The IRS employee worked with two co-conspirators to cash the refunds.[7]  As a result of TIGTA’s investigation, the former employee was sentenced to serve over nine years in Federal prison and was ordered to pay more than $438,000 in restitution.[8]  We believe that the IRS must make significant gains in its deployment of audit trails for all of its data systems to enable TIGTA and the IRS to identify IRS employees who abuse their access authority in order to steal or improperly manipulate taxpayer data.

Besides safeguarding a vast amount of sensitive financial and personal data, the IRS must also protect its employees and more than 550 offices.  In the last several years, threats directed at the IRS have remained the second largest component of the Office of Investigations’ work.  Recent incidents involving taxpayers who threatened or assaulted IRS employees underscore the dangers that these employees face each day.  For example, a taxpayer mailed a device to the IRS campus in Ogden, Utah in July 2017 that appeared to be a pipe bomb.  This incident caused the IRS to shut down the campus while the bomb squad examined the device.[9]  Physical violence, harassment, and intimidation of IRS employees continue to pose challenges to the implementation of a fair and effective system of tax administration.


Tax-related identity theft continues to have a significant impact on tax administration.  Identity theft for the purpose of tax fraud occurs when an individual uses another person’s name and Taxpayer Identification Number (TIN), generally a SSN, to file a fraudulent tax return to obtain a tax refund.  Unscrupulous individuals are stealing identities at an alarming rate for this purpose.  The IRS lists identity theft as one of the top “Dirty Dozen” tax scams.[10]  

Since 2012, TIGTA has issued a series of reports assessing the IRS’s efforts to detect and prevent fraudulent tax refunds resulting from identity theft.  Our ongoing audit work shows that the IRS is making progress in detecting and resolving identity theft issues and providing victim assistance.  Most recently, we reported in February 2017 that IRS efforts are resulting in improved detection of identity theft individual tax returns at the time returns are processed and before fraudulent tax refunds are released.[11]

However, because new identity-theft patterns are constantly evolving, the IRS needs to continuously adapt its detection and prevention processes.  For example, identity theft also affects businesses.  In September 2015, TIGTA determined that processing filters could be developed to identify business tax returns containing certain characteristics that could indicate potential identity theft cases.[12]  In June 2017, TIGTA concluded that IRS processes are still not sufficient to identify all employment identity theft victims.[13]  Specifically, the IRS did not identify instances in which identity thieves electronically filed tax returns with evidence that the thieves had used the victims’ SSNs to gain employment.  Further, we determined that IRS processes do not identify employment identity theft when processing paper tax returns.

In addition, the IRS must work to protect taxpayers by educating them on the numerous schemes employed by criminals posing as IRS employees that attempt to deceive taxpayers into providing their personal financial information or coerce them into paying money on phony tax obligations through wire transfers or preloaded debit cards.  One of these schemes, the telephone impersonation scam, continues to be one of TIGTA’s top priorities and has also landed at the top of the IRS’s “Dirty Dozen” tax scams.  The number of complaints TIGTA has received about this scam continues to climb, cementing its status as the largest, most pervasive impersonation scam in the history of our agency.  As of September 1, 2017, more than two million people have reported to TIGTA that they received an impersonation call, and more than 11,500 victims have reported that they have paid the impersonators more than $60 million.

These criminals continuously change their tactics, hoping to ensnare even more victims.  According to the victims we have interviewed, scammers demand that the victims immediately pay the money using Apple iTunes® gift cards,[14] Target gift cards, prepaid debit cards, wire transfers, Western Union payments, or MoneyGram® payments in order to avoid being immediately arrested.  Because of the complexity of the scammers’ call center operations, the telephone impersonation scam will continue to pose a challenge to both the IRS and TIGTA, given that scams such as these are not typically resolved quickly and place a strain on limited IRS and TIGTA resources.  Many taxpayers are aware of the impersonation scam through public service announcements and other outreach efforts which, in turn, create other challenges for the IRS when those taxpayers question legitimate IRS employees who are conducting official IRS business.  Taxpayers have even threatened employees or called the police because they thought IRS employees were impostors.

TIGTA investigations have resulted in more than 90 individuals being arrested or criminally charged for their involvement in this scam and numerous investigations are still underway.  In addition to criminal prosecutions, we have created and instituted an “Advise and Disrupt” strategy to thwart scammers using robo-dialers.  Sustained investigative efforts and ongoing outreach to ensure that people do not become victims in the first place are critical to ensure continued success in combating this scam.

In addition to the telephone impersonation scam, taxpayers also fall victim to other scams.  We continue to receive reports of people who have become victims of lottery winning scams and are also seeing an uptick in the number of reported phishing attempts.[15]  The lottery scam starts with an unsolicited e-mail or telephone call from an impersonator to an unsuspecting victim.  The caller tells the intended victims that they have won a lottery or other valuable prize; however, in order to collect their prizes, the victims are advised that they must send money to prepay the tax on their “winnings” to the IRS.  A new phishing scheme involves scammers sending e-mails purporting to be a business’s Chief Executive or Financial Officer.  These e-mails notify the employees that there is an error on their Form W-2, Wage and Tax Statement, and direct the employees to either e-mail their Form W-2 to the sender, or provide information that is on the Form W-2 for verification.  Both approaches result in the theft of the employee’s personal identifying information.


Providing taxpayers with quality customer service is a key component in the IRS’s mission.  Ensuring that taxpayers understand and meet their tax responsibilities is crucial for the IRS in its effort to encourage voluntary compliance with the tax laws.  Resolving questions before tax returns are filed helps taxpayers avoid unintentional errors and noncompliance, and also reduces the burden on both taxpayers and the IRS that results from the issuance of notices and correspondence.  Successfully addressing and resolving taxpayer inquiries through a quality customer service process allows the IRS to direct its limited resources more efficiently. 

