The Internal Revenue Service needs to do more work to refine its latest fraud detection system to catch the new schemes that its older system managed to detect, according to a government report.

The report, from the Treasury Inspector General for Tax Administration, found that a pilot program of the IRS’s replacement fraud detection system successfully identified tax returns involving identity theft that other IRS fraud detection systems did not identify. However, the other existing fraud detection systems identified tax returns involving identity theft that the replacement system did not select.

For example, the other IRS fraud detection systems identified 54,175 confirmed identity theft tax returns with refunds totaling more than $313 million not identified by the replacement system.

TIGTA noted that identity theft continues to be a serious and evolving issue which has a significant impact on tax administration. In February 2009, the IRS began developing the Return Review Program, or RRP, to replace its current system, the Electronic Fraud Detection System. The IRS conducted a pilot test of the RRP to assess its effectiveness in identifying potential identity theft tax returns during processing year 2014. Thanks to the positive pilot results, the IRS then expanded the use of the RRP’s identity theft detection for processing year 2015.

With the RRP, the IRS can change or adjust selection models for identity theft during the processing year. For example, the RRP provides the ability to change models to identify new or variations of identity theft schemes as they emerge. This capability is not possible with the detection system that the RRP will eventually replace.

“With identity theft continually evolving, it is important that the IRS advance its detection and prevention efforts into the next generation,” said TIGTA Deputy Inspector General for Audit Mike McKenney in a statement. “The IRS needs to make every effort to ensure that its replacement fraud detection system detects identity theft cases identified by existing systems, as well as improving upon its identity theft detection and prevention efforts.”

In response to TIGTA’s continued identification of large volumes of potentially fraudulent tax returns with tax refunds deposited into the same bank, the IRS implemented a new process to limit the number of deposits (three) to a single bank account. TIGTA’s review of this process identified programming errors that resulted in 5,516 direct deposits totaling almost $13.5 million that were not converted to paper refund checks. The IRS addressed two of the programming errors and plans to correct the remaining error by August 2016.

In addition, TIGTA believes the IRS needs additional procedures for processing checks returned as undeliverable. For example, TIGTA identified 113 tax refunds totaling $354,109 that were returned as undeliverable for which the IRS did not reissue a refund check as required after the taxpayer contacted the IRS and made an address change.

Finally, TIGTA identified 325 returned undeliverable tax refund checks totaling $309,068 in which the IRS did not identify the refund as associated with an identity theft tax return and did not take action to remove the fraudulent refund from the tax account.

TIGTA recommended that the commissioner in charge of the IRS’s Wage and Investment Division ensure that the RRP selects identity theft tax returns identified by other fraud detection systems and develop additional processes to resolve taxpayer accounts when checks are returned as undeliverable or remain uncashed.

The IRS agreed with three of the four recommendations in TIGTA’s report and partially agreed with the remaining recommendation, stating that processes are in place for addressing and resolving refund cancellations caused by refund checks not being cashed within fourteen months of issuance. However, the volume of taxpayer accounts with cancelled refund checks is not yet known. While the time for the check cancellation has not yet passed and the volume of converted refund payments that are ultimately cancelled is unknown, TIGTA continues to believe that appropriate next steps are to treat the taxpayer accounts as identity theft.

“We disagree with two of the three outcome measures cited in the report,” wrote Debra Holland, commissioner of the IRS’s Wage and Investment Division, in response to the report. “We believe the amount for the 5,516 requested direct deposits not converted to a paper refund check as required is overstated. Our data analysis in August 2015 confirmed that 1,522 of these refunds were not deposited into the taxpayer account because they were returned to the IRS by banks, which substantially lowers the refund amount. For the 325 tax refund checks returned undeliverable that had not been treated as IDT [identity theft], data analysis completed in August 2015 revealed that 70 of the 325 accounts cited did have an identity IDT indicator placed on the account.”