Management Report
Improvements Needed in IRS's Internal Controls
Gao ID: GAO-06-543R May 12, 2006
This is the accessible text file for GAO report number GAO-06-543R
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls' which was released on May 12, 2006.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
Washington, DC 20548:
May 12, 2006:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls:
Dear Mr. Everson:
In November 2005, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of, and
for the fiscal years ending, September 30, 2005 and 2004, and on the
effectiveness of its internal controls as of September 30,
2005.[Footnote 1] We also reported our conclusions on IRS's compliance
with significant provisions of selected laws and regulations and on
whether IRS's financial management systems substantially comply with
requirements of the Federal Financial Management Improvement Act of
1996. A separate report on the implementation status of recommendations
from our prior IRS financial audits and related financial management
reports, including this one, will be issued shortly.
The purpose of this report is to discuss issues identified during our
audit of IRS's financial statements as of, and for the fiscal year
ending September 30, 2005, regarding internal controls that could be
improved for which we do not currently have any recommendations
outstanding. Although not all of these issues were discussed in our
fiscal year 2005 audit report, they all warrant management's
consideration. This report contains 22 recommendations that we are
proposing IRS implement to improve its internal controls. We conducted
our audit in accordance with U.S. generally accepted government
auditing standards.
Results in Brief:
During our fiscal year 2005 audit, we identified a number of internal
control issues that adversely affected safeguarding of tax receipts and
information, and the reliability of expense and property & equipment
(P&E) records. These issues concern (1) taxpayer receipts and data
transmittal documents, (2) physical security controls at taxpayer
assistance centers, (3) the roles and responsibilities of security
guards, (4) candling procedures, (5) timely processing of large
remittances at lockbox banks, (6) access to tax return processing
facilities, (7) juvenile hiring policy, (8) classification of
procurement transactions as P&E or expense, and (9) recording P&E
disposals.
Specifically, we found the following:
* At three of the four service center campuses (SCCs), seven of the
eight Taxpayer Assistance Centers (TACs),[Footnote 2] and two of the
six field offices we visited, we found no evidence of managerial review
of the transmittal documents and acknowledgment forms used to transmit
and monitor taxpayer receipts and information shipped from one IRS
location to another. Additionally, at five TACs and both field offices,
we found no evidence of follow-up on the overdue unacknowledged
transmittals we reviewed.
* At four TAC sites, physical security controls were not adequate to
preclude individuals from entering controlled areas and gaining access
to taxpayer receipts and information. At three of these TACs, we found
that individuals were able to enter controlled areas[Footnote 3] of the
TAC or other IRS office space unnoticed. In addition, one of the four
TACs did not have an operable emergency alarm and at another of the
four TACs, the door separating the customer area from the controlled
area was neither locked nor marked with a sign alerting customers that
they were not permitted to enter unescorted.
* At one SCC, one TAC, and one lockbox bank[Footnote 4] we visited, we
found that security guard personnel did not always effectively fulfill
their responsibilities in (1) controlling access to IRS tax return
facilities, (2) responding to intrusion alarms, and (3) recording,
maintaining, and reporting security incidents or violations.
* At three SCCs we visited, we found that IRS did not always ensure
that envelopes were opened and candled[Footnote 5] twice before
destruction, as required by its procedures, to provide assurance that
all contents have been extracted.
* At two lockbox banks, we found that large dollar checks were not
always immediately processed and deposited according to IRS's
guidelines.
* At two SCCs and one lockbox bank, controls over access to facilities
were not adequate to provide reasonable assurance that unauthorized
personnel would not be admitted. Credentials of persons entering one
SCC and one lockbox bank were not always validated before admission
and, at one SCC, (1) alarms were not always functional and (2) gaps
existed in perimeter security.
* Limitations in IRS's juvenile[Footnote 6] hiring policy increased the
risk of unsuitable candidates being hired and permitted access to
taxpayer receipts and data. For juvenile employee candidates, IRS (1)
only required references for those individuals hired to work in receipt
processing functions although taxpayer receipts and data are also
accessible in other functions, and (2) accepted written references that
were hand delivered to IRS by the candidates themselves without
independently verifying their source.
* IRS did not always ensure that it properly classified its procurement
transactions as P&E and recognized assets when they met its
capitalization criteria or classified these transactions as expense
when they did not. Of 267 sample transactions we tested from IRS's
non-payroll expenses and P&E acquisitions recorded during the first 9
months of fiscal year 2005 and accounts payable as of September 30,
2005, six were incorrectly classified and reported.
* Disposals of property and equipment were not recorded in a timely
manner at five IRS locations, resulting in inventory records that were
inaccurate and out-of-date.
The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed, and (2)
physical assets could be stolen or valued incorrectly.
At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into
conformance with its own policies and with the internal control
standards that all federal agencies are required to follow.[Footnote 7]
In its comments, IRS agreed with our recommendations and described
actions it had taken or planned to take to address the control
weaknesses described in this report. At the end of our discussion of
each of the issues in this report, we have summarized IRS's related
comments and provide our evaluation.
Scope and Methodology:
As part of our audit of IRS's fiscal years 2005 and 2004 financial
statements, we tested IRS's internal controls and its compliance with
selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions.
This report addresses issues we observed during our fiscal year 2005
audit. For issues related to safeguarding taxpayer receipts and
information, we visited four SCCs, four lockbox banks, eight TACs, and
six other IRS field offices; and for issues related to procurement and
property and equipment (P&E), we performed our testing at 22 IRS
offices and at the IRS Finance Center.
Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2005 and 2004
financial statements[Footnote 8] and are reproduced in enclosure II. We
requested comments on a draft of this report from the Commissioner of
IRS or his designee. We received written comments from the
Commissioner, which we have incorporated as appropriate and have
reprinted as Enclosure 1.
Transmission of Taxpayer Receipts and Information:
IRS's controls over transmissions of taxpayer receipts and information
between offices did not always ensure that transmissions were reviewed
to make certain that potential errors were promptly identified and
corrected and that transmissions were timely received and acknowledged.
When IRS transmits taxpayer receipts and/or information between
locations, IRS personnel are required to use either a Daily Report of
Collection Activity (form 795) or a Document Transmittal (form 3210) to
record and document the items being transmitted.[Footnote 9] However,
during our fiscal year 2005 audit, we found that these forms were not
always (1) subject to a documented supervisory review prior to
submitting the documents for final processing, or (2) tracked to ensure
that recipients timely acknowledged receipt of the transmitted
documents. Specifically, we found:
* at three of the four SCCs we visited, managers or supervisors within
the Refund Inquiry Unit did not document their review of forms used to
record and transmit returned refund checks before they were mailed to
the Austin Regional Finance Center for final processing.
* at five of the eight TACs and at three Large and Mid-Size Business
(LMSB) and three Tax-Exempt and Government Entities (TEGE) field
units,[Footnote 10] document transmittals were not always acknowledged
by the recipient within the timeframe required by IRS. In addition,
there was no evidence that the originators of the transmittals
contacted the recipient to follow up on the status of the
unacknowledged transmittals.
* at seven of the eight TACs, four LMSB units, and one TEGE unit, there
was no evidence that managers periodically reviewed the logbooks used
to track acknowledged transmittals.
GAO's Standards for Internal Control in the Federal Government[Footnote
11] require agencies to establish controls to enforce adherence to
management policies and procedural requirements, such as management
reviews, to create and maintain records providing evidence that these
controls are executed, and to appropriately safeguard assets.
Additionally, the Internal Revenue Manual (IRM)[Footnote 12] requires
that area offices take responsibility for the security and
accountability of taxpayer receipts and information during transit.
Specifically, the IRM requires senders to establish a control to ensure
timely delivery of taxpayer receipts and information and to follow up
with the recipient if the acknowledgement has not been received within
10 workdays. The lack of documentation of review and follow-up on
overdue acknowledgements increases the risk that these procedures are
not in place and operating effectively and that, consequently, errors,
theft, or loss of taxpayer receipts and information may occur and not
be timely detected.
