Management Report
Improvements Needed in IRS's Internal Controls
Gao ID: GAO-05-247R April 27, 2005
In November 2004, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2004 and 2003, and on the effectiveness of its internal controls as of September 30, 2004. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2004 audit regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2004 audit report, they all warrant management's consideration.
During our fiscal year 2004 audit, we identified a number of internal control issues that adversely affected safeguarding of tax receipts and information, refunds to taxpayers, and lien resolutions. These issues concern (1) enforcement of IRS contractor background investigation policies, (2) omission of certain provisions related to contingency plans and taxpayer privacy in lockbox bank service contracts, (3) verification of lockbox bank deposits, (4) procedures for handling taxpayer receipts and information by couriers, (5) safeguarding sensitive systems and equipment in lockbox banks, (6) candling procedures, (7) monitoring and verifying recording and transmittal of taxpayer receipts and information, (8) controls over automated refund disbursements, (9) controls over authorization of manual refunds, and (10) resolution of liens with manually calculated interest or penalties. These issues increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed; (2) improper refunds to taxpayers could be disbursed; and (3) liens could be released before taxpayers have paid the full amount of interest or penalties due.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-05-247R, Management Report: Improvements Needed in IRS's Internal Controls
This is the accessible text file for GAO report number GAO-05-247R
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls' which was released on April 27, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
April 27, 2005:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls:
Dear Mr. Everson:
In November 2004, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of, and
for the fiscal years ending, September 30, 2004 and 2003, and on the
effectiveness of its internal controls as of September 30,
2004.[Footnote 1] We also reported our conclusions on IRS's compliance
with significant provisions of selected laws and regulations and on
whether IRS's financial management systems substantially comply with
requirements of the Federal Financial Management Improvement Act of
1996. A separate report on the implementation status of recommendations
from our prior IRS financial audits and related financial management
reports, including this one, will be issued shortly.
The purpose of this report is to discuss issues identified during our
fiscal year 2004 audit regarding internal controls that could be
improved for which we do not currently have any recommendations
outstanding. Although not all of these issues were discussed in our
fiscal year 2004 audit report, they all warrant management's
consideration. This report contains 30 recommendations that we are
proposing IRS implement to improve its internal controls. We conducted
our audit in accordance with U.S. generally accepted government
auditing standards. We requested and received written comments on a
draft of this report from the Commissioner of Internal Revenue.
Results in Brief:
During our fiscal year 2004 audit, we identified a number of internal
control issues that adversely affected safeguarding of tax receipts and
information, refunds to taxpayers, and lien resolutions. These issues
concern (1) enforcement of IRS contractor background investigation
policies, (2) omission of certain provisions related to contingency
plans and taxpayer privacy in lockbox bank[Footnote 2] service
contracts, (3) verification of lockbox bank deposits, (4) procedures
for handling taxpayer receipts and information by couriers, (5)
safeguarding sensitive systems and equipment in lockbox banks, (6)
candling procedures, (7) monitoring and verifying recording and
transmittal of taxpayer receipts and information, (8) controls over
automated refund disbursements, (9) controls over authorization of
manual refunds, and (10) resolution of liens with manually calculated
interest or penalties.
Specifically, we found the following:
* At three IRS service centers we visited, some contractors who had not
undergone background investigations and, in some cases, for whom
background investigation requests had not been submitted, were granted
staff-like access[Footnote 3] to restricted areas. In addition, at one
service center we visited, the security office did not maintain files
onsite that documented the status of background investigations for
contractors with staff-like access to restricted areas.
* At three lockbox banks we visited, courier contingency plans did not
cover all the contingencies specified in the "Lockbox Processing
Guidelines" (LPG),[Footnote 4] and at another lockbox bank we visited,
there was no courier contingency plan on file. In addition, at one of
the lockbox banks we visited, the courier contract did not contain the
language set out in the LPG related to privacy laws applicable to
handling taxpayer information, and at three of the lockbox banks we
visited, shredding contracts did not include required privacy
provisions.
* At three lockbox banks we visited, we found that receipts for
deposits delivered by courier services to depositories did not always
indicate the time and date the deposits were received. We also found
that two of these lockbox banks did not obtain deposit receipts from
their couriers.
* For several courier services transporting taxpayer receipts and
information, we found that procedures for handling taxpayer receipts
and information at lockbox banks, service centers, or both were not
always followed. This included (1) couriers not always transporting
taxpayer receipts and information directly to their destination, (2) a
courier vehicle containing a pickup that was left unattended, (3)
transfer of taxpayer receipts and information from one courier vehicle
to another, (4) solo couriers transporting taxpayer receipts and
information, and (5) couriers not wearing required uniforms.
* At one lockbox bank we visited, the electrical and water shutoff
valves were in an area where janitors kept their supplies and which
they accessed daily, and the shutoff valves were not locked to prevent
tampering. The security system control panel was located in the same
area, and the keys to the panel were left on top of the panel. There
were no surveillance cameras monitoring this room.
* At one lockbox bank we visited, a high-speed machine was used to
extract checks from and candle[Footnote 5] envelopes, but no visual
inspection or second candling was performed on envelopes opened by this
machine. In addition, at one service center we visited, the candling
tables in the final candling area did not provide sufficient light to
enable personnel to ensure that all contents had been removed from
envelopes.
* At the two IRS field offices we visited, we found that internal
controls were not always properly followed to ensure that recording and
transmittal of taxpayer receipts and information were adequately
monitored and verified.
* At one of the service centers we visited to review refund procedures,
IRS did not have adequate controls in place to prevent automated
disbursements of improper refunds related to taxpayer accounts under
investigation for potential unreported taxes.
* At the two service centers we visited to review refund procedures,
controls over authorization of manual refunds were not effective.
* At the five lien units[Footnote 6] we visited, personnel were not
properly verifying manual interest and penalty calculations for
taxpayer accounts with liens with manually calculated interest or
penalties.
The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed; (2) improper
refunds to taxpayers could be disbursed; and (3) liens could be
released before taxpayers have paid the full amount of interest or
penalties due.
At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into
conformance with its own policies and with the internal control
standards that all federal agencies are required to follow.[Footnote 7]
In its comments, IRS substantially agreed with our recommendations and
described actions it had taken or planned to take to address the
control weaknesses described in this report. At the end of our
discussion of each of the issues in this report, we have summarized
IRS's related comments and provided our evaluation.
Scope and Methodology:
As part of our audit of IRS's fiscal years 2004 and 2003 financial
statements, we tested IRS's internal controls and its compliance with
selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions.
This report addresses issues we observed during our fiscal year 2004
audit. For issues related to safeguarding tax receipts, we visited four
lockbox banks, four IRS service centers, and two IRS field offices; for
issues related to tax refunds, we visited two IRS service centers; and
for issues related to liens, we visited five IRS lien units.
Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2004 and 2003
financial statements[Footnote 8] and are reproduced in enclosure II.
Enforcement of IRS Contractor Background Investigation Policies:
During our fiscal year 2004 audit, we found control deficiencies
related to contractor employee background investigations at three of
the four service centers we visited. Specifically, at one of these
three service centers, IRS had not submitted paperwork for new
clearances for 10 contractors with staff-like access even though their
background investigations did not meet requirements that took effect in
July 2000, including the requirement that such investigations be
conducted by IRS's National Background Investigation Center. IRS did
not submit paperwork for new clearances for these contractors until
January 29, 2004--several years after they had been granted access. At
another of these three service centers, one contractor who had not
undergone the required background investigation--and for whom there was
no evidence that a background investigation had been requested--had had
staff-like access to restricted areas at the center for more than a
year and a half. At the third of the three service centers, two
contractors, one with access to restricted areas and the other with
staff-like access to the service center, had not had the required
background investigation. In addition, at one of the service centers we
visited, the security office responsible for granting contractors
unescorted access to restricted areas did not maintain files onsite
that documented the status of background investigations for contractors
with access to restricted areas.
IRS requires that all contractors have successfully completed a
background investigation conducted by the National Background
Investigation Center before being granted access to taxpayer receipts
and information. Further, GAO's Standards for Internal Control in the
Federal Government requires agencies to establish controls to safeguard
vulnerable assets. Until IRS ensures that only contractors who have
successfully met background investigation requirements have access to
taxpayer receipts and sensitive information and that service center
security offices can verify that these requirements have been met, the
federal government will be unnecessarily exposed to the risk of loss,
theft, or abuse of taxpayer receipts and information.
