Management Report
Improvements Needed in IRS's Internal Controls
Gao ID: GAO-03-562R May 20, 2003
In November 2002, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of and for the fiscal years ending September 30, 2002 and 2001, and on the effectiveness of its internal controls as of September 30, 2002. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2002 audit regarding accounting procedures and internal controls that could be improved for which we do not presently have any recommendations outstanding.
During fiscal year 2002, IRS had a number of internal control issues that affected financial reporting, which includes safeguarding of assets. These issues concern policies and procedures related to (1) employee fingerprint records, (2) enforcement of courier service standards, (3) taxpayer receipt processing areas, (4) candling, (5) acceptance of tax payments in cash, and (6) structuring of installment agreements. Each of these control weaknesses posed added risks of losses, nonpayment of taxes, or potential burden to taxpayers.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-03-562R, Management Report: Improvements Needed in IRS's Internal Controls
This is the accessible text file for GAO report number GAO-03-562r
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls' which was released on May 21, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
May 20, 2003:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls:
Dear Mr. Everson:
In November 2002, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of and for
the fiscal years ending September 30, 2002 and 2001, and on the
effectiveness of its internal controls as of September 30,
2002.[Footnote 1] We also reported our conclusions on IRS's compliance
with significant provisions of selected laws and regulations and on
whether IRS's financial management systems substantially comply with
requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA). A separate report on the implementation status of
recommendations from our prior IRS financial audits and related
financial management reports will be issued shortly.
The purpose of this report is to discuss issues identified during our
fiscal year 2002 audit regarding accounting procedures and internal
controls that could be improved for which we do not presently have any
recommendations outstanding. Although not all of these issues were
discussed in our fiscal year 2002 audit report, they all warrant
management's attention.
Results in Brief:
During fiscal year 2002, IRS had a number of internal control issues
that affected financial reporting, which includes safeguarding of
assets. These issues concern policies and procedures related to (1)
employee fingerprint records, (2) enforcement of courier service
standards, (3) taxpayer receipt processing areas, (4)
candling,[Footnote 2]
(5) acceptance of tax payments in cash, and (6) structuring of
installment agreements. Each of these control weaknesses posed added
risks of losses, nonpayment of taxes, or potential burden to taxpayers.
Specifically, we found the following:
IRS did not always ensure that fingerprint check results for
individuals entering on duty were under the required 180 day expiration
period. The fingerprint check results consist of information provided
by law enforcement agencies on events that occurred before the
fingerprint check results are released. The older the fingerprint check
results are, the greater the risk that IRS might hire applicants
unsuitable for working with taxpayer receipts and information.
IRS did not always ensure that couriers adhered to certain security
requirements. We found that (1) at half of IRS's service center
campuses, couriers did not undergo the specified background
investigations or fingerprint checks and (2) a courier service had not
maintained the required insurance coverage for the deposits it
transports.
IRS did not maintain consistently effective physical security controls
over its receipt processing areas. We found (1) instances at service
centers where prohibited items were brought into receipt processing
areas and where the requirement to carry permitted personal items in
clear plastic bags was circumvented and (2) at one of two taxpayer
assistance centers[Footnote 3] we visited, employees were allowed to
store personal belongings with cash payments and official receipt
certificate vouchers.
IRS did not always ensure that emptied envelopes were candled twice or
that final candling was not performed by a single employee in a remote
area.[Footnote 4]
At some taxpayer assistance centers, IRS did not accept cash payments
from taxpayers as required by IRS policy, thereby imposing an undue
burden on certain taxpayers.
IRS did not always structure installment agreements with taxpayers to
provide for full payment of the tax liability as required by the
Internal Revenue Code.
At the end of our discussion of each of the first five of these issues,
we make recommendations for strengthening IRS's internal controls.
In its comments, IRS agreed with our recommendations and described
actions it was taking or planned to take to address several of the
control weaknesses described in this report. At the end of our
discussion of each of the issues in this report where we are making
recommendations, we have summarized IRS' related comments and provided
our evaluation. We also considered IRS' comments on our findings and
have made revisions as appropriate.
Scope and Methodology:
As part of our audit of IRS's fiscal years 2002 and 2001 financial
statements, we evaluated IRS's internal controls and its compliance
with selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls including those for proper
authorization, execution, accounting, and reporting of transactions.
We conducted our audit in accordance with U.S. generally accepted
government auditing standards. We requested comments on a draft of this
report from the Acting Commissioner of IRS. We received written
comments from the Acting Commissioner and have reprinted the comments
in enclosure I to this report. Further details on our scope and
methodology are included in our November 2002 report on the results of
our fiscal years 2002 and 2001 financial statement audits and are
reproduced in enclosure II.[Footnote 5]
Enforcement of Expiration Period Policy for Fingerprint Check Results:
In previous years, we found that IRS was hiring individuals and
allowing them access to cash, checks, and other taxpayer data before it
had received satisfactory results of their fingerprint checks, thereby
subjecting IRS to an increased risk of theft or misuse of taxpayer
receipts and taxpayer data.[Footnote 6] During our fiscal year 2002
audit, we found that IRS had made substantial progress in this area and
as a result had significantly reduced its exposure related to the risk
of hiring individuals prior to receiving satisfactory fingerprint check
results.[Footnote 7] However, fingerprint results most accurately
reflect all the information known by law enforcement authorities on an
individual on the date the results are obtained. The usefulness of
preemployment fingerprint results in enabling an employer to assess an
individual's suitability for employment therefore decreases as the age
of the fingerprint results used increases.
