Management Report
Improvements Needed in IRS's Internal Controls and Accounting Procedures
Gao ID: GAO-04-553R April 26, 2004
In November 2003, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of and for the fiscal years ending September 30, 2003 and 2002, and on the effectiveness of its internal controls as of September 30, 2003. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports including this one will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2003 audit regarding internal controls and accounting procedures that could be improved for which we do not presently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2003 audit report, they all warrant management's consideration.
During fiscal year 2003, we identified a number of internal control issues that adversely affected safeguarding of tax receipts, budgeting, operating costs, and financial reporting. These issues concern (1) enforcement of lockbox bank contractor policies, (2) courier service requirements, (3) lockbox bank management reviews, (4) candling, (5) safeguarding of taxpayer receipts and information at IRS field offices and service center campuses, (6) physical security, (7) deobligation of funds, (8) overpayments to employees' Thrift Savings Plan (TSP) accounts, (9) financial statement disclosures, and (10) interim performance measures.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-04-553R, Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures
This is the accessible text file for GAO report number GAO-04-553R
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures' which was released on April 28,
2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
April 26, 2004:
The Honorable Mark W. Everson
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures:
Dear Mr. Everson:
In November 2003, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of and for
the fiscal years ending September 30, 2003 and 2002, and on the
effectiveness of its internal controls as of September 30,
2003.[Footnote 1] We also reported our conclusions on IRS's compliance
with significant provisions of selected laws and regulations and on
whether IRS's financial management systems substantially comply with
requirements of the Federal Financial Management Improvement Act of
1996. A separate report on the implementation status of recommendations
from our prior IRS financial audits and related financial management
reports including this one will be issued shortly.
The purpose of this report is to discuss issues identified during our
fiscal year 2003 audit regarding internal controls and accounting
procedures that could be improved for which we do not presently have
any recommendations outstanding. Although not all of these issues were
discussed in our fiscal year 2003 audit report, they all warrant
management's consideration. This report contains 15 recommendations
that we are proposing IRS implement in order to improve its internal
controls and accounting procedures. We conducted our audit in
accordance with U.S. generally accepted government auditing standards.
Results in Brief:
During fiscal year 2003, we identified a number of internal control
issues that adversely affected safeguarding of tax receipts, budgeting,
operating costs, and financial reporting. These issues concern (1)
enforcement of lockbox bank[Footnote 2] contractor policies, (2)
courier service requirements, (3) lockbox bank management reviews, (4)
candling,[Footnote 3] (5) safeguarding of taxpayer receipts and
information at IRS field offices and service center campuses, (6)
physical security, (7) deobligation of funds, (8) overpayments to
employees' Thrift Savings Plan (TSP) accounts, (9) financial statement
disclosures, and (10) interim performance measures.
Specifically, we found the following:
IRS did not require lockbox banks to maintain information on the
employment start dates of their contractors[Footnote 4] who have access
to taxpayer receipts and related information. As a result, there is no
evidence that lockbox managers are adhering to IRS's criterion that
contractors receive favorable fingerprint results prior to having
access to taxpayer receipts and information. IRS allowed immediate
family members to serve as couriers together, thereby undermining the
intent of IRS's requirements that two-person courier teams transport
taxpayer receipts to depositories. Allowing two-person courier teams to
consist of related individuals or individuals in close relationships
increases the risk of collusion and consequently the theft of taxpayer
receipts.
IRS did not require documentary evidence that lockbox management
performed required reviews of certain control logs and transmittal
documents. At the lockbox banks we visited, there were several
instances for which no evidence of required reviews was available. The
lack of such evidence reduces IRS's assurance that the reviews are
performed, in turn increasing the risk of untimely detection of theft
of, loss of, or unauthorized access to taxpayer information and
receipts.
Automated mail extraction machines used to perform candling were not
checked prior to use to ensure that they were operating properly. As a
result, IRS's risk of loss of receipts and taxpayer information was
increased.
IRS did not always follow the required procedures to safeguard taxpayer
receipts and information in its facilities. We found (1) taxpayer
receipts and information kept in unsecured containers and areas at
field offices and (2) discovered remittances[Footnote 5] stored in
unsecured containers and areas at a service center campus. The reduced
level of protection given to these taxpayer receipts and data increases
the risk of their theft, loss, or misuse.
Security guards did not respond to alarms at two of the four service
center campuses we visited. The lack of timely response to alarms
increases the risk of theft of taxpayer receipts and information as
well as untimely detection of such incidents.
IRS did not always timely identify and deobligate outstanding
obligations, hindering its ability to use the funds for other programs
and initiatives.
IRS did not have controls in place to provide reasonable assurance that
payroll calculations made on its behalf by the National Finance Center
(NFC) were not adversely affected by control weaknesses at NFC,
resulting in inaccurate contributions to employee TSP accounts.
IRS's controls over the calculation and reporting of Other Claims for
Refunds in the supplemental information to its financial statements
were not effective in preventing errors from occurring in the reporting
of those amounts.
IRS lacked adequate controls over the preparation of interim period
performance management data. As a result, IRS reported inaccurate or
outdated interim performance data, and program managers lacked
consistent and reliable information to make informed decisions on
interim program performance.
At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into
conformance with the internal control standards that federal agencies
are required to follow.[Footnote 6]
In its comments, IRS agreed with our recommendations and described
actions it was taking or planned to take to address the control
weaknesses described in this report. At the end of our discussion of
each of the issues in this report, we have summarized IRS's related
comments and provided our evaluation.
Scope and Methodology:
As part of our audit of IRS's fiscal years 2003 and 2002 financial
statements, we evaluated IRS's internal controls and its compliance
with selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions.
We requested comments on a draft of this report from the Commissioner
of Internal Revenue. We received written comments from the Commissioner
and have reprinted the comments in enclosure I. Further details on our
audit scope and methodology are included in our report on the results
of our audits of IRS's fiscal years 2003 and 2002 financial statements
and are reproduced in enclosure II.[Footnote 7]
Enforcement of Lockbox Contractor Background Investigation Policies:
In previous years, we found that IRS allowed lockbox bank employees and
contractors access to cash, checks, and other taxpayer data at lockbox
banks before lockbox management had received satisfactory results of
the individuals' background investigations, thereby subjecting IRS to
an increased risk of theft or misuse of taxpayer receipts and
data.[Footnote 8] During our fiscal year 2003 audit, we found that IRS
had made substantial progress in this area with regard to lockbox bank
employees and, as a result, had substantially reduced its exposure
related to the risks of hiring individuals prior to receiving the
results of satisfactory background investigations. Additionally, IRS
procedures require lockbox bank managers to ensure that they have
received satisfactory results of fingerprint checks from the National
Background Investigation Center (NBIC) for lockbox bank contractors,
such as couriers, before they are granted staff-like access to the
lockbox processing area or are entrusted with taxpayer receipts and
information. However, at two of the four lockbox bank locations we
visited this year, lockbox bank managers could not provide the
necessary data to demonstrate that they had not granted contractors,
such as couriers, access to taxpayer data without having previously
received satisfactory fingerprint check results from NBIC.