Recommendations:
We recommend that IRS:
* require that Refund Inquiry Unit managers or supervisors document
their review of all forms used to record and transmit returned refund
checks prior to sending them for final processing;
* enforce compliance with existing requirements that all IRS units
transmitting taxpayer receipts and information from one IRS facility to
another, including SCCs, TACs, and units within LMSB and TEGE,
establish a system to track acknowledged copies of document
transmittals;
* provide instructions to document the follow-up procedures performed
in those cases where transmittals have not been timely acknowledged;
and
* require that managers or supervisors document their reviews of
document transmittals to ensure that taxpayer receipts and/or taxpayer
information mailed between IRS locations are tracked according to
guidelines.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning its documentation of
controls over transmission of taxpayer receipts and information between
offices. IRS indicated it will remind all SCCs of the requirement to
conduct periodic reviews of the document transmittal form and that
verifying this will be included as part of the site review process by
March 2007. IRS also indicated it had conducted an education effort to
ensure that all managers in Examination are familiar with existing IRMs
related to check processing procedures and provided their personnel
additional instruction on requirements for transmitting taxpayer
receipts, checks, and taxpayer information in order to ensure their
personnel comply with policy. Specifically, IRS stated that it had
conducted an information presentation for Examination managers,
developed a flowchart to document the process, and developed a quick
reference guide for processing checks in TEGE. IRS stated it also
developed training materials to provide additional guidance on handling
transmittals and will perform periodic reviews to ensure transmittals
are handled appropriately. IRS also indicated that it will revise the
IRM to require documentation of follow-up actions with SCCs when
transmittal documents are not acknowledged timely. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2006 financial
audit.
Physical Security at Taxpayer Assistance Centers:
During our fiscal year 2005 audit, we found that physical security
controls at several TAC sites we visited were not adequate to prevent
unauthorized individuals from accessing areas which contained taxpayer
receipts and information. For example:
* At one TAC, upon entering the facility at the time of our audit, we
were able to repeatedly walk from the public entrance to a controlled
area without being noticed or challenged. The only obstacle was a door
that was neither locked nor marked with a sign alerting individuals
that they were not permitted to enter unescorted. This area was also
accessible through a separate door that was likewise neither locked nor
marked.
* Another TAC was staffed by two Technical Research Representatives
(TRRs),[Footnote 13] whose responsibilities included monitoring the
public reception area of the TAC and preventing customers from
venturing into controlled areas of the office that were shared by other
IRS business units. However, TRRs sometimes found it necessary to leave
their desks and the public reception area to perform their other
duties, thereby leaving the area unattended and potentially allowing
individuals to enter controlled areas of the TAC unchallenged. We were
informed that individuals had on occasion been found in the other
business units' office space seeking assistance. Additionally, there
were no signs posted in the TAC informing individuals that access
within the office beyond a certain point was not permitted unless
escorted by an employee.
IRS is currently in the process of reconfiguring the space at several
of its TACs, and refers to the reconfigured TAC sites as the "new TAC"
models.[Footnote 14] The IRM requires that layouts of the new TACs
incorporate certain security features to meet a controlled area
requirement to protect taxpayer receipts and information from
disclosure and prevent unauthorized access to both information and
property. However, during our visits to two of the new TAC models, we
found security problems similar to those discussed above. For example, at one
new TAC that was often staffed by 1 or 2 TRRs, the TRRs responsible for
monitoring the entrance of the TAC at times would leave their
workstations to perform other duties. Based on our observations and
inquiries, we found that unauthorized individuals could access and had
occasionally been found to have entered the controlled area of the TAC
and offices shared by other IRS business units. At the same TAC, we
noted that emergency alarms (known as duress alarms) were not connected
to a central monitoring station or the local police department. We were
informed that the contractor had not completed installing the duress
alarm at the time the new TAC was opened to the public. At another new
TAC, we found that a door separating the customer waiting area from the
secured area was neither equipped with a locking device nor marked with a
sign to inform customers that they were not permitted to enter
unescorted. We also found that three of the TAC sites discussed above
were not supervised by an on-site manager. IRS policy requires that in
such cases designated responsible offsite TAC managers
make routine supervisory visits to ensure that operations are performed
according to standards. However, IRS did not have documentation to
demonstrate if or how often such supervisory visits to these locations
actually occurred or what was accomplished during these visits. Without
appropriate supervisory oversight, the risk is significantly increased
that the physical security issues we identified may not be timely
detected and corrected.
The IRM requires that access to assets be limited to those employees
with a valid business need to access the information. GAO's Standards
for Internal Control in the Federal Government requires physical
controls to limit access to vulnerable assets and records to authorized
individuals. Such controls may include an appropriate combination of
locks, duress alarms, warning signs, and other measures. Not adequately
implementing such measures to restrict access to taxpayer receipts and
information increases the risk that loss, theft, and/or misuse of
taxpayer receipts and information may occur and not be timely detected.
Recommendations:
We recommend that IRS:
* equip all TACs with adequate physical security controls to deter and
prevent unauthorized access to controlled areas or office space
occupied by other IRS units, including those TACs that are not
scheduled to be reconfigured to the "new TAC" model in the near future.
This includes appropriately separating customer service waiting areas
from controlled areas by physical barriers such as locked doors marked
with signs barring entrance by unescorted customers;
* connect duress alarms to a central monitoring station or local police
department or institute appropriate compensating controls when these
alarm systems are not operable or in place; and
* document supervisory visits by offsite managers to TACs not having a
manager permanently onsite. This documentation should be signed by the
manager and should (1) record the time and date of the visit, (2)
identify the manager performing the visit, (3) indicate the tasks
performed during the visit, (4) note any problems identified, and (5)
describe corrective actions planned.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning physical security at the
TACs. IRS indicated that it will identify those TACs that lack adequate
physical barriers, evaluate this issue, and determine corrective
actions by June 2006. IRS noted that its Field Assistance staff have
developed procedures to canvass TACs twice a year for security, safety,
health, and space concerns. IRS also stated that its Field Assistance
staff have developed testing requirements to ensure that the alarms are
appropriately monitored and working properly. In addition, IRS
indicated that it will connect duress alarms to a central monitoring
station or local police departments in TACs based on criticality and
funding availability, and implement compensating controls when alarm
systems are inoperable. IRS also stated that it had developed a
checklist for managers to use to document their visits to TACs, which
is scheduled to be added to the IRM by June 2006. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2006 financial
audit.
Security Guards' Roles and Responsibilities:
IRS relies heavily on security guards to (1) control access to IRS
facilities and lockbox banks to safeguard taxpayer receipts and
information from theft, loss, or abuse; (2) respond to intrusion alarms
and other emergencies as needed; and (3) record, maintain, and report
security incidents or violations to IRS for review or, when necessary,
for corrective action. However, during our fiscal year 2005 audit, we
found that security guards did not always effectively fulfill these
responsibilities. Specifically, we found the following:
* Security guard personnel at one SCC and one lockbox bank did not
document a tripped door alarm in their respective security logs. At the
SCC, it took security guard personnel nearly 10 minutes to respond to
an alarm and they later did not deem it necessary to document the
incident as required by IRS policy because the door was malfunctioning
and there was an "understanding" that such documentation was not
necessary. The security personnel at the lockbox bank did not provide
an explanation for why they did not record the tripped alarm.
* Security guards stationed at one TAC often left their assigned post
of duty to escort customers to the workstations of IRS representatives.
While the guards were absent from their post, customers were, at times,
left unsupervised in the customer/visitor waiting area that was
accessible to controlled space through a door that was unlocked at the
time of our visit.