Recommendations:
We recommend that IRS:
* enforce its existing requirement that appropriate background
investigations be completed for contractors before they are granted
staff-like access to service centers and:
* require that background investigation results for contractors (or
evidence thereof) be on file where necessary, including at contractor
worksites and security offices responsible for controlling access to
sites containing taxpayer receipts and information.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation that background investigation
results for contractors (or evidence thereof) be on file, where
necessary, and stated that the Physical Security Program Office will
work with the Business Operating Divisions and Procurement staff to
determine if the interagency agreement with the Financial Management
Service (FMS) should be modified to include a requirement for lockbox
banks to maintain background investigation files. IRS stated that it
has addressed the issues that gave rise to our recommendation that it
enforce its existing requirement that appropriate background
investigations be completed for contractors before they are granted
staff-like access to service centers. IRS indicated that it has
implemented steps to monitor and enforce existing requirements related
to background checks for contractors. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2005 financial
audit.
Required Provisions in Lockbox Bank Service Contracts:
Lockbox banks enter into contracts with service providers for a variety
of services, including transport of taxpayer receipts and information
by couriers and shredding of taxpayer information prior to its
disposal.
During our fiscal year 2004 audit, we found that the contract for
courier services at one of the four lockbox banks lacked the language
set out in the LPG that would acknowledge the legal restrictions on a
courier's handling of taxpayer information. These legal restrictions
are imposed by the Privacy Act of 1974[Footnote 9] and certain
provisions of the Internal Revenue Code. We also found that contracts
for shredding services at three of the four lockbox banks failed to
include the mandatory provisions required for complying with federal
law related to safeguarding taxpayer information. The LPG requires that
the contracts include the safeguard provisions required by the Internal
Revenue Code. Omission of privacy-related provisions from lockbox
courier or shredding contracts increases the risk of unauthorized
disclosure of taxpayer information.
In addition to the omission of contract provisions, we found problems
in contract implementation during our fiscal year 2004 audit. We found
that courier contract disaster contingency plans for three of the four
lockbox banks we visited did not address all required contingencies.
The other lockbox bank we visited did not have a courier disaster
contingency plan on file. The LPG requires that before a contractor
provides courier services to a lockbox bank, the contractor is to
provide the lockbox bank with a disaster contingency plan. The plan
must cover labor disputes, employee strikes, inclement weather, natural
disasters, traffic accidents, and unforeseen events. Incomplete or
inaccessible courier contingency plans increase the risk that courier
service could be disrupted and that taxpayer receipts might not be
timely deposited and taxpayer accounts might not be timely updated.
Recommendations:
We recommend that IRS:
* require that courier contracts call for couriers to submit
contingency plans to lockbox banks,
* review lockbox bank courier contingency plans to help ensure that
they incorporate all contingencies specified in the LPG,
* revise the LPG to specify that courier contingency plans be available
at the lockbox banks, and:
* review lockbox bank courier and shredding contracts to ensure that
they address all privacy-related criteria and include clear reference
to privacy-related laws and regulations.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning lockbox bank courier
contingency plans and adherence to requirements for inclusion of
privacy-related requirements in lockbox bank courier and shredding
contracts. To address these recommendations, IRS stated that (1) the
LPG has been updated to require that courier services provide lockbox
banks with a disaster contingency plan before their contract is
implemented; (2) lockbox bank courier contingency plans have been
reviewed by Lockbox Coordinators to ensure that the plans address all
contingencies specified in the LPG; (3) the LPG would be updated by
April 15, 2005, to require all lockbox banks to have the courier
contingency plan available on site; and (4) the LPG had been updated on
January 1, 2005, to specifically address privacy-related criteria,
including references to pertinent sections of the Internal Revenue Code
and the Privacy Act of 1974. We have verified the above-noted
enhancements to the LPG during our ongoing fiscal year 2005 audit, and
we will evaluate their effectiveness as we proceed with the audit.
During the fiscal year 2005 financial audit, we will also evaluate the
effectiveness of IRS's efforts with respect to reviewing lockbox bank
courier contingency plans for completeness.
Verification of Lockbox Bank Deposits:
During our fiscal year 2004 audit, in reviewing deposit receipts--
receipts for deposits delivered by courier services to depositories--
maintained by courier services under contract to lockbox banks, we
found that deposit receipts for three of the lockbox banks we visited
did not always indicate the time and date deposits were received by
depositories. In addition, we found that two of these lockbox banks did
not obtain the deposit receipts from their courier services to verify
that the depositories had in fact received the deposits in a timely
manner.
GAO's Standards for Internal Control in the Federal Government requires
that all transactions be clearly documented and that documentation be
readily available for examination. Although the LPG requires that
lockbox bank couriers, upon delivery of packages to designated sites,
annotate time of delivery, it does not require that deposit receipts be
time-and date-stamped or that they be returned to the lockbox bank.
Unless receipts bear evidence of time and date of deposit and are
promptly returned, lockbox banks cannot expeditiously verify timely
deposit of receipts, thereby increasing the risk of theft or loss of
taxpayer receipts and the risk that such theft or loss might not be
promptly detected.
Recommendations:
We recommend that IRS:
* revise the LPG to require that (1) lockbox couriers promptly return
deposit receipts to the lockbox banks following delivery of taxpayer
remittances to depositories and (2) lockbox banks promptly review the
returned deposit receipts;
* revise the LPG to require that deposit receipts for taxpayer
remittances be time-and date-stamped; and:
* better enforce the LPG requirement that lockbox bank couriers
annotate the time of delivery on receipts for deposits of taxpayer
remittances.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning revisions to the LPG to
require prompt return and review of deposit receipts and time-and date-
stamping of deposit receipts. IRS also agreed with our recommendation
that it better enforce the LPG requirement that lockbox bank couriers
annotate the time of delivery on receipts for deposits of taxpayer
remittances. To address these recommendations, IRS stated that it had
updated the LPG on January 1, 2005, to require that lockbox bank sites:
(1) receive back by the next business day the original completed
Receipt for Transport of IRS Lockbox Bank Deposit form with the bank
representative's name and signature, date, and time the deposit was
received by the depository and (2) daily reconcile the Receipt for
Transport of IRS Lockbox Bank Deposit form(s) to ensure receipt of
dedicated service (i.e., that the time between the lockbox bank's
release of the deposit to the courier and the courier's release of the
deposit to the depository bank is not excessive). We have verified
during our ongoing fiscal year 2005 financial audit that IRS updated
the LPG, and we will evaluate the effectiveness of these enhancements
as we proceed with the 2005 audit.
Procedures for Handling Taxpayer Receipts and Information by Couriers:
We have previously reported on various security weaknesses related to
courier services at IRS service centers, field offices, and lockbox
banks.[Footnote 10] IRS has made an effort to address such weaknesses
by adopting more stringent security standards for the couriers who
transport IRS's daily deposits to depository institutions. For example,
IRS implemented a new lockbox courier policy requiring that more
stringent background investigations of couriers be satisfactorily
completed before granting them access to taxpayer receipts and
information.
During our fiscal year 2004 audit, however, we found that IRS did not
have controls in place to ensure that the courier requirements were
effectively enforced. Specifically, we found the following:
* Couriers for two of the lockbox banks we visited did not always
transport taxpayer receipts and information directly to their
destination. In one case, we observed a courier vehicle make a pickup
and then drive to and park at another location, where the vehicle and
its contents remained for the rest of the day. In the other case, we
observed a courier vehicle stop at an industrial park before proceeding
to the depository institution.
* A courier van containing the morning pickup from one lockbox bank we
visited was left unattended for approximately 30 minutes at the courier
service office.
* Couriers for one lockbox bank made an unauthorized stop and
transferred the contents of the courier vehicle to a pick-up truck.
* Solo couriers were permitted to transport taxpayer receipts and
information for one service center and two lockbox banks we visited. At
the service center, during our review of deposit receipts for the 2
months prior to our visit, we found that in one instance the center's
management permitted a solo courier to transport $47 million in
receipts to the depository institution. Management informed us that it
permitted this solo delivery because (1) the second courier was sick
and the courier company was unable to provide another courier; (2) the
deposit was large; and (3) it was a Friday, and delaying deposit until
the following Monday would have resulted in loss of interest on the $47
million over the weekend. With respect to the two lockbox banks, in one
case we observed a courier vehicle depart the courier company with only
one courier in the vehicle; in the other case, we observed a courier
vehicle with two couriers make a pickup at the lockbox bank and then
drop off one of the couriers before completing the delivery.
* Couriers were not wearing required uniforms at one service center and
one lockbox bank we visited. At the service center, we observed that
neither courier transporting deposits to the depository institution was
wearing the required company logo shirt. In addition, one courier was
not wearing an identification badge, which had instead been placed on
the rearview mirror of the transport vehicle. Although lockbox banks
have other ways to identify couriers, at the lockbox bank on two
separate occasions, we observed couriers--two couriers in one case and
one courier in the other case--who were not wearing company uniforms
pick up taxpayer receipts and information.