At one of the two locations where management was unable to demonstrate
that it had received satisfactory fingerprint check results before it
had granted couriers access to taxpayer receipts and data, the
couriers' start dates were inconsistent with data gathered from that
same location during the prior year's audit. As a result, we concluded
that the lockbox bank's data on contractor start dates were unreliable.
At the second location, lockbox bank management informed us that
maintaining information on start dates for contractors was not a
requirement. From the information provided by the lockbox bank
managers, we were not able to verify the controls the lockbox bank uses
to validate its adherence to the fingerprinting requirement for
contractors. GAO's Standards for Internal Control in the Federal
Government requires agencies to establish controls to safeguard
vulnerable assets.[Footnote 9] Until IRS ensures that lockbox bank
managers allow only contractors who have successfully met the
background investigation requirements to have access to taxpayer
receipts and data and sensitive IRS information, the federal government
will be unnecessarily exposed to the risk of loss, theft, or misuse of
taxpayer receipts and information.
Recommendation:
We recommend that IRS require lockbox bank managers to maintain
appropriate documentation on-site demonstrating that satisfactory
fingerprint results have been received before contractors are granted
access to taxpayer receipts and data.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and indicated that its current
Lockbox Processing Guideline (LPG) now requires appropriate
documentation for couriers and guards before they are granted access to
taxpayer receipts. Additionally, to ensure compliance with the LPG, IRS
has included the requirement in its security and administrative
reviews. We will evaluate the effectiveness of IRS's efforts during our
fiscal year 2004 financial audit.
Courier Requirements:
In a number of reports, we have pointed out that IRS lacks effective
controls over various aspects of courier services used to transport
taxpayer receipts.[Footnote 10] We have made numerous recommendations
to IRS to strengthen related controls. IRS has made significant efforts
to address the courier security weaknesses we identified by adopting
more stringent security standards for couriers who transport IRS's
daily deposits to depositary institutions. In particular, IRS adopted a
requirement that courier service employees work in pairs to mitigate
the risk of loss.
While this modification was well conceived, it does not satisfactorily
reduce risk in certain atypical situations we found at two service
center campuses and one lockbox bank location we visited. At the two
campuses, we found courier teams consisting of (1) a husband and wife
and (2) a mother and daughter. At the lockbox bank location, we found
one team consisting of a husband and wife[Footnote 11] and another team
consisting of a father and son. When courier team members have close
relationships, the risk of collusion is increased and the assurance
provided by having two-person courier teams is diminished.
Recommendation:
We recommend that IRS revise its policy on two-person courier teams to
prohibit the use of courier teams consisting of closely related
individuals to further minimize the risk of collusion in the theft of
taxpayer receipts and data.
IRS Comments and Our Evaluation:
In response to our recommendation, IRS agreed to work with its Revenue
and Deposit Branch to assess the risks associated with its current
courier policy and determine if changes are needed. We will evaluate
IRS's conclusions and any corrective actions during our fiscal year
2004 financial audit.
Lockbox Management Reviews:
During our fiscal year 2003 financial audit, we found instances in
which there was no evidence that lockbox management performed certain
required reviews. GAO's Standards for Internal Control in the Federal
Government[Footnote 12] requires agencies to establish controls to
enforce adherence to requirements, such as management reviews, and to
create and maintain records providing evidence that these controls are
executed.
We visited four lockbox banks during our fiscal year 2003 audit. We
found that at all four of these lockbox banks, there was no documentary
or other evidence that some required management reviews of control logs
and transmittal documents relating to transport of taxpayer receipts
and access to taxpayer receipts and data had been performed. The lack
of such evidence increases the risk that the reviews are not performed,
thereby increasing the risk of untimely detection of theft of, loss of,
or unauthorized access to taxpayer receipts and data.
As discussed above, lockbox banks use couriers to transport taxpayer
receipts and taxpayer information to depositories and to service center
campuses. Each lockbox bank is required to maintain a log showing the
courier driver's signature, date and time of pickup, and number of
boxes transported for all courier services, and lockbox bank managers
are required to review these control logs monthly. At three of the four
lockbox banks we visited, we found no evidence such as a reviewer's
signature or initial, date, or comment, that managers had reviewed
these logs. On two of the logs we reviewed, we noted that the courier
drivers' signatures were missing, and at one lockbox bank we noted that
no log existed for service center campus shipments or depository
pickups. We also noted that at one of the lockbox banks, the
transmittal document that is required to accompany all shipments of
IRS-and taxpayer-related information, including cartridges and
microfilm, from any bank site to the service center campus was
frequently incomplete and often lacked a complete count of the items
shipped. This transmittal document is extremely important since it is
the only way assure that all packages included in each shipment are
properly and timely received and acknowledged by the addressee at the
service center campus.
IRS also requires that lockbox banks using automated entry systems
(AES) to the lockbox processing areas establish and maintain logs
controlling key, proximity, and swipe cards in order to provide an up-
to-date audit trail of employee access and to deter unauthorized access
to restricted areas. Lockbox managers are required to review these logs
monthly. At two of four lockbox banks we visited, managers either
lacked evidence of their monthly review or did not perform the review
in accordance with established guidelines. At one of these two lockbox
banks, we noted that the AES control log did not list the dates that
proximity cards were enabled or disabled.
The lack of evidence of managerial reviews reduces IRS's assurance that
such reviews are performed, thereby increasing the risk of untimely
detection of theft of, loss of, or unauthorized access to taxpayer
receipts and data.
Recommendation:
We recommend that IRS develop procedures to require lockbox managers to
provide satisfactory evidence that managerial reviews are performed in
accordance with established guidelines. At a minimum, reviewers should
sign and date the reviewed documents and provide any comments that may
be appropriate in the event that their reviews identified problems or
raised questions.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it would (1)
consider the risk level of each document log, (2) assess each one to
determine the appropriate level of review, and (3) follow up with
additional guidelines, if necessary. We will evaluate the effectiveness
of IRS's efforts in future audits.