* Incident reports[Footnote 15] prepared by security guards at one
lockbox bank did not include corrective follow-up actions as required
by the lockbox processing guidelines (LPG).[Footnote 16] Additionally,
we found that the lockbox bank security review checklist used by IRS to
periodically monitor whether all incidents and alarms are recorded and
reported does not ask whether corrective actions were included in the
incident reports. Without documentation of the corrective action taken
on each incident, IRS management does not have a record of what, if
any, corrective actions the bank took and, consequently, will be unable
to evaluate the appropriateness of these actions or analyze whether
other actions are needed to minimize the risk of the incident occurring
at other lockbox banks.
GAO's Standards for Internal Control in the Federal Government require
that management establish physical controls to secure and safeguard
vulnerable assets and that access to resources and records, such as IRS
receipts and taxpayer information, be limited to authorized individuals
to reduce the risk of unauthorized use or loss to the government.
Further, the IRM requires that access to assets be limited to those
employees with a need due to their official duties and/or
responsibilities. The IRM and LPG also require security guards to
report and record significant conditions or situations to appropriate
authorities. IRS relies heavily on security guards to control entry
into all of its SCCs and lockbox banks and several of the TACs we
visited, and to protect taxpayer receipts and information from theft,
loss, or abuse. However, when they do not perform their duties in
accordance with IRS policy, their effectiveness in achieving these
objectives is impaired, thus increasing the risk that unauthorized
individuals may access IRS offices and compromise taxpayer records and
data and/or disrupt operations.
Recommendations:
We recommend that IRS:
* enforce the requirement that all security or other responsible
personnel at SCCs and lockbox banks record all instances involving the
activation of intrusion alarms regardless of the circumstances that may
have caused the activation;
* reemphasize the need for the security guards at all TACs to ensure
that key posts of duty, such as entrances to facilities, are not left
unattended; and
* revise its lockbox bank's security review checklist to ensure that it
encompasses reviewing security incident reports to validate whether
security personnel are providing corrective actions related to the
incidents cited.
IRS Comments and Our Evaluation:
IRS substantially agreed with our recommendations concerning security
guards' roles and responsibilities. Regarding our recommendation that
IRS enforce the requirement that personnel responsible for security at
SCCs and lockbox banks record all instances of activation of intrusion
alarms, IRS stated that it had revised the Lockbox Security Guidelines
in January 2006 to require documentation of such events. IRS also noted
that field security analysts were advised to enforce this requirement.
In addition, IRS indicated that it would prepare a memorandum to
reemphasize security guards' duties and responsibilities and the
importance of meeting security requirements, and provide it to all TACs
by October 2006. IRS also stated that it would revise its physical
security review checklist to ensure that it encompasses reviewing
security incident reports to validate whether security personnel are
providing corrective actions related to the incidents cited. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2006
financial audit.
Candling Reviews:
In previous audits, we found weaknesses in IRS's controls over candling
and made several recommendations to IRS for improving its candling
procedures at SCCs and lockbox banks.[Footnote 17] Generally, we
recommended that IRS revise candling procedures to specify the precise
candling methods to be used for various types of envelopes received,
require management to ensure that envelopes are properly candled, and
monitor adherence to these requirements. In response, IRS revised its
candling procedures to (1) specify the precise candling method to be
used for the first and final candling based on the dimensions of
envelopes received, (2) require that all envelopes, including those
manually extracted (e.g., non letter-size envelopes), be subject to
initial and final candling prior to destruction, (3) require that non
letter-size envelopes be sliced on three sides and opened flat to
assure no contents are left inside the envelope, (4) require that
envelopes opened on three or more sides manually or by machine still be
candled, and (5) require that managers review and document evidence of
their review of items found during candling every day for each work
shift. Additionally, IRS modified the LPG and IRM, as applicable, to
(1) require recording of receipts discovered during candling in a
control log, (2) prohibit a single, isolated employee from performing
candling, and (3) require that all envelopes opened on three or more
sides including those opened by machine, be candled one more time on a
candling table.
Despite these actions, during our fiscal year 2005 audit, we continued
to find deficiencies in IRS's oversight and implementation of candling
procedures at three of the four SCCs we visited. At these SCCs, IRS
management did not always enforce the requirement that opened envelopes
receive at least two candlings before they are made available for
destruction. Specifically, we found the following:
* At one SCC, we observed that an extractor did not perform initial
candling of regular letter-size envelopes by placing the envelope over
a light source. The employee indicated that there was no need to place
the envelope over the light source because they "knew" the envelope was
empty. We also found several non letter-size envelopes[Footnote 18]
that were not slit open on all three sides as required by IRS policy.
In each instance, the envelopes had not received initial candling or
been properly candled before being made available for destruction.
* At another SCC, we observed extractors splitting non letter-size
envelopes on three sides and placing them in the bin for shredding
without the benefit of a final candling. Also, we observed that
employees performing final candling did not immediately record the
items found upon discovery. After further inquiry, we found that there
was no candling log available at the candling table for employees to
record the discovered items.
* At two SCCs, we found non letter-size envelopes that had been slit
only once in a bin scheduled for final destruction. This indicates that
these envelopes were either only candled once or not properly candled
before being made available for destruction.
Over the past several years IRS has conducted monthly security reviews
of its receipt and control function responsible for opening and
candling envelopes. While these reviews address various controls
designed to safeguard taxpayer receipts and information, including
candling, they do not address the effectiveness of the candling
procedures performed. For example, there are no questions on the
checklist designed to test the usefulness of the candling procedures or
discussions and observations with employees performing initial and
final candling to assess their awareness of the required candling
procedures. GAO's Standards for Internal Control in the Federal
Government requires that management establish physical controls to
secure and safeguard vulnerable assets and provide qualified and
continuous supervision to ensure that control objectives are
achieved.[Footnote 19] Candling is a key control employed by IRS to
ensure that taxpayer receipts are not inadvertently overlooked and
destroyed. The lack of adherence to the prescribed candling procedures
limits the effectiveness of this control and increases the risk of
inadvertent loss or destruction of taxpayer receipts.
Recommendation:
We recommend that IRS refine the scope and nature of its periodic
reviews of candling processes at SCCs to ensure they (1) encompass
tests of whether envelopes are properly candled through observation of
candling in process and inquiry of employees who perform initial and
final candling, and (2) document the nature and scope of the test and
observation results.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated it will revise its
Internal Control Checklist used for the monthly security reviews by
January 2007 to address the effectiveness of the candling procedures
performed. We will evaluate the effectiveness of IRS's efforts during
future audits.
Processing of Remittances:
During our fiscal year 2005 audit, we found that lockbox banks were not
always timely processing large dollar remittances.[Footnote 20]
Specifically, at two of the lockbox banks we visited, we found large
dollar checks that were not processed immediately. At one of the
lockbox banks, six large checks totaling $1.25 million had been
extracted from envelopes but were left in the extraction area; bank
management informed us that the checks were not immediately processed
because they were extracted by an earlier shift and that the current
shift leaders were not aware of them. At the other bank, we found
similar large checks in the extraction area that were not immediately
processed but rather were left in bins while the extraction team went
on a break.
GAO's Standards for Internal Control in the Federal Government require
that transactions be promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions.
This includes the timely processing of transactions. In addition, the
LPG requires that remittances of $50,000 or more be immediately
processed and deposited as part of the first available deposit. IRS
conducts periodic performance and operational reviews of lockbox banks
to ensure compliance with guidelines over processing and securing
taxpayer receipts and information. However, the review process does not
assess controls designed to ensure whether large checks are immediately
processed and deposited as part of the first available deposit, as
required by the LPG. By not always processing high dollar remittances
immediately, IRS increases the risk of loss, theft, or misappropriation
of such checks.
