Internal Revenue Service
Status of Recommendations from Financial Audits and Related Financial Management Reports Gao ID: GAO-06-560 June 6, 2006In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility in annually collecting over $2 trillion in taxes, processing hundreds of millions of tax and information returns, and enforcing the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective action to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO not only makes recommendations to address any new weaknesses identified but also follows up on the status of weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) assist IRS management in tracking the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations fit into IRS's overall management and internal control structure.
IRS has made significant progress in improving its internal controls and financial management since its first financial audit in 1992, as evidenced by 6 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and the closing of over 200 financial management recommendations. This progress has been the result of hard work and commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO's audit of IRS's fiscal year 2005 financial statements, 84 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2005 financial audit, IRS took actions that enabled GAO to close 34 of those recommendations. At the same time, GAO identified additional internal control deficiencies resulting in 22 new recommendations. In total, 72 recommendations currently remain open. To assist IRS in evaluating its internal controls and in making improvements, GAO categorized the 72 open recommendations by various internal control activities which, in turn, were grouped into three broad control activity groupings. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management. IRS stated that it is taking action to address the recommendations included in the report. GAO will review the effectiveness of these corrective actions and the status of IRS's progress as part of the fiscal year 2006 audit.
GAO-06-560, Internal Revenue Service: Status of Recommendations from Financial Audits and Related Financial Management Reports
This is the accessible text file for GAO report number GAO-06-560
entitled 'Internal Revenue Service: Status of Recommendations from
Financial Audits and Related Financial Management Reports' which was
released on June 6, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Commissioner of Internal Revenue:
United States Government Accountability Office:
GAO:
June 2006:
Internal Revenue Service:
Status of Recommendations from Financial Audits and Related Financial
Management Reports:
GAO-06-560:
GAO Highlights:
Highlights of GAO-06-560, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
In its role as the nation‘s tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility in annually collecting over $2
trillion in taxes, processing hundreds of millions of tax and
information returns, and enforcing the nation‘s tax laws. Since its
first audit of IRS‘s financial statements in fiscal year 1992, GAO has
identified a number of weaknesses in IRS‘s financial management
operations. In related reports, GAO has recommended corrective action
to address those weaknesses.
Each year, as part of the annual audit of IRS‘s financial statements,
GAO not only makes recommendations to address any new weaknesses
identified but also follows up on the status of weaknesses GAO
identified in previous years‘ audits. The purpose of this report is to
(1) assist IRS management in tracking the status of audit
recommendations and actions needed to fully address them and (2)
demonstrate how the recommendations fit into IRS‘s overall management
and internal control structure.
What GAO Found:
IRS has made significant progress in improving its internal controls
and financial management since its first financial audit in 1992, as
evidenced by 6 consecutive years of clean audit opinions on its
financial statements, the resolution of several material internal
control weaknesses, and the closing of over 200 financial management
recommendations. This progress has been the result of hard work and
commitment at the top levels of the agency.
However, IRS still faces financial management challenges. At the
beginning of GAO‘s audit of IRS‘s fiscal year 2005 financial
statements, 84 financial management-related recommendations from prior
audits remained open because IRS had not fully addressed the issues
that gave rise to them. During the fiscal year 2005 financial audit,
IRS took actions that enabled GAO to close 34 of those recommendations.
At the same time, GAO identified additional internal control
deficiencies resulting in 22 new recommendations. In total, 72
recommendations currently remain open.
To assist IRS in evaluating its internal controls and in making
improvements, GAO categorized the 72 open recommendations by various
internal control activities which, in turn, were grouped into three
broad control activity groupings.
Table: Summary of Open Recommendations:
Control activity group: Safeguarding of assets and security activities:
Open in 2005: 33:
Closed during 2005 audit: 13:
New from 2005 audit: 9:
Total open for 2006: 29:
Control activity group: Proper recording and documenting of
transactions: Open in 2005: 30:
Closed during 2005 audit: 13:
New from 2005 audit: 9:
Total open for 2006: 26:
Control activity group: Effective management review and oversight: Open
in 2005: 21:
Closed during 2005 audit: 8:
New from 2005 audit: 4:
Total open for 2006: 17:
Control activity group: Total:
Open in 2005: 84:
Closed during 2005 audit: 34:
New from 2005 audit: 22:
Total open for 2006: 72:
Source: GAO analysis of financial management recommendations made to
IRS.