Automated Candling Procedures:
In our previous audits, we reported that IRS did not always ensure that
opened envelopes were candled twice before destruction, as required by
its procedures to provide assurance that all contents have been
extracted. During our fiscal year 2003 financial audit, we continued to
find weaknesses in IRS candling procedures. GAO's Standards for
Internal Control in the Federal Government[Footnote 13] requires that
management establish physical controls to secure and safeguard
vulnerable assets and provide qualified and continuous supervision to
ensure that control objectives are achieved.
During our testing at one of the four lockbox banks we visited, we
found that machines were used to assist in the extraction of taxpayer
remittances. These machines, after the operator extracted the contents
from envelopes, subjected the envelopes to a light source and a sensor
and were designed to notify the operator in the event that envelopes
had not been fully emptied of their contents. We tested 4 of 14 such
machines by placing items in envelopes, and found that all four
machines were not notifying the operators that envelopes were not
emptied. IRS's procedures for the lockbox banks require managers to
monitor equipment and personnel for extraction accuracy and institute
additional measures should trends occur or discovered remittance
volumes increase. However, no specific guidance exists to help ensure
that automated candling equipment is functioning as intended throughout
the process. In addition, no evidence exists documenting that lockbox
bank managers periodically reviewed the effectiveness of the automated
candling equipment. The lack of such guidance increases the risk of
loss of taxpayer receipts and data.
Recommendations:
We recommend that IRS:
revise its candling procedures at lockbox banks to require testing of
automated candling machines at appropriate intervals, taking into
account such factors as use time, volume processed, machine
requirements, and shift cycles, and
require lockbox managers to maintain logs of these tests and to
periodically review their logs.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and indicated that corrective
actions have been or will be implemented. Specifically, IRS stated that
it now requires an additional candling of all envelopes processed by
extractors using automated candling machines. In addition, IRS agreed
to include our recommendation on maintaining logs of the tests
conducted as part of its assessment of testing standards for machines
with automated candling equipment. We will evaluate the effectiveness
of IRS's efforts in future audits.
Safeguarding of Taxpayer Receipts and Information:
During our fiscal year 2003 financial audit, we found instances in
which IRS was not following its procedures for safeguarding taxpayer
receipts and information in its facilities, thus increasing the risk
that taxpayer receipts and information could be lost, stolen, or
destroyed. GAO's Standards for Internal Control in the Federal
Government requires agencies to establish physical controls to secure
and safeguard vulnerable assets.[Footnote 14]
We visited three IRS Taxpayer Assistance Centers (TAC) during our
fiscal year 2003 audit. All three centers were receiving and storing
taxpayer receipts and information in unsecured areas without properly
securing them. From our observations, taxpayers were greeted, upon
entering a TAC, by an IRS representative who was responsible for
determining the type of assistance needed, assigning taxpayers a
service number, and receiving drop-off payments. These functions were
performed outside the secured area of the TAC. We observed the IRS
representatives receiving taxpayer remittances and storing them in an
unlocked drawer at the information desk. When the representatives left
the information desk to assist other taxpayers waiting in the TAC, they
did not secure or remove the remittances from the desk. The:
failure to properly safeguard assets created an opportunity for
unauthorized access to and theft of taxpayer receipts and data.
In addition, at one of the service center campuses, we observed
discovered remittances outside a secured area and not stored in secured
containers as required by IRS procedures. Storing receipts in unsecured
containers in an unsecured area significantly increases the risk of
theft of taxpayer receipts because anyone with access to the service
center could gain access to the receipts. In our audits of IRS's
financial statements for fiscal years 1997 through 2001, we found
similar weaknesses in controls over receipts discovered outside of
designated receipt processing areas within IRS's service center
campuses. We recommended that IRS correct the weaknesses by providing
secure containers in which service center employees could immediately
store and inventory discovered remittances. In our May 2003 report
following up on this and other issues,[Footnote 15] IRS officials
stated that locked containers had been provided to all services
centers, that instructions had been issued to service centers
concerning proper handling and recording of discovered remittances, and
that monitoring steps had been put in place. Our fiscal year 2003 audit
finding, however, raises concern about IRS's ability to effectively
monitor its service center campuses' implementation of sound controls
over safeguarding discovered remittances.
Recommendations:
We recommend that IRS:
discontinue its practice of storing taxpayer receipts and data outside
TAC secured areas without storing the receipts in a secured locked
container and:
develop procedures to enhance adherence to existing instructions on
safeguarding discovered remittances at service center campuses.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and reiterated its Internal Revenue
Manual (IRM) guidance on both recommendations. In both instances, IRS
stated that it would continue to monitor adherence to the IRM guidance
in its operational reviews at TAC offices and its monthly reviews of
the service center campus revenue receipt and control process. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2004
and future financial audits.
Response to Alarms:
GAO's Standards for Internal Control in the Federal Government[Footnote
16] requires that access to resources and records, such as IRS receipts
and taxpayer data, be limited to authorized individuals to reduce the
risk of unauthorized use or loss to the government. Tax receipts, such
as cash and checks, are highly susceptible to theft, and unauthorized
use of taxpayer data could result in identity theft and financial
fraud.[Footnote 17] Due to the large volume of receipts and the
assembly-line nature of tax receipt processing, taxpayer data and
receipts are easily accessible to individuals on the processing floor.
This vulnerability underscores the need for effective controls to deter
and detect unauthorized access.
As part of our fiscal year 2003 financial audit of IRS, we conducted
tests of physical security controls at four IRS service center
campuses, including tests to determine the responsiveness of security
guards to activated building perimeter door alarms. We found that at
two of four service center campuses we visited, security guards did not
respond to the activated alarms. At one location, IRS officials told us
that the exit door we tested did not show up as a breach in security on
the monitoring equipment. However, a subsequent test of the same door
resulted in a prompt response by the guards. At the second location,
IRS officials informed us that the computer for the alarm system had
gone down and was in the process of being rebooted at the time of
breach. Nonetheless, the security guards' lack of response increases
the risk of theft of taxpayer receipts and information and reduces the
possibility of timely detection of such incidents.
Recommendations:
We recommend that IRS:
enforce its policies and procedures to ensure that service center
campus security guards respond to alarms and:
establish compensating controls in the event that automated security
systems malfunction, such as notifying guards and managers of the
malfunction and immediately deploying guards to better protect the
processing center's perimeter.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that by August 30, 2004,
it would modify its IRM to include (1) the development, integration,
and review of self-assessments for guards' response capabilities to
alarms; (2) initial, periodic, and annual security exercises; and (3)
written reports to support the security exercises conducted. Also, IRS
stated that its Physical Security Program within Mission Assurance
would develop, within the same time frame, procedures to ensure that
local management is notified whenever there is a malfunction of alarms
and that guards are deployed or doors are secured, as necessary, either
during tests or when otherwise identified. We will evaluate the
effectiveness of IRS's efforts in future audits.