Recommendations:
We recommend that IRS:
* enforce its existing policies and procedures at lockbox banks to
ensure that all remittances of $50,000 or more are processed
immediately and deposited at the first available opportunity; and
* refine the scope and nature of its periodic reviews of lockbox banks
to include high dollar remittances to better monitor adherence to the
requirement that they are processed immediately and deposited at the
first available opportunity.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning controls over processing
high dollar remittances. IRS stated that it will add appropriate
language to the LPG to enforce its existing policies and procedures at
lockbox banks for handling remittances of $50,000 or more. IRS also
stated that by May 2006, it will add a review checkpoint for high
dollar remittances to the Processing Internal Controls Data Collection
Instrument used by Lockbox Field Coordinators during on-site reviews.
We will evaluate the effectiveness of IRS's efforts during our fiscal
year 2006 financial audit.
Physical Access Controls at Tax Return Processing Facilities:
As the U.S. government's principal revenue-collecting agency, IRS
collects more than two trillion dollars in taxes each year, accounting
for more than 95 percent of the U.S. government's total revenues. This
includes hundreds of millions of dollars in hardcopy tax payments and
related information which is submitted to IRS tax processing facilities
by millions of taxpayers. IRS has a responsibility to safeguard these
payments and the related information entrusted to it by the nation's
taxpayers. To fulfill this responsibility, it is essential that IRS
have effective physical security controls to prevent unauthorized
access to its tax return processing facilities. However, we found
deficiencies in several of these controls during our fiscal year 2005
audit. Specifically, at two of the SCCs and at one of the lockbox banks
we visited as part of our audit, we found weaknesses in controls over
access to the facility and/or surrounding perimeter that increase the
risk of penetration by unauthorized individuals. For example:
* At one SCC, we observed flaws in the security over the facility's
perimeter that could allow unauthorized individuals to bypass security
guards and enter the grounds unobserved. These flaws included (1)
unguarded entrances to perimeter grounds, (2) gaps in the security
fence, and (3) overgrown shrubbery which obstructed the view of
security personnel.
* At the same SCC, we observed that employees entering the facility
were not always subject to verification of their credentials. At the
SCC, we observed employees closely following an employee who had opened
a secure door with their proximity access card; these individuals were
able to enter without presenting credentials of their own (a practice
known as "piggybacking"). In testing another entrance, we found the
same weakness by entering via piggybacking on IRS employees who had
presented access cards.
* At the second SCC's annex facility, we found two loading dock door
alarms that were both inoperable. IRS officials at the facility
informed us that they had been inoperable since they had been
inadvertently deactivated while performing maintenance on an adjacent
door three weeks earlier.
* At the lockbox bank, we found that couriers from two different mail
delivery services were allowed to enter the facility without first
presenting proper identification.
GAO's Standards for Internal Control in the Federal Government requires
that agencies establish physical controls to limit access to vulnerable
assets and records to authorized individuals. To help ensure that its
physical security controls are effective, IRS routinely reviews the
security at all SCCs and lockbox banks, identifies weaknesses, and
pursues corrective actions. However, at SCCs, these reviews do not
encompass reviewing controls over access to the grounds through the
outer perimeter. Additionally, at both SCCs and lockbox banks, the
reviews do not encompass testing the effectiveness of controls intended
to prevent individuals without proper credentials from entering the
facility. Also, while the IRM requires that SCC intrusion alarm systems
be tested, it only requires that the testing be conducted annually.
Consequently, an alarm could potentially be dysfunctional for an
extended period and remain undetected for several months. Also, the IRM
does not offer guidance as to how these tests should be conducted and
the results documented. These weaknesses increase the risk that
unauthorized individuals may enter these tax return processing
facilities and potentially disrupt operations or compromise the
taxpayer receipts or information they process.
Recommendations:
We recommend that IRS:
* refine the scope and nature of its periodic security reviews to
encompass (1) testing the effectiveness of controls intended to ensure
that only individuals with proper credentials are permitted access to
SCCs and lockbox banks, and (2) reviewing the integrity of perimeter
security at SCCs; and
* revise the physical security procedures contained in the IRM to
require that all SCCs and any respective annex facilities processing
taxpayer receipts and/or information perform and document monthly tests
of the facility's intrusion detection alarms. At a minimum, these
procedures should (1) outline the type of test to be conducted, (2)
include criteria for assessing whether the controls used to respond to
the alarm were effective, and (3) require that a logbook be maintained
to document the test dates, results, and response information.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning physical access controls
at tax processing facilities. In response to our recommendation that
IRS refine the nature of its periodic security reviews, IRS stated that
the lockbox bank site discussed in the audit report that did not
restrict access of unauthorized employees was instructed to immediately
prohibit entry and acceptance of deliveries from these and similar
unauthorized employees in the loading dock area. IRS stated that its
review team will add this requirement as a specific review item in
their physical security review process. Additionally, IRS indicated
that it had updated its Security Review Procedures and Checklist for
SCCs and lockbox banks and conducted quarterly reviews with the new
procedures/checklist to assess employee piggybacking attempts, fence
lines, landscaping, and alarm testing. IRS noted that it will update
the IRM and LPG related to the SCCs alarm testing procedures to include
a description of the types of tests to be conducted, criteria for
assessing controls, and the logging of requirements by August 2007. We
will evaluate the effectiveness of IRS's efforts during future audits.
Hiring Juveniles for Access to Taxpayer Receipts and Information:
IRS requires background investigations on every prospective contract or
non-contract employee prior to granting them access to taxpayer
receipts and information. However, legal restrictions limit the scope
of background investigations for juvenile applicants. Specifically,
title 18 of the United States Code, section 5038, prevents the release
of criminal records on juveniles when the request is related to an
application for employment. To compensate, IRS policy requires that
juveniles hired to perform receipt and control processing functions
submit a Recommendation for Juvenile Employment (form 13094) or an
equivalent document from an individual recommending the juvenile for
employment in a position of trust.[Footnote 21] However, during our
fiscal year 2005 audit, we found limitations in IRS's design and
implementation of its policy. Specifically, we found the following:
* IRS policy requiring the completed form 13094 only applies to
juveniles hired to perform receipt processing functions. However,
access to taxpayer information is not limited to staff assigned to
receipt processing functions. Thus, this policy may allow juveniles
access to taxpayer information without providing any references.
* The form 13094s are provided directly to IRS by the juvenile as part
of the application package, and IRS personnel officials do not verify
the source of the information submitted. Consequently, IRS does not
have adequate assurance that the individual whose name appears on the
form actually exists and that they completed the form as represented.
* The form does not require that the reference describe his or her
relationship with the juvenile, including the number of years known and
the nature of the relationship, in order to allow IRS to assess whether
the reference has sufficient basis to recommend the juvenile for
employment.
* IRS did not obtain form 13094s for three juveniles hired in the
receipt and control processing function during fiscal year 2005.
According to IRS officials, they decided not to request the form from
these three individuals because they graduated from high school prior
to attaining the age of 18 and did not have a current or former
employer or a current teacher, counselor, or principal as required by
the form's instructions. As a result, these three juveniles were given
access to taxpayer receipts and information without an independent
assessment of their character, as required by IRS policy.
GAO's Standards for Internal Control in the Federal Government requires
that access to resources and records, such as IRS receipts and taxpayer
data, be limited to authorized individuals to reduce the risk of
unauthorized use or loss to the government.[Footnote 22] By not (1)
always obtaining a character reference for juveniles to be permitted
access to taxpayer receipts and information and (2) independently
verifying the source of the information on the form, IRS increases the
risk that juveniles with inappropriate backgrounds may obtain access to
sensitive taxpayer receipts and information.