IRS's hiring policies require that IRS receive and evaluate fingerprint
check results before individuals enter on duty and set the expiration
period for these results at 180 days. However, in our fiscal year 2002
audit, we found that IRS did not actively track fingerprint results to
ensure that they did not exceed the 180-day limit when individuals
entered on duty. Specifically, we found 53 instances in which new
employees entered on duty at IRS with fingerprint check results over180
days old.
Until IRS enforces its policy on the expiration period for fingerprint
check results it is exposed to increased risk of hiring applicants with
unsuitable backgrounds to handle cash, checks, and sensitive taxpayer
information. This, in turn, increases the risk of potential theft and
misuse of taxpayer receipts and data.
Recommendation:
To further reduce IRS's risk of hiring unsuitable employees to handle
and process taxpayer receipts and data, we recommend that IRS enforce
its policy of a 180-day expiration period for fingerprint check results
when an individual enters on duty.
IRS's Comments and Our Evaluation:
IRS agreed with this issue and indicated in its response that it has
already taken action to address the finding. In its comments, IRS
stated that it has a policy of 180 days for the expiration period of
fingerprint results. IRS had initially informed us that it did not have
such a policy. As a result, we modified the report to stress the
importance of IRS enforcing this policy. With respect to actions taken
to address this finding, IRS stated that it had (1) reemphasized its
policy to background investigation coordinators and personnel officers
and (2) created and distributed software calculating the fingerprint
results expiration date and instructed staff to use this software and
note the expiration date on the fingerprint check results
documentation. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2003 financial audit.
IRS also noted that exceptions could be made to the policy for GS-1811
Criminal Investigation Special Agents and executives from outside the
IRS, as they must complete an additional background investigation prior
to their entering on duty. However, we had specifically excluded any
individual having met these additional requirements from our count of
53 instances in which employees entered on duty with fingerprint check
results past the 180-day expiration period.
Enforcement of Courier Service Standards:
During previous audits of IRS's financial statements, we found that IRS
did not have effective controls in place to ensure that its courier
service requirements were enforced. Since November 1998, we have
reported that IRS lacks effective controls
over courier services responsible for transporting taxpayer
receipts.[Footnote 8] To address some of these matters, we recommended
that IRS (1) clarify that the intent of the requirement for background
investigations is meant to apply to personnel being entrusted with
taxpayer receipts and information rather than just personnel being
granted access to an IRS facility and (2) develop policies intended to
ensure that contracts related to courier services do not unduly expose
the government or taxpayers to losses in the event that deposits are
lost, stolen, or damaged in transit. IRS has made an effort to address
courier security weaknesses we identified by adopting more stringent
security standards for couriers who transport IRS's daily deposits to
depositary institutions. Specifically, as a result of our
recommendations, IRS established a policy that couriers requiring
access to IRS facilities undergo a limited background investigation,
including a fingerprint check. IRS subsequently extended the
requirement for background investigations to all personnel entrusted
with taxpayer receipts and information. In addition, the courier
service standards were revised to include, in particular, a requirement
that courier services have and maintain insurance coverage valued at $1
million to cover the costs of reconstructing a lost, stolen, or
destroyed deposit. However, during our fiscal year 2002 audit, we
identified two issues related to IRS's enforcement of its courier
service standards that increased the risk that (1) taxpayer receipts
and taxpayer data could be lost, stolen, or misused by couriers who
transport these items and (2) taxpayers and the government could be
unnecessarily exposed to the risk of financial loss.
Specifically, we found that at 5 of IRS's 10 service centers for which
agreements for courier services were negotiated by the Department of
the Treasury's Financial Management Service (FMS), there was no
requirement that couriers undergo
background investigations or FBI fingerprint checks.[Footnote 9] Such a
requirement does exist for the 5 service center campuses for which
courier services agreements were negotiated by IRS. According to FMS,
these background check requirements were not incorporated in the FMS-
negotiated courier agreements because FMS had been waiting since 2000
for IRS to issue a final revision of its courier service standards--IRS
issued revised standards on September 6, 2002. As of the end of our
fiscal year 2002 audit fieldwork, FMS-negotiated agreements for
couriers had not been revised. As a result, through fiscal year 2002,
couriers under FMS-negotiated contracts were not required to undergo
background investigations.