Timeliness of Deobligations:
In prior years, we identified deficiencies in IRS's process for
deobligating funds that were no longer valid or needed.[Footnote 18]
Over the past several years, IRS has made substantial progress in
addressing internal control deficiencies related to deobligations. IRS
issued policy memorandums and implemented procedures to more frequently
review obligations that are no longer active and thus need to be
deobligated. These improvements have allowed IRS to better manage its
financial resources and improve its reporting on the status of
budgetary resources. While we recognize IRS's progress in reviewing
outstanding obligations, our work performed as part of our fiscal year
2003 financial audit indicates that further improvements are needed.
During our fiscal year 2003 audit, we found instances in which IRS did
not timely identify and deobligate outstanding obligations. In our
testing of a statistical sample of 110 undelivered orders[Footnote 19]
as of August 31, 2003, we found four instances in which IRS did not
deobligate undelivered orders that were no longer valid. These
exceptions resulted primarily from (1) a system deficiency that
prevented IRS personnel responsible for reviewing inactive obligations
from having accurate information on when activity last occurred against
the obligation and (2) IRS personnel's failure to timely review certain
obligations. Consistent with GAO's Standards for Internal Control in
the Federal Government,[Footnote 20]agencies are required to properly
execute and accurately record transactions.
In fiscal year 2003, IRS issued a memorandum that provides financial
plan managers[Footnote 21] guidelines for reviewing and identifying
obligations to be deobligated. This memorandum supplemented existing
guidance by providing the business unit finance staff with more
detailed direction for reviewing outstanding obligations. For example,
these guidelines state that IRS's business units are required to review
aging unliquidated obligations (AUO) reports monthly and certify that
all outstanding obligations with no activity for more than 180 days
have been reviewed and validated as either (1) requiring deobligation
or (2) valid obligations. IRS's Beckley Finance Center (BFC) generates
AUO reports by running a program to extract information on outstanding
obligations from the accounting system. AUO reports provide lists of
all open obligations, along with such information as the outstanding
obligation amount and the obligation's last activity date. The business
units then review the obligations and make entries in the reports
indicating whether the obligations are valid or should be deobligated.
We found that AUO reports did not capture the information necessary for
reviewers to correctly identify inactive obligations. IRS may issue an
obligation to purchase several types of equipment or services for
various units within the organization, each of which is reported as a
separate obligation line amount in the accounting system. However, when
generating an AUO report, the most recent date activity occurred
against the obligation is extracted and applied to all of the line
amounts. For example, in one of the cases, an AUO report for an
obligation with five obligation line amounts had a last activity date
of June 9, 2003, recorded for all five obligation line amounts. The
last date on which any goods or services were charged against the line
item in our sample, however, was September 25, 2002. Because the AUO
reports did not capture the correct activity date for each outstanding
obligation line amount, IRS's business units did not have accurate data
with which to identify all the inactive undelivered orders for possible
deobligation.
For certain obligations, IRS's guidelines require concurrence between
business unit staff and procurement office staff before an obligation
can be deobligated. These are obligations that are processed through
IRS's Integrated Procurement System, such as interagency agreements and
large-dollar contracts. In order to respond to the business units,
procurement office staff perform research on the status of the
contract, contact the vendor, or obtain additional documentation to
support a deobligation. If the procurement office is silent as to
whether the obligations should be deobligated, the business units
certify that the obligations are valid.
We found three instances in which obligations were not properly
deobligated because the procurement office did not provide timely
responses to the business units. In one case, IRS had ordered computer
equipment and services at a cost of $334,910 on September 18, 2001. In
October 2001, IRS received all the equipment and services ordered at a
cost of $267,676. According to the documentation we reviewed, the
vendor provided preliminary notification to IRS in November 2001 that
IRS did not owe any additional funds because the vendor did not charge
for goods and services that were initially ordered at $67,234. When we
performed our testing, in August 2003, the procurement office had not
yet confirmed with the vendor that the remaining $67,234 was a no-
charge item and thus had not requested that this amount be deobligated.
In another case, an undelivered order for computer equipment and
services totaling $28,268 had not had activity since November 2000. As
of August 2003, the business unit had not received a response from the
procurement office as to whether to deobligate the funds. Based on our
review of these two files, IRS followed up on these cases and
subsequently deobligated the funds.
Since the AUO reports did not capture the information necessary to
ensure that all outstanding obligations with more than one line amount
had the appropriate activity dates, IRS's financial plan managers did
not identify all the obligations that needed to be reviewed for
possible deobligation. Additional delays in deobligating funds were
caused by the procurement office staff's failure to provide responses
to business units in a timely manner. Based on our testing, we estimate
that $37 million of undelivered orders were not valid.[Footnote 22] By
not promptly deobligating funds, IRS affected its ability to use its
financial resources effectively. If IRS had deobligated the funds
within their periods of availability, the funds could have been used
for other initiatives and programs.
Recommendations:
We recommend that IRS:
modify AUO reports to ensure that they report the last activity date
for each outstanding obligation line amount and:
require procurement office staff to review and sign off on whether
obligations are valid or require deobligation before business units
complete their quarterly certifications.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations. In its comments, IRS stated that
its BFC revised the AUO report in March 2004 to accurately report the
last activity date for each obligation line amount. Moreover, IRS
stated that it is currently evaluating its approach toward reviewing
open obligations and approving those obligations that require
deobligation. This includes studying the relative responsibilities of
the procurement office, business units, and BFC with respect to
validating and certifying deobligations. IRS will issue new guidelines
at the conclusion of its internal review. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2004 financial
audit.
Excess Contributions to Employees' Thrift Savings Plan Accounts:
During fiscal year 2003, IRS did not have procedures in place to timely
detect mathematical errors in its payroll information made by the
NFC.[Footnote 23] We found that while processing IRS's payroll in
fiscal year 2003, NFC made mathematical errors when it calculated the
mandatory agency TSP contribution for some IRS employees. IRS did not
detect these errors because, although it had control procedures in
place to test certain payroll information processed by NFC, these
procedures did not include verifying the accuracy of NFC's
calculations. IRS relied on NFC to accurately process the biweekly
payroll for its employees. Consistent with GAO's Standards for Internal
Control in the Federal Government, IRS's internal controls should
provide reasonable assurance that its financial transactions, including
those processed by NFC, are accurately recorded.[Footnote 24] The
errors we identified with respect to employee contributions to TSP were
not material to IRS's financial statements. Nonetheless, because it did
not have controls in place to verify NFC's calculations, IRS had less
assurance that government funds were used as intended and that employee
TSP accounts were accurate.