Recommendations:
We recommend that IRS:
* amend its policy to require that a completed form 13094 with a
positive recommendation be provided for every juvenile hired to any
position that will allow access to taxpayer receipts and/or taxpayer
information;
* require IRS personnel to verify the information on the form 13094 by
contacting the reference directly;
* revise the form 13094 to require the reference to describe his/her
relationship with the juvenile, including extent of first-hand contact,
to allow IRS to review the forms and assess whether the reference has
sufficient basis to recommend that juvenile to a position of trust; and
* establish procedures for hiring juveniles who do not have a current
teacher, principal, counselor, employer or former employer, and clarify
that IRS's current policies and procedures should not be interpreted to
mean that such juveniles should be allowed access to taxpayer receipts
and information without a form 13094 or its equivalent. These
procedures could include a list of acceptable alternatives that may
serve as references for juveniles who do not have a current teacher,
principal, or guidance counselor.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning controls over hiring
juveniles. To address these recommendations, IRS stated that (1) it
will amend its policy to require that a completed Recommendation for
Juvenile Employment (form 13094) with a positive recommendation be
provided for every juvenile hired to any position allowing access to
taxpayer receipts and/or taxpayer information; (2) once the Office of
Management and Budget (OMB) approves the revised form 13094, it will,
by August 2006, issue a new policy requiring IRS personnel to verify
the information on the form 13094 by contacting the reference directly;
(3) it will make appropriate revisions to the form 13094 to require the
reference to describe his/her relationship with the juvenile; and (4)
after OMB approves the revised form 13094, it will issue a new policy
establishing procedures for hiring juveniles who do not have a current
teacher, principal, counselor, employer or former employer, and clarify
that IRS's current policies and procedures should not be interpreted to
mean that such juveniles should be allowed access to taxpayer receipts
and information without a form 13094 or its equivalent. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2006
financial audit.
Classifying and Reporting Expense and P&E Transactions:
During our fiscal year 2005 audit, we found deficiencies in IRS's
controls over the classification and reporting of transactions relating
to its expenses and property and equipment (P&E) acquisitions.
Specifically, IRS did not always assure that it properly classified its
procurement transactions as P&E and recognized assets when they met its
capitalization criteria, or as expenses when they did not. IRS's
property and equipment capitalization policy, which is consistent with
Statement of Federal Financial Accounting Standards No. 6[Footnote 23]
and provides criteria on the capitalization of P&E, requires the
recognition of assets when its capitalization criteria are met and the
recognition of expense when they are not. To implement this policy, IRS
requires its staff to classify expense and P&E acquisition transactions
at the time orders are placed and assign and record the classification
and accounting codes in the general ledger when they record the
obligations. At the end of each month, IRS personnel review the entries
to expense and P&E accounts considered more susceptible to error to
determine if any classification errors occurred and, if so, to make the
necessary corrections to properly classify and record them. We noted
that IRS's established policy, if properly implemented, could help its
staff differentiate between expense and P&E transactions and, through
periodic reviews, detect and correct transactions improperly recorded
in the expense and P&E accounts. However, IRS's staff did not always
follow the capitalization policy effectively in fiscal year 2005.
We tested a total of 267 sampled transactions from IRS's non-payroll
expenses and P&E acquisitions recorded during the first 9 months of
fiscal year 2005 and accounts payable as of September 30, 2005, and
found that 6 of the transactions were classified and reported
incorrectly. Specifically:
* We found two instances where IRS initially recorded purchases of
automated data processing equipment with a total cost of $7.8 million
correctly as P&E acquisitions but subsequently reviewed the initial
accounting treatment, removed the transactions from P&E, and
erroneously included them in the expense accounts. In another instance,
IRS initially recorded a $266,000 purchase of information services
correctly as an expense but, after one of its periodic reviews, removed
it from expense and erroneously included it as capitalized P&E.
* In the remaining 3 instances, IRS initially misclassified procurement
transactions totaling $1.7 million that should have been recorded as
expenses and incorrectly recorded them as P&E. One transaction involved
an operating lease payment that IRS capitalized as an asset instead of
including it in expenses. The other 2 transactions involved charges for
support services that IRS misclassified and incorrectly recorded as P&E
instead of expenses. IRS did not detect and correct these misclassified
transactions either when they were initially recorded or during its
periodic review process.
GAO's Standards for Internal Control in the Federal Government require
that transactions and other events be accurately and timely recorded to
maintain their relevance and value to management in controlling
operations and making decisions. This applies to the entire process or
life cycle of a transaction or event from the initiation and
authorization through its final classification in summary records. In
addition, control activities help to ensure that all transactions are
completely and accurately recorded.
The errors we found occurred because IRS's controls over its property
and equipment capitalization process were not always effective. While
these errors did not result in a material misstatement to IRS's fiscal
year 2005 financial statements, the control weaknesses that gave rise
to these errors preclude IRS from having assurance that its financial
records for expenses and capital assets are capable of generating
reliable reports on an ongoing basis throughout the year.
Recommendation:
To assure proper accounting treatment of expense and P&E transactions
and reliable financial reporting, we recommend that IRS enforce its
property and equipment capitalization policy to ensure that it is
properly implemented to fully achieve management's objectives,
including recognizing assets when its capitalization criteria are met
and recognizing expenses when they are not.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation. IRS stated that its Chief
Financial Officer and Procurement Office implemented new procedures for
reviewing the classification of P&E into its accounting system. The
Procurement Office will begin reviewing classification codes to ensure
correctness and will take all necessary steps to ensure end users
correct errors prior to entering the obligations. IRS expects these new
procedures to be fully operational for the fourth quarter of fiscal
year 2006. IRS also stated that it modified the scope of its monthly
review of P&E transactions to include only obligations above a
predetermined dollar threshold. IRS indicated that these procedures were
implemented in April 2006 for P&E acquired in March 2006. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2006
financial statement audit.
Recording Disposals of Property and Equipment:
In prior years, we identified deficiencies in IRS's process for
recording property and equipment (P&E) transactions in its inventory
records. Over the past several years, IRS has made substantial progress
in improving the accuracy and reliability of its inventory records.
While we recognize IRS's progress, our work performed as part of our
fiscal year 2005 audit indicates that further improvements are needed.
During our audit, we found that IRS staff did not always follow the
agency's procedures requiring the prompt recording of disposals of
property and equipment in its inventory records.
The P&E disposal process is initiated when the function utilizing P&E
notifies the local Single Point Inventory Function (SPIF) unit that
they have P&E to be excessed or retired. The local SPIF unit arranges
to remove the P&E, prepares the necessary paperwork, updates the
inventory records to reflect that the asset is pending disposal, and
turns custody of the P&E over to the Facilities Management Branch
(FMB). FMB has responsibility for physical disposition of the P&E and
updating the inventory records to reflect the final disposal. The IRM
specifies that P&E inventory records must be updated to reflect all
disposals within ten days of the action.
During our fiscal year 2005 audit, we found that eight of 220 items
selected from IRS's inventory records could not be located.[Footnote
24] All of these assets had been disposed of, but the inventory records
reflected the assets as pending disposal. FMB had not updated the
inventory system to change the disposal status from pending to final.
For three of the exceptions found at one location, the assets were
retired on May 15, 2004, but the disposals were still reflected as
pending as of July 15, 2005, more than one year after the date of
disposal. IRS's property management system does not generate aging
reports to indicate the length of time assets have remained in pending
status.
GAO's Standards for Internal Control in the Federal Government require
agencies to implement internal control procedures to ensure the
accurate and timely recording of transactions and events. This standard
further states that transactions should be promptly recorded to
maintain their relevance and value to management in controlling
operations and making decisions. Property records that are out of date
impede management's ability to make sound operating decisions, monitor
performance, and allocate resources, and can result in undetected theft
or loss of assets.