Taxpayers have multiple options to choose from when they need assistance from the IRS.  These include toll-free telephone lines, face-to-face assistance at Taxpayer Assistance Centers (TAC) or Volunteer Program sites, and self-assistance using and other social media channels (e.g., Twitter, Facebook, and YouTube).  For the 2017 Filing Season, the IRS transitioned all the TACs to appointment service.  The IRS indicated that budget cuts, the transition to appointment service, and continued promotion of alternative service options will result in the reduction of the number of TAC employees available to assist taxpayers.  The IRS estimated it would assist approximately 3.4 million taxpayers at the TACs in FY 2017, down more than two million from FY 2015 when it assisted 5.6 million taxpayers.  In addition, although the IRS reported 376 TACs for the 2017 Filing Season, 24 of those were not open because they had not been staffed. 

To address declining budgets, the IRS continues to increase its dependence on technology-based services and external partners in an effort to direct taxpayers to the most cost-effective method to provide the needed service.  The IRS notes that this approach allows it to focus limited telephone and walk-in resources on customer issues that can be best resolved with person-to-person interaction.  The IRS’s Future State[16] initiative, which includes expanding online tools available to taxpayers, will play a significant part in the IRS’s effort to modernize the taxpayer experience and allow its limited staff to better serve taxpayers who require one-on-one assistance.  The IRS’s goal is to eventually provide taxpayers with dynamic online tax account access that will allow them to view recent payments, make minor changes and adjustments to their tax accounts, and correspond digitally with the IRS.

In recent years, TIGTA has also identified a number of customer service issues related to taxpayers who were victims of identity theft.  In FY 2017, we completed a review to assess the IRS’s actions to improve and expand the Identity Protection Personal Identification Number (IP PIN)[17] Program.[18]  We identified approximately two million taxpayers for whom the IRS had resolved an identity theft case, but did not place a case resolution marker used to generate an IP PIN on the taxpayer’s account.  The IRS stated that this results from inconsistent case resolution guidance among different IRS functional areas in instances in which the victim’s address is unknown.  These inconsistent procedures will create burden for the two million taxpayers who do not have the marker on their account.  For example, while these individuals do not have a marker that will result in the generation of an IP PIN, they do have an identity-theft indicator because they are a confirmed victim of identity theft.  As such, when these taxpayers electronically file subsequent tax returns, they will experience delays while the IRS manually reviews and processes their returns.


Successful modernization of IRS systems and the development and implementation of new information technology applications are critical to meeting the IRS’s evolving business needs and to enhancing services provided to taxpayers.  The IRS’s reliance on legacy systems and its use of outdated programming languages pose significant risks to the IRS’s ability to deliver its mission. 

The IRS has a large and increasing amount of aged hardware, some of which is three to four times older than industry standards.  In the IRS’s FY 2016 President’s Budget, the IRS noted that its information technology infrastructure poses significant risk of failures, although it is unknown when these failures will occur, how severe they will be, or whether they will have material impacts on tax administration during the Filing Season.  Aged information technology hardware still in use introduces an unnecessary risk that excessive system downtime could occur due to hardware failures.  As information technology hardware ages, it becomes more difficult to obtain adequate support.  Aged hardware failures have a negative impact on IRS employee productivity, security of taxpayer information, and customer service. 

TIGTA reported that the IRS has not yet achieved its stated objective of reducing the percentage of its aged information technology hardware to an acceptable level of 20 to 25 percent.  In fact, the IRS’s percentage of aged information technology hardware has steadily increased from 40 percent at the beginning of FY 2013 to 64 percent at the beginning of FY 2017.[19]  

Further, the IRS has been using the Individual Master File (IMF), which uses an outdated assembly language code, for more than 50 years.  The IMF is the source for individual taxpayer accounts.  Within the IMF, accounts are updated, taxes are assessed, and refunds are generated.  Most of the IRS’s information systems and processes depend on the IMF, either directly or indirectly.  In 2009, the IRS began developing Customer Account Data Engine 2 (CADE 2) to address the issues regarding tax processing and to eventually replace the IMF.  CADE 2 is a key component of IRS systems modernization that establishes the foundation for capturing, storing, managing, and sharing taxpayer information.  CADE 2 is one of the most complex modernization programs in the Federal Government and involves major changes to several core information technology systems.  The IRS has implemented Transition State 1 for the CADE 2, which began in October 2009 and was completed in July 2014.  The first transition state provides daily processing and a single centralized relational database for all individual taxpayer accounts.  However, CADE 2 is currently still being developed, and the IRS does not have a firm date on when the target state (completion) of CADE 2 will be operational.  Therefore, the IRS will be relying on legacy systems for years to come.

Another area of concern regarding IRS systems modernization is ensuring that systems and data remain secure and reliable.  The IRS implemented the Integrated Production Model (IPM) to provide a single point of access to core taxpayer data (such as taxpayer accounts and tax returns).  The accuracy, completeness, and reliability of data on the IPM are essential to the IRS and its tax administration mission.  The IRS made significant changes to the IPM system, including moving data to different software and hardware platforms.  When these changes occurred, business ownership and security responsibilities of the IPM were moved to the Big Data Analytics General Support System.[20]  TIGTA found that the IRS did not follow its change management procedures when absorbing the IPM system into the Big Data Analytics General Support System.[21]  As a result, approximately 10 percent of security controls which previously protected IPM system data were not captured by the Big Data Analytics General Support System.  Without following the security change management process, there is an increased risk that changes could expose taxpayer data to additional security vulnerabilities.  Additionally, changes to operating environments or applications introduce new or increase existing security vulnerabilities, heightening risk to the overall information technology infrastructure.