We found that in fiscal year 2003, a total of 131 IRS employees
erroneously received excess mandatory contributions to their TSP
accounts equaling 2 percent of their base pay, rather than the 1
percent required by law. IRS must identify and recover amounts overpaid
to TSP on behalf of its employees within 1 year of the time of payment
or forfeit the funds to the Federal Retirement Thrift Investment Board
or to the employees' TSP accounts. IRS did not detect these errors
through its review process but became aware of them when we informed
the agency about them. Some of these errors related to overpayments
that had exceeded the 1-year limitation for recovery.
For the past several years, the Department of Agriculture's Office of
Inspector General has reported weaknesses in internal controls over
NFC's payroll operations.[Footnote 25] In addition, in a previous audit
report,[Footnote 26] we stated that any agency that uses a service
organization, such as NFC, to process its payroll transactions should
establish adequate policies and procedures to ensure that the services
provided meet the objectives of agency management. We further stated
that adequate internal controls over input and output data to prevent
or detect material misstatements are particularly critical when it has
been determined that the service organization's internal controls do
not provide reasonable assurance that payroll transactions were
processed and reported accurately. In our report, we recommended that
IRS implement control procedures to compensate for the weaknesses
identified in NFC's payroll operations.
In response to our recommendation, IRS implemented compensating internal
control procedures to ensure that NFC accurately processed IRS's
payroll each pay period. Specifically, each pay period, IRS's
Transactional Processing Operations Division reviews a
nonrepresentative selection of employee Social Security numbers from a
list of IRS employees paid that pay period and compares key payroll
information (e.g., hours worked, leave taken, and payroll deductions)
received from NFC to information that IRS submitted to NFC (e.g., time
and attendance data, employee health plan, and life insurance
election). Our findings during fiscal year 2003 also indicate that the
mathematical errors we detected in NFC's payroll calculations occurred
as a result of the NFC internal control weaknesses identified. However,
since IRS's compensating control procedures do not include a test of
the mathematical accuracy of NFC's calculations of payroll amounts,
they do not give IRS the capability to timely detect errors in payroll
calculations made by NFC during the processing of IRS payroll
transactions. Because IRS did not have controls in place to verify
NFC's calculations within the period allowed for recovery, it lost the
ability to recover the erroneously contributed funds and use them to
pay for its operations.
Recommendations:
We recommend that IRS:
enhance its compensating internal controls by including tests or
recalculations of payroll computations performed by NFC for the IRS
employees selected for review each pay period and:
timely investigate and resolve any identified errors.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that its Transactional
Processing Operations (TPO) division will expand its current random
sample payroll review and validation process to include the
recalculation of agency TSP contributions. IRS expects implementation
of the review process by June 2004. The TPO division will also be
responsible for following up immediately on any discrepancies found and
ensuring that NFC responds timely. We will evaluate the effectiveness
of IRS's efforts during our fiscal year 2004 financial audit.
Supplemental Information for Other Claims for Refund:
During our audit of IRS's fiscal year 2003 financial statements, we
found that IRS reported incorrect information in the supplemental
information to the financial statements. Specifically, IRS incorrectly
reported the total estimated payout for refund claims pending review by
IRS's Appeals organization[Footnote 27] or federal courts. This error
occurred because IRS's controls over the calculation and reporting of
estimated payouts for refund claims were ineffective. GAO's Standards
for Internal Control in the Federal Government[Footnote 28] requires
that transactions be properly executed and accurately recorded. Because
IRS did not have effective controls in place to ensure proper
calculation and reporting of estimates of Other Claims for Refund,
management did not have relevant, reliable, and timely information to
achieve its objectives, increasing the risk that these amounts could be
misstated.
During our audit, we found two errors relating to Other Claims for
Refund in the supplemental information contained in IRS's draft fiscal
year 2003 financial statements.
IRS's draft financial statements disclosed that the total estimated
payout for claims pending review by IRS's Appeals organization was $5.2
billion. However, based on our review of the supporting documentation,
we found that the correct amount was $7.6 billion. This misstatement
occurred because IRS used the wrong amount for interest in its
computation. As a result, the supplemental information to the draft
financial statements was misstated. When we informed IRS of the error,
IRS corrected the amount reported in the supplemental information for
the final financial statements.
IRS's financial statements disclosed that the estimated amount of
claims pending review by federal courts was $6.5 billion. However, in
its November 7, 2003, update for contingencies as of September 30
through November 1, 2003, IRS counsel reported estimated claims pending
review by federal courts as $6.2 billion. The updated data were not
included in IRS's final supplemental information because of weaknesses
in controls over reporting this information.
These misstatements did not materially affect IRS's financial
statements, but without effective controls in place to ensure that
amounts estimated for Other Claims for Refund are correctly reported,
the risk of misstatement increases, and the accuracy of information
available to IRS management for decision-making purposes is impaired.
Recommendation:
We recommend that IRS establish review procedures for amounts being
reported in Supplemental Information to the financial statements for
Other Claims for Refund.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it would add a
second level of management review to its final financial statements to
ensure that changes are identified and reported before final print. In
addition, IRS stated that it would work closely with our financial
audit team to determine the last day of fieldwork, and notify its Chief
Counsel's office to determine if there are any material changes needed
to its final financial statements. We will evaluate the effectiveness
of IRS's efforts during our fiscal year 2004 financial audit.
Controls over Reporting Interim Performance Measures:
During our audit of IRS's fiscal year 2003 financial statements, we
found that IRS's controls over its reporting of interim performance
measurement data were not effective throughout the year. Specifically,
we found that data reported at interim periods for certain performance
measures were either not accurate or were outdated. This occurred
because of data entry errors made in the reports generated from the
performance data submitted by IRS's divisions. We also found that
review of the reports was not documented. GAO's Standards for Internal
Control in the Federal Government[Footnote 29] requires the review of
performance measurement data. Such reviews should be designed to
validate the propriety and integrity of performance measurement data
and indicators. IRS reviews the Monthly Summary of Performance (MSP)
reports from performance data submitted by IRS divisions, but these
reviews were undocumented and were not effective in identifying the
erroneous performance data reported. While we did not identify any
errors in the performance data IRS reported in its year-end Management
Discussion and Analysis, IRS management did not always have reliable
performance measurement data available at interim periods to assist
managers in making decisions.