Despite IRS's adoption of more stringent security standards for
couriers who transport IRS's daily deposits to depository institutions,
the findings above demonstrate that weaknesses continue to exist in
IRS's enforcement of courier service procedures--specifically, those
that require (1) courier service drivers to transport taxpayer receipts
and information directly to their destination, with no stops in
between; (2) vehicles to always be under the supervision of at least
one courier and never left unattended; (3) courier service drivers to
travel in pairs when transporting deposits; and (4) courier service
drivers for lockbox banks to wear company uniforms. Nonadherence by
couriers to IRS procedures increases the risk of loss, theft, or misuse
of taxpayer receipts and information.
Recommendations:
We recommend that IRS:
* provide a written reminder to courier contractors of the need to
adhere to all courier service procedures;
* periodically verify that contractors entrusted with taxpayer receipts
and information offsite adhere to IRS procedures; and:
* develop alternative back-up plans that are consistent with IRS
courier policies and procedures to address instances in which only one
courier reports for transport of taxpayer receipts or information, such
as requiring that a service center or lockbox bank employee accompany
the courier to the depository.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations that it provide a written reminder
to courier contractors of the need to adhere to all courier service
procedures, periodically verify that contractors entrusted with
taxpayer receipts and information adhere to IRS procedures, and develop
alternative back-up plans to address instances in which only one
courier reports for transport of taxpayer receipts and information. IRS
stated that it (1) intends to provide lockbox banks with a reminder to
adhere to all courier service procedures, (2) has updated the LPG to
provide that contractor adherence to IRS procedures will be monitored
during periodic security reviews, and (3) intends to work with FMS to
develop a plan by June 30, 2005, to address instances in which only one
courier reports for transport of taxpayer receipts and information. We
will evaluate the effectiveness of IRS's efforts during our fiscal year
2005 financial audit.
Safeguarding Sensitive Systems and Equipment in Lockbox Banks:
At one of the lockbox banks we visited during our fiscal year 2004
financial audit, we found that the electrical and water shutoff valves
were in an area where janitors kept their supplies and which they
accessed daily, and that the shutoff valves were not locked to prevent
tampering. In addition, the security system control panel was located
in the same area as the shutoff valves, and the keys to the security
system control panel were left on top of the panel in this room. At the
same lockbox bank, we also found that there were no surveillance
cameras monitoring the security system controls and the water and
electrical shutoff valves that were located in the janitors' supply
room.
While the LPG does not address utility feeds located within the lockbox
facility, it does require that utility feeds at the perimeter of
lockbox banks be secured with locking devices and physically protected
to prevent tampering or destruction. According to GAO's Standards for
Internal Control in the Federal Government, agencies must establish
physical control to secure and safeguard vulnerable assets, including
providing security for, and limiting access to, equipment that might be
vulnerable to unauthorized use. In addition, the LPG requires that
items that need a higher level of security, including keys, be
controlled and stored in containers to prevent theft and fraud. With
respect to security closed-circuit television cameras, the LPG requires
that they be deployed both generally and at critical locations
throughout lockbox bank facilities to provide direct visual monitoring
24 hours a day. Location of critical controls in frequently accessed
areas and lack of effective monitoring of sensitive systems and
equipment at lockbox banks increase the risk of unauthorized access,
which in turn increases the risk of theft and misuse of taxpayer
receipts and information.
Recommendations:
We recommend that IRS:
* formulate a policy to require that critical utility or security
controls not be located in areas requiring frequent access,
* require lockbox bank management to position closed-circuit television
cameras to enable monitoring of secured areas containing sensitive
systems or controls, and:
* periodically monitor lockbox banks' adherence to the LPG requirement
that keys be kept in secured containers within the secured perimeter.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning safeguarding of
sensitive systems and equipment in lockbox banks. To require that
critical utility or security controls not be located in areas requiring
frequent access, IRS stated its intent to (1) ensure that policy
guidelines address protection of critical or security controls and (2)
work with the Business Operating Divisions and Procurement to
incorporate any revised requirements into updated and future
interagency agreements with FMS. With respect to requiring lockbox bank
management to position closed-circuit television cameras to enable
monitoring of secured areas containing sensitive equipment or controls,
IRS indicated that as part of its Mission Assurance review process, it
would review the use of closed-circuit television at the banks and,
within local constraints, expand surveillance capabilities to include
utility controls. With respect to periodically monitoring lockbox
banks' adherence to the LPG requirement that keys be kept in secured
containers within the secured perimeter, IRS stated that Mission
Assurance will include controls over keys as part of any and all
reviews. IRS also indicated that as part of the review process, it will
work with the lockbox banks and lessors to improve security for keys
and security panels, irrespective of ownership. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2005 financial
audit.
Candling Procedures:
IRS uses and requires lockbox banks to use a candling process to
determine if any contents remain in open envelopes received from
taxpayers before the envelopes are disposed of. Candling is often
performed by passing the envelopes over a light source, although other
methods mentioned in the 2004 LPG are also allowed, including opening
an envelope on three sides and flattening it. The purpose of candling
is to prevent the accidental destruction of taxpayer receipts and
information.
As in previous years,[Footnote 11] we observed weaknesses in controls
over candling of envelopes. The weaknesses we observed during our
fiscal year 2004 audit are as follows:
At one of the lockbox banks we visited, the OPEX System 150, a high-
volume machine that extracts checks from envelopes by opening them on
three sides, had been deemed by IRS to meet LPG candling requirements
because the envelopes were flattened and traveled a distance of 3
linear feet inside the machine before dropping into a bin. The OPEX
System 150 entails no visual inspection of opened envelopes. Because
envelopes opened by the OPEX System 150 are not visually inspected when
they are laid flat, there is no assurance that all their contents have
been properly removed. During our visit, we observed the envelopes
falling into a bin, with no one watching them as they dropped. Once the
bin was full, the envelopes were put into a garbage can to be shredded.
At one service center we visited, we observed light bulbs in candling
tables in the final candling area that did not provide sufficient light
for staff to see whether contents remained in opened envelopes.
The 2004 LPG candling requirement was unclear with respect to the
number of candlings required for envelopes processed by OPEX equipment.
Although the LPG stated that "envelopes must be candled twice before
destruction" either through a light source or by splitting the
envelopes on three sides and flattening them, the same section of the
LPG also stated that splitting envelopes on three sides and flattening
them "is sufficient to meet candling requirements without further light
source viewing." IRS has no written guidelines for minimum wattage of
bulbs in candling tables. Weaknesses in candling procedures increase
the potential for inadvertent loss or destruction of taxpayer receipts.
Recommendations:
We recommend that IRS:
* assess technologies that may be exempt from the visual inspection
requirement to determine whether they are acceptable methods of
satisfying candling objectives and, if so, add such technologies to the
LPG list of accepted candling methods;
* conduct an assessment of the costs and benefits of relying on only
one candling when using certain automated equipment;
* clarify the LPG to eliminate confusion about the number of candlings
required for different extraction methods; and:
* establish guidelines and a testing requirement to ensure satisfactory
lighting conditions for effective candling.
IRS Comments and Our Evaluation:
IRS indicated that it has taken action to address issues that gave rise
to our recommendations to (1) assess technologies that may be exempt
from the visual inspection requirement to determine whether they are
acceptable methods of satisfying candling objectives and, if they are,
add them to the LPG list of accepted candling methods and (2) assess
the costs and benefits of relying on only one candling when using
certain automated equipment. IRS agreed with our recommendation to
clarify the LPG to eliminate confusion about the number of candlings
required for different extraction methods. IRS indicated that to
address the issues raised by these recommendations, it added a
provision to the 2005 LPG specifying that envelopes opened (either
manually or by OPEX) on three or more sides must be candled once on the
candling tables. During our ongoing fiscal year 2005 audit, we verified
that IRS had made this change to the LPG, and we will evaluate the
effectiveness of this enhancement as the audit progresses. IRS also
agreed with our recommendation to establish guidelines and a testing
requirement to ensure satisfactory lighting conditions for effective
candling. IRS stated that additional work is needed to strengthen the
current procedures in the Internal Revenue Manual (IRM) and that it is
in the process of reviewing and strengthening these procedures. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2005
financial audit.
Monitoring and Verifying Recording and Transmittal of Taxpayer Receipts
and Information:
When an IRS field office receives taxpayer receipts and returns, it is
responsible for recording the information received and sending it to a
service center for further processing with a transmittal form listing
the documents included in the package. However, at the two IRS field
offices we visited, we found multiple instances in which internal
controls were not in place to ensure that recording and transmittal of
taxpayer receipts and information were adequately monitored and
verified:
At one field office, there was a lack of segregation of duties with
respect to handling taxpayer receipts. We observed in seven Small
Business/Self-Employed (SB/SE) units[Footnote 12] that the individuals
responsible for preparing Payment Posting Vouchers were the same
individuals who recorded the information from those vouchers on
Document Transmittal forms, which list the contents of a package sent
from one IRS location to another, and mailed those forms to the IRS
service center. At the other field office, we observed that there was
no independent review of documents or payments before they were mailed
by their preparer to the service center for processing, nor was there
any independent reconciliation of the information on the Document
Transmittal forms to those documents or payments. In addition, at the
same field office, there was no independent review or reconciliation of
payments recorded on Daily Report of Collection Activity forms, which
are used to list and transmit tax receipts and returns to service
centers, to the actual payments that accompanied the forms before the
payments were sent to the service center for processing.