While IRS relies on FMS to enter into agreements with general
depositaries, IRS nonetheless retains the responsibility to ensure that
resulting contracts reflect the standards it establishes as necessary
for personnel entrusted with taxpayer deposits. Until all couriers who
are entrusted with IRS deposits are required to undergo background
investigations, including fingerprint checks, IRS runs an increased
risk that taxpayer receipts and taxpayer data may be vulnerable to
theft, loss, or misuse.
Additionally, at one of two IRS service center campuses we visited, we
found that the campus did not verify that the courier service had
insurance coverage as required by the courier service standards.
According to the courier's insurance agency, it had not provided
insurance coverage to the courier service for the last year. Until IRS
ensures that courier services are complying with courier service
standards, taxpayers and the government will be unnecessarily exposed
to the risk of financial loss.
Recommendations:
We recommend that IRS:
confirm with FMS that IRS' requirements for background and fingerprint
checks for courier services are met regardless of whether IRS or FMS
negotiates the service agreement, and
establish procedures to verify that courier services are adhering to
the standards established for them by IRS, including the requirement
that the courier services have insurance coverage.
IRS's Comments and Our Evaluation:
IRS agreed with our recommendations. IRS noted that (1) FMS had amended
the Courier Memorandum of Understanding to include the requirement that
all courier employees under contracts negotiated by FMS satisfy the
basic investigation requirements, (2) IRS had established a campus
contact at each of its 10 service center campuses to ensure that all
required information is submitted to the National Background
Investigation Center (NBIC) and that a clearance is granted, and (3) it
had requested NBIC to provide it with a monthly report of campus
compliance. IRS also noted that its Security Review Team of Receipt and
Control reviews compliance with the courier requirements monthly and
that it had (1) requested that the 5 campuses where IRS holds the
courier contracts produce insurance certificates for the couriers
during these reviews and (2) requested FMS to direct the depositary
banks holding the courier contracts for the 5 remaining campuses to
provide the insurance certificates to IRS. We will evaluate the
effectiveness of IRS' efforts during our fiscal year 2003 financial
audit.
Controls in Receipt Processing Areas:
During our fiscal year 2002 audit, we identified weaknesses in IRS's
controls over its receipt processing areas that increased the risk that
taxpayer receipts and taxpayer information could be lost or stolen.
These weaknesses relate to the presence of certain personal belongings
that employees bring into receipt processing areas. GAO's Standards for
Internal Control in the Federal Government requires agencies to
establish controls to secure and safeguard vulnerable assets.
In our prior audits, we found that IRS did not have consistent controls
over personal belongings brought into receipt processing areas; we
recommended that IRS
(1) restrict personal items that can be brought into the receipt
processing areas, such as handbags, briefcases, and bulky outerwear,
(2) provide lockers and require their use for storing personal
belongings outside of the receipt processing areas, and
(3) expand IRS's review of service center deterrent controls to include
similar analyses of controls at IRS field offices in areas such as
safeguarding of receipts by
storing them in locked containers.[Footnote 10] In response to our
recommendations, IRS issued policies requiring that (1) employees
display in clear plastic bags certain other personal items that can be
kept at their desks and transported in and out of the receipt
processing area, (2) employees store such items as purses, backpacks,
lunch bags, CD cases, newspapers, and magazines in lockers before they
enter the receipt processing area, and (3) taxpayer assistance centers
secure cash payments and receipts in locked containers.
In each of our fiscal year 2001 and 2002 audits, we found that at one
of two service center campuses we visited, many of the clear plastic
bags employees used to bring personal belongings into the receipt
processing area contained so many items that it would have been easy
for employees to use the bags to conceal and remove checks from the
area. At one of these campuses, we found that employees carried
prohibited items such as CD cases, newspapers, and magazines--all items
in which taxpayer receipts could be easily concealed--into the receipt
processing area in plastic bags. At another campus, we observed
employees using large clear plastic backpacks and tote bags to carry
multiple personal belongings such as lunch bags, makeup bags and items
of clothing. Such practices are at odds with the purpose intended in
IRS's policies----namely limiting personal items allowed into the
receipts processing area and requiring that all items allowed in be
clearly visible. Until campuses are required to adhere to policies
concerning employees' personal belongings in a consistent manner and
until these policies are effectively enforced, taxpayer receipts and
taxpayer information are vulnerable to theft or loss.
Additionally, during our fiscal year 2002 audit, we found that at one
of two taxpayer assistance centers we visited, employees were allowed
to store cash payments and official receipt certificate vouchers with
their personal belongings in desk drawers, overhead cabinets, and
lockers. IRS employees could use these personal belongings to conceal
and remove funds from the receipt processing area. Unlike service
centers, IRS does not have a policy concerning personal belongings at
taxpayer assistance centers. Thus, there is nothing preventing
employees at taxpayer assistance centers from storing personal
belongings with cash payments and receipts. Until IRS ensures that cash
payments and receipts are not stored with employees' personal
belongings, taxpayer receipts are vulnerable to theft, loss, or misuse.