IRS's Corporate Planning and Performance Division (CPPD) collects and
reports performance data for each of its 69 performance measures. Each
month and at year-end, CPPD compiles performance data submitted by
operating divisions in an MSP report. These reports contain records of
tax enforcement results that IRS uses for such purposes as forecasting,
financial planning, and resource management. Information reported for
each performance measure includes full-year performance, year-to-date
comparison of performance data, and current fiscal year actual and
planned performance data. Staff in CPPD review the data submitted by
IRS's operating divisions. To identify any anomalies, the CPPD review
includes comparisons of current-month data to prior-month data and
current-year data to prior-year data. Generally, the offices
responsible for submitting the data can explain any anomalies or, if
data errors are found, will correct them. CPPD staff, using the
reviewed and corrected performance data submissions, then manually
prepare the MSP report. At the end of the fiscal year, IRS uses the MSP
report to prepare the performance measure results reported in the
Management and Discussion Analysis section of its financial statements.
As part of our fiscal year 2003 audit, we reviewed a nonrepresentative
selection of five performance measures. For each measure, we obtained
the supporting documentation and compared the support to what was
reported in IRS's MSP reports for July and August 2003. In conducting
our review, we identified data that were not current or not accurate
for two of the five performance measures:
The number reported for the "Criminal Investigations Completed"
performance measure as of July 2003 was the planned, rather than the
actual, amount.
The number reported for the "Federal Tax Payment Transactions Paid
Electronically" performance measure in both July and August 2003 was
actually the April 2003 amount.
IRS agreed that the data were incorrect due to errors in data entry by
CPPD staff during preparation of the MSP report. However, IRS is in the
process of implementing a Business Performance Management System (BPMS)
that when fully operational, is intended to be able to accept
performance data directly from the operation divisions' reporting
systems and would eliminate the need for data entry by CPPD staff. BPMS
is expected to validate the accuracy of the data submitted by IRS's
operating divisions.
Recommendation:
Until BPMS is fully operational, we recommend that IRS implement
procedures to ensure that all performance data reported in MPS reports
are subject to effective, documented reviews to provide reasonable
assurance that the data are current at interim periods.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation. In its comments, IRS stated that it
has taken steps to ensure that performance measurement data are
properly reviewed before being published. IRS plans to increase control
over data by (1) increasing the number of measures reported through the
automated BPMS, (2) requiring the submitting divisions to certify that
their data are accurate, and (3) reducing the number of measures
manually reported in the monthly report. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2004 financial
audit.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Governmental Affairs and the House
Committee on Government Reform within 60 days of the date of this
report. A written statement must also be sent to the House and Senate
Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of the report.
This report is intended for use by the management of IRS. We are
sending copies to Chairmen and Ranking Minority Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Governmental Affairs; Senate Committee on the Budget;
Subcommittee on Treasury and General Government, Senate Committee on
Appropriations; Subcommittee on Taxation and IRS Oversight, Senate
Committee on Finance; and the Subcommittee on Oversight of Government
Management, Restructuring, and the District of Columbia, Senate
Committee on Governmental Affairs. We are also sending copies to the
Chairmen and Ranking Minority Members of the House Committee on
Appropriations; House Committee on Ways and Means; House Committee on
Government Reform; House Committee on the Budget; Subcommittee on
Treasury, Postal Service, and General Government, House Committee on
Appropriations; Subcommittee on Government Efficiency, Financial
Management, and Intergovernmental Relations, House Committee on
Government Reform; and the Subcommittee on Oversight, House Committee
on Ways and Means. In addition, we are sending copies of this report to
the Chairman and Vice-Chairman of the Joint Committee on Taxation, the
Secretary of the Treasury, the Director of the Office of Management and
Budget, the Chairman of the IRS Oversight Board, and other interested
parties. Copies will be made available to others upon request. The
report is also available at no charge on GAO's Web site at http://
www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal year 2003
and 2002 financial
statements. If you have any questions or need assistance in addressing
these matters, please contact Larry Malenich, Assistant Director, at
(202) 512-9399.
Sincerely yours,
Signed by:
Steven J. Sebastian
Director, Financial Management and Assurance:
Enclosures - 3:
Enclosure I:
Comments from the Internal Revenue Service:
COMMISSIONER:
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224:
April 16, 2004:
Mr. Steven J. Sebastian
Director:
Financial Management and Assurance
U.S. General Accounting Office:
441 G Street, NW Washington, DC 20548:
Dear Mr. Sebastian:
I am responding to your draft of the FY 2003 Management Report titled,
Improvements Needed in IRS's Internal Controls and Accounting
Procedures (GAO-04-553R). I believe the issues presented in your draft
report will help us continue to improve our accounting procedures and
internal controls, and we are committed to strengthening our oversight
in these areas. We have instituted a number of changes that I believe
will improve our controls related to safeguarding tax receipts.
Specifically we:
* Established the Mission Assurance organization to combine key security
activities into a single organization:
* Increased management awareness and our commitment to ensuring
compliance with the policies and procedures we have implemented in the
campuses, lockboxes, and field locations:
As evidenced in our response to the recommendations, we have already
taken actions to correct many of these matters. The following comments
address your recommendations separately.
Recommendation: The GAO recommended that the IRS require lockbox
managers to maintain appropriate documentation on-site demonstrating
that satisfactory fingerprint results have been received before
contractors are granted access to taxpayer receipts and data.
Comments: We agree with this recommendation. The current Lockbox
Processing Guideline (LPG) requires appropriate documentation for
couriers and guards before we grant contractors access to taxpayer
receipts. To ensure compliance with the LPG, we have included this in
both the Financial Management Service (FMS) and our security and
administrative reviews.
Recommendation: The GAO recommended that IRS revise its policy on two-
person courier teams to prohibit the use of courier teams consisting of
closely related
individuals to further minimize the risk of collusion in the theft of
taxpayer receipts and data.
Comments: We agree the Revenue and Deposit Branch will work with
Mission Assurance to assess the risks in the current guidelines by June
30, 2004, and determine if we need to make any changes. We will provide
you with any new guidelines we develop.
Recommendation: The GAO recommended that IRS develop procedures to
require lockbox managers to provide satisfactory evidence that
managerial reviews are performed in accordance with established
guidelines. At a minimum, reviewers should sign and date the reviewed
documents and provide any comments that may be appropriate in the event
that their reviews identified problems or raised questions.
Comments: We agree with this recommendation. Our Lockbox Processing
Guidelines instruct the banks to perform numerous managerial reviews.
We will consider the risk level of each of the document logs, and
assess each one to determine the appropriate level of review, and
determine if more guidelines are necessary.
Recommendation: The GAO recommended that IRS revise its candling
procedures at lockbox banks to require testing of automated candling
machines at appropriate intervals, taking into account such factors as
use time, volume processed, machine requirements, and shift cycles.