[End of Table]
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-560].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Steven J. Sebastian at
(202) 512-3406 or sebastians@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Objectives, Scope, and Methodology:
IRS's Progress on Financial Management Recommendations:
Open Recommendations Grouped by Control Activity:
Concluding Observations:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports:
Appendix II: Comments from the Internal Revenue Service:
Appendix III: Staff Acknowledgments:
Tables:
Table 1: Summary of Open Recommendations:
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
Table 3: Recommendations to Improve IRS's Segregation of Duties:
Table 4: Recommendations to Improve IRS's Controls over Information
Processing:
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control:
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording
of Transactions and Events:
Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events:
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
Table 11: Recommendation to Improve IRS's Management of Human Capital:
Abbreviations:
ALS: Automated Lien System:
ATFR: Automated Trust Fund Recovery:
AUR: Automated Under Reporter:
AWSS: Agency-Wide Shared Services:
BMF: Business Master File:
BPMS: Business Performance Management System:
CAP: Custodial Accounting Project:
CCP: Centralized Case Processing:
CCTV: closed-circuit television:
CDDB: Custodial Detail Data Base:
CFO: chief financial officer:
CIO: chief information officer:
CIQMS: complex interest quality measurement system:
COTR: contracting officer's technical representative:
CPE: continuing professional education:
DCI: data collection instrument:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
FMIS: Financial Management Information System:
FMS: Financial Management Service:
FRB: Federal Reserve Bank:
IDRS: Integrated Data Retrieval System:
IFS: Integrated Financial System:
IMF: Individual Master File:
IRM: Internal Revenue Manual:
IRS: Internal Revenue Service:
IT: information technology:
LEM: Security Law Enforcement Manual:
LMSB: Large and Mid-sized Business:
LPG: Lockbox Processing Guidelines:
LSG: Lockbox Security Guide:
MOU: memorandum of understanding:
NBIC: National Background Investigation Center:
NFC: National Finance Center:
OMB: Office of Management and Budget:
P&E: property and equipment:
POD: post of duty:
PSEP: office of Physical Security and Emergency Preparedness:
SATMOD: satisfied module:
SB/SE: Small Business/Self-Employed:
SCC: service center campus:
SERP: Service-wide Electronic Research Program:
SETS: Security Entry and Tracking System:
SP: Submission Processing:
SPC: submission processing center:
TAC: taxpayer assistance center:
TE/GE: Tax Exempt and Government Entities:
TFRP: Trust Fund Recovery Penalty:
TGA: Treasury's General Account:
W&I: Wage and Investment:
United States Government Accountability Office:
Washington, DC 20548:
June 6, 2006:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Dear Mr. Everson:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2005, IRS
collected about $2.3 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $267 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.
IRS has made much progress in improving its financial management since
it was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress has led to its ability to
obtain and maintain a clean audit opinion on its financial statements
each year beginning in fiscal year 2000, and to correct several
material internal control weaknesses over the years. Despite these
considerable improvements, however, more remains to be done to address
long-standing internal control issues that continue to plague the
agency. IRS continues to have weak or ineffective internal controls
over fundamental elements of its operations that leave it vulnerable to
a greater risk of fraud, waste, abuse, and mismanagement. This, in
turn, has the potential to impact the lives of the nation's taxpayers,
as our audits over the years have demonstrated.
An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.[Footnote 1] Unfortunately, IRS
continues to be challenged with several long-standing material
weaknesses in internal control that are at the heart of IRS's
operations.[Footnote 2] During our audit of IRS's fiscal year 2005
financial statements, we continued to find material weaknesses in
controls over:
* financial reporting (including safeguarding of assets),
* unpaid tax assessments,
* identifying and collecting tax revenues due and issuing tax refunds,
and:
* information systems security.
In addition to the material weaknesses, we continued to identify two
reportable conditions, including deficiencies in controls over (1) hard-
copy tax receipts and taxpayer data, which increase the government's
and taxpayer's risk of loss or inappropriate disclosure of taxpayer
data, and (2) property and equipment (P&E), which preclude IRS from
readily reconciling its property records to its financial records.
To assist IRS in strengthening its internal controls and improving its
operations, we have made numerous recommendations as part of our annual
financial statement audits and other financial management-related work
at IRS. This report is being provided to you to (1) assist IRS
management in tracking the status of financial audit and financial
management-related recommendations and the actions needed to address
them and (2) demonstrate how the recommendations fit into IRS's overall
management and internal control structure. In cases where IRS has taken
action on open recommendations that did not result in our closing them,
we explain why this occurred.
We conducted our review from December 2005 through May 2006 in
accordance with U.S. generally accepted government auditing standards.
Results in Brief:
IRS management continues to make progress in addressing many of the
internal control deficiencies that plague the agency. At the beginning
of the fiscal year 2005 IRS financial statement audit, 84 financial
management-related recommendations from prior audits remained open
because IRS had not addressed the issues that gave rise to them
sufficiently to allow us to close them. During the fiscal year 2005
financial audit, IRS took actions to effectively address issues that
gave rise to numerous recommendations, enabling us to close 34 of those
recommendations. However, more efforts are needed by IRS to effectively
address its financial management challenges. During our fiscal year
2005 financial audit, we continued to identify recurring internal
control deficiencies, as well as new deficiencies, and we made 22 new
recommendations to address these newly identified issues. As a result,
72 recommendations to address IRS's internal control deficiencies
remain open.
In analyzing the nature of these open financial management
recommendations, we found that 29 recommendations, or 40 percent,
relate to issues associated with IRS's lack of effective controls over
safeguarding assets and security activities. Another 26
recommendations, or more than a third of the open recommendations,
relate to issues associated with IRS's inability to properly record and
document transactions. The remaining 17 recommendations, or
approximately 24 percent, relate to issues associated with lack of
effective management review and oversight. Effective implementation of
these open recommendations could greatly assist IRS in improving its
internal controls and achieving sound financial management. We are
making no new recommendations in this report.
In commenting on this report, IRS highlighted its efforts to further
improve its internal controls over hard-copy tax receipts, and felt our
grouping of the remaining open recommendations into broad internal
control categories will facilitate its strategy to address its
remaining financial management issues. We have reprinted IRS's written
comments in appendix II.
Background:
Internal control is not one event, but a series of actions and
activities that occur throughout an entity's operations and on an
ongoing basis. Internal control should be recognized as an integral
part of each system that management uses to regulate and guide its
operations rather than as a separate system within an agency. In this
sense, internal control is management control that is built into the
entity as a part of its infrastructure to help managers run the entity
and achieve their goals on an ongoing basis.
Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as the
Federal Managers' Financial Integrity Act of 1982 (FMFIA)), requires
agencies to establish and maintain internal control. The agency head
must annually evaluate and report on the control and financial systems
that protect the integrity of federal programs. The requirements of
FMFIA serve as an umbrella under which other reviews, evaluations, and
audits should be coordinated and considered to support management's
assertion about the effectiveness of internal control over operations,
financial reporting, and compliance with laws and regulations.