One of the field offices sent Daily Report of Collection Activity forms
to a service center without listing those forms on, and enclosing with
them, a Document Transmittal form, as required by the IRM.[Footnote 13]
Only packages containing a single Daily Report of Collection Activity
form do not require an accompanying Document Transmittal form.
One of the field offices we visited did not use a logbook for filing
Document Transmittal forms, and two units at the other field office had
no system in place for maintaining and monitoring acknowledgments of
Document Transmittal forms.
There was no evidence of management review of five units' Document
Transmittal form logbooks at one of the field offices.
GAO's Standards for Internal Control in the Federal Government requires
that key duties and responsibilities be segregated among different
people to reduce the risk of error or fraud. In addition, according to
the IRM, if a unit sends individually sealed envelopes in one package
to the service center, the package must contain a Document Transmittal
form listing the enclosed Daily Report of Collection Activity forms and
the respective tracking information. The IRM also requires that senders
establish a control to ensure delivery of tax receipts and information
to IRS service centers and follow up within 10 work days on packages
not acknowledged by the center. Not adequately accounting for taxpayer
receipts because of insufficient review, reconciliation, monitoring,
and segregation of duties increases the risk of error and fraud and,
therefore, the potential for loss, theft, and misuse of taxpayer
receipts.
Recommendations:
We recommend that IRS:
* establish policies and procedures to require appropriate segregation
of duties in SB/SE units of field offices with respect to preparation
of Payment Posting Vouchers, Document Transmittal forms, and
transmittal packages;
* enforce the requirement that a Document Transmittal form listing the
enclosed Daily Report of Collection Activity forms be included in
transmittal packages, using such methods as more frequent inspections
or increased reliance on error reports compiled by the service center
teller units receiving the information;
* establish a procedure for SB/SE field office units to track Document
Transmittal forms and acknowledgements of receipt of Document
Transmittal forms; and:
* require evidence of managerial review of recording, transmittal, and
receipt of acknowledgments of taxpayer receipts and information.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations. To establish policies and
procedures to require appropriate segregation of duties in SB/SE units
of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages, IRS
indicated that it will (1) establish procedure for SB/SE field office
units to track Document Transmittal forms and acknowledgements of
receipt of Document Transmittal forms and (2) strengthen its guidance
to revenue officers and develop procedures specifically for field
clerical staff. To enforce the requirement that a Document Transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, IRS stated that its procedures will
clarify that (1) the designated clerical contacts are responsible for
bundling sealed envelopes into a single package for overnight mail to
Submission Processing pursuant to the IRM and (2) the designated
clerical contacts are to prepare a Document Transmittal form and send
the prepared package to Submission Processing via overnight mail. IRS
stated that these procedures will direct the designated clerical
contact to retain a control copy of the Document Transmittal form and
the overnight mail transmittal until the receipted copy of the Document
Transmittal form is returned from Submission Processing. In addition,
IRS said that it intends to require that the transmittal and the
acknowledgement be reconciled monthly, with appropriate follow-up as
required. IRS also stated its intent to issue a memorandum to all Field
Assistance employees reminding them to adhere to these IRM requirements
and to add this as a review item for operational reviews conducted by
Field Assistance headquarters and area personnel. To establish a
procedure for SB/SE field office units to track Document Transmittal
forms and acknowledgements of receipt of Document Transmittal forms,
IRS stated that it will clarify its procedures to require that managers
ensure continuous coverage of the designated clerical contact duties so
that absence due to illness or leave does not disrupt the processing of
remittances. With respect to a requirement for evidence of managerial
review of recording, transmittal, and receipt of acknowledgements of
taxpayer receipts and information, IRS indicated that it will establish
procedures to require documented evidence of such review, but noted
that it will not implement any procedure that requires 100 percent
managerial review. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2005 financial audit.
Controls over the Generation of Automated Refunds in Automated
Underreporter Program Cases:
Most refunds are generated automatically by IRS when taxpayers file tax
returns reflecting a lower tax liability than the amount the taxpayer
has paid. Upon receipt of a tax return, IRS records the tax liability
for the appropriate tax period. If the taxpayer's payments and credits
exceed the tax liability, an automated refund is generated.
In July of each year, after the peak tax filing period,[Footnote 14]
IRS matches data submitted by taxpayers on their tax returns against
data submitted to IRS by third parties to report earnings such as
wages, interest, and dividends. This matching process is a key part of
IRS's Automated Underreporter Program (AUR). IRS follows up on selected
discrepancies identified as a result of the AUR to determine the reason
for the discrepancy and attempt to collect any taxes due. If a
discrepancy can be resolved by IRS based on review of available
documentation, the case is closed. Otherwise, an underreporter notice,
which informs the taxpayer of a proposed change to tax liability, is
sent to the taxpayer. Because the taxpayer has not yet agreed to an
additional tax assessment at this point, no tax liability is entered in
the taxpayer's account. Instead, the underreporter notice includes a
Consent of Assessment form which the taxpayer is asked to sign and
return with his or her payment. When IRS receives this form with the
payment, the form alerts employees to route the payment to the AUR
unit, which is to record both the payment and the tax assessment in the
taxpayer's account.
Taxpayers who receive an underreporter notice can choose to agree with
the proposed additional assessment, disagree and provide reasons, or
ask for an appeal. Once IRS sends an underreporter notice to a
taxpayer, an AUR notice indicator is placed on the taxpayer's account
within IRS's master files.[Footnote 15] IRS typically places a
different type of indicator--known as a freeze code--on taxpayers'
accounts that are undergoing examination or investigation. Freeze codes
temporarily prevent the automated issuance of a refund until the issue
is resolved and the freeze code is removed. An AUR notice indicator,
however, does not on its own prevent issuance of an automated refund;
rather, it serves as notice to other IRS units that AUR has control of
the case and should be notified before any action is taken.
Consequently, an automated refund may be improperly generated if a
taxpayer submits a payment in response to an AUR notice but does not
return a Consent of Assessment form with the payment.
At one of the two service centers we visited to review refund
procedures during our fiscal year 2004 audit, we found two instances in
which IRS generated refunds for taxpayers based on payments received in
consideration of unpaid taxes identified by AUR. Both taxpayers
received an AUR notice proposing a change in tax liability because of a
discrepancy in their tax return, and both submitted a payment to IRS
indicating agreement with IRS's finding. However, they did not enclose
with their payment the form that accompanied the underreporter notice
they received. As a result, IRS employees did not forward the payments
to the AUR unit and instead recorded them on the taxpayers' accounts.
Since no form had been received from these taxpayers and, consequently,
the tax liabilities related to the payments had not been recorded in
the taxpayers' accounts, the entire payment amounts were interpreted to
be overpayments and refunds were disbursed. Weaknesses in IRS's
controls over automated refund disbursements for accounts with AUR
notice indicators unnecessarily expose the federal government to losses
due to issuance of improper refunds.
Recommendation:
We recommend that IRS assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved AUR
discrepancies, including placement of a freeze or hold on all such
accounts, until the AUR review has been completed.
IRS Comments and Our Evaluation:
IRS indicated that its existing procedures address the issue that gave
rise to this recommendation. However, IRS stated that AUR will partner
with Submissions Processing to ensure that employees receiving
unidentified remittances are aware of the need to conduct IDRS research
and how to properly post AUR remittances in these instances. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2005
financial audit.
Controls over Authorization of Manual Refunds:
During our fiscal year 2004 financial audit, we found weaknesses in
IRS's controls over the authorization of manual refunds at both of the
service centers we visited to review refund procedures during our
fiscal year 2004 audit. These weaknesses resulted primarily from IRS
employees not consistently adhering to policies and:
procedures intended to prevent disbursement of improper manual
refunds.[Footnote 16] Specifically, IRS employees did not always (1)
comply with IRS requirements when authorizing officials to approve
manual refunds, (2) monitor or review the monitoring of accounts to
prevent duplicate refunds or document that monitoring had been
performed, or (3) review computer system command code profiles of
approving employees and officials who certify that refund payments are
proper to ensure that these officials did not have access to
inappropriate command codes that would allow them to both process and
approve or certify improper refunds.