Cloud computing holds tremendous potential for the Federal Government to deliver value to the public by increasing operational efficiency and responding faster to constituent needs.  In December 2010, the U.S. Chief Information Officer directed all Federal agencies to shift to a “cloud first” policy.  However, TIGTA reported that the IRS does not have an enterprise-wide cloud strategy.[22]  Although the IRS formed a working group in July 2016 to develop this strategy, it is not complete and no timeline has been established for completion.  In addition, the IRS did not comply with Office of Management and Budget guidance requiring agencies to use the Federal Risk and Authorization Management Program to conduct risk assessments, perform security authorizations, and grant Authorities to Operate for cloud services for the Form 990, Return of Organization Exempt From Income Tax, Cloud Project.  Without a documented strategy for the selection, management, and inventory of cloud services, there is an increased risk that deployed cloud services will not meet the IRS’s business and technical needs.


One of the continuing challenges the IRS faces each year in processing tax returns is the implementation of new tax laws as well as changes resulting from expired tax provisions.  Legislative actions generating the changes often occur late in the year, shortly before the filing season begins.  As a result, the IRS must act quickly to assess the change and determine the necessary actions to ensure that all legislative requirements are satisfied.  These actions may require revisions to various tax forms, instructions, and publications, as well as reprogramming computer systems to ensure that tax returns are accurately processed based on the changes.  Errors in the IRS’s tax return processing systems may delay tax refunds, affect the accuracy of taxpayer accounts, or result in incorrect taxpayer notices.

For the 2017 Filing Season, tax law changes included the continued implementation of the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act of 2010 (collectively referred to as the Affordable Care Act or ACA),[23] and those provisions of the Protecting Americans from Tax Hikes Act of 2015 (PATH Act)[24] specifically intended to reduce fraudulent and improper refundable credit claims.  The majority of the PATH Act’s provisions were effective January 1, 2016, and affect the processing of Tax Year 2016 returns.  The IRS has developed processes to implement key tax provisions of the PATH Act, including holding refunds for taxpayers claiming the Earned Income Tax Credit (EITC)[25] and Additional Child Tax Credit (ACTC)[26] until February 15 and identifying Child Tax Credit,[27] ACTC, and American Opportunity Tax Credit (AOTC)[28] claims filed by individuals with an inactive Individual Taxpayer Identification Number. 

In addition, the IRS was affected in the 2017 Filing Season by the Trade Preferences Extension Act of 2015 (Trade Act).[29]  The Trade Act retroactively extended the Health Coverage Tax Credit (HCTC) for Tax Year 2014 and continued the credit through Tax Year 2019.  The Trade Act required the IRS to provide HCTC advance monthly payments on behalf of eligible applicants starting in June 2016.  The IRS implemented an interim manual process to issue HCTC advance monthly payments on behalf of eligible applicants until the replacement systemic process was ready for use in January 2017.  However, TIGTA found that many of the individuals identified as potentially eligible may not meet requirements to receive or claim the HCTC.  Specifically, TIGTA identified 506,396 (57 percent) of the 896,213 individuals that the Pension Benefit Guaranty Corporation identified as potentially eligible to claim HCTC on the Tax Year 2015 return, as of December 2015, had a characteristic that disqualified them from claiming the HCTC.[30]

The Trade Act also requires that an individual claiming the AOTC, Lifetime Learning Credit, or the Tuition and Fees Deduction must receive a statement from the educational institution to claim these benefits.  This statement, which is generally on Form 1098-T, Tuition Statement, provides the name, address, and Employer Identification Number (EIN) of the educational institution.  This provision is effective for tax years beginning after June 29, 2015.  However, the IRS has not developed processes to identify all AOTC claims for which the student did not receive a Form 1098-T from the educational institution or for which the institution’s EIN is not provided. 

The ACA created the refundable Premium Tax Credit (PTC) to help offset the cost of health care insurance for those with low or moderate income.  Eligible individuals can elect to receive some, all, or none of the PTC in advance.  TIGTA verified the PTC claims made during the 2016 Filing Season and reported that the IRS accurately determined the amount of allowable tax credit on 97 percent of the returns.[31]  However, TIGTA found that not all the Exchanges[32] had provided the required Exchange Periodic Data to the IRS prior to the start of the 2016 Filing Season.  Without the required data, the IRS was unable to perform computer matches to verify filed claims or verify that individuals who received the advance PTC had filed a tax return as required.  In addition, TIGTA found that the IRS is sending erroneous notifications to the Exchanges and individuals indicating that the individuals had received the PTC in advance but did not file the required tax return.  This could result in denial of the advance PTC for the 2016 coverage year or delay the receipt of advanced credit payments while the individuals provided proof that they had filed a tax return.

TIGTA also reported that some of the processes to ensure that employers were in compliance with the Employer Shared Responsibility Provision[33] did not function as intended.[34]  Specifically, the IRS was unable to process paper information returns timely and accurately; the criteria used to identify validation errors in the submissions did not always work as intended; and the development and implementation of key systems needed to identify noncompliant employers have been delayed, not initiated, or cancelled.  As a result, the IRS did not have accurate and complete data to identify noncompliant employers. 


Despite IRS efforts to reduce it, the Tax Gap remains a serious and persistent challenge.  The Tax Gap is defined as the difference between the estimated amount taxpayers owe and the amount they voluntarily and timely pay for a tax year.  In FY 2016, the IRS issued Tax Gap estimates for Tax Years 2008 through 2010 that suggest compliance is substantially unchanged since the last estimate for Tax Year 2006.  The Tax Gap for Tax Years 2008 through 2010 is estimated to be $458 billion annually, compared to the $450 billion estimated for Tax Year 2006.  In an effort to lower the Tax Gap, the IRS identifies questionable tax returns to determine if any adjustments to the information reported on the tax returns are needed.  In addition, the IRS issues notices and contacts taxpayers to collect delinquent taxes.  If necessary, the IRS takes enforcement action, such as filing liens and seizing assets, to collect the taxes. 