Recommendation:
We recommend that IRS:
* generate aging reports when an asset remains in pending disposal
status for longer than a specified period of time; and
* direct FMB managers to research and resolve the aging reports.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning recording disposals of
property and equipment. IRS indicated that issues raised in the fiscal
year 2005 financial statement audit were being addressed through an IRS
re-engineering effort focused on the entire asset retirement and
disposal process. IRS stated that it currently has reports available to
monitor aging transactions during the disposal life cycle. IRS also
indicated that it is (1) developing procedures to require reviews of
aging reports to streamline the process to ensure timely recording of
disposal transactions, and (2) modifying software to electronically
record such transactions. IRS intends to implement these modifications
and review procedures by August 2006. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2006 financial
statement audit.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and Governmental
Affairs and the House Committee on Government Reform within 60 days of
the date of this report. A written statement must also be sent to the
House and Senate Committees on Appropriations with the agency's first
request for appropriations made more than 60 days after the date of the
report.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Minority Members of the
Senate Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; and
Subcommittee on Taxation and IRS Oversight, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking
Minority Members of the House Committee on Appropriations; House
Committee on Ways and Means; the Chairman and Vice-Chairman of the
Joint Committee on Taxation, the Secretary of the Treasury, the
Director of the Office of Management and Budget, the Chairman of the
IRS Oversight Board, and other interested parties. The report is
available at no charge on GAO's Web site at http://www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years 2005
and 2004 financial statements. Please contact me at (202) 512-3406 or
sebastians@gao.gov if you or your staff have any questions concerning
this report. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report. GAO
staff who made major contributions to this report are listed in
enclosure III.
Signed By:
Steven J. Sebastian
Director
Financial Management and Assurance
[End of section]
Enclosure I:
Comments from the Internal Revenue Service:
Department of the Treasury
Internal Revenue Service
Washington, D.C. 20224
May 1, 2006
Mr. Steven J. Sebastian
Director
Financial Management and Assurance
U.S. Government Accountability Office
441 G Street, N.W.
Washington, D.C. 20548
Dear Mr. Sebastian:
I am writing in response to your draft of the FY 2005 Management Report
titled, Improvements Needed in IRS' Internal Controls (GAO-06-532R). I
appreciate your continued assistance during our fiscal year financial
statement audit. The issues you presented in your report will help us
to take the necessary steps to strengthen our controls over property
and equipment, safeguarding tax receipts, and improving financial
management.
We continue to make progress in addressing our financial management
challenges. We successfully closed 33 recommendations during fiscal
year 2005. We expanded our remediation plans to better address the
reportable condition on lockbox to include the controls over hard-copy
tax receipts at our service center campuses, Taxpayer Assistance
Centers, and field offices. We have developed corrective action plans
for each of these areas and will monitor the plans through
implementation. We are working with your staff to trace each of the
remaining open recommendations to the underlying issues and ensure that
our corrective actions will address all of the controls to which they
relate. I have enclosed a response addressing all of your
recommendations separately.
We appreciate your recommendations and will continue to work with you
to address each of them. We are committed to implementing appropriate
improvements to ensure that the IRS maintains sound financial
management practices. If you have any questions, please contact Janice
Lambert, Chief Financial Officer, at (202) 622-6400.
Sincerely,
Signed By:
Mark W. Everson
Enclosure:
GAO Recommendations and IRS Responses to GAO FY 2005 Management Report
Improvements Needed in the IRS' Internal Controls GAO-06-532R:
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing.
Comments: We agree with this recommendation. Internal Revenue Manual
(IRM) 21.4.3, Returned Refunds/Releases, contains procedures for
transmitting returned refund checks to the Regional Finance Center
utilizing Document Transmittal - Form 3210. Although the procedures do
not require the manager to initial the Form 3210, procedures are in
place in the Manager's IRM to conduct periodic reviews. Accounts
Management (AM) will include a reminder to all centers of the
requirement to conduct periodic Form 3210 reviews in the annual AM
Program Letter. This item will also be included as part of the site
review process by March 2007.
Recommendation: Enforce compliance with existing requirements that all
Internal Revenue Service (IRS) units transmitting taxpayer receipts and
information from one IRS facility to another, including Service Center
Campuses (SCCs), Taxpayer Assistance Centers (TACs), and units within
Large & Mid-Size Business (LMSB) and Tax Exempt & Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals.
Comments: We agree with this recommendation. TE/GE conducted an
education effort to ensure all managers in Examination are familiar
with existing IRMs related to check processing procedures, including
proper maintenance of log books for document transmittals. These
efforts included conducting an information presentation at a meeting
that included managers from TE/GE, developing a Quick Reference Guide
for Processing Checks in TE/GE Examination, documenting the process via
a flowchart, and revising our Exam Revenue Agent basic training course.
Document Transmittal - Form 3210 is one method used Service-wide to
transmit information. IRM 3.13.62, Media Transport and Control,
contains Form 3210 procedures, including the acknowledgement process.
AM will include a reminder to all centers of the requirement to conduct
periodic Form 3210 reviews in the annual AM Program Letter. This item
will also be included as part of the site review process by March 2007.
By July 2006, Field Assistance will establish a process to monitor
acknowledgements of Report of Collection Activity - Form 795 and Form
3210 - when received from the service centers. Specific actions
underway include revising IRM procedures to require documentation of
follow-up actions with Submission Processing Centers when an identified
Form 795 or Form 3210 is not acknowledged timely. The documentation
will be retained with the group copy of Form 795 or Form 3210.
Recommendation: Provide instructions to document the follow-up
procedures performed in those cases where transmittals have not been
timely acknowledged.
Comments: We agree with this recommendation. TE/GE developed a
flowchart and quick reference guide on proper check handling procedures
and also incorporated these into its Examination Phase 1 training
materials.
By July 2006, Field Assistance will establish a process to monitor
acknowledgements of Form 795 and Form 3210 when received from the
service centers. Specific actions underway include revising IRM
procedures to require documentation of follow-up actions with
Submission Processing Centers when an identified Form 795 or Form 3210
is not acknowledged timely. The documentation will be placed with the
group copy of Form 795 or Form 3210.
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines.
Comments: We agree with this recommendation. TE/GE conducted an
education effort to ensure all managers in Examination are familiar
with existing IRMs. An informational presentation was conducted at the
Examination manager's meeting on check processing procedures and proper
maintenance of log books for document transmittals. TE/GE developed a
Quick Reference Guide for Processing Checks in TE/GE Examination and
documented the process via a flowchart. TE/GE has also added a new
commitment to the performance plan of its managers regarding
implementation of the TE/GE action plan to address the General
Accountability Office (GAO) repeat findings for safeguarding hard copy
receipts.
Field Assistance will identify and, as appropriate, develop and
implement methods to improve the consistent use of Form 3210 for
documenting the shipment of taxpayer receipts and information to the
service centers. Specific actions underway include developing
procedures by September 2006, to require TAC managers to perform a
weekly review of the Forms 3210 as part of the payment reconciliation
review and to document the review.
Recommendation: Equip all TACs with adequate physical security controls
to deter and prevent unauthorized access to restricted areas or office
space occupied by other IRS units, including those TACs that are not
scheduled to be reconfigured to the "new TAC" model in the near future.
This includes appropriately separating customer service waiting areas
from restricted areas by physical barriers such as locked doors marked
with signs barring entrance by unescorted customers.
Comments: We agree with this recommendation. Field Assistance will
identify TACs that lack the physical barriers to prevent unauthorized
access to TAC space and work with IRS Agency-Wide Shared Services /
Real Estate Facilities Management (AWSS/REFM) to address alternatives
to controlling access. Meetings with AWSS/REFM began in January 2006,
and they agreed to evaluate barrier issues within the TACs and
determine corrective actions by June 2006. Field Assistance has also
developed procedures to canvas TACs twice a year for security, safety,
health, and space concerns.
Recommendation: Connect duress alarms to a central monitoring station
or local police department or institute appropriate compensating
controls when these alarm systems are not operable or in place.
Comments: We agree with this recommendation. Field Assistance has
developed testing requirements to ensure security equipment (e.g.,
duress alarms) is functioning properly. Field Assistance will
coordinate with AWSS/REFM and Mission Assurance and Security Services
(MA&SS) on any reported deficiencies, especially when the new TAC
models are completed. Otherwise, Field Assistance will work with MA&SS
to ensure testing of duress alarms is performed semi-annually.