Authorization to Approve Manual Refunds:
The IRM requires that all manual refunds be approved by officials who
are designated by managers. To designate approving officials, managers
are required to submit documents to the Manual Refund Unit that include
the designated approving official's and manager's names and titles or
positions, their telephone numbers, their IRS campus or field service
organizations, their signatures, and a statement by the delegating
manager certifying that sensitive command codes are not authorized for
the approving official that would allow the official to both approve
and process manual refunds.
At both service centers we visited to review refund procedures,
however, we found that these controls were not always effective.
At one service center, we found documents authorizing approving
officials that did not contain the delegating manager's signature and
others that did not contain the authorized approving official's
signature. We also found the name of an individual on the list of
designated approving officials that had been on the list for about 9
months even though the delegating manager had included a statement on
the document requesting that the name remain on the list for only 90
days.
At the other service center, we found documents that did not contain
the name and title or position of the manager submitting the document.
Improper authorization of approving officials for manual refunds
exposes the federal government to losses due to the increased risk of
issuance of improper refunds.
Monitoring to Avoid Duplicate Refunds:
As we have previously reported,[Footnote 17] the risk of issuance of
duplicate refunds is increased because (1) IRS's automated and manual
refund systems are not adequately coordinated to prevent the issuance
of a duplicate automated refund if a corresponding manual refund has
already been generated and (2) manual refunds may not be posted to the
taxpayer's account in the master file until up to 6 weeks after the
refund has been issued to the taxpayer, potentially allowing a
duplicate automated refund to be disbursed in the interim. To mitigate
this risk, IRS has implemented various procedures, such as a
requirement for employees who have initiated a manual refund to monitor
the account to ensure that a duplicate automated refund does not post
in the interim as a pending transaction. Supervisors are required to
review the initiator's monitoring actions, and both the initiators and
supervisors are required to document their monitoring or reviewing
actions.
We have also previously reported that IRS employees did not always
monitor accounts to prevent duplicate refunds and that they were not
required to document their reviews. As a result of a previous
recommendation we made, IRS revised its procedures to require
documentation of monitoring actions and supervisory review of
monitoring actions. However, at both service centers we visited, we
found that this control was not always effective--IRS employees did not
always monitor accounts to prevent duplicate refunds, and their
supervisors did not always review monitoring actions to ensure that
they were being properly conducted. We also found that IRS employees
and supervisors did not always document their monitoring or reviewing
actions. We interviewed nine manual refund initiators and their
supervisors at the two service centers we visited to review refund
procedures. During our review of documentation of their monitoring and
reviewing procedures, we found the following:
Two initiators did not monitor the accounts to prevent duplicate
refunds.
Of the seven initiators who did monitor the accounts, three did not
sign and date their monitoring action.
Three initiators' supervisors did not review the monitoring actions.
Of the six supervisors who did review monitoring actions, only one
documented, signed, and dated the review. Three of these supervisors
documented but did not sign and date their review, and two did not
document their review.
These weaknesses increase the risk that account monitoring and related
reviews may not be conducted on a consistent and timely basis,
rendering this control ineffective. As a result, IRS does not have
adequate assurance that accounts are being appropriately monitored to
prevent duplicate refunds from being paid.
Review and Approval of Command Code Profiles:
IRS uses IDRS, an online data retrieval and entry system, to process
manual refunds. Employees' level of access to IDRS is determined by
their specific role and responsibilities. Each employee who uses IDRS
is assigned a command code profile that determines the type of
transactions he or she can process. To ensure that approving officials
do not have sensitive command codes that would allow them to process
manual refunds in violation of segregation of duties requirements
implemented to reduce the risk of error or fraud, IRS requires service
centers to review command code profiles of approving officials. These
individuals also review command code profiles of certifying officials,
who are responsible for ensuring that refund payments are correct and
proper.
At both service centers we visited to review refund procedures during
our fiscal year 2004 financial audit, however, we found that command
code profiles of approving and certifying officials were not always
reviewed as required by the IRM.
At one service center, we found that the individual responsible for the
review did not review the command code profiles for all authorized
approving officials. Instead, only employees who had indicated or whose
manager had indicated that they had been assigned command codes were
selected for review. The reviewer did not verify that the employees who
had indicated they did not have assigned command codes had not in fact
been assigned command codes. In addition, no one at this service center
reviewed the command code profiles of certifying officials.
At the other service center, we found that no review of command code
profiles for approving officials had been conducted since July 2000,
although the IRM requires that a review of the accounts and profiles of
all users of IRS's network be conducted at least annually. For
certifying officials at this service center, command code profiles had
been reviewed monthly. However, since it was a certifying official who
conducted the reviews, she also reviewed her own command code profile.
The IRM does not specify who should conduct the reviews.
Because IRS employees did not always adhere to IRM requirements
specifying control procedures over manual refunds and the IRM was not
specific as to the timing and assignment of responsibility for
reviewing command code profiles, the effectiveness of these controls
was impaired. As a result, the risk is increased that IRS could
disburse improper manual refunds.
Recommendations:
We recommend that IRS:
* enforce documentation requirements relating to authorizing officials
charged with approving manual refunds,
* enforce requirements for monitoring accounts and reviewing monitoring
of accounts,
* enforce requirements for documenting monitoring actions and
supervisory review,
* enforce the requirement that command code profiles be reviewed at
least once annually, and:
* specify in the IRM that staff members are not to review their own
command code profiles.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning controls over
authorization of manual refunds. With respect to the recommendations
that call for enforcement of existing documentation, review, and
monitoring requirements, IRS indicated its intent to remind management
officials annually of these requirements via memorandum, notice, or
Alert. IRS noted that as part of the reminder, checksheets will be
included and a response will be required confirming that these actions
have been taken. IRS also indicated that it will consider including
these items in its Management Accountability Review Process. With
respect to the recommendation that the IRM specify that staff members
are not to review their own command code profiles, IRS stated that IRM
wording would be updated and annual memorandums or notices would be
sent to management officials reminding them that the approver's manager
is responsible for ensuring that the approver's profiles have
appropriate restrictions and have been reviewed. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2005 financial
audit.
Resolution of Liens with Manually Calculated Interest or Penalties:
During our fiscal year 2004 financial audit, we found that IRS did not
properly verify interest or penalties on taxpayers' accounts with
manually calculated interest or penalties to ensure that these
taxpayers paid the full amount of taxes due before IRS released tax
liens associated with their accounts. Specifically, none of the five
lien units that we visited properly verified manual interest and
penalties. Personnel at these lien units queried IDRS to see if it
indicated that an account with a lien with manually calculated interest
or penalties had been paid in full. If IDRS indicated that such an
account had been paid in full, lien unit personnel incorrectly
interpreted this to mean that there were no outstanding interest
accruals or penalties and thus released the lien. However, IDRS does
not make the manual interest and penalty calculations. Consequently, if
IRS personnel do not verify that there are no unassessed interest or
penalty amounts, they could close an account as having been fully paid
when there are accumulated amounts of interest or penalties that are
legally due to the government but that have not been assessed or paid.
Interest on most taxpayer accounts is calculated automatically by IDRS.
However, IRS must manually calculate interest and penalties on some
taxpayers' accounts because IDRS has not been programmed with the
capability to calculate interest and penalties in accordance with
certain legal requirements. IRS refers to such interest as "restricted
interest" because IDRS is restricted from making the interest
computations. For these cases, IRS officials must manually calculate
the amount of interest or penalties due as of a point in time and
manually enter the result into IDRS. However, these manually calculated
interest or penalty amounts are not automatically updated with the
passage of time to reflect new accruals of interest or penalties--
subsequent calculations of additional interest or penalties must also
be done manually.
To help ensure that manually calculated interest and penalties are
determined properly and that all accruals of interest and penalties are
paid, IRS established a control to prevent the release of liens until
the amounts of manually calculated interest and penalties are verified.
Before releasing a lien, IRS automatically routes all accounts with
manual calculations to the lien units. IRS guidance[Footnote 18] calls
for lien unit personnel to verify the completeness of manual interest
or penalty calculations before releasing the lien but does not show how
this is to be done. Instead, it instructs lien unit personnel to
"follow local procedures." However, none of the lien unit personnel we
interviewed had local procedures for verifying the completeness of
manual interest or penalty calculations. If lien units do not properly
verify that there are no unassessed interest or penalty amounts for
accounts with liens with manually calculated interest or penalties,
there is a risk of loss of revenue to the federal government through
the premature release of tax liens.
Recommendation:
We recommend that IRS specify in the IRM how to properly verify
interest and penalties for accounts with liens with manually calculated
interest or penalties.