The IRS’s compliance programs continue to be affected by reductions in the number of staff assigned to work cases, although enforcement revenue produced by these programs did not change significantly in FY 2016.  Specifically, the combined number of enforcement personnel decreased between 5 and 8 percent each year since FY 2012 (14,829) and resulted in the lowest number over the past 10 years in FY 2016 (11,195).  Unpaid assessments increased from $411.8 billion in FY 2015 to $421.8 billion at the end of FY 2016.  The IRS has projects underway to improve processes in a variety of areas, including contacting delinquent taxpayers earlier, developing new processes to deliver inventory to Collection and Examination functions, and optimizing outreach and communication.[35]

The Automated Substitute for Return (ASFR) Program is a key compliance program for the IRS and enforces filing compliance on taxpayers who have not filed individual income tax returns but appear to owe a significant tax liability.  Through the ASFR, the IRS secures a valid income tax return or prepares a Substitute for Return for taxpayers with a proposed tax assessment based on third-party information returns reported to the IRS combined with other internal data.  However, due to significant resource reductions, the Program is now used mainly as support for other key compliance programs.  ASFR inventory receipts and 30-day letter issuances decreased by 89 and 98 percent, respectively, between FYs 2009 and 2016.  With fewer cases entering inventory and ultimately being worked, the cases that are worked should be the highest priority cases.  However, TIGTA’s analysis showed the cases that have been worked have not resulted in more revenue per case.[36]  IRS collections from closed ASFR cases were approximately $2.9 billion (87 percent) less in the 2015-2016 period than in the 2010-2011 period, and 85 percent fewer ASFR cases were closed.  The decrease in tax dollars collected is significant and can be directly attributed to the decline in cases started and worked by the ASFR Program. 

Employment tax noncompliance also continues to steadily grow.  As of December 2015, 1.4 million employers owed approximately $45.6 billion in unpaid employment taxes, interest, and penalties.  The Trust Fund Recovery Penalty (TFRP) is an enforcement tool the IRS can use to discourage employers from continuing egregious employment tax noncompliance and provides an additional source of collection for unpaid employment taxes.[37]  In FY 2015, the IRS assessed the TFRP against approximately 27,000 responsible persons—38 percent fewer than just five years before, as a result of diminished revenue officer resources.  In contrast, the number of employers with egregious employment tax noncompliance (20 or more quarters of delinquent employment taxes) is steadily growing—it has more than tripled in a 17-year period.

We also reported in July 2017 that billions of dollars of potential underreported taxes are not being addressed because most discrepancy cases identified by the IRS are not worked.[38]  Discrepancy cases result when employers’ wage and withholding information reported on filed Forms W-2, Wage and Tax Statement, and Forms W-3, Transmittal of Wage and Tax Statements, do not match what was reported on the employers’ employment tax return.  Our analysis found that the IRS did not work discrepancy cases that had a potential underreported total tax difference of more than $7 billion. 


The Office of Management and Budget describes an improper payment as any payment that should not have been made, was made in an incorrect amount, or was made to an ineligible recipient.  The Improper Payment Information Act of 2002[39] requires Federal agencies, including the IRS, to estimate the amount of their improper payments and report to Congress annually on the causes of and the steps taken to reduce such improper payments.  The Improper Payment Elimination and Recovery Act of 2010[40] amended the 2002 Act by strengthening agency reporting requirements and redefining significant improper payments.

Although refundable credits provide benefits to individuals, the unintended consequence of these credits is that they can result in the issuance of improper payments and can be the targets of unscrupulous individuals who file erroneous claims.  Refundable credits can result in tax refunds even if no income tax is withheld or paid; that is, the credits can exceed an individual’s tax liability.  Consequently, they pose a significant risk as an avenue for those seeking to defraud the Government. 

The IRS issued an estimated $25 billion in potentially improper EITC, ACTC, and AOTC payments in FY 2016.  This represents a significant loss to both the Federal Government and taxpayers.  TIGTA remains concerned about the IRS’s inability to significantly reduce these payments. 

In April 2017, we reported that the IRS concluded that the ACTC and the AOTC presented a medium risk of improper payments for FY 2016.[41]  However, the IRS’s medium-risk rating continues to be contrary to its own compliance data, which shows that both the ACTC and AOTC programs present a high risk of improper payments.  Our review of these revised assessments found that they still do not include the use of available IRS compliance data to quantify erroneous payments.  Because the IRS does not rate these programs as high risk, it is not required to establish a corrective action plan to reduce the improper payments.

Using the IRS’s own compliance data, we computed the FY 2016 potential estimated improper payment rate for the ACTC and the AOTC.  We estimate that 25.2 percent ($7.2 billion) of ACTC payments were improper[42] and 24.1 percent ($1.1 billion) in AOTC payments were improper.[43]  The IRS is not required to perform a risk assessment of the EITC because it is designated as a high-risk program by the Office of Management and Budget.  For FY 2016, the IRS estimates EITC payments totaling $16.8 billion were issued improperly.

Congress enacted the PATH Act on December 18, 2015, which includes program integrity provisions intended to reduce fraudulent and improper EITC, Child Tax Credit, ACTC, and AOTC payments.  For example, one of the PATH Act’s provisions is intended to ensure that the IRS has the information and time needed to verify the income of individuals claiming the EITC and the ACTC before the related refund is issued.  According to the U.S. House of Representatives Committee on Ways and Means, these integrity provisions are projected to save roughly $7 billion over 10 years by reducing fraud, abuse, and improper payments in refundable credit programs. 