Recommendations:
We recommend that IRS:
enforce consistent implementation of its policy limiting personal
belongings in receipt processing areas at service center campuses and:
prohibit the storage of employees' personal belongings with cash
payments and receipts at IRS's taxpayer assistance centers.
IRS's Comments and Our Evaluation:
IRS agreed with our recommendations and stated it would (1) issue a
memorandum requiring managers in receipt processing areas at service
center campuses to ensure that employees are adhering to the
established security procedures and (2) require unit managers in these
areas to conduct random reviews of employee compliance with all
security policies. IRS also stated it would review managerial adherence
to this direction on a monthly basis as well as have its security
review team perform unannounced reviews. We will evaluate the
effectiveness of IRS' efforts in future audits.
Candling Procedures:
During our fiscal year 2002 financial audit, we found that IRS's
candling procedures were not adequate to minimize the risk that
taxpayer receipts and information could be destroyed, lost, or stolen.
GAO's Standards for Internal Control in the Federal Government requires
agencies to establish physical controls to secure and safeguard
vulnerable assets.
IRS receives mail of different dimensions and separates and uses
different methods to extract the contents depending on their
dimensions. The extraction methods IRS employs to separate the
envelopes from their contents are not always fully effective. To help
ensure that items that were not removed from envelopes during
extraction are not subsequently destroyed with the envelopes, IRS
established a candling process.
The candling procedures are documented in two separate sections of
IRS's Internal Revenue Manual (IRM). The first section addresses the
extraction of envelope contents and requires that envelopes be candled
after their contents have been removed. The second section states that
"those envelopes to be destroyed shall be reviewed again before
destruction." However, these procedures do not provide sufficient
guidance as to what specific candling procedures need to be followed in
each of the two candlings. During our fiscal year 2002 audit, as well
as in our previous audits, we observed instances where taxpayer
receipts or taxpayer data were not removed from envelopes during the
extraction phase and would have been destroyed had they not been
discovered through a final candling just prior to destruction of the
envelopes and using a light source to illuminate the envelopes. Yet, in
fiscal year 2002, we found that at one of two IRS service center
campuses we visited, some envelopes were not candled at the point of
extraction. Thus, these envelopes received, at most, one candling prior
to destruction. Until IRS clarifies its candling requirements to ensure
that emptied envelopes are candled twice and to specify the precise
candling methods to be used based on the dimensions of the mail
processed and the extraction method used for each of the two candlings,
IRS's risk of loss of taxpayer receipts and information is increased.
We also found that at one of the two IRS service center campuses we
visited, a single employee performed the final candling of envelopes in
an area removed from other ongoing work in the receipts processing area
- -a procedure not prohibited by IRS's policies and procedures. The
initial candling, because it is performed immediately upon extraction,
generally occurs in the presence of other employees in the receipt
processing area. However, final candling often occurs in a less-
populated area of receipt processing. By not prohibiting a single
employee in a remote location from performing the final candling, IRS's
risk of theft of taxpayer receipts and information increases.
Recommendations:
We recommend that IRS:
revise its candling procedures to specify the precise candling methods
to be used based on the dimensions of the mail processed and the
extraction method used for both the first and the final candling and
establish and implement procedures prohibiting a single employee from
performing the final candling in a remote location.
IRS's Comments and Our Evaluation:
IRS agreed with our recommendations and stated it would provide us with
copies of the procedures developed to address these recommendations by
May 30, 2003.
Cash Acceptance Procedures at Taxpayer Assistance Centers:
During our fiscal year 2002 audit, we found that IRS did not have
controls in place to ensure that its taxpayer assistance centers adhere
to its cash payment acceptance requirement. IRS policy states that IRS
must accept cash payments from taxpayers who do not have a check or
money order, are unable to obtain one, or insist on paying in cash.
However, during our fiscal year 2002 audit, we found that the taxpayer
assistance center at one of two IRS field offices we visited, as well
as other taxpayer assistance centers in the area, did not accept cash
payments. At the taxpayer assistance center we visited, employees would
direct taxpayers to a nearby financial institution where they could
obtain a money order, but that institution did not maintain the same
hours as the center and was regularly closed during parts of the day.
These centers' refusal to accept cash payments could place undue burden
on taxpayers who do not have a check or money order or are unable to
obtain one. To obtain a money order, they must find an open financial
institution and then pay a fee. The burden associated with these extra
efforts and costs could adversely impact IRS's collection of taxes
owed.
Recommendations:
We recommend that IRS:
determine which taxpayer assistance centers do not accept payment of
taxes in cash and issue a memorandum reminding them of the requirement
that cash be accepted and
establish a mechanism to periodically review adherence to this policy.
IRS's Comments and Our Evaluation:
IRS agreed with our recommendations. In its comments, IRS noted that
(1) it had included guidelines in its Fiscal Year 2003 Field Assistance
Office Operating Procedures stating that all taxpayer assistance
centers (TACs) would accept all standard forms of payment including
checks, money orders, and cash, (2) signs are to be posted in all TACs,
specifying that exact change must be remitted as IRS cannot make
change, and (3) it will be reviewing adherence to these procedures.