Office of Management and Budget (OMB) Circular No. A-123, Management's
Responsibility for Internal Control (revised Dec. 21, 2004), provides
the implementing guidance for FMFIA, and sets out the specific
requirements for assessing and reporting on internal controls[Footnote
3] consistent with the internal control standards issued by the
Comptroller General of the United States.[Footnote 4] The circular,
which was revised in 2004 with the revisions effective for fiscal year
2006, defines management's responsibilities related to internal control
and the process for assessing internal control effectiveness, and
provides specific requirements for conducting management's assessment
of the effectiveness of internal control over financial reporting. The
circular requires management to annually provide assurances on internal
control in its Performance and Accountability Report, and for the Chief
Financial Officers (CFO) Act agencies, beginning in fiscal year 2006,
to include a separate assurance on internal control over financial
reporting, along with a report on identified material weaknesses and
corrective actions.[Footnote 5] The circular also emphasizes the need
for integrated and coordinated internal control assessments that
synchronize all internal control-related activities.
FMFIA requires GAO to issue standards for internal control in the
federal government. GAO's Standards for Internal Control in the Federal
Government provides the overall framework for establishing and
maintaining internal control and for identifying and addressing major
performance and management challenges and areas at greatest risk of
fraud, waste, abuse, and mismanagement.
As summarized in GAO's Standards for Internal Control in the Federal
Government, the minimum level of quality acceptable for internal
control in the government is defined by the following five standards,
which also provide the basis against which internal controls are to be
evaluated:
* Control environment: Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management.
* Risk assessment: Internal control should provide for an assessment of
the risks the agency faces from both external and internal sources.
* Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives.
* Information and communications: Information should be recorded and
communicated to management and others within the entity who need it and
in a form and within a time frame that enables them to carry out their
internal control and other responsibilities.
* Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
The third control standard--internal control activities--helps ensure
that management's directives are carried out. Control activities are
the policies, procedures, techniques, and mechanisms that enforce
management's directives. In other words, they are the activities
conducted in the everyday course of business that accomplish a control
objective, such as ensuring IRS employees successfully complete
background checks prior to being granted access to taxpayer information
and receipts. As such, control activities are an integral part of an
entity's planning, implementing, reviewing, and accountability for
stewardship of government resources and achievement of effective
results.
A key objective in our annual audits of IRS's financial statements is
to obtain reasonable assurance about whether IRS maintained effective
internal controls with respect to financial reporting, including
safeguarding of assets, and compliance with laws and regulations. While
all five internal control standards are critical and are used by us as
a basis for evaluating the effectiveness of IRS's internal controls, we
place a heavy emphasis on testing control activities. This has resulted
in the identification of significant deficiencies in certain internal
controls over the years and recommendations for corrective action.
Objectives, Scope, and Methodology:
The objectives of this report are to (1) assist IRS management in
tracking the status of financial audit and financial management-related
recommendations and the actions needed to address them and (2)
demonstrate how the recommendations fit into IRS's overall management
and internal control structure. To accomplish these objectives, we
evaluated the effectiveness of IRS's corrective actions implemented in
response to open recommendations during fiscal year 2005 as part of our
fiscal years 2005 and 2004 financial audits. To report on the current
status of the recommendations, we obtained the status of each
recommendation and corrective action taken or planned as of April 2006,
as reported to us by IRS. We then compared IRS's assessment to our
fiscal year 2005 audit findings and noted any differences between IRS's
and our conclusions regarding the status of each recommendation.
In order to determine how these recommendations fit within IRS's
management and internal control structure, we compared the open
recommendations, and the issues that gave rise to them, to the control
activities listed in GAO's Standards for Internal Control in the
Federal Government and to the list of major factors and examples
outlined in our Internal Control Management and Evaluation
Tool.[Footnote 6] We also considered how the recommendations and the
underlying issues were categorized in our prior reports, whether IRS
had addressed in whole or in part the underlying control issues that
gave rise to the recommendations, and other legal requirements and
implementing guidance, such as OMB Circular No. A-123; FMFIA; and the
Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6
(revised June 2001).
We conducted our review from December 2005 through May 2006 in
accordance with U.S. generally accepted government auditing standards.
We requested comments on a draft of this report from the Commissioner
of Internal Revenue or his designee. We received written comments from
the commissioner, which are reprinted in appendix II.
IRS's Progress on Financial Management Recommendations:
IRS continues to make progress on addressing its significant financial
management challenges. Over the years since we first began auditing
IRS's financial statements in fiscal year 1992, we have closed out over
200 financial management-related recommendations we made based on
actions IRS has taken to improve its internal controls and operational
efficiency. This includes 34 recommendations we are closing in fiscal
year 2006 based on actions IRS took during the period covered by our
fiscal year 2005 financial audit. At the same time, however, our audits
continue to identify significant internal control deficiencies,
resulting in our making further recommendations for corrective action,
including 22 new financial management-related recommendations resulting
from our fiscal year 2005 financial audit. These internal control
deficiencies, and the resulting recommendations, can directly be traced
to the control activities in GAO's Standards for Internal Control in
the Federal Government. As such, it is essential that they be fully
addressed and resolved to strengthen IRS's overall financial management
and to assist it in achieving its goals and mission.
Status of Recommendations Based on the Fiscal Year 2005 Financial
Statement Audit:
In April 2005, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2004 and prior year
financial audits and other financial management-related work.[Footnote
7] In that report, we identified 84 audit recommendations that at that
time, remained open and thus required corrective action by IRS. A
significant number of these recommendations had been open for several
years, either because IRS had not taken corrective action or because
the actions taken had not been effective in resolving the issues that
gave rise to the recommendations.