IRS Comments and Our Evaluation:
IRS stated that it has taken actions to address the issue that gave
rise to this recommendation. Specifically, IRS stated that it revised
the IRM to instruct employees to check IDRS to determine if restricted
interest or penalty is due. IRS noted that the IRM now clearly states
that there are only two instances for which restricted interest and
penalty should not be computed--offer-in-compromise and bankruptcy
cases. In addition, IRS noted that tax examiners hired to staff the
Centralized Case Processing Lien Processing Unit were provided hands-on
training in the computation of restricted interest and penalty and that
resolution of these cases moved to Centralized Case Processing
effective February 2005. IRS also stated that the centralized site has
created a special group of employees who were trained in the resolution
of restricted interest and penalty cases and that new hires for this
group:
will also receive this training. We will evaluate the effectiveness of
IRS's efforts during our fiscal year 2005 financial audit.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and Governmental
Affairs and the House Committee on Government Reform within 60 days of
the date of this report. A written statement must also be sent to the
House and Senate Committees on Appropriations with the agency's first
request for appropriations made more than 60 days after the date of the
report.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Minority Members of the
Senate Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; Senate
Committee on the Budget; Subcommittee on Transportation, Treasury, the
Judiciary, Housing and Urban Development, and Related Agencies, Senate
Committee on Appropriations; Subcommittee on Taxation and IRS
Oversight, Senate Committee on Finance; and Subcommittee on Oversight
of Government Management, the Federal Workforce, and the District of
Columbia, Senate Committee on Homeland Security and Governmental
Affairs. We are also sending copies to the Chairmen and Ranking
Minority Members of the House Committee on Appropriations; House
Committee on Ways and Means; House Committee on Government Reform;
House Committee on the Budget; Subcommittee on Transportation,
Treasury, and Housing and Urban Development, the Judiciary, District of
Columbia, House Committee on Appropriations; Subcommittee on Government
Management, Finance, and Accountability, House Committee on Government
Reform; and Subcommittee on Oversight, House Committee on Ways and
Means. In addition, we are sending copies of this report to the
Chairman and Vice-Chairman of the Joint Committee on Taxation, the
Secretary of the Treasury, the Director of the Office of Management and
Budget, the Chairman of the IRS Oversight Board, and other interested
parties. The report is available at no charge on GAO's Web site at
http://www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years 2004
and 2003 financial statements. If you have any questions or need
assistance in addressing these matters, please contact Chuck Fox,
Assistant Director, at (202) 512-5261. Other major contributors are
listed in enclosure III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures-3:
Comments from the Internal Revenue Service:
DEPARTMENT OF THE TREASURY:
INTERNAL REVENUE SERVICE:
WASHINGTON, D.C. 20224:
COMMISSIONER:
April 18, 2005:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to your draft of the FY 2004 Management Report
titled, Improvements Needed in the IRS' Internal Controls (GAO-05-
247R). I appreciate your continued assistance during our fiscal year
financial statement audit. I believe the issues you presented in your
report will help us to take the necessary steps to strengthen our
controls over safeguarding tax receipts, and to improve financial
management.
Over the last several years we have made significant progress in
addressing our financial management challenges, and we have resolved or
substantially mitigated several material weaknesses in our internal
controls, including those affecting Treasury Fund balance, budgetary
activities, and property and equipment. We are pleased, for the first
time, that your yearly audit report contains no recommendations related
to operational deficiencies in the Service's administrative accounting
procedures. Because of the number of open recommendations related to
lockbox issues, the IRS responsibly designated these issues as a
reportable condition. We have also developed a comprehensive action
plan to address the lockbox weaknesses identified in your report and
will monitor the plan through its implementation. I have enclosed a
response which addresses each of your 30 recommendations.
In closing, we are committed to improving our internal controls and
have identified actions to improve the areas identified in your report.
We look forward to continuing to work with the GAO to overcome the
weaknesses cited in your report. If you have any questions, please
contact Janice Lambert, Chief Financial Officer, at (202) 622-6400.
Sincerely,
Signed for:
Mark W. Everson:
Enclosure:
GAO Recommendations and IRS Responses to GAO FY 2004 Management Report
Improvements Needed in the IRS' Internal Controls GAO-05-247R:
Recommendation: Enforce IRS' existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers.
Comments: We believe we have addressed this recommendation. We have
implemented steps to monitor and enforce the requirements we issued on
September 29, 2003, on the issuance of ID cards to contractors. Our
guidance requires that a letter from the National Background
Investigation Center (NBIC) indicating successful completion of at
least an interim background investigation be received by the issuing
office before a contractor can be approved for staff-like access to
IRS. The guidance further stipulates that Physical Security staff
would, on at least a 6-month basis, make sure that a re-certification
is received from the Contracting Officers Technical Representatives
(COTR) and confirms the contractors' need for continued staff-like
access to the IRS facility. Additionally, as part of the required
records and accountability process, non-Federal photo ID cards are
audited annually by the issuing office to reconcile numerical and
alphabetical files and to assure that ID cards have been recovered upon
separation or termination of the contract.
Recommendation: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information.
Comments: We agree with this recommendation. In the guidance memorandum
we issued on September 29, 2003, the Physical Security Program Office
requires COTRs to complete and submit a request form for every contract
employee. Implementation of the standardized form assures that all
required information is provided in order for the contractor to receive
its IRS photo ID card. This guidance also requires that a copy of the
letter from NBIC indicating successful completion of at least an
interim background investigation be attached to the request form or no
ID card will be issued. Both documents are maintained by the issuing
office. The IRS COTR for the lockbox banks verified that all six banks
currently maintain background investigation records, including copies
of documents submitted to NBIC and lists of cleared personnel. The
Physical Security Program Office will work with the Business Operating
Divisions (BOD) and Procurement to determine if the interagency
agreement with Financial Management Services (FMS) should be modified
to include a requirement for lockbox banks to maintain background
investigation files. The estimated completion date for the review of
the interagency agreement is November 2005.
Recommendation: Require that courier contracts call for couriers to
submit contingency plans to lockbox banks.
Comments: We agree with this recommendation. The Lockbox Processing
Guidelines (LPG) was updated on January 1, 2005--LPG 4.2.3.1 (01-01-
2005) Courier Contingency Plan--to require that prior to implementation
of the contract, the courier service must provide the lockbox with a
disaster contingency plan. The contingency plan must cover labor
disputes, employee strikes, inclement weather, natural disasters,
traffic accidents, and unforeseen events.
Recommendation: Review lockbox bank courier contingency plans to help
ensure that they incorporate all contingencies specified in the LPG.
Comments: We agree with this recommendation. Contingency plans were
provided by all lockbox sites and are part of the Filing Season
Readiness (FSR) Plan. LPG 4.2.3.1 states "the contingency plan must
cover labor disputes, employee strikes, inclement weather, natural
disasters, traffic accidents, and unforeseen events." The Lockbox
Coordinators reviewed the contingency plans to ensure that these issues
were addressed.
Recommendation: Revise the LPG to specify that courier contingency
plans be available at the lockbox banks.
Comments: We agree with this recommendation. LPG 2.1.7 requires each
lockbox bank to submit an annual FSR Plan. The plan must be submitted
to the Lockbox Field Coordinators for review to ensure each site is
prepared for the filing season. Lockbox Field Coordinators will ensure
all contingencies specified in the LPG are incorporated in the
contract. Additionally, the LPG will be updated by April 15, 2005, to
require all lockbox banks to have the courier contingency plan
available on site.
Recommendation: Review lockbox bank courier and shredding contracts to
ensure that they address all privacy-related criteria and include clear
reference to privacy-related laws and regulations.
Comments: We agree with this recommendation. The LPG was updated on
January 1, 2005--LPG 4.2.3(2), Courier Services--which requires lockbox
banks to ensure all bonded courier/armored car agreements contain the
following language: "As an independent contractor, courier/armored car
company under contract with the Financial Institution (FI), I fully
understand that much of the information provided to (name of the
courier/armored car company) and its employees is privileged, legally
and administratively restricted and falls under the provisions of the
Privacy Act of 1974 and the Internal Revenue Code (IRC) Sections 6103,
7213, and 7131. The Privacy Act, the safeguards, and the criminal/civil
sanctions paragraphs specify (name of the courier/armored car
company's) responsibility and liability regarding disclosure of this
information. At the expiration of (name of the courier/armored car
company's) contract with the Fl, (name of the courier/armored car
company) is required to return all documents in its possession to the
Internal Revenue Service." We will monitor this action during on-site
reviews.
Recommendation: Revise the LPG to require that (1) lockbox couriers
promptly return deposit receipts to the lockbox banks, following
delivery of taxpayer remittances to depositories and (2) lockbox banks
promptly review the returned deposit receipts.
Comments: We agree with this recommendation. The LPG was updated on
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox
Bank Deposit Form--which requires the lockbox site to receive back by
the next business day the original completed Receipt for Transport of
IRS Lockbox Bank Deposit Form with the bank representative's name and
signature, date and time the deposit was received by the depository.