According to the IRS, approximately $1 billion (6 percent) of improper EITC payments are from program design limitations.  However, as we continue to report, IRS compliance resources are limited, and, consequently, the IRS does not address the majority of potentially erroneous EITC claims despite having established processes that identify billions of dollars in potentially erroneous EITC payments.  Although the PATH Act gives the IRS more time to verify EITC and ACTC claims before refunds are issued, it does not expand the IRS’s authority to systemically correct erroneous claims.  Currently, under the Internal Revenue Code, the IRS can use its math error authority to address erroneous EITC claims by systemically correcting mathematical or clerical errors on such claims.  For example, it can correct entries made on the wrong line on the tax return or mathematical errors made in computing income or the EITC.  However, the majority of potentially erroneous EITC claims that the IRS identifies do not contain the types of errors for which it has math error authority.  To address those potentially erroneous EITC claims identified that cannot be addressed using math error authority, the IRS must conduct an audit.  The IRS estimated that it costs $1.50 to resolve an erroneous EITC claim using math error authority compared to $278 to conduct a pre-refund audit.[44]

The IRS, in conjunction with the Assistant Secretary of the Treasury for Tax Policy, has in each year since FY 2013 set forth a legislative proposal requesting additional error correction authority as part of its annual budget submission.  Such authority, if provided by law, would allow the IRS to correct, during processing, tax returns when the information provided by the taxpayer does not match the information contained in Government databases (e.g., income information reported on the tax return does not match Forms W-2 from the Social Security Administration).  Without this additional error authority, billions of dollars in identified potentially erroneous claims will continue to go unaddressed each year.


The globalization of financial markets and the increased importance of multinational corporations are making it increasingly difficult for the IRS to administer and enforce tax compliance.  As the IRS noted in its most recent strategic plan, the evolution and proliferation of virtual commerce has expanded the exchange of goods, services, and currencies – real and virtual – across jurisdictions, further complicating tax administration.[45]  

As globalization and technological advancements continue to reduce barriers to cross-border commerce, tax authorities around the world have increased the sharing of tax-related information with other countries to administer and enforce the tax laws of their respective countries.  The information received from these other countries presents a potentially important source of data, including data indicating whether taxpayers have foreign income and/or assets, and assists the IRS in effectively administering and enforcing tax law compliance.  However, TIGTA found that the IRS did not have an adequate tracking system to account for the records that foreign countries sent on a regular basis and that access to the information is provided to a relatively small percentage of IRS compliance employees.[46] 

Additionally, expanding overseas activities of U.S. entities (individuals, trusts, and businesses) have increased certain opportunities for tax avoidance and/or evasion.  The IRS established an international enforcement program to address these issues and identified the Mutual Collection Assistance Request (MCAR) Program as a focus area.  An MCAR is a request for assistance from another country to collect taxes covered by the treaty of the other country.  While the MCAR Program is a useful collection tool, TIGTA found that the total dollar amount of U.S. liabilities collected by five mutual collection income tax treaty partners peaked in FY 2013 but dropped off significantly since then.  This is largely because the IRS does not use the MCAR Program to its full potential. 

Another area that has seen significant growth has been foreign investment in the U.S. housing market.  The National Association of Realtors provides estimates of nonresident alien individuals’ investment in U.S. property; based on those estimates, nonresident alien individuals’ investment in U.S. property increased from $34.8 billion during the 12-month period ending March 2013 to $43.5 billion during the 12-month period ending March 2016.[47]  With this increase comes a greater risk of noncompliance with tax laws and regulations.  TIGTA found that the IRS can improve controls to ensure that nonresident aliens are properly reporting rental income from their U.S. property.[48]  In a random sample of 149 nonresident aliens who rented their U.S. property in Tax Year 2013, TIGTA found 102 (68 percent) reduced their gross rental income without applying for a tax benefit by submitting an election statement.  As a result, almost $1.8 million in gross rental income should have been subject to a 30 percent tax withholding of $533,000, or $56.2 million when projected to the population.  The IRS needs to improve compliance checks for ensuring that election statements are made. 

The IRS also needs to improve tools for identifying nonresident aliens who are not reporting rental income from U.S. property they own.  From a sample of nonresident aliens owning property in five counties, TIGTA identified foreign property owners who appeared to have failed to report and pay tax on rental income earned.  TIGTA estimates that there is potentially unreported rental income of $60.9 million for the counties included in the sample. 


The IRS must balance its tax compliance activities against the rights of taxpayers to receive fair and equitable treatment.  This challenge will have increased significance now that the IRS has begun assigning certain taxpayer accounts to private debt collection companies, as mandated by the Fixing America’s Surface Transportation (FAST) Act.[49]  Enacted in December 2015, the FAST Act includes a provision that requires the IRS to use private debt collection companies to collect unpaid tax debts involving certain inactive tax receivables.  As a condition of receiving a contract, the private collection companies must respect taxpayer rights, including abiding by the consumer protection provisions of the Fair Debt Collection Practices Act.[50]  The IRS will need to ensure that collection company employees abide by these provisions and respect taxpayer rights during their contacts with taxpayers. 

The IRS continues to dedicate significant resources and attention to complying with taxpayer rights provisions of the IRS Restructuring and Reform Act of 1998 (RRA 98).[51]  As mandated by RRA 98, TIGTA conducts annual audits of a number of these taxpayer rights provisions.  In general, the IRS has improved its compliance with these statutory taxpayer rights provisions and is documenting its protection of taxpayer rights.  However, during the review of the IRS’s compliance with Notice of Federal Tax Lien due process procedures, TIGTA found that the IRS did not always notify taxpayers’ representatives of the Notice of Federal Tax Lien filings as required.[52]  Based on the sample results, TIGTA estimated that 28,913 taxpayers may have been adversely affected because the IRS did not follow procedures to notify taxpayers’ authorized representatives of the taxpayers’ rights related to the Notices of Federal Tax Lien.