Comments: We agree with this recommendation. The IRS now requires an
additional candling of all envelopes processed by extractors using
machines that have automated candling equipment. This requirement
mitigates the risk identified by the GAO. We agree to assess our
current guidelines for possible inclusion of testing standards for
equipment with automated candling equipment.
Recommendation: The GAO recommended that IRS require lockbox managers
to maintain logs of these tests and to periodically review their logs.
Comments: We agree with the recommendation. We will include this
recommendation as part of the assessment of testing standards for
machines with automated candling equipment.
Recommendation: The GAO recommended that the IRS discontinue its
practice of storing taxpayer receipts and data outside Taxpayer
Assistance Center (TAC) secured areas without storing the receipts in a
secured locked container.
Comments: We agree with this recommendation. We have provided written
procedures to the TAC employees for safeguarding taxpayer receipts when
received. The Internal Revenue Manual (IRM) 21.3.4.7(6), issued in June
2003, provides guidance stating that payments received from taxpayers
will be immediately placed in a locked container. The receipts are also
stored away from employees' personal belongings. We will continue to
conduct operational reviews at TAC offices to ensure our employees are
following these IRM procedures.
For the TAC location you referenced in your letter that secured
payments from taxpayers outside the secure area of the TAC, we
contacted that location and they have moved the desk inside the secured
area of TAC. We have also instructed the TAC managers to ensure we
perform all TAC operations inside the secured TAC area.
Recommendation: The GAO recommended that the IRS develop procedures to
enhance adherence to existing instructions on safeguarding discovered
remittances at service center campuses.
Comments: We agree with this recommendation. In February 2003, we
produced and distributed IRM 3.8.46 to all of our campuses. Form 4287
(Record of Discovered Remittances) has been revised to include a box
for managers to indicate that reconciliation has been performed. We
also added a review for the discovered remittance procedures to the
monthly security checklist.
Recommendation: The GAO recommended that IRS enforce its policies and
procedures to ensure that service center campus security guards respond
to alarms.
Comments: We agree with this recommendation. The IRS Physical Security
Programs within Mission Assurance will modify IRM 16.12, Facility and
Property Protection by August 30, 2004, to require the following:
* Develop self-assessments, which may be used to test the response
capabilities for guards, as these relate to alarms:
* Integrate self-assessments into IRM 1.16 Physical and Property
Protection
* Conduct initial and then periodic security exercises, which
are realistic, to ensure security guards respond to alarms, required by
Operational Assurance personnel:
* Operational Assurance will provide written reports to the Physical
Security Program Office to support the conducting of security
exercises:
* Review self-assessment reports for alarm response and coordinate
corrective action of outstanding issues:
* Conduct annual security exercises at each of their assigned facilities
to test alarm responses:
Recommendation: The GAO recommended that IRS establish compensating
controls in the event that automated security systems malfunction, such
as notifying guards and managers of the malfunction, and immediately
deploying guards to better protect the processing center's perimeter.
Comments: We agree with this recommendation. The IRS Physical Security
Program within Mission Assurance will develop procedures by August 30,
2004, to be used in conjunction with the policies developed to ensure
that local management is notified whenever there is a malfunction of
alarms and that guards are deployed or doors are secured, as necessary,
either during tests or when otherwise identified.
Recommendation: The GAO recommended that IRS modify Aging Unliquidated
Obligations (AUO) reports to ensure that they report the last activity
date for each outstanding obligation line amount.
Comments: We agree with this recommendation. The Beckley Finance Center
(BFC) revised the AUO report in March 2004 so that it accurately
reports the last activity date for each obligation line amount.
Recommendation: The GAO recommended that IRS require procurement office
staff to review and sign off on whether obligations are valid or
require deobligation before business units complete their quarterly
certifications.
Comments: We agree with this recommendation. The IRS is evaluating its
current approach toward reviewing open obligations and approving those
that require deobligation. This includes studying the relative
responsibilities of the procurement office, business units, and the BFC
with respect to validating and certifying deobligations. We will issue
new guidelines at the conclusion of this internal review.
Recommendation: The GAO recommended that IRS enhance its compensating
internal controls by including tests or recalculations of payroll
computations performed by the National Finance Center (NFC) for the IRS
employees selected for review each pay period.
Comments: We agree with this recommendation. The IRS Transactional
Processing Operations (TPO) division will expand its current random
sample payroll review and validation process to include the
recalculation of agency TSP contributions. They are developing a
detailed Standard Operating Procedure outlining the complete review
process, and expect implementation of this process by June 2004.
Recommendation: The GAO recommended that IRS timely investigate and
resolve any identified errors.
Comments: We agree with this recommendation. The IRS TPO Division is
responsible for following up immediately on any discrepancies with NFC,
and ensures the NFC takes corrective action within a timely manner.
Recommendation: The GAO recommended that IRS establish review
procedures for amounts being reported in Supplemental Information to
the financial statements for Other Claims for Refund.
Comments: We agree with this recommendation. The Office of Revenue
reports currently provides in the draft financial statements,
information from Appeals and Chief Counsel that are interim through the
period of the draft statements. We agree to add a second level of
management review to ensure we identify and report any changes in our
final financial statements.
For the claims pending review by federal courts, our Chief Counsel's
office sends their final contingencies as of September 30 and through
November 1 directly to your office, and simultaneously to the CFO. We
established this process with you because of the timing of this
information related to the completion of your fieldwork, and finalizing
our financial statements. Last year, we received this information after
you had completed your fieldwork, and we jointly decided the changes
were not material, and therefore not to adjust our final statements.
For this year's audit, we will work closely with your office to
determine the last day for your fieldwork, and notify our Chief
Counsel's office so we can accelerate getting this information in time
to determine if there are any material changes to make to our final
financial statements.
Recommendation: Until Business Performance Management System (BPMS) is
fully operational, we recommend that IRS implement procedures to ensure
that all performance data reported in MPS reports are subject to
effective, documented reviews to provide reasonable assurance that the
data are current at interim periods.
Comments: We agree with this recommendation. The IRS has taken steps to
ensure that the performance measures data reported in the monthly
report is properly reviewed before being published. The IRS is
increasing the control over the data by increasing the number of
measures reported through the automated BPMS, requiring the submitting
divisions to certify that their data is accurate, and reducing the
number of measures manually reported in the monthly report. In
addition, the Corporate Planning and Performance Unit (CPPU) staff
continues to complete the manual review process as described by GAO.
This review process requires that CPPU staff review the draft document,
compare it to the data provided by the divisions, and compare it to
the
previous month's report for consistency. This review process validates
the accuracy of the manual input of data to the report.