IRS continued to work to address many of the internal control
deficiencies to which these open recommendations relate. In the course
of performing our fiscal year 2005 financial audit, we identified
numerous actions IRS took to address many of its internal control
deficiencies. Based on IRS's actions, which we were able to
substantiate through our audit, we are able to close 34 of these prior
years' recommendations since we concluded that IRS's actions
effectively addressed the issues that gave rise to them. IRS considers
another 23 of the prior years' recommendations to be effectively
addressed. However, we still consider them to be open either because we
have not yet had time to verify the effectiveness of IRS's actions--
they occurred subsequent to completion of our audit testing and thus
have not been verified, which is a prerequisite to our closing a
recommendation--or because the actions taken did not fully address the
issue that gave rise to the recommendation.
However, continued efforts are needed by IRS to address its serious
internal control weaknesses. While we are able to close 34 financial
management recommendations made in prior years, this still leaves 50
recommendations from prior years that remain open, a significant number
of which have been outstanding for several years. In some cases, as
mentioned, IRS may have effectively addressed the issues that gave rise
to the recommendations subsequent to our fiscal year 2005 audit
testing; however, in many cases, our fiscal year 2005 audit determined
that the actions taken to date had not effectively addressed the
underlying internal control issues. Additionally, during our fiscal
year 2005 audit, we identified additional internal control issues that
will require corrective action by IRS. In a recent management report to
IRS,[Footnote 8] we discussed these internal control issues, and made
22 new recommendations to IRS to address these new issues.
Consequently, a total of 72 financial management-related
recommendations are currently open and need to be addressed by IRS. Of
these, we consider 64 to be short term and 8 to be long term.[Footnote
9]
Appendix I presents a listing of (1) recommendations we have made based
on our financial audits and other financial management-related work
that we have not previously reported as closed, (2) the status of each
of these recommendations and corrective actions taken or planned as of
April 2006 as reported to us by IRS, and (3) our analysis of whether
the issues that gave rise to the recommendations have been effectively
and fully addressed based on the work performed during our fiscal year
2005 financial audit. The appendix lists the recommendations by the
date on which the recommendation was made and by report number.
Relation of Open Recommendations to IRS's Control Environment:
An agency's overall internal control environment comprises the plans,
methods, and procedures that are used to meet its mission, goals, and
objectives and, in doing so, supports its performance-based management.
Internal control also serves as the first line of defense in
safeguarding an agency's assets and in preventing and detecting errors
and mitigating the potential for fraud. Effective internal control
assists program managers in achieving desired results through effective
stewardship of public resources.
Control activities, one of the five broad standards contained in GAO's
Standards for Internal Control in the Federal Government, are the
policies, procedures, techniques, and mechanisms that enforce
management's directives. As such, they are an integral part of an
entity's planning, implementing, reviewing, and accountability for
stewardship of government resources and achievement of results. GAO's
Standards for Internal Control in the Federal Government defines 11
control activities. These control activities can be further grouped
into three broad categories:
* safeguarding of assets and security activities, including:
* physical control over vulnerable assets,
* segregation of duties,
* controls over information processing, and:
* access restrictions to and accountability for resources and records;
* proper recording and documenting of transactions, including:
* appropriate documentation of transactions and internal control,
* accurate and timely reporting of transactions and events, and:
* proper execution of transactions and events; and:
* effective management review and oversight, including:
* reviews by management at the functional or activity level,
* establishment and review of performance measures and indicators,
* management of human capital, and:
* top level reviews of actual performance.
Each of the open recommendations from our financial audits and
financial management-related work, and the underlying issues that gave
rise to them, can be traced back to the 11 control activities and their
three broad categories. Table 1 presents a summary of the open
recommendations, each tied back to the control activity to which it
relates.
Table 1: Summary Of Open Recommendations
Control activity: Safeguarding of assets and security activities;
Open at start of fiscal year 2005 audit: [Empty];
Closed during fiscal year 2005 audit: [Empty];
New from fiscal year 2005 audit: [Empty];
Total open recommendations: [Empty];
Percentage: 40.
Control activity: Physical control over vulnerable assets;
Open at start of fiscal year 2005 audit: 17;
Closed during fiscal year 2005 audit: 9;
New from fiscal year 2005 audit: 5;
Total open recommendations: 13;
Percentage: 18.
Control activity: Segregation of duties;
Open at start of fiscal year 2005 audit: 4;
Closed during fiscal year 2005 audit: 1;
New from fiscal year 2005 audit: 0;
Total open recommendations: 3;
Percentage: 4.
Control activity: Controls over information processing;
Open at start of fiscal year 2005 audit: 8;
Closed during fiscal year 2005 audit: 2;
New from fiscal year 2005 audit: 0;
Total open recommendations: 6;
Percentage: 8.
Control activity: Access restrictions to and accountability for
resources and records;
Open at start of fiscal year 2005 audit: 4;
Closed during fiscal year 2005 audit: 1;
New from fiscal year 2005 audit: 4;
Total open recommendations: 7;
Percentage: 10.
Control activity: Proper recording and documenting of transactions;
Open at start of fiscal year 2005 audit: [Empty];
Closed during fiscal year 2005 audit: [Empty];
New from fiscal year 2005 audit: [Empty];
Total open recommendations: [Empty];
Percentage: 36.
Control activity: Appropriate documentation of transactions and
internal controls;
Open at start of fiscal year 2005 audit: 16;
Closed during fiscal year 2005 audit: 10;
New from fiscal year 2005 audit: 5;
Total open recommendations: 11;
Percentage: 15.