We also continued to identify errors related to the determination of the Collection Statute Expiration Date (CSED) on taxpayer accounts during our review of the IRS Office of Appeals Collection Due Process Program.[53]  The CSED is the expiration of the time period established by law to collect taxes.  From a statistically valid sample, TIGTA identified instances in which the IRS incorrectly extended the CSED, allowing the IRS additional time it should not have had to collect delinquent taxes. 

In addition, TIGTA conducted an audit to evaluate the IRS’s use of seizures against property owners suspected of structuring currency transactions to avoid Bank Secrecy Act[54] reporting requirements.[55]  The Bank Secrecy Act requires financial institutions to report currency transactions in excess of $10,000.  This Federal law also makes it a crime for property owners to structure currency transactions in such a way as to avoid the filing of the report and subjects structured amounts to civil or criminal forfeiture proceedings.  TIGTA determined that the IRS enforced the Bank Secrecy Act’s anti-structuring provisions primarily against individuals and businesses whose income was legally obtained, and compromised the rights of some individuals and businesses in these investigations.  TIGTA determined that 91 percent of the 278 investigations in its sample in which source of funds could be determined were of businesses and individuals whose funds were obtained legally.  While the Bank Secrecy Act does not distinguish between legal and illegal sources of funds, IRS procedures dictate that the overall purpose of its civil forfeiture program is to disrupt and dismantle criminal enterprises.  Most people affected by the program did not appear to be criminal enterprises or engaged in other alleged illegal activity; rather, they were legal businesses such as jewelry stores, restaurant owners, gas station owners, and scrap metal dealers.  

As part of this audit, we reviewed all 28 criminal investigations during FY 2015 that resulted in asset seizures in which structuring was the primary criminal basis for the seizure to determine if the IRS complied with a new policy.  Under the new policy, the IRS will no longer pursue legal source structuring cases unless exceptional circumstances justify the seizure and the seizure is approved by the appropriate IRS executive.  We reviewed available supporting documentation and determined that for 20 of the 28 investigations, the seizures either conformed to policy, were not actually for structuring violations, or occurred well before the policy change.  However, for five cases, we believe that the actions taken by the Government were inconsistent with the new policy, and for three cases we did not find evidence that the IRS conformed to the new policy in making those seizures for structuring violations.


Continuing to identify and achieve greater program efficiencies and cost savings is imperative for the IRS as it strives to successfully accomplish its mission in a period of shrinking budgets and declining resources.  Implementing cost saving strategies is particularly critical as the IRS is tasked with additional responsibilities, often without additional budgetary funding. 

In its most recent strategic plan, which guides program and budget decisions, the IRS noted that it must meet the challenge of declining resources by working to achieve the optimal scale and scope for its programs and activities.  While the IRS has taken steps to reduce costs and improve program effectiveness, TIGTA has identified a number of areas in which the IRS can more efficiently use its limited resources and make more informed business decisions.

For example, TIGTA completed an audit to assess the IRS’s processes to ensure that employee salary overpayments or underpayments are prevented and detected when employees move into, within, and out of IRS pay bands.[56]  Based on a statistical sample of employees who received salary increases of greater than 10 percent for promotions into management positions between FYs 2006 and 2015, 31 percent of sampled employees were not paid correctly.  TIGTA estimates that the IRS overpaid more than 600 employees by approximately $4.2 million and underpaid more than 900 employees by approximately $2.7 million.

In another example of improving program efficiency, we also reported that the IRS has not effectively updated or implemented hiring policies to fully consider past IRS conduct and performance issues prior to making a tentative decision to hire former employees, including those who were terminated or separated during an investigation of a substantiated conduct or performance issue.[57]  While most employees who are rehired do not have prior conduct or performance issues, TIGTA found that more than 200 (approximately 10 percent) of the more than 2,000 former employees who were rehired between January 2015 and March 2016 had previously been terminated from the IRS or had separated while under investigation for a substantiated conduct or performance issue.  More than 150 (approximately 75 percent) of these employees were seasonal.  Although the IRS may have had a valid basis to rehire some of the more than 200 former employees with prior conduct and/or performance issues, TIGTA has serious concerns about the IRS’s decision to rehire certain employees, such as those who willfully failed to meet their Federal tax responsibilities.

In addition, we identified inefficiencies related to the IRS’s records retention processes.  Specifically, we determined that the IRS’s policies do not comply with certain Federal requirements that agencies must ensure that all records are retrievable and usable for as long as needed.[58]  For example, IRS e-mail retention policies are not adequate because e-mails are not automatically archived for all IRS employees.  Instead, the IRS’s current policy instructs employees to take manual actions to archive e-mails by saving them permanently on computer hard drives or network shared drives.  This policy has resulted in lost records when computer hard drives are destroyed or damaged. 

TIGTA also found that a more effective tax compliance strategy for ASFR casework would result in more efficient use of IRS resources.[59]  The IRS prioritized ASFR cases involving Refund Holds[60] over cases with potential high net tax due ($100,000 or more), even though the average dollars collected per case in cases with potential high net tax due is five times higher than all other cases.  TIGTA estimates that the IRS could collect $843 million over the next five years if it replaced 9 percent of Refund Hold inventory with high net tax due cases.