MA&SS, Wage and Investment (W&I), and AWSS will connect duress alarms
to a central monitoring station or local police departments in TACs
based upon criticality and funding availability, and enact compensating
controls when the systems are inoperable. The IRS will address
appropriate compensating controls at TACs not connected to central
monitoring/local police departments by December 2006.
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently onsite. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned.
Comments: We agree with this recommendation. Field Assistance has
developed a checklist for managers to use to document visits to
outlying TACs. The checklist includes the manager's name and date of
visit, as well as the issues discussed with employees, the
Commissioner's Representative, and the Union President. The checklist
will be added to the IRM 1.4.11 by June 2006.
Recommendation: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms regardless of the
circumstances that may have caused the activation.
Comments: We believe we have addressed this recommendation. We revised
the Lockbox Security Guideline under L.S.G.2.2.3.1.6 (6) in January
2006 to add the requirement that the banks maintain a logbook of
incident reports and any applicable supporting documentation, noting
corrective follow-up actions taken on each incident. The logbook must
be maintained in sequential date order.
Additionally, field security analysts were advised to enforce the
recordation requirement for all activations of intrusion alarms with
guards. The IRS updated alarm testing procedures and checklists to
include a review of guard console logs, and IRS will check compliance
in unannounced alarm tests.
Recommendation: Reemphasize the need for the security guards at all
TACs to ensure that key posts of duty, such as entrances to facilities,
are not left unattended.
Comments: We agree with this recommendation. MA&SS, W&I, and AWSS will
prepare a memorandum that reemphasizes security guards' duties and
responsibilities (post orders) and the importance of meeting security
requirements, and provide to all TAC locations by October 2006.
Recommendation: Revise its lockbox bank's security review checklist to
ensure that it encompasses reviewing security incident reports to
validate whether security personnel are providing corrective actions
related to the incidents cited.
Comments: We agree with this recommendation. Submission Processing will
work with MA&SS and Treasury Financial Management Service (FMS) to
ensure the physical security review checklist is updated to include
reviews of the security incident reports and to validate that the
security personnel are providing corrective actions related to the
incidents that are cited by May 2006.
Recommendation: Refine the scope and nature of its periodic reviews of
candling processes at SCCs to ensure they (1) encompass tests of
whether envelopes are properly candled through observation of candling
in process and inquiry of employees who perform initial and final
candling, and (2) document the nature and scope of the test and
observation results.
Comments: We agree with this recommendation. We will revise the
Internal Control Checklist used for the monthly security reviews by
January 2007, to address the effectiveness of the candling procedures
performed.
Recommendation: Enforce its existing policies and procedures at lockbox
banks to ensure that all remittances of $50,000 or more are processed
immediately and deposited at the first available opportunity.
Comments: We agree with this recommendation. To further enhance our
current requirements, we will add the following language by May 2006,
to L.P.G.3.2 (4) and L.P.G.3.2.7.1: "In addition, Lockbox management
must ensure remittances of $50,000 or more are not left unattended; for
example: shift changes, breaks, meetings, etc. These remittances must
be collected and then batched for expedited processing."
Recommendation: Refine the scope and nature of its periodic reviews of
lockbox banks to include high dollar remittances to better monitor
adherence to the requirement that they are processed immediately and
deposited at the first available opportunity.
Comments: We agree with this recommendation. A review checkpoint for
high dollar remittances will be added by May 2006, to the Processing
Internal Controls Data Collection Instrument that the Lockbox Field
Coordinators use during their on-site reviews.
Recommendation: Refine the scope and nature of its periodic security
reviews to encompass (1) testing the effectiveness of controls intended
to ensure that only individuals with proper credentials are permitted
access to SCCs and lockbox banks, and (2) reviewing the integrity of
perimeter security at SCCs.
Comments: We agree with this recommendation. The lockbox site discussed
in the audit report that did not restrict access of unauthorized
employees has been instructed to immediately prohibit entry and
acceptance of deliveries from these and similar unauthorized employees
in the loading dock area. The IRS Review Team will add this requirement
as a specific review item in our physical security review process.
Additionally, the IRS updated its Security Review Procedures and
Checklists for SCCs and lockbox banks, and conducted quarterly security
reviews with the new procedures/checklist to assess employee
piggybacking attempts, fence lines, landscaping, and alarm testing.
Recommendation: Revise the physical security procedures contained in
the IRM to require that all SCCs and any respective annex facilities
processing taxpayer receipts and/or information perform and document
monthly tests of the facility's intrusion detection alarms. At a
minimum, these procedures should (1) outline the type of test to be
conducted, (2) include criteria for assessing whether the controls used
to respond to the alarm were effective, and (3) require that a logbook
be maintained to document the test dates, results, and response
information.
Comments: We agree with this recommendation. MA&SS and AWSS will update
the IRMs and Lockbox Processing Guidelines related to the SCCs alarm
testing procedures to include a description of the types of tests to be
conducted, criteria for assessing controls, and the logging
requirements by August 2007.
Recommendation: Amend its policy to require that a completed
Recommendation for Juvenile Employment - Form 13094 with a positive
recommendation be provided for every juvenile hired to any position
that will allow access to taxpayer receipts and/or taxpayer
information.
Comments: We agree with this recommendation. After the Office of
Management and Budget (OMB) approves Form 13094, the Human Capital Office
(HCO) will issue a new policy requiring a positive recommendation for
juveniles hired to any position that will allow access to taxpayer
receipts and/or taxpayer information by August 2006.
Recommendation: Require IRS personnel to verify the information on the
Form 13094 by contacting the reference directly.
Comments: We agree with this recommendation. After the OMB approves
Form 13094, the HCO will issue new policy requiring IRS personnel to
verify the information on the Form 13094 by contacting the reference
directly by August 2006.
Recommendation: Revise the Form 13094 to require the reference to
describe his/her relationship with the juvenile, including extent of
first-hand contact, to allow IRS to review the forms and assess whether
the referencer has sufficient basis to recommend that juvenile to a
position of trust.
Comments: We agree with this recommendation. The HCO will revise Form
13094 to require that the reference describe their relationship with
the juvenile and how long they have known the juvenile. This will allow
the HCO offices to assess whether the reference has sufficient basis to
recommend the juvenile for employment. After Form 13094 is revised, it
will be submitted to OMB for formal approval to be used as a pre-
employment form by August 2006.
Recommendation: Establish procedures for hiring juveniles who do not
have a current teacher, principal, counselor, employer or former
employer, and clarify that IRS's current policies and procedures should
not be interpreted to mean that such juveniles should be allowed access
to taxpayer receipts and information without a Form 13094 or its
equivalent. These procedures could include a list of acceptable
alternatives that may serve as references for juveniles who do not have
a current teacher, principal or guidance counselor.
Comments: We agree with this recommendation. After the OMB approves
Form 13094, the HCO will issue a new policy establishing procedures for
hiring juveniles who do not have a current teacher, principal,
counselor, employer or former employer, and clarify that IRS' current
policies and procedures should not be interpreted to mean that such
juveniles should be allowed access to taxpayer receipts and information
without a Form 13094 or its equivalent by August 2006. Additionally,
the revised Form 13094 will offer alternative reference documentation
if the juvenile does not have a current teacher, principal or guidance
counselor.
Recommendation: Enforce its property and equipment capitalization
policy to ensure that it is properly implemented to fully achieve
management's objectives, including recognizing assets when its
capitalization criteria are met and recognizing expenses when they are not.
Comments: We agree with this recommendation. The Chief Financial
Officer (CFO) and Procurement implemented new procedures for reviewing
the classification of property and equipment (P&E) prior to entering
transactions into the accounting system. In the past, Procurement was
not required to review classification codes end users provided prior to
entering obligations into the accounting system. Going forward,
Procurement will now review classification codes to ensure correctness,
and will take all necessary steps to ensure end users correct errors
prior to entering the obligations. We anticipate the new procedures to
be fully operational for the fourth quarter of FY 2006.