The guidance also requires the lockbox site to reconcile daily the
Receipt for Transport of IRS Lockbox Bank Deposit Form(s) to ensure
receipt of dedicated service (e.g., the time between your release to
the courier and the release to the bank is not in excess). If
discrepancies are found, the Lockbox Field Coordinator should be
notified immediately.
Recommendation: Revise the LPG to require that deposit receipts for
taxpayer remittances be time and date-stamped.
Comments: We agree with this recommendation. The LPG was updated on
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox
Bank Deposit Form-to require the courier service employee to return
the form to the lockbox site on the next business day, ensuring the
following information is completed on the form: the depository bank
employee's name and signature, the date the deposit was received by the
depository, and the time the deposit was received by the depository.
Recommendation: Better enforce the LPG requirement that lockbox bank
couriers annotate the time of delivery on receipts for deposits of
taxpayer remittances.
Comments: We agree with this recommendation. The LPG was updated on
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox
Bank Deposit Form-to require lockbox bank couriers to annotate the
time of delivery of receipts for deposits of taxpayer remittances.
Recommendation: Provide a written reminder to courier contractors of
the need to adhere to all courier service procedures.
Comments: We agree with this recommendation. We will develop an annual
memorandum by January 1, 2006, to require banks to remind courier
contractors to adhere to all courier service procedures in the LPG. We
will monitor adherence during site reviews.
Recommendation: Periodically verify that contractors entrusted with
taxpayer receipts and information offsite adhere to IRS procedures.
Comments: We agree with this recommendation. The 2005 LPG 4.2.3.1.8(1)
has been updated, and the procedures will be monitored during the
periodic Security Reviews.
Recommendation: Develop alternative, back-up plans that are consistent
with IRS courier policies and procedures to address instances in which
only one courier reports for transport of taxpayer receipts or
information, such as requiring that a service center or lockbox bank
employee accompany the courier to the depository.
Comments: We agree with this recommendation. We will work with FMS to
develop an alternative back-up plan by June 30, 2005.
Recommendation: Formulate a policy to require that critical utility or
security controls not be located in areas requiring frequent access.
Comments: We agree with this recommendation. We will ensure policy
guidelines address protection of critical or security controls. We will
work with the BODs and Procurement to incorporate any revised
requirements into updated and future interagency agreements with FMS.
Recommendation: Require lockbox bank management to position closed-
circuit television cameras to enable monitoring of secured areas
containing sensitive systems or controls.
Comments: We agree with this recommendation. The IRS, through
Procurement, enters into an interagency agreement with FMS for lockbox
services, which in turn makes arrangements with banks. These
arrangements are non-procurement contracts that require adherence to
the IRS LPG. Internal Revenue Manual (IRM) 3.0.230.5 (dated 1-20-05)
indicates the Revenue and Deposit Branch, Lockbox Policy and
Procedures: "coordinates with FMS any new or updated processing
changes, obtains data for the re-bidding of contract(s) and finalizes
the Lockbox Processing Guidelines (LPG)." Since lockbox banks are
already required to comply with the IRS LPG, there is no need for the
COTR to do anything else. The LPG does require and the lockbox banks
have installed cameras to monitor critical areas and assets in those
parts of a facility controlled by the banks. As part of the Mission
Assurance review process, we will review the use of closed-circuit
television at the banks and, within local constraints, expand
surveillance capabilities to include utility controls.
Recommendation: Periodically monitor lockbox banks' adherence to the
LPG requirement that keys be kept in secured containers within the
secured perimeter.
Comments: We agree with this recommendation. The LPG guidelines require
that keys and panels controlled by the banks should be properly stored
and secured and Mission Assurance will include key control as part of
any and all reviews. As part of the review process, we will work with
the banks and lessors to improve security for keys and security panels,
irrespective of ownership.
Recommendation: Assess technologies that may be exempt from the visual
inspection requirement to determine whether they are acceptable methods
of satisfying candling objectives and, if so, add such technologies to
the LPG list of accepted candling methods.
Comments: We feel we have addressed this recommendation in the 2005
LPG, and have shared this information with GAO. We determined current
technologies are not exempt from the candling requirement and added to
the 2005 LPG 3.2.8 (1) envelopes opened (either manually or by OPEX) on
three or more sides must be candled once on the candling tables. All
other envelopes must be candled twice on the candling tables.
Recommendation: Conduct an assessment of the costs and benefits of
relying on only one candling when using certain automated equipment.
Comments: We feel we have addressed this recommendation in the 2005 LPG
and have shared this information with GAO. We assessed the candling
functions on automated equipment and included in the 2005 LPG under
3.2.8 section (1) a requirement that envelopes opened (either manually
or by OPEX equipment) on three or more sides must be candled once on
the candling tables. We will monitor adherence during site reviews.
Recommendation: Clarify the LPG to eliminate confusion about the number
of candlings required for different extraction methods.
Comments: We agree with this recommendation. We have updated the 2005
LPG under 3.2.8, "Candling" to require envelopes opened (either
manually or by OPEX) on three or more sides must be candled once on the
candling tables. All other envelopes must be candled twice on the
candling tables.
Recommendation: Establish guidelines and a testing requirement to
ensure satisfactory lighting conditions for effective candling.
Comments: We agree with this recommendation. The IRS agrees that
additional work is needed to strengthen the current procedures
contained in IRM 3.10.72, Batching, Sorting and Numbering. Currently,
our Campus management tests 10 envelopes at the start of each shift to
ensure that maximum envelope recognition is met and that all contents
left in envelopes can be easily detected. The IRS is in the process of
reviewing and strengthening these procedures.
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in SB/SE units of field offices with
respect to preparation of Payment Posting Vouchers, Document
Transmittal forms, and transmittal packages.
Comments: We agree with this recommendation. We will establish a
procedure(s) for SB/SE field office units to track Document Transmittal
forms and acknowledgements of receipt of Document Transmittal forms.
We currently have numerous procedures in place which provide guidance
to revenue officers regarding the processing of returns and payments.
However, we do not currently have procedures specifically for our field
clerical staff. We will strengthen our guidance to revenue officers and
will develop procedures specifically for our field clerical staff.
Our procedures will clarify that revenue officers are responsible for
submitting an appropriately labeled sealed envelope containing the
Daily Report of Collection Activity form to a designated clerical
contact in the Post of Duty (POD). This guidance will apply unless the
revenue officers are working away from the POD on extended field calls
or Flexiplace, or are working in a single revenue officer POD. Those
revenue officers will send the envelope directly to Submission
Processing.
Recommendation: Enforce the requirement that a Document Transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information.
Comments: We agree with this recommendation. Our procedures will
clarify that the designated clerical contacts are responsible for
bundling the sealed envelopes into a single package for overnight mail
to Submission Processing pursuant to the IRM. The procedures will also
clarify that the designated clerical contacts will prepare a Document
Transmittal form and send the prepared package to Submission Processing
via overnight mail. The procedures will direct the designated clerical
contact to retain a control copy of the Document Transmittal form and
the overnight mail transmittal until the receipted copy of the Document
Transmittal form is returned from Submission Processing. We will also
require that the transmittal and the acknowledgement be reconciled on a
monthly basis, with appropriate follow-up as required.
The Taxpayer Assistance Center, GAO visited, was instructed to ensure
that a Document Transmittal form be prepared and enclosed in the
package when multiple Daily Reports of Collection Activity are sent to
the service center. We will issue a memorandum to all Field Assistance
employees reminding them to adhere to these IRM requirements. We will
also add this as a review item for operational reviews conducted by
Field Assistance headquarters and area personnel.
Recommendation: Establish a procedure for SB/SE field office units to
track Document Transmittal forms and acknowledgements of receipt of
Document Transmittal forms.
Comments: We agree with this recommendation. Our procedures will
clarify that the managers should ensure continuous coverage of the
designated clerical contact duties so that absence due to illness or
leave does not disrupt the processing of remittances.
Recommendation: Require evidence of managerial review of recording,
transmittal, and receipt of acknowledgments of taxpayer receipts and
information.
Comments: We agree with this recommendation. We will establish a
procedure(s) to require evidence of managerial review of recording,
transmittal, and receipt of acknowledgements of taxpayer receipts and
information. However, we will not implement any procedure requiring 100
percent managerial review.
The new procedure(s) will call for random managerial spot-checking of
packages prepared for submission to Submission Processing by revenue
officers working in PODS or by the designated clerical contacts in the
PODS. The new procedure(s) will not call for any random managerial
spot-checking of packages prepared by revenue officers working away
from the POD on extended field calls or Flexiplace. Instead, on those
packages, we will continue to rely on the remittance reviews conducted
by remittance processing personnel in Submission Processing. These
reviews will be documented by the revenue officer group manager and be
retained for the appropriate period required under record management
guidelines.
