Software has advanced rapidly in the past few years to the
extent that large-scale data analysis can now identify specific
markers in tax filings that can help to detect companies that
should be audited. Not all authorities are leveraging this
technology effectively yet, but there is no doubt that they
"Something that's been increasingly important in the work we
do here in the IRS and LB&I is the use of advanced data
analytics to understand what is happening," says Doug
O'Donnell, head of the large business and international tax
(LB&I) division at the IRS. "It is amazing to think that we
could ask a few questions of the data that could help us look
across the whole filing population that we're responsible
How will tax authorities use taxpayer data in the
In the old world of cash transactions and paper documents,
assets could be easily hidden and tax avoided. But in today's
digital era, the tax authorities are able to use data analytics
to shine a spotlight on taxpayers who may be hiding assets. So,
what are tax authorities doing with the data?
"A lot of the discussion centres on what the effective ways
to identify risk are," says O'Donnell. "With financial
accounts, for example, you can imagine we'd be talking to one
another about where we expected to see information reported,
"You see a lot of investment by persons from the United
States in 'X' jurisdiction, but very low reporting accounts
from that jurisdiction," he adds. "Or you see financial
institutions that are not reporting that you think should be.
It's about looking for the things that aren't there."
The capability to better analyse data comes at a time when
tax authorities will soon have more data available to them than
ever before. Country-by-country reporting (CbCR), the Foreign
Account Tax Compliance Act (FATCA), automatic exchange of
information (AEOI), the common reporting standard (CRS) and
numerous other initiatives mean vast amounts of data will be at
the fingertips of tax officers everywhere. Advanced data
analytics tools and artificial intelligence are the only
feasible options to analyse it.
Last year, accountancy firm EY ran a campaign on digital
awareness entitled "Are tax authorities better at analytics
than you?" The answer, in most cases, is a resounding yes. The
good news is that this isn't necessarily a bad thing for
"In the CbCR environment… the OECD countries and a
number of others that are participating in the inclusive
framework have begun to talk about how this information will be
used, and there's a small pilot that was started in January
called the International Compliance Assurance Programme
– ICAP," says O'Donnell.
The idea behind ICAP is to see if it is possible to use CbCR
data multilaterally, with taxpayers, to identify which areas of
their businesses do not merit further enquiry by tax
authorities. Remaining areas of the business could then be
audited as usual, or companies and authorities could work
together to forge advance pricing agreements (APAs), for
The notion is not so much to use data to build cases against
large multinational taxpayers, but to better understand their
business models and cooperate with them to minimise fruitless
work. An audit of a fully compliant company is a waste of time
for both parties.
"The idea is to try and improve risk detection and rapidly
determine what to do about risks that are present, while
stepping away from those that we believe are not worth
responding to," says O'Donnell.
In the first part of our cover story, O'Donnell speaks
exclusively to ITR in an in-depth interview exploring
a wide range of the large business and international division's
functions, and detailing how his department identifies
Double-edged data sword
The problem with all of this data, once the tools to
establish it and the way to use it are determined, is keeping
Tom Brandt, chief risk officer at the IRS, says data
breaches at external entities is now on its risk register. The
concern "manifested itself last fall with a data breach at
Equifax," he tells ITR in another exclusive
On September 8 2017, Equifax, a US-based credit report
company, announced that it had been the victim of a criminal
cyberhack. Data including social security numbers, home
addresses and dates of birth were taken, with more than 145
million customers in the US, Canada and the UK affected. The
company's stock dropped 35% in just six business days, as the
company's core business was compromised.
"We had identified that as one of our top risks in last
year's risk assessment over the summer, and then that
manifested much more quickly than we expected," says
By November, Equifax was on the receiving end of a 50-state
class action lawsuit. Its potential future liabilities mean its
share price has still not recovered.
In February 2018, the company announced that hackers had
taken more data than initially thought, with tax identification
numbers also stolen.
The IRS has also been a victim of cybercriminals. In 2015,
hackers coupled information they had gleaned elsewhere with the
functionality of the IRS's website to gain access to more than
700,000 taxpayer accounts and fraudulently claim tax
Learning from its mistake, the IRS is keen to present itself
as a secure organisation, and its "Don't Take the Bait"
campaign to keep taxpayers safe is just one example of its
In the second part of our cover story, Brandt talks through
an array of risks that the IRS faces, from tight resources to
US tax reform and, of course, data risks and cybersecurity.
He also speaks about his time as the head of the tax
administration unit at the OECD's Forum on Tax Administration
and the guidelines the IRS and OECD are putting in place to
keep taxpayer data safe in the new collaborative international
Doug O’Donnell speaks to Joe Stanley-Smith
about how he runs his large business and international
department in the rapidly changing arenas of US and
Joe Stanley-Smith sits down with Tom Brandt, chief risk
officer at the IRS, to discuss managing budget cuts, tax
reform and the growing threat of cybersecurity.