Structuring of Installment Agreements:
During our fiscal year 2002 financial audit, we found that IRS did not
always structure installment agreements to provide for full payment of
the tax liability as required by section 6159 of the Internal Revenue
Code. As we noted in our fiscal year 2002 audit report, the presence of
cases in fiscal year 2002 that were not structured to obtain full
payment indicates that IRS was not in compliance with the Internal
Revenue Code.[Footnote 11] IRS's failure to properly structure taxpayer
installment agreements could result in the loss to the federal
government of legally collectible tax revenue.
Section 6159 of the Internal Revenue Code grants IRS the power to enter
into written agreements with certain taxpayers to allow them to pay
their full tax liability (along with additional interest) in
installments. Both the Internal Revenue Code and IRS's procedures
require that installment agreements fully satisfy the tax debt
(including future accruals of interest and penalties) before the
statutorily allowed period for collection on the liability
expires.[Footnote 12] However, in our testing of a statistical sample
of 59 installment agreements entered into during fiscal year 2002, we
found 4 instances in which the terms of the agreements did not require
full satisfaction of the tax liability. Based on the results of our
work, we estimate that nearly 7 percent of the new installment
agreements entered into during fiscal year 2002 had payment terms that
would not fully satisfy the tax liability within the statutory
collection period.[Footnote 13]
In each of these cases, we found that the installment agreements did
not fully satisfy the tax debt because IRS did not consider accruals of
interest and penalties in calculating the total amount to be paid under
the installment agreements. This occurred for two reasons. First,
customer service representatives relied on IRS's Integrated Data
Retrieval System (IDRS) to determine the amount of the taxpayer's
liability in structuring the terms of the installment agreement.
However, IDRS includes only assessed balances rather than the total
amount of tax owed, which must also include interest and penalties.
While IRS procedures require that its customer service representatives
use a special command function that takes various accruals into account
when entering into installment agreements, these procedures were not
followed in these cases.
Second, taxpayers may apply for an installment agreement through the
Telephone Routing Interactive System. However, the balance due amounts
in this system, like those in the IDRS, do not include accrued interest
and penalties, and thus understate the total amount of tax owed.
After we discussed these findings with IRS, management reinforced the
current installment agreement guidance, provided additional training,
and issued a memo to the customer service representatives that stressed
the importance of following this guidance. In addition, IRS revised the
Telephone Routing Interactive System to include both interest and
penalty accruals in its calculation of installment agreement:
balances. We commend IRS for its prompt action to develop and implement
corrections to the installment agreement controls and will evaluate the
effectiveness of these corrective actions during our fiscal year 2003
financial audit.
- - - --:
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Governmental Affairs and the House
Committee on Government Reform within 60 days of the date of this
report. A written statement must also be sent to the House and Senate
Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of the report.
This report is intended for use by the management of IRS. We are
sending copies to Chairmen and Ranking Minority Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Governmental Affairs; Senate Committee on the Budget;
Subcommittee on Transportation, Treasury, and General Government,
Senate Committee on Appropriations; Subcommittee on Taxation and IRS
Oversight, Senate Committee on Finance; and the Subcommittee on
Oversight of Government Management, the Federal Workforce, and the
District of Columbia, Senate Committee on Governmental Affairs. We are
also sending copies to the Chairmen and Ranking Minority Members of the
House Committee on Appropriations; House Committee on Ways and Means;
House Committee on Government Reform; House Committee on the Budget;
Subcommittee on Transportation, Treasury, and Independent Agencies,
House Committee on Appropriations; Subcommittee on Government
Efficiency and Financial Management, House Committee on Government
Reform; and the Subcommittee on Oversight, House Committee on Ways and
Means. In addition, we are sending copies of this report to the
Chairman and Vice-Chairman of the Joint Committee on Taxation, the
Secretary of the Treasury, the Director of the Office of Management and
Budget, the Chairman of the IRS Oversight Board, and other interested
parties. Copies will be made available to others upon request. The
report is also available free on GAO's web site at http://www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audit of IRS's fiscal years 2002
and 2001 financial statements. If you have any questions or need
assistance in addressing these matters, please contact Paul Foderaro,
Assistant Director, at (202) 512-2535.
Sincerely yours,
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Signed by Steven J. Sebastian:
Comments from the Internal Revenue Service:
See comment 1.
See comment 2.
See comment 3.