Recommendation: Assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved
Automated Underreporter Program (AUR) discrepancies, including
placement of a freeze or hold on all such accounts, until the AUR
review has been completed.
Comments: We feel the procedures that we have in place adequately
address preventing the generation or disbursement of refunds associated
with AUR accounts if followed. Submissions Processing's IRM 3.8.45
requires employees receiving an unidentified remittance to conduct
Individual Data Retrieval System (IDRS) research to determine if there
is an open account that allows for posting of the remittance. AUR cases
are identified in IDRS by transaction code (TC) 922.
Once the TC 922 is found through research, the remittance should be
posted as a TC 640 which is an "Advanced Payment of Determined
deficiency or Underreporter Proposal." In the cases identified by GAO
it is apparent that appropriate IDRS research was not conducted or
remittances were posted erroneously as a TC 610 which will refund out
if the taxpayer's tax return does not indicate a balance due. AUR will
partner with Submissions Processing to ensure that employees receiving
unidentified remittances are aware of the need to conduct IDRS
research, and how to properly post AUR remittances in these instances.
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds.
Comments: We agree with this recommendation. We will enforce
requirements to document monitoring by reminding management officials
annually via a memorandum, notice or an Alert. As part of the reminder,
the IRM check sheets will be included and a response will be required
confirming these actions have been taken. In addition, we will consider
including this item in the Management Accountability Review Process.
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts.
Comments: We agree with this recommendation. We will enforce monitoring
requirements by reminding management officials annually via a
memorandum, notice or an Alert. As part of the reminder, the IRM check
sheets will be included and a response will be required confirming
these actions have been taken. In addition, we will consider including
this item in the Management Accountability Review Process.
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review.
Comments: We agree with this recommendation. We will enforce
requirements to document monitoring by reminding management officials
annually via a memorandum, notice or an Alert. As part of the reminder,
the IRM check sheets will be included and a response will be required
confirming these actions have been taken. In addition, we will consider
including this item in the Management Accountability Review Process.
Recommendation: Enforce the requirement that command code profiles be
reviewed at least once annually.
Comments: We agree with this recommendation. We will enforce annual
review of command code profiles by reminding management officials
annually via a memorandum or notice. As part of the reminder, the IRM
check sheets will be included and a response will be required
confirming these actions have been taken. In addition, we will consider
including this in the Management Accountability Review Process.
Recommendation: Specify in the IRM that staff members are not to review
their own command code profiles.
Comments: We agree with this recommendation. IRM wording will be
updated and recommendations will be included in annual reminders
(memos/notices, etc,) to management officials that the approver's
manager is responsible for ensuring that approver's profiles have
appropriate restrictions and have been reviewed.
Recommendation: Specify in the IRM how to properly verify interest and
penalties for accounts with liens with manually calculated interest or
penalties.
Comments: We have taken actions to implement this recommendation.
During the Fiscal Year 2004 financial audit, GAO determined that IRS
did not properly verify restricted interest and penalty computations
before releasing the federal tax lien in some instances. GAO recommends
that restricted interest and penalty methodology be included in the
Federal Tax Lien, Internal Revenue Manual. We agree that an account
with a zero balance "assessed" status does not mean that additional
accruals are not due. We also agree that additional guidance was needed
in this area. The newly revised IRM instructs employees to check IDRS
to determine if restricted interest or penalty is due. The IRM now
clearly states that there are only two instances where restricted
interest and penalty should not be computed, offer-in-compromise and
bankruptcy cases.
Also, instructions for computing restricted interest and penalty are
found in the Automated Lien System (ALS) User Guide as well as in
training material and desk guides. In addition, tax examiners hired to
staff the Centralized Case Processing (CCP), Lien Processing Unit were
provided hands on training in the computation of restricted interest
and penalty. Resolution of these cases moved to CCP effective February
2005. The centralized site has created a special group of employees who
were trained in the resolution of restricted interest and penalty
cases. New hires for this group will also receive this training.
Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:
Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, and undelivered
order transactions. These statistical samples were selected primarily
to substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which
they were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design
or operation of internal control or compliance with provisions of laws
and regulations. These attributes, where applicable, can be and have
been statistically projected to the appropriate populations.
Assessed the accounting principles used and significant estimates made
by management.
Evaluated the overall presentation of the financial statements.
Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in the Management
Discussion and Analysis.
Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.
Considered the process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. § 3512 (c),
(d), commonly referred to as the Federal Managers' Financial Integrity
Act of 1982.
Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1)
and 31 U.S.C. § 1517(a)); Agreements for payment of tax liability in
installments (26 U.S.C. § 6159); Purpose Statute (31 U.S.C. § 1301);
Release of lien or discharge of property (26 U.S.C. § 6325); Interest
on underpayment, nonpayment, or extensions of time for payment of tax
(26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611);
Determination of rate of interest (26 U.S.C. § 6621); Failure to file
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Fair Labor
Standards Act of 1938, as amended (29 U.S.C. § 206); Civil Service
Retirement Act of 1930, as amended (5 U.S.C. §§ 5332, 5343); Federal
Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§ 8422,
8423, and 8432); Social Security Act, as amended (26 U.S.C. §§ 3101 and
3121 and 42 U.S.C. § 430); Federal Employees Health Benefits Act of
1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909); and Consolidated
Appropriations Act, 2004, Pub. L. No. 108-199, 118 Stat. 3 (Jan. 23,
2004).
Tested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996) (codified at 31 U.S.C.
§ 3512 note).
GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Chuck Fox, (202) 512-5261:
Alain Dubois, (202) 512-6365:
Acknowledgments:
Staff who made key contributions to this report were Esther Tepper,
Theresa Bowman, Gloria Cano, George Ogilvie, John Ryan, and Jeffrey
Yoder.
(196035):
FOOTNOTES
[1] GAO, Financial Audit: IRS's Fiscal Years 2004 and 2003 Financial
Statements, GAO-05-103 (Washington, D.C.: Nov. 10, 2004).
[2] Lockbox banks are financial institutions designated as depositories
and financial agents of the U.S. government to perform certain
financial services, including processing tax documents, depositing the
receipts, and then forwarding the documents and data to IRS's service
center campuses, which update taxpayers' accounts.
[3] Staff-like access consists of unescorted access to IRS-owned or
controlled facilities, information systems, security items and
products, or sensitive but unclassified information.
[4] Internal Revenue Service, "2004 Lockbox Processing Guidelines"
(Washington, D.C: January 2004), and subsequent 2004 updates. The 2004
LPG provides guidelines for processing work at lockbox banks serving
IRS for the 2004 tax processing year.
[5] Candling is a process used by IRS to determine if any contents
remain in open envelopes, which is often achieved by passing the
envelopes over a light source.
[6] Lien units are separate offices established by IRS to handle lien
processing, including release of tax liens. As of June 1, 2004, IRS had
33 lien units located throughout the United States. IRS is currently
reorganizing the physical structure and management of its lien units
and by mid-2005 plans to have consolidated them into one physical
location, called the Central Lien Processing Unit, at its Cincinnati
campus.
[7] GAO, Standards for Internal Control in the Federal Government, GAO/
AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[8] GAO-05-103.
[9] Privacy Act of 1974, 5 U.S.C. § 552a.
[10] See, e.g., GAO, Management Report: Improvements Needed in IRS's
Internal Controls and Accounting Procedures, GAO-04-553R (Washington,
D.C.: Apr. 26, 2004), and Management Report: Improvements Needed in
IRS's Internal Controls, GAO-03-562R (Washington, D.C.: May 20, 2003).
[11] See, e.g., GAO, Management Report: Improvements Needed in IRS's
Internal Control and Accounting Procedures, GAO-04-553R (Washington,
D.C.: Apr. 26, 2004).
[12] SB/SE units are field office units that serve partially or fully
self-employed individuals, individual filers with certain types of
nonsalary income, and small businesses.
[13] The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct business and contains policy, direction,
and delegations of authority necessary to carry out IRS
responsibilities to administer tax law and other legal provisions.
[14] IRS's master files contain detailed records of taxpayer accounts.
[15] Most refunds are generated automatically; under certain
circumstances, however, IRS processes refunds manually to expedite
payment. Such refunds include those over $10 million, those requested
by taxpayers for immediate payment due to hardship or emergency, those
to beneficiaries of deceased taxpayers, and those that need to be
expedited because IRS is in jeopardy of paying interest for exceeding
the 45-day limit for processing a return.
[16] GAO, Internal Revenue Service: Recommendations to Improve
Financial and Operational Management, GAO-01-42 (Washington, D.C.: Nov.
17, 2002).
[17] This guidance consists of a detailed manual distributed to lien
unit personnel at a February 2003 workshop.
[18] The peak tax filing season primarily occurs from January 1 to
April 15 of each year.