Control activity: Accurate and timely recording of transactions and
events;
Open at start of fiscal year 2005 audit: 13;
Closed during fiscal year 2005 audit: 3;
New from fiscal year 2005 audit: 4;
Total open recommendations: 14;
Percentage: 20.
Control activity: Proper execution of transactions and events;
Open at start of fiscal year 2005 audit: 1;
Closed during fiscal year 2005 audit: 0;
New from fiscal year 2005 audit: 0;
Total open recommendations: 1;
Percentage: 1.
Control activity: Effective management review and oversight;
Open at start of fiscal year 2005 audit: [Empty];
Closed during fiscal year 2005 audit: [Empty];
New from fiscal year 2005 audit: [Empty];
Total open recommendations: [Empty];
Percentage: 24.
Control activity: Reviews by management at the functional or activity
level;
Open at start of fiscal year 2005 audit: 14;
Closed during fiscal year 2005 audit: 6;
New from fiscal year 2005 audit: 4;
Total open recommendations: 12;
Percentage: 17.
Control activity: Establishment and review of performance measures and
indicators;
Open at start of fiscal year 2005 audit: 4;
Closed during fiscal year 2005 audit: 0;
New from fiscal year 2005 audit: 0;
Total open recommendations: 4;
Percentage: 6.
Control activity: Management of human capital;
Open at start of fiscal year 2005 audit: 3;
Closed during fiscal year 2005 audit: 2;
New from fiscal year 2005 audit: 0;
Total open recommendations: 1;
Percentage: 1.
Control activity: Total;
Open at start of fiscal year 2005 audit: 84;
Closed during fiscal year 2005 audit: 34;
New from fiscal year 2005 audit: 22;
Total open recommendations: 72;
Percentage: [Empty].
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
As table 1 indicates, many of IRS's open recommendations are tied to
safeguarding and security issues. Specifically, 29 of the open
recommendations, or 40 percent, relate to issues associated with IRS's
lack of effective controls over safeguarding of assets and security
activities. Another 26 recommendations, or 36 percent, relate to issues
associated with IRS's inability to properly record and document
transactions. The remaining 17 recommendations, or 24 percent, relate
to issues associated with the lack of effective management review and
oversight.
Open Recommendations Grouped by Control Activity:
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to
them, to the internal control activities identified in GAO's Standards
for Internal Control in the Federal Government provides insight
regarding their significance to IRS's ability to effectively achieve
the objectives associated with the control activities and, thus, to its
overall mission and goals.
On the following pages, we group the 72 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented
in GAO's Standards for Internal Control in the Federal Government and
briefly identify some of the key IRS operations that fall under that
control activity. Although not comprehensive, the descriptions are
intended to help explain why the control activity is important for IRS
and thus why implementing the recommendations would strengthen
management and controls that support those operations. For each
recommendation, we also indicate whether it is a short-term or long-
term recommendation.
Safeguarding of Assets and Security Activities:
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of
the most important control activities at IRS is the safeguarding of
assets. Internal control should be designed to provide reasonable
assurance regarding prevention or prompt detection of unauthorized
acquisition, use, or disposition of an agency's assets. We have grouped
together the four control activities in GAO's Standards for Internal
Control in the Federal Government that relate to safeguarding of assets
(including tax receipts) and security activities (such as limiting
access to only authorized personnel): (1) physical control over
vulnerable assets, (2) segregation of duties, (3) controls over
information processing, and (4) access restrictions to and
accountability for resources and records.
Physical Control over Vulnerable Assets:
An agency must establish physical control to secure and safeguard
vulnerable assets. Examples include security for and limited access to
assets such as cash, securities, inventories, and equipment which might
be vulnerable to risk of loss or unauthorized use. Such assets should
be periodically counted and compared to control records.
IRS is charged with collecting over $2 trillion in taxes each year, a
significant amount of which is collected in the form of checks and cash
accompanied by tax returns and related information. IRS collects taxes
both at its own facilities as well as at lockbox banks that operate
under contract with the Treasury Department's Financial Management
Service (FMS) to provide processing services for certain taxpayer
receipts for IRS. IRS acts as custodian for (1) the tax payments it
receives until they are deposited in the General Fund of the U.S.
Treasury and (2) the tax returns and related information it receives
until they are either sent to the Federal Records Center or destroyed.
IRS is also charged with controlling many other assets, such as
computers and other equipment, but IRS's legal responsibility to
safeguard tax returns and the confidential information taxpayers
provide in tax returns makes the effectiveness of its internal controls
with respect to physical security essential.
IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at one of its offices. While adequate
physical safeguards over receipts should exist throughout the year, it
is especially important during the peak tax filing season. Each year
during the weeks preceding and shortly after April 15, an IRS service
center campus (SCC) may receive and process daily over 100,000 pieces
of mail containing returns, receipts, or both. The dollar value of
receipts each service center processes increases to hundreds of
millions of dollars a day during the April 15 time frame.
Of our 72 open recommendations, the following 13 open recommendations
are designed to improve IRS's physical controls over vulnerable assets.
(See table 2.)
Table 2: Recommendations To Improve Irs's Physical Controls Over
Vulnerable Assets:
ID. No.: 99-19;
Recommendations: Ensure that walk-in payment receipts are recorded in a
control log prior to depositing the receipts in the locked container
and ensure that the control log information is reconciled to receipts
prior to submission of the receipts to another unit for payment
processing. To ensure proper segregation of duties, an employee not
responsible for logging receipts in the control log should perform the
reconciliation. (short-term).
