An audit has found that the Internal Revenue Service has failed to notify taxpayers that they’ve been victims of a certain kind of identity theft. Making matters worse, the IRS isn’t always sending the Social Security Administration the required notice the SSA needs to help combat that kind identity theft.

Employment-related identity theft occurs when someone uses the identity of another person to gain employment. Taxpayers may first realize they’ve been a victim of identity theft when they get an IRS notice of a discrepancy in the income reported on their tax return.

Usually, the IRS’ computerized Automated Underreporter (AUR) program will identity discrepancies by matching taxpayer income reported on a W-2 (from the employer) to the amount reported by the taxpayer’s tax return.

Back in 2011 The Treasury Inspector General for Tax Administration (TIGTA) found that the IRS was in a unique position to identify cases of employment-related identity theft, and recommended that the IRS alerts taxpayers when it finds their identities have been stolen. This most recent review, however, found taxpayers are still not being notified.

From 2011 to 2015, the IRS identified more than a million taxpayers who were victims of employment-related identity theft. In 2014, the IRS devised a pilot program to notify taxpayers that they may be an identity theft victim. The latest audit, however, found the pilot was ineffective because it didn’t include a representative sample of employment-related identity theft victims.

TIGTA also found the Social Security Administration (SSA) may not be getting notifications from the IRS either. The SSA is required to receive a notice when the IRS’ AUR system confirms earnings that aren’t associated with a victim of employment-related identity theft. The newest review found that in 21 percent of confirmed identity-theft cases sampled, the Social Security Administration had no record of a notice from the IRS.

The IRS is taking corrective actions on TIGTA’s four recommendations in the report and says programming changes to their computer systems will be in effect in January, in time for the next tax season.