DEPARTMENT OF THE TREASURY INTERNAL REVENUE SERVICE WASHINGTON, D C
20224:
April 28, 2003:
Mr. Steven J. Sebastian Director:
Financial Management and Assurance U.S. General Accounting Office:
441 G Street, NW Washington, DC 20548:
Dear Mr. Sebastian:
I am responding to your draft of the FY 2002 management report tried,
Improvements Needed in IRS's Internal Controls. Over the last several
years, IRS has adopted numerous improvements to ensure the adequacy of
its accounting procedures and internal controls. We have a robust
program in place to keep improving our performance in these areas. As
examples, we:
* Began conducting periodic security reviews of receipt processing areas,
implemented many of our new hiring and courier standards, and updated
relevant polices and procedures to safeguard taxpayer receipts and data
Issued Lockbox Processing Guidelines to improve the safeguarding of
taxpayer receipts and data at lockbox facilities:
* Established a Peer Review Program to ensure adequacy and compliance
with internal access control guidelines:
* Published guidance to all field offices to assure that a "controlled
access environment" is implemented in every Taxpayer Assistance Center,
to the maximum extent possible within space and funding constraints:
We agree the issues presented in the draft report will help us continue
to improve our accounting procedures and internal controls. As
evidenced in our response to the recommendations we have already taken
actions to correct some of these matters. The following comments
address your recommendations separately.
Recommendation: We recommend that the IRS establish e policy setting an
appropriate expiration period for fingerprint check results required
when an individual enters on duty. In establishing such a policy, IRS
may wish to consider, among other factors, the standards used by OPM
and other agencies as further guidance and justification, and the risks
associated with the age of the fingerprint check results in addition to
its own workforce management needs.
Comments: Our existing fingerprint expiration policy is 180 days. While
the report references a 90-day expiration period for fingerprint check
results, the OPM standard is 120 days.[NOTE 1]
IRS thoroughly examined its
recruiting and hiring processes and practices, including the
fingerprint expiration period, security issues, OPM guidance, and the
costs associated with background checks. As a result, we determined
that 180 days is a reasonable expiration period for fingerprint check
results. OPM agreed by waiving the 120-day standard due to our unique
hiring cycles and conditions.[NOTE 2]
IRM 1.23.3.4.23 (6) documents this requirement, and we re-emphasized
this policy by e-mail to Background Investigations Coordinators and
Personnel Officers on
September 30, 2002, and during a conference call on October 9, 2002.
Additionally, the Personnel Security and Investigations staff created
and distributed an Excel file that calculates the date when fingerprint
results expire. Staff received instructions to use the Excel file and
to annotate Case Closing Transmittal documentation when the 180-day
expiration date is to occur.
We have an additional requirement when hiring GS-1811 Criminal
Investigation Special Agents and executives from outside the IRS. A
background investigation must be completed before these individuals can
enter on duty (EOD). Fingerprint checks are only part of a complete
background investigation that may take more than 180 days, and result
in an EOD after the fingerprint expiration date. Because a more
comprehensive background investigation was completed for these
individuals (including checks of local law enforcement files and FBI
fingerprint check), we do not fingerprint them again. These individuals
are added to the Security Entry Tracking System (SETS) after the
fingerprint expiration date. Risk is mitigated because the individual
could not EOD without a favorable decision on the comprehensive
background investigation.
Recommendation: We recommend that IRS confirm with Financial Management
Services (FMS) that IRS' requirements for background and fingerprint
checks for courier services are met regardless of whether IRS or FMS
negotiates the service agreement.
Comments: We agree with this recommendation. The IRS is responsible for
ensuring that all courier contracts reflect the standards we
established. On October 7, 2002, FMS issued Amendment II to the Courier
Memorandum of Understanding (MOU). The amendment included the
requirement that all courier employees satisfy the basic investigation,
which includes an FBI fingerprint and name check. A conference call was
held on January 29, 2003, with all 10 campuses and the National
Background Investigation Center (NBIC) to establish a campus contact to
ensure all required paperwork is submitted to NBIC and clearance is
granted. On April 10, 2003, we requested that NBIC provide a monthly
status report of the campus compliance to the Headquarters Wage and
Investment Division.
Recommendation: We recommend that IRS establish procedures to verify
that courier services are adhering to the standards established for
them by IRS, including the requirement that the courier service have
insurance coverage.
Comments: We agree with this recommendation. The Security Review Team
of Receipt and Control reviews compliance with the courier requirements
monthly, using the Campus Security Checklist. For the five campuses
where IRS holds the courier contract, we required that the monthly
Security Review Team of Receipt and Control verify the campus has a
valid insurance certificate valued at $1 million. The campuses are
required to produce a file copy for the monthly reviews. For the five
campuses with FMS negotiated agreements, we sent a written request, on
April 17, 2003, to the FMS financial analyst and the Director,
Financial Services Division, requesting them to direct the banks to
issue a copy of the insurance certificate to their aligned campus. FMS
agreed to draft a memorandum to the financial institutes advising them
to regularly provide a copy of the insurance certificates to IRS
Headquarters (HQ) instead of the aligned campus. HQ will then forward a
copy of the insurance certificate to each of the Submission Processing
Service Centers.
Recommendation: We recommend that the IRS enforce consistent
implementation of its policy limiting personal belongings in receipt
processing areas at service center campuses.
Comments: We agree with this recommendation. We require employees in
receipt processing areas at service center campuses to limit personal
belongings brought into the restricted areas of Receipt and Control.