ID. No.: 03-32;
Recommendations: Prohibit the storage of employees' personal belongings
with cash payments and receipts at IRS's taxpayer assistance centers.
(short-term).
ID. No.: 04-07;
Recommendations: Develop procedures to enhance adherence to existing
instructions on safeguarding discovered remittances at SCCs. (short-
term).
ID. No.: 04-08;
Recommendations: Enforce its policies and procedures to ensure that SCC
security guards respond to alarms. (short-term).
ID. No.: 04-09;
Recommendations: Establish compensating controls in the event that
automated security systems malfunction, such as notifying guards and
managers of the malfunction, and immediately deploying guards to better
protect the processing center's perimeter. (short- term).
ID. No.: 05-25;
Recommendations: Formulate a policy to require that critical utility or
security controls not be located in areas requiring frequent access.
(short-term).
ID. No.: 05-26;
Recommendations: Require lockbox bank management to position closed-
circuit television cameras to enable monitoring of secured areas
containing sensitive systems or controls. (short-term).
ID. No.: 05-34;
Recommendations: Establish a procedure for Small Business/Self-Employed
(SB/SE) field office units to track Document Transmittal forms and
acknowledgments of receipt of Document Transmittal forms. (short-term).
ID. No.: 06-05;
Recommendations: Equip all taxpayer assistance centers (TACs) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas by
physical barriers such as locked doors marked with signs barring
entrance by unescorted customers. (short-term).
ID. No.: 06-06;
Recommendations: Connect duress alarms to a central monitoring station
or local police department or institute appropriate compensating
controls when these alarm systems are not operable or in place. (short-
term).
ID. No.: 06-08;
Recommendations: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms regardless of the
circumstances that may have caused the activation. (short-term).
ID. No.: 06-09;
Recommendations: Reemphasize the need for the security guards at all
TACs to ensure that key posts of duty, such as entrances to facilities,
are not left unattended. (short-term).
ID. No.: 06-15;
Recommendations: Revise the physical security procedures contained in
the IRM (Internal Revenue Manual) to require that all SCCs and any
respective annex facilities processing taxpayer receipts and/or
information perform and document monthly tests of the facility's
intrusion detection alarms. At a minimum, these procedures should (1)
outline the type of test to be conducted, (2) include criteria for
assessing whether the controls used to respond to the alarm were
effective, and (3) require that a logbook be maintained to document the
test dates, results, and response information. (short- term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Segregation of Duties:
Key duties and responsibilities need to be divided or segregated among
different people to reduce the risk of error or fraud. This should
include separating the responsibilities for authorizing transactions,
processing and recording them, reviewing the transactions, and handling
any related assets. No one individual should control all key aspects of
a transaction or event.
IRS employees are responsible for processing trillions of dollars of
tax receipts each year, of which hundreds of billions are received in
the form of cash or checks,[Footnote 10] and for processing hundreds of
billions of dollars in refunds to taxpayers. Consequently, it is
critical that IRS maintain appropriate separation of duties to allow
for adequate oversight of staff and protection of these vulnerable
resources so that no single individual would be in a position of both
causing an error or irregularity and then concealing it. For example,
when an IRS field office or lockbox bank receives taxpayer receipts and
returns, it is responsible for depositing the cash and checks in a
depository institution and forwarding the related information received
to an SCC for further processing. In order to adequately safeguard
receipts from theft, the person responsible for recording the
information from the taxpayer receipts on a voucher should be different
from the individual who prepares those receipts for transmittal to the
SCC for further processing.
The following three open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over
both tax receipts and refunds. (See table 3.)
Table 3: Recommendations To Improve Irs's Segregation Of Duties:
ID. No.: 02-16;
Recommendations: Ensure that field office management comply with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments. (short-
term).
ID. No.: 05-32;
Recommendations: Establish policies and procedures to require
appropriate segregation of duties in SB/SE units of field offices with
respect to preparation of Payment Posting Vouchers, Document
Transmittal forms, and transmittal packages. (short-term).
ID. No.: 05-41;
Recommendations: Specify in the IRM that staff members are not to
review their own command code profiles. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Controls over Information Processing:
A variety of control activities are used in information processing.
Examples include edit checks of data entered, accounting for
transactions in numerical sequences, and comparing file totals with
control totals. There are two broad groupings of information systems
control--general control (for hardware such as mainframe, network, end-
user environments) and application control (processing of data within
the application software). General controls include entitywide security
program planning, management, and backup recovery procedures, and
contingency and disaster planning. Application controls are designed to
help ensure completeness, accuracy, authorization, and validity of all
transactions during application processing.
IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax
processing responsibilities, IRS relies extensively on interconnected
networks of computer systems to perform various functions, such as
collecting and storing taxpayer data, processing tax returns,
calculating interest and penalties, generating refunds, and providing
customer service.
As part of our annual audits of IRS's financial statements, we assess
the effectiveness of IRS's information security controls[Footnote 11]
over key financial systems, data, and interconnected networks at IRS's
critical data processing facilities that support the processing,
storage, and transmission of sensitive financial and taxpayer data.
From that effort, we have identified over the years information
security control weaknesses that impair IRS's ability to ensure the
confidentiality, integrity, and availability of its sensitive financial
and taxpayer data. As of March 2006, there were 45 open recommendations
from our information security work designed to improve IRS's
information security controls.[Footnote 12] Recommendations resulting
from our information security work are reported separately and are not
included in this report primarily because of the sensitive nature of
some of these issues.
However, the following six open recommendations are related to systems
limitations and IRS's need to review and resolve various exception
reports that its systems generate. (See table 4.) We included reviews
of exception reports in this control activity since they help ensure
the integrity of IRS's automated data.[Footnote 13]
Table 4: Recommendations To Improve Irs's Controls Over Information
Processing:
ID. No.: 02-18;
Recommendations: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Secure Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term).