Additionally, the CFO's Internal Financial Management (IFM) improved
its monthly review of P&E transactions. In the past, IFM reviewed
virtually all transactions related to capitalized P&E or expendable
purchases. With advance approval from GAO in FY 2006, IFM has modified
the scope of its review to include only purchases above a material
dollar threshold. As a result, reviews will concentrate primarily on
ensuring the transactions are properly classified as capital assets or
expense. The new review procedures will be implemented in April 2006,
for P&E acquired during the month of March 2006 and each month
thereafter.
Recommendation: Generate aging reports when an asset remains in
pending disposal status for longer than a specified period of time.
Comments: We agree with this recommendation. In March 2006, the Chief
Information Officer (CIO) property program manager informed GAO that
issues raised in the FY 2005 Financial Statement Audit are being
addressed via a re-engineering effort focused on the entire asset
retirement and disposal process. As such, reports are currently
available to monitor aging transactions during the disposal life cycle.
Additionally, procedures are being developed to require reviews of
aging reports for the timely recording of disposal transactions.
Substantial software modifications are being designed to improve the
recording of information by replacing manual data entry methods by
using electronic forms, signatures, and processes. These
modifications and review procedures will be implemented to streamline
the recording of asset disposal activity as required by IRS policy by
August 2006.
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports.
Comments: We agree with this recommendation. AWSS and CIO property
program managers are working to reengineer the entire asset retirement
and disposal process and discussed this initiative with GAO in March
2006. Reports are currently available for management to monitor the
status of aging transaction dates until the disposal process is
complete. Also, we are developing review procedures to streamline the
process to ensure the timely recording of disposal transactions.
Reengineered process modifications, review procedures, and guidance for
conducting reviews, will be implemented by August 2006.
[End of section]
Enclosure II:
Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:
* Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, and undelivered
order transactions. These statistical samples were selected primarily
to substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which
they were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design
or operation of internal control or compliance with provisions of laws
and regulations. These attributes, where applicable, can be and have
been statistically projected to the appropriate populations.
* Assessed the accounting principles used and significant estimates
made by management.
* Evaluated the overall presentation of the financial statements.
* Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in the Management
Discussion and Analysis.
* Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.
* Considered the process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. § 3512 (c),
(d), commonly referred to as the Federal Managers' Financial Integrity
Act of 1982.
* Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1)
and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. § 1301); Release
of lien or discharge of property (26 U.S.C. § 6325); Interest on
underpayment, nonpayment, or extensions of time for payment of tax (26
U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611);
Determination of rate of interest (26 U.S.C. § 6621); Failure to file
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance
System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C.
§ 206); Federal Employees' Retirement System Act of 1986, as amended (5
U.S.C. §§ 8422, 8423, and 8432); Social Security Act, as amended (26
U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health
Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909);
Transportation, Treasury, and Independent Agencies Appropriations Act,
2004, Pub. L. No. 108-199, div. F, tit. II, 118 Stat. 314 (Jan. 23,
2004); and Transportation, Treasury, Independent Agencies, and General
Government Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit.
II, 118 Stat. 3235 (Dec. 8, 2004).
* Tested whether IRS's financial management systems substantially
comply with the three requirements of the Federal Financial Management
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996)).
Enclosure III:
Staff Acknowledgments:
Acknowledgments:
The following individuals made major contributions to this report:
Charles Fox, Assistant Director; Manmei Chen, John Davis, Paul Foderaro,
Ted Hu, Jerrod O'Nelio, Theresa Patrizio, Robert Preshlock, John
Sawyer, Angel Sharma, Peggy Smith, and Gary Wiggins.
(196092)
[End of section]
FOOTNOTES
[1] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005).
[2] TACs are field assistance units designed to serve taxpayers who
choose to seek help from the IRS in person. Services provided include
interpreting tax laws and regulations, preparing some tax returns,
resolving inquiries on taxpayer accounts, receiving payments and
forwarding those payments to their respective SCC for deposit and
further processing, and performing other services designed to minimize
the burden on taxpayers in satisfying their tax obligations. These
offices are typically much smaller facilities than SCCs or lockbox
banks with staff sizes ranging from 1 to about 35 employees.
[3] IRS defines controlled areas as space to which access is limited to
IRS employees with a valid business purpose. Within such controlled
space, certain areas are designated as restricted and are subject to a
further elevated level of security to safeguard such sensitive assets
as hardcopy taxpayer receipts and computer facilities.
[4] Lockbox banks are financial institutions designated as depositories
and financial agents of the U.S. government to perform certain
financial services, including processing tax documents, depositing the
receipts, and then forwarding the documents and data to their
respective SCC, which update taxpayers' accounts.
[5] Candling is a process used by IRS to determine if any contents
remain in open envelopes, which is often achieved by passing the
envelopes over a light source.
[6] IRS defines juvenile as a person who is not yet eighteen years of
age.
[7] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[8] GAO-06-137.
[9] The Daily Report of Collection Activity is generally used to
transmit taxpayer receipts from an IRS facility to a SCC. A Document
Transmittal is used interchangeably to transmit (1) taxpayer receipts
or several Form 795s from an IRS facility to a SCC for final processing
or (2) non-payment related taxpayer information (e.g., case files and
other sensitive tax related data) between IRS facilities.
[10] LMSB units are field office units charged with administering taxes
for corporations and partnerships with assets over $10 million. TEGE
units are field office units that serve a wide range of customers
including small local community organizations, municipalities, major
universities, pension funds, state governments, Indian tribal
governments, and tax exempt bond issuers. All other corporations,
partnerships, small businesses, and individuals with certain types of
non-salary income with assets under $10 million are serviced by IRS's
Small Business and Self-Employed (SB/SE) units. We addressed similar
monitoring weaknesses within several SB/SE units in our management
report from our fiscal year 2004 audit, see GAO, Management Report:
Improvements Needed in IRS's Internal Controls, GAO-05-247R
(Washington, D.C.: April 2005).
[11] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[12] The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct its operations and contains policy,
direction, and delegations of authority necessary to carry out IRS's
responsibilities to administer tax law and other legal provisions.
[13] One of the TRRs at this location worked a part-time schedule.
[14] As of March 2006, IRS had reconfigured 115 of its 400 TACs located
throughout the United States, has an additional 29 such projects
underway, and plans on reconfiguring the remaining TACs by 2014.
[15] Incident reports are used by security guards to document and
record their response to suspicious events, incidents, and activities.
In addition, lockbox banks are required to maintain a log of incident
reports, noting the action that the lockbox bank took to correct the
incident.
[16] Internal Revenue Service, "2005 Lockbox Processing Guidelines"
(Washington, D.C.: January 2005), and subsequent 2005 updates. The 2005
LPG provides guidelines for processing work at lockbox banks serving
IRS for the 2005 filing season.
[17] GAO-05-247R.
[18] Non letter-size envelopes refer to envelopes that are either
larger or smaller than the standard white business-size envelopes that
are used for mailing such items as personal or business mail (e.g.,
utility bills, tax returns, general correspondences).
[19] GAO/AIMD-00-21.3.1.
[20] In the LPG, IRS defines large dollar remittances as those with
amounts $50,000 or greater.
[21] The Recommendation for Juvenile Employment form asks the reference
provider to check off whether he or she feels that the juvenile is
suitable for a position of trust or to disclaim his/her knowledge of
the juvenile. Other data captured includes the name of the reference
and information related to the school and current/former employer of
the juvenile.
[22] GAO/AIMD-00-21.3.1.
[23] U.S. Federal Accounting Standards Advisory Board (FASAB), SFFAS
No. 6, Accounting for Property, Plant, and Equipment.
[24] For our book-to-floor sample, we selected a two-stage cluster
sample of P&E items. In the first stage, we selected a sample of 22
buildings in probabilities proportionate to the number of P&E items in
each building's inventory records. In the second stage, we randomly
selected a sample of 10 assets located at each of the 22 buildings.