Employees who want to keep items at their desks must transport them in
and out of receipt processing areas in clear plastic bags. Each
employee is provided a locker to store personal belongings (e.g.,
handbags, briefcases, bulky outerwear, backpacks, lunch bags,
newspapers, etc.).
The Director, W&I CAS Submission Processing, will issue a memorandum to
all Submission Processing Field Directors, requiring managers in
receipt processing areas to ensure employees are adhering to
established security procedures. This memorandum will be issued before
May 15, 2003, and will require unit managers in receipt processing
areas to conduct random reviews of employee compliance with all
security policies. Starting no later than June 30, 2003, we will verify
managerial adherence to this direction during the monthly Campus
Security Reviews. The IRS Headquarters Security Review Team will also
conduct unannounced Campus Security Reviews at the campuses.
Recommendation: We recommend that the IRS prohibit the storage of
employees' personal belongings with cash payments and receipts at IRS'
taxpayer assistance centers.
Comments: We agree that employee's personal belongings should be stored
separately from cash payments and receipts. We will include a
requirement in the Internal Revenue Manual (IRM) guidelines to be
issued June 30, 2003, stating that cash payments and Form 809 - Receipt
for Payment of Taxes must be stored separately from personal
belongings. We have also included this issue in our operational reviews
of the Taxpayer Assistance Centers.
Recommendation: We recommend that IRS revise its candling procedures to
specify the precise candling methods to be used based on the dimensions
of the mail processed and the extraction method used for both the first
and the final candling.
Comments: We agree with this recommendation. The IRM candling
procedures are being revised to specify precise first and final
candling methods. We will provide GAO a copy of the procedures no later
than May 30, 2003.
Recommendation: We recommend that IRS establish and implement
procedures prohibiting a single employee from performing the final
candling in a remote location.
Comments: We agree with this recommendation. We will work with the
service center campuses to incorporate the new requirements in the IRM
by May 30, 2003.
Recommendation: We recommend that IRS determine which taxpayer
assistance centers do not presently accept payment of taxes in cash and
issue a memorandum reminding them of the requirement that cash be
accepted. In addition, we recommend that IRS establish a mechanism to
periodically review adherence to this policy.
Comments: We included guidelines in our Fiscal Year 2003 Field
Assistance Operating Procedures (FAOPs) stating that all Taxpayer
Assistance Centers (TAC) will accept all standard forms of payments
from customers including checks, money orders, and cash. Document
10161, posted in all TACs, states, "Make all cash payments in the exact
amount due only, as we cannot make change." Additionally, this
procedure will be included in our operational reviews of the TACs, to
ensure compliance with FAOP guidelines. Managers in the TACs are also
required to complete an annual review to address this issue.
Recommendation: We recommend that IRS establish a supervisory mechanism
to monitor the effectiveness of the additional guidance and training in
addressing the issues associated with the structuring of installment
agreements.
Comments: Currently managers must approve installment agreements when
the aggregate unpaid balance of assessment exceeds $25,000 or when the
balance is $25,000 or less and cannot be fully paid within 60 months.
Installment agreements that:
require collection statute extensions require mid-level management
review. Managers review installment agreements as part of their
mandatory employee workload and quality reviews.
I appreciate your input and will continue to take the necessary steps
to improve our financial management. With the continued dedication and
cooperation of both our staffs, we will further enhance the IRS'
accounting procedures and internal controls.
Sincerely,
Bob Wenzel
Acting Commissioner:
Signed by Bob Wenzel:
NOTES:
[1] Refer to OPM Publication IS-15, Requesting OPM Personnel
Investigations, dated May 2001, page 25.
[2] OPM issues its waiver letter
in June 1999 to the Associate Director, Personnel Security Division.
The following are GAO's comments on the Internal Revenue Service's
letter dated April 28, 2003.
GAO Comments:
IRS stated it has a policy of 180 days for the expiration period of
fingerprint results. IRS had initially informed us that it did not have
such a policy. As a result, we modified our report to stress the
importance of IRS enforcing its policy and modified our recommendation
accordingly.
:
IRS had previously informed us of these exceptions. As a result, we had
specifically excluded any individual having met these additional
requirements from our count to arrive at the total of 53 instances in
which employees entered on duty with fingerprint check results over the
180 day expiration period.
:
In our draft report, we initially recommended that IRS establish a
supervisory mechanism to monitor the effectiveness of the additional
guidance and training in addressing the deficiencies noted in the
structuring of installment agreements. In its comments, IRS stated that
its policy is to require managers to approve installment agreements
where the unpaid assessment balance exceeds $25,000 or where the
balance cannot be fully paid within 5 years, regardless of the size of
the balance. We do not find that this policy is unreasonable at this
time and have thus revised our report accordingly.
Details on Audit Methodology:
To fulfill our responsibilities as the auditor of IRS's financial
statements, we:
Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accounts
payable, accrued expenses, payroll, nonpayroll, property and equipment,
and undelivered order transactions. These statistical samples were
selected primarily to substantiate balances and activities reported in
IRS's financial statements. Consequently, dollar errors or amounts can
and have been statistically projected to the population of transactions
from which they were selected. In testing these samples, certain
attributes were identified that indicated either significant
deficiencies in the design or operation of internal control or
compliance with provisions of laws and regulations. These attributes,
where applicable, can be and have been statistically projected to the
appropriate populations.