ID. No.: 05-03;
Recommendations: Research and resolve the current backlog of unresolved
unmatched exception reports. (short-term).
ID. No.: 05-04;
Recommendations: Research and resolve unmatched exception reports
weekly. (short-term).
ID. No.: 05-06;
Recommendations: Research and resolve the current backlog of unresolved
manual interest or penalties reports. (short- term).
ID. No.: 05-07;
Recommendations: Research and resolve exception reports containing
liens with manually calculated interest or penalties weekly, as called
for in the IRM and the ALS[A] User Guide. (short-term).
ID. No.: 05-09;
Recommendations: Improve the current unmatched exception report by
including a cumulative list of all unmatched taxpayer accounts that
have not been resolved to date. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[A] ALS stands for Automated Lien System.
[End of table]
Access Restrictions to and Accountability for Resources and Records:
Access to resources and records should be limited to authorized
individuals, and accountability for their custody and use should be
assigned and maintained. Periodic comparison of resources with the
recorded accountability should be made to help reduce the risk of
errors, fraud, misuse, or unauthorized alteration.
Because IRS deals with a large volume of cash and checks, it is
imperative that it maintain strong controls over who has access to
those assets, the records that track those assets, and sensitive
taxpayer information. Although IRS has a number of both physical and
information system controls in place, some of the issues we have
identified in our financial audits over the years pertain to ensuring
that those with direct access to these cash and checks are
appropriately vetted before being granted access to taxpayer receipts
and information and to ensuring that IRS maintains effective access
security control.
The following seven open recommendations would help IRS improve its
access restrictions to assets and records. (See table 5.)
Table 5: Recommendations To Improve Irs's Access Restrictions To And
Accountability For Resources And Records:
ID. No.: 03-29;
Recommendations: Confirm with FMS that IRS's requirements for
background and fingerprint checks for courier services are met
regardless of whether IRS or FMS negotiates the service agreement.
(short-term).
ID. No.: 05-11;
Recommendations: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at SCCs selected for significant reductions in
their submission processing functions. (short-term).
ID. No.: 05-13;
Recommendations: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers. (short- term).
ID. No.: 06-16;
Recommendations: Amend its policy to require that a completed form
13094 with a positive recommendation be provided for every juvenile
hired to any position that will allow access to taxpayer receipts
and/or taxpayer information. (short-term).
ID. No.: 06-17;
Recommendations: Require IRS personnel to verify the information on the
form 13094 by contacting the reference directly. (short-term).
ID. No.: 06-18;
Recommendations: Revise the form 13094 to require the reference to
describe his/her relationship with the juvenile, including extent of
firsthand contact, to allow IRS to review the forms and assess whether
the referencer has sufficient basis to recommend that juvenile to a
position of trust. (short-term).
ID. No.: 06-19;
Recommendations: Establish procedures for hiring juveniles who do not
have a current teacher, principal, counselor, employer or former
employer, and clarify that IRS's current policies and procedures should
not be interpreted to mean that such juveniles should be allowed access
to taxpayer receipts and information without a form 13094 or its
equivalent. These procedures could include a list of acceptable
alternatives that may serve as references for juveniles who do not have
a current teacher, principal or guidance counselor. (short- term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Recording and Documenting of Transactions:
One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers
need to assist in making day-to-day decisions. While progress is being
made to modernize its financial management capabilities, IRS
nonetheless continues to face many of the pervasive internal control
weaknesses that we have reported each year since we began auditing its
financial statements in fiscal year 1992, many of which are related to
its long-standing systems deficiencies.
However, IRS also has a number of internal control issues that relate
to recording transactions, documenting events, and tracking the
processing of taxpayer receipts or information, which do not depend
upon improvements in information systems.
We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate
documentation of transactions and internal controls, (2) accurate and
timely recording of transactions and events, and (3) proper execution
of transactions and events.
Appropriate Documentation of Transactions and Internal Control:
Internal control and all transactions and other significant events need
to be clearly documented, and the documentation should be readily
available for examination. The documentation should appear in
management directives, administrative policies, or operating manuals
and may be in paper or electronic form. All documentation and records
should be properly managed and maintained.
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract
to process taxpayer receipts for the federal government. Therefore, it
is important that IRS maintain appropriate assurance that all documents
and records are properly managed and maintained both at its facilities
and at the lockbox banks.
The following 11 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. (See
table 6.)
Table 6: [RECOMMENDATIONS TO IMPROVE IRS'S DOCUMENTATION OF
TRANSACTIONS AND INTERNAL CONTROL]
ID. No.: 04-03;
Recommendations: Develop procedures to require lockbox managers to
provide satisfactory evidence that managerial reviews are performed in
accordance with established guidelines. At a minimum, reviewers should
sign and date the reviewed documents and provide any comments that may
be appropriate in the event their reviews identified problems or raised
questions. (short-term).
ID. No.: 05-12;
Recommendations: Document a methodology for estimating anticipated
rapid changes in mail volume at future SCCs selected for significant
reductions in their submission processing functions, taking into
consideration factors such as the prior rampdown experience at
Brookhaven. (short-term).
ID. No.: 05-14;
Recommendations: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor work sites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information. (short-term).
ID. No.: 05-35;
Recommendations: Require evidence of managerial review of recording,
transmittal, and receipt of acknowledgments of taxpayer receipts and
information. (short-term).
ID. No.: 05-39;
Recommendations: Enforce requirements for documenting monitoring
actions and supervisory review. (short-term).