Similarly, we also reported that discrepancy case selection processes do not ensure that priority is given to working discrepancy cases with the highest potential tax assessment.[61]  The Combined Annual Wage Reporting (CAWR) Program compares the employee wage and withholding information reported to the IRS on employment tax forms to withholding documents filed with the Social Security Administration.  The purpose of the IRS-CAWR Program is to ensure that employers report the proper amount of employment taxes and Federal income tax withholding on their employment tax returns.  TIGTA’s analysis of the 114,088 TY 2013 unworked IRS-CAWR Program discrepancy cases showed that if the IRS had selected the 23,184 auto-generated cases with a higher average assessment potential to work, it would have selected cases with more than $128 million in assessment potential.  In addition to changing its selection methodology to work case types with the highest potential tax assessment, the IRS could further increase its return on investment by including prior year discrepancy cases when working current year discrepancy cases for the same employer.  TIGTA’s analysis found that 3,137 of the discrepancy cases identified in TY 2013 also had discrepancy cases in TY 2012, with potential underreported tax totaling more than $448 million for TY 2012.

TIGTA also reported that the IRS has not maintained standard pricing and terms and conditions for its software acquisitions, compiled a reliable baseline inventory of software licenses, or documented cost savings and cost avoidance attributable to improved software license management, as required by recent laws and regulations.[62]  Efficient and cost effective management of the IRS’s software assets is crucial to ensure that information technology services continue to support the IRS’s business operations and to help provide services to taxpayers efficiently. 


This memorandum is provided as our annual summary of the most serious major management and performance challenges confronting the IRS in FY 2018.  TIGTA’s Fiscal Year 2018 Annual Audit Plan contains our proposed reviews, which are organized in accordance with these challenges.  If you have any questions or wish to discuss our views on the challenges in greater detail, please contact me at (202) 622‑6500.


cc:      Assistant Secretary for Management

Deputy Chief Financial Officer

Commissioner of Internal Revenue

[1] 31 U.S.C. § 3516(d) (2006).

[2] TIGTA, Ref. No. 2016-40-007, Improved Tax Return Filing and Tax Account Access Authentication Processes and Procedures Are Needed (Nov. 2015).

[3] TIGTA, Ref. No. 2016-20-082, Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Sept. 2016).

[4] TIGTA, Audit No. 201720004, Review of E-Authentication to IRS Online Services, report planned for October 2017.

[5] TIGTA, Ref. No. 2017-20-004, Improvements Are Needed to Ensure the Protection of Data Transfers to External Partners (Oct. 2016).

[6]TIGTA, Ref. No. 2017-20-061, The External Network Perimeter Was Generally Secure, Though the Security of Supporting Components Could Be Improved (Sept. 2017); TIGTA, Ref. No. 2017-20-004, Improvements Are Needed to Ensure the Protection of Data Transfers to External Partners (Oct. 2016); and GAO, Ref. No. GAO-17-395, Information Security: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data (July 26, 2017).

[7] N.D. Ala. Plea Agr. filed Feb. 8, 2016.

[8] N.D. Ala. Amended Judgment filed Oct. 14, 2016.

[9] W.D. Wash. Crim. Compl. filed July 7, 2017.

[10] Compiled annually, the “Dirty Dozen” lists a variety of common scams that taxpayers may encounter.

[11] TIGTA, Ref. No. 2017-40-017, Efforts Continue to Result in Improved Identification of Fraudulent Tax Returns Involving Identity Theft; However, Accuracy of Measures Needs Improvements (Feb. 2017).

[12] TIGTA, Ref. No. 2015-40-082, Processes Are Being Established to Detect Business Identity Theft; However, Additional Actions Can Help Improve Detection (Sept. 2015).

[13] TIGTA, Ref. No. 2017-40-031, The Number of Employment-Related Identity Theft Victims Is Significantly Greater Than Identified (June 2017).

[14] An Apple Inc.® gift card can be used to purchase anything available on the Apple App Store, iTunes Store, iBooks Store, or Mac App Store.

[15] A fraudulent attempt, usually made through e-mail, to steal an individual’s personal information by posing as a trustworthy person or entity.

[16] Preparing the IRS to adapt to the changing needs of taxpayers is described generally as the IRS Future State initiative.  A key part of this effort is for taxpayers to have a more complete online experience for their IRS interactions. 

[17] An IP PIN is a six-digit number assigned to taxpayers that allows their tax returns/refunds to be processed without delay and helps prevent the misuse of their SSNs on fraudulent Federal income tax returns.

[18] TIGTA, Ref. No. 2017-40-026, Inconsistent Processes and Procedures Result in Many Victims of Identity Theft Not Receiving Identity Protection Personal Identification Numbers (Mar. 2017).

[19] TIGTA, Ref. No. 2017-20-051, Sixty-Four Percent of the Internal Revenue Service’s Information Technology Hardware Infrastructure Is Beyond Its Useful Life (Sept. 2017).

[20] This system is a data warehouse.  It provides the ability to conduct rapid advanced analytics.

[21] TIGTA, Ref. No. 2017-20-029, The Big Data Analytics General Support System Security Controls Need Improvement (June 2017).

[22] TIGTA, Ref. No. 2017-20-032, The Internal Revenue Service Does Not Have a Cloud Strategy and Did Not Adhere to Federal Policy When Deploying a Cloud Service (Aug. 2017).

[23] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029. 

[24] Consolidated Appropriations Act of 2016, Pub. L. No. 114-113, Div. Q, (2015).

[25] The EITC was created in 1975 as part of the Tax Reduction Act of 1975 § 204, 26 U.S.C § 32.  The EITC is used to offset the impact of Social Security taxes on low-income families and to encourage them to seek employment.

[26] The ACTC is intended to reduce the individual income tax burden for families, better recognize the financial responsibilities of raising dependent children, and promote family values. 