:
Assessed the accounting principles used and significant estimates made
by management.
:
Evaluated the overall presentation of the financial statements.
:
Obtained an understanding of internal control related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in the
Management's Discussion and Analysis.
:
Tested relevant internal control over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal control.
:
Considered the process for evaluating and reporting on internal control
and financial management systems under the Federal Managers' Financial
Integrity Act of 1982.
:
Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. §1341(a)(1) and
31 U.S.C. §1517(a)); Agreements for payment of tax liability in
installments (26 U.S.C. §6159); Purpose Statute (31 U.S.C. §1301);
Release of lien or discharge of property (26 U.S.C. §6325); Interest on
underpayment, nonpayment, or extensions of time for payment of tax (26
U.S.C. §6601); Interest on overpayments (26 U.S.C. §6611);
Determination of rate of interest (26 U.S.C. §6621); Failure to file
tax return or to pay tax (26 U.S.C. §6651); Failure by individual to
pay estimated income tax (26 U.S.C. §6654); Failure by corporation to
pay estimated income tax (26 U.S.C. §6655); Prompt Payment Act (31
U.S.C. §3902 (a), (b), and (f), and 31 U.S.C. §3904) ; Fair Labor
Standards Act of 1938, as amended (29 U.S.C. §206); Civil Service
Retirement Act of 1930, as amended (5 U.S.C. §§5332, 5343); Federal
Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§8422
and 8423); Social Security Act, as amended (26 U.S.C. §3101 and 3121,
and 42 U.S.C. §430); and Federal Employees Health Benefits Act of 1959,
as amended (5 U.S.C. §§8905, 8906, and 8909).
:
Tested whether IRS's financial management systems substantially comply
with the three FFMIA requirements.
GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Paul Foderaro, (202) 512-2535:
Alain Dubois, (202) 512-6365:
Acknowledgments:
Staff making key contributions to this report were: William Cordrey,
Laurie King, Yola Lewis, and J. Lawrence Malenich.
(196001):
FOOTNOTES
[1] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years
2002 and 2001 Financial Statements, GAO-03-243 (Washington D.C.: Nov.
15, 2002).
[2] Candling is a process used by IRS to determine whether any contents
remain in open envelopes before their destruction. Candling is
generally performed by placing open envelopes in front of a light
source.
[3] Taxpayer assistance centers handle questions and accept payments
from taxpayers who choose to conduct business with IRS in person. They
are located in field offices.
[4] Final candling occurs at the end of the mail extraction process to
ensure that all the contents have been removed from each envelope.
[5] GAO-03-243.
[6] U.S. General Accounting Office, Internal Revenue Service: Progress
Made, but Further Actions Needed to Improve Financial Management, GAO-
02-35 (Washington D.C.: Oct. 19, 2001).
[7] GAO-03-243.
[8] U.S. General Accounting Office, Internal Revenue Service: Physical
Security Over Taxpayer Receipts and Data Needs Improvement, GAO/AIMD-
99-15 (Washington D.C.:
Nov. 30, 1998); Internal Revenue Service: Custodial Financial
Management Weaknesses, GAO/AIMD-99-193 (Washington D.C.: Aug. 4, 1999);
Internal Revenue Service: Recommendations to Improve Financial and
Operational Management, GAO-01-42 (Washington D.C.: Nov. 17, 2000);
Management Report: Improvements Needed in IRS's Accounting Procedures
and Internal Controls, GAO-02-746R (Washington D.C.: July 18, 2002);
and GAO-02-35.
[9] Courier service agreements for IRS service center campuses are
negotiated by either IRS or FMS, depending on the type of depositary
institution IRS uses to deposit campus receipts. IRS has the option of
depositing campus receipts into a Federal Reserve Bank or into a
general depositary. General depositaries are designated commercial
banks that have been specifically authorized by Treasury to maintain a
Treasury General Account for the purpose of accepting deposits for
Treasury. When receipts are to be deposited to an FRB, IRS contracts
for the courier services. When receipts are to be deposited to a
general depositary, FMS negotiates an agreement with the depositary to
perform services for FMS. There are five service center campuses with
FMS-negotiated agreements and five service center campuses with IRS-
negotiated agreements.
[10] U.S. General Accounting Office, Internal Revenue Service:
Immediate and Long-Term Actions Needed to Improve Financial Management,
GAO/AIMD-99-16 (Washington D.C.: Oct. 30, 1998) and GAO/AIMD-99-193.
[11] GAO-03-243.
[12] The statutory collection period for taxes is generally 10 years
from the date of the tax assessment. However, this period can be
extended by agreement with the taxpayer.
[13] We are 95 percent confident that the error rate could be as high
as 15 percent.