I appreciate your input and will continue to take the necessary steps
to improve our financial management. With the continued dedication and
cooperation of both our staffs, we will further enhance the IRS'
accounting procedures and internal controls.
If you have any questions, please contact me or Eileen Powell, Chief
Financial Officer, at (202) 622-6400.
Sincerely,
Signed by:
Mark W. Everson:
Enclosure II:
Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:
Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, and undelivered
order transactions. These statistical samples were selected primarily
to substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which
they were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design
or operation of internal control or compliance with provisions of laws
and regulations. These attributes, where applicable, can be and have
been statistically projected to the appropriate populations.
Assessed the accounting principles used and significant estimates made
by management.
Evaluated the overall presentation of the financial statements.
Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in IRS' Management
Discussion and Analysis.
Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.
Considered the process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. § 3512 (c),
(d), (commonly referred to as the Federal Managers' Financial Integrity
Act of 1982).
Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1)
and 31 U.S.C. § 1517(a)); Agreements for payment of tax liability in
installments (26 U.S.C. § 6159); Purpose Statute (31 U.S.C. § 1301);
Release of lien or discharge of property (26 U.S.C. § 6325); Interest
on underpayment, nonpayment, or extensions of time for payment of tax
(26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611);
Determination of rate of interest (26 U.S.C. § 6621); Failure to file
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance
System for Civilian Employees (5 U.S.C. §§ 5332 and 5343 and 29 U.S.C.
§ 206); Federal Employees' Retirement System Act of 1986, as amended (5
U.S.C. §§ 8422 and 8423 and 8432); Social Security Act, as amended (26
U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health
Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909);
and Consolidated Appropriations Resolution, 2003 (Pub. L. No. 108-7).
Tested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996.[Footnote 30]
Enclosure III:
GAO Contacts and Staff Acknowledgments:
GAO Contacts:
J. Lawrence Malenich, (202) 512-9399 John D. Sawyer, (202) 512-9566:
Acknowledgments:
Staff who made key contributions to this report were Nina Crocker, John
Davis, Alain Dubois, Valerie Freeman, Patrick McCray, Ryan Holden,
Theresa Patrizio, and Robert Preshlock.
(196013):
GAO/AIMD-00.21.3.1.
FOOTNOTES
[1] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years
2003 and 2002 Financial Statements, GAO-04-126 (Washington, D.C.: Nov.
13, 2003).
[2] Lockbox banks are financial institutions designated as depositories
and financial agents of the U.S. government to perform certain
financial services, including processing tax documents, depositing the
receipts, and then forwarding the documents and data to IRS's service
center campuses, which update taxpayers' accounts.
[3] Candling is a process used by IRS to determine if any contents
remain in open envelopes. This is often achieved by passing the
envelopes over a light source.
[4] For the purpose of this report, the term "lockbox bank contractors"
refers to all individuals in a contractual relationship with a lockbox
bank who are granted staff-like access to the lockbox bank but are not
involved in the extraction and posting of receipts. This would include
couriers and janitorial and equipment maintenance personnel.
[5] Discovered remittances are cash and noncash taxpayer receipts that
instead of being identified and processed during the initial mail
extraction phase are found later during further processing of mail.
[6] U.S. General Accounting Office, Standards for Internal Control in
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November
1999).
[7] GAO-04-126.
[8] U.S. General Accounting Office, Internal Revenue Service: Progress
Made, but Further Actions Needed to Improve Financial Management, GAO-
02-35 (Washington, D.C.: Oct. 19, 2001).
[9] GAO/AIMD-00.21.3.1.
[10] U.S. General Accounting Office, Internal Revenue Service: Physical
Security Over Taxpayer Receipts and Data Needs Improvement, GAO/AIMD-
99-15 (Washington, D.C.: Nov. 30, 1998); Internal Revenue Service:
Custodial Financial Management Weaknesses, GAO/AIMD-99-193
(Washington, D.C.: Aug. 4, 1999); Internal Revenue Service:
Recommendations to Improve Financial and Operational Management, GAO-
01-42 (Washington, D.C.: Nov. 17, 2000); Management Report:
Improvements Needed in IRS's Accounting Procedures and Internal
Controls, GAO-02-746R (Washington, D.C.: July 18, 2002); and GAO-02-35.
[11] This husband and wife team is the same husband and wife team we
noted at one of the service center campuses.
[12] GAO/AIMD-00-21.3.1.
[13] GAO/AIMD-00-21.3.1.
[14] GAO/AIMD-00-21.3.1.
[15] U.S. General Accounting Office, Internal Revenue Service: Status
of Recommendations from Financial Audits and Related Financial
Management Reports, GAO-03-665 (Washington, D.C.: May 29, 2003).
[16] GAO/AIMD-00-21.3.1.
[17] Taxpayer data on tax forms could include taxpayer name, Social
Security number, and address.
[18] Deobligations are downward adjustments of previously recorded
obligations. Deobligations can occur for a variety of reasons, such as
if the actual expense was less than the amount obligated, a project or
contract was canceled, an initial obligation was determined to be
invalid, or previously recorded estimates were reduced.
[19] Undelivered orders represent the value of goods and services that
were ordered and for which funds were obligated but have not been
received.
[20] GAO/AIMD-00.21.3.1.
[21] Financial plan managers are responsible for managing the spending
plans under their control.
[22] We are 95 percent confident that the amount of invalid undelivered
orders did not exceed $82 million.
[23] NFC is a component of the U.S. Department of Agriculture that
provides administrative and financial services to many federal
agencies, including IRS.
[24] GAO/AIMD-00.21.3.1.
[25] U.S. Department of Agriculture, Office of Inspector General,
Fiscal Year 2003 National Finance Center Review of Internal Control
Structure, 11401-15-FM (Washington, D.C.: Nov. 19, 2003), is the most
recently issued inspector general audit report on NFC's internal
controls.
[26] U.S. General Accounting Office, Management Letter: Suggested
Improvements in IRS' Accounting Procedures and Internal Controls, GAO/
AIMD-99-182R (Washington, D.C.: June 30, 1999).
[27] The purpose of the Appeals organization is to resolve tax
controversies without litigation on a basis that is fair and impartial
to both the government and the taxpayer. Appeals provide an independent
channel for taxpayers who wish to dispute recommended enforcement
actions.
[28] GAO/AIMD-00.21.3.1.
[29] GAO/AIMD-00.21.3.1.
[30] Pub. L. No. 104-208, div. A., § 101 (f), title VIII, 110 Stat. 3009,
3009-389 (Sept. 30, 1996).