[27] A tax credit for families with dependent children that is used to reduce the individual income tax burden for families, better recognize the financial responsibilities of raising dependent children, and promote family values. 

[28] The AOTC is intended to help offset the costs of higher education for taxpayers, their spouses, and dependents who qualify as eligible students. 

[29] Pub. L. No. 114-27, 129 Stat. 362.

[30] TIGTA, Ref. No. 2017-40-033, Implementation of the Health Coverage Tax Credit Enrollment and Systemic Advance Monthly Payment Process (May 2017).

[31] TIGTA, Ref. No. 2017-43-022, Affordable Care Act:  Verification of Premium Tax Credit Claims During the 2016 Filing Season (Mar. 2017).

[32] The Exchanges are where taxpayers find information about health insurance options, purchase qualified health plans, and, if eligible, obtain help paying premiums and out-of-pocket costs. 

[33] The Employer Shared Responsibility Provision requires employers with an average of 50 or more
full-time employees (including full-time equivalent employees) to offer health insurance coverage to
full-time employees and their dependents beginning in January 2015.

[34] TIGTA, Ref. No. 2017-43-027, Affordable Care Act:  Assessment of Efforts to Implement the Employer Shared Responsibility Provision (Apr. 2017).

[35] TIGTA, Ref. No. 2017-30-072, Trends in Compliance Activities Through Fiscal Year 2016 (Sept. 2017).

[36] TIGTA, Ref. No. 2017-30-078, A Significantly Reduced Automated Substitute for Return Program Negatively Affected Collection and Filing Compliance (Sept. 2017).

[37] TIGTA, Ref. No. 2017-IE-R004, A More Focused Strategy Is Needed to Effectively Address Egregious Employment Tax Crimes (Mar. 2017).

[38] TIGTA, Ref. No. 2017-40-038, Case Selection Processes Result in Billions of Dollars in Potential Employer Underreported Tax Not Being Addressed (July 2017).

[39] Pub. L. No. 107-300, 116 Stat. 2350.

[40] Pub. L. No. 111-204, 124 Stat. 2224.

[41] TIGTA, Ref. No. 2017-40-030, Revised Refundable Credit Risk Assessments Still Do Not Provide an Accurate Measure of the Risk of Improper Payments (Apr. 2017).

[42] We estimate that the potential ACTC improper payment rate for FY 2016 is between 22.7 percent and 27.8 percent and the potential amount of improper payments is between $6.5 billion and $7.9 billion.

[43] We estimate that the potential AOTC improper payment rate for FY 2016 is between 19.6 percent and 28.7 percent and the potential amount of improper payments is between $900 million and $1.3 billion.

[44] Cost to use math error authority as of June 25, 2014, as provided by the IRS.  The IRS provided the cost of a pre-refund audit based on FY 2010 financial data, which is the most current available.

[45] Internal Revenue Service Strategic Plan – FY 2014 - 2017, IRS Pub. 3744 (Rev. June 2014).

[46] TIGTA, Ref. No. 2017-30-077, Exchange of Information Capabilities Are Underutilized by the IRS (Sept. 2017).

[47] National Association of Realtors, Profile of International Activity in US Residential Real Estate, years 2013-2016,

[48] TIGTA, Ref. No. 2017-30-048, Additional Controls Are Needed to Help Ensure That Nonresident Alien Individual Property Owners Comply With Tax Laws (Aug. 2017).

[49] Pub. L. No. 114-94, Div. C, Title XXXII, § 32102, 129 Stat. 1312, 1733-36 (2015), codified in Internal Revenue Code § 6306. 

[50] 15 U.S.C. §§ 1601 note, 1692-1692p (2006).

[51] Pub. L. No. 105-206, 112 Stat. 685. 

[52] TIGTA, Ref. No. 2017-30-070, Fiscal Year 2017 Statutory Review of Compliance With Notice of Federal Tax Lien Due Process Procedures (Sept. 2017).

[53] TIGTA, Ref. No. 2017-10-055, Review of the Office of Appeals Collection Due Process Program
(Sept. 2017).

[54] Pub. L. No. 91-508, 84 Stat. 1114-4 (1970) (codified as amended in scattered sections of 12 U.S.C.,
18 U.S.C., and 31 U.S.C.).  Regulations for the Bank Secrecy Act and other related statutes are
31 C.F.R. §§ 103.11-103.77.

[55] TIGTA, Ref. No. 2017-30-025, Criminal Investigation Enforced Structuring Laws Primarily Against Legal Source Funds and Compromised the Rights of Some Individuals and Businesses (Mar. 2017).

[56] TIGTA, Ref. No. 2017-10-023, Some Managerial Salaries Were Calculated Incorrectly Due to Complex Pay-Setting Rules (Mar. 2017).

[57] TIGTA, Ref. No. 2017-10-035, The Internal Revenue Service Continues to Rehire Former Employees With Conduct and Performance Issues (July 2017).

[58] TIGTA, Ref. No. 2017-10-034, Electronic Record Retention Policies Do Not Consistently Ensure That Records Are Retained and Produced When Requested (July 2017).

[59] TIGTA, Ref. No. 2017-30-078, A Significantly Reduced Automated Substitute for Return Program Negatively Affected Collection and Filing Compliance (Sept. 2017).

[60] If a taxpayer files a tax return requesting an income tax refund, the IRS delays issuing the refund for up to six months while it investigates any delinquent returns filed within five years prior to the current filing year.

[61] TIGTA, Ref. No. 2017-40-038, Case Selection Processes Result in Billions of Dollars in Potential Employer Underreported Tax Not Being Addressed (July 2017).

[62] TIGTA, Ref. No. 2017-20-062, The Internal Revenue Service Is Not in Compliance With Federal Requirements for Software Asset Management (Sept. 2017).