ID. No.: 05-42;
Recommendations: Specify in the IRM how to properly verify interest and
penalties for accounts with liens with manually calculated interest or
penalties. (short-term).
ID. No.: 06-01;
Recommendations: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term).
ID. No.: 06-02;
Recommendations: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within IRS's Large
and Mid-sized Business (LMSB) and Tax Exempt and Government Entity
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term).
ID. No.: 06-03;
Recommendations: Provide instructions to document the follow-up
procedures performed in those cases where transmittals have not been
timely acknowledged. (short-term).
ID. No.: 06-04;
Recommendations: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term).
ID. No.: 06-07;
Recommendations: Document supervisory visits by offsite managers to
TACS not having a manager permanently onsite. This documentation should
be signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Accurate and Timely Recording of Transactions and Events:
Transactions should be promptly recorded to maintain their relevance
and value to management in controlling operations and making decisions.
This applies to the entire process or life cycle of a transaction or
event from the initiation and authorization through its final
classification in summary records. In addition, control activities help
to ensure that all transactions are completely and accurately recorded.
IRS is responsible for maintaining taxpayer records for tens of
millions of taxpayers in addition to maintaining its own financial
records. To carry out this responsibility, IRS often has to rely on
outdated computer systems or manual work-arounds. Unfortunately, some
of IRS's recordkeeping difficulties we have reported on over the years
will not be addressed until it can replace its aging systems, which is
a long-term effort and is dependent on future funding.
The following 14 open recommendations would strengthen IRS's
recordkeeping abilities. (See table 7.) They include some specific
recommendations regarding requirements for new systems for maintaining
taxpayer records. Several of the recommendations listed affect
financial reporting processes, such as subsidiary records and
appropriate allocation of costs. Some of the issues that gave rise to
certain of our recommendations directly affect taxpayers, such as those
involving duplicate assessments, errors in calculating and reporting
manual interest, and recovery of trust fund penalty assessments. Half
of these recommendations are almost over 5 years old and 1 is over 10
years old, reflecting the long-term nature of the resolution of some of
these issues.
Table 7: Recommendations To Improve Irs's Accurate And Timely Recording
Of Transactions And Events:
ID. No.: 94-2;
Recommendations: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short- term).
ID. No.: 99-1;
Recommendations: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure all accounts
related to a single assessment are appropriately credited for payments
received. (short-term).
ID. No.: 99-3;
Recommendations: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term).
ID. No.: 99-20;
Recommendations: Analyze and determine the factors causing delays in
processing and posting trust fund recovery penalty assessments. Once
these factors have been determined, IRS should develop procedures to
reduce the impact of these factors and to ensure timely posting to all
applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance. (short-term).
ID. No.: 99-36;
Recommendations: Make enhancements to IRS financial systems to include
recording P&E and capital leases as assets when purchased and to
generate detailed records for P&E that reconcile to the financial
records. (long-term).
ID. No.: 01-17;
Recommendations: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term).
ID. No.: 01-39;
Recommendations: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long- term).
ID. No.: 02-08;
Recommendations: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term).
ID. No.: 02-09;
Recommendations: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year. (long-term).
ID. No.: 05-36;
Recommendations: Assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved
Automated Under Reporter (AUR) discrepancies, including placement of a
freeze or hold on all such accounts, until the AUR review has been
completed. (short-term).
ID. No.: 06-12;
Recommendations: Enforce its existing policies and procedures at
lockbox banks to ensure that all remittances of $50,000 or more are
processed immediately and deposited at the first available opportunity.
(short-term).
ID. No.: 06-20;
Recommendations: To assure proper accounting treatment of expense and
P&E transactions and reliable financial reporting, we recommend that
IRS enforce its property and equipment capitalization policy to ensure
that it is properly implemented to fully achieve management's
objectives, including recognizing assets when its capitalization
criteria is met and recognizing expenses when it is not. (short-term).
ID. No.: 06-21;
Recommendations: Generate aging reports when an asset remains in
pending disposal status for longer than a specified period of time.
(short-term).
ID. No.: 06-22;
Recommendations: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Execution of Transactions and Events:
Transactions and other significant events should be authorized and
executed only by persons acting within the scope of their authority.
This is the principal means of assuring that only valid transactions to
exchange, transfer, use, or commit resources and other events are
initiated or entered into. Authorizations should be clearly
communicated to managers and employees.
IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak
of the tax filing season. Because of the tremendous number of personnel
involved, IRS must maintain effective control over which employees are
authorized to either view or change sensitive taxpayer data. IRS's
ability to establish access rights and permissions for information
systems is a critical control.
Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.[Footnote 14] IRS
requires that all manual refunds be approved by officials who are
designated by managers. However, weaknesses in the authorization of
such approving officials expose the federal government to losses
because of the issuance of improper refunds. The following open
recommendation would improve IRS's controls over its manual refund
transactions. (See table 8.)
Table 8: Recommendation To Improve Irs's Execution Of Transactions And
Events:
ID. No.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds. (short-
term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Effective Management Review and Oversight:
All personnel within IRS have an important role in making internal
controls work, but the responsibility for good internal control rests
with IRS's managers. Management sets the objectives, puts the control
mechanisms and activities in place, and monitors and evaluates the
controls. Without effective monitoring by managers, internal control
activities may not be conducted on a consistent and timely basis.
We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of
performance measures and indicators, and (3) management of human
capital. Although we also include the control activity "top level
reviews of actual performance" in this grouping, we do not have any
open recommendations to IRS related to this internal control activity.
Reviews by Management at the Functional or Activity Level:
Managers need to compare actual performance to planned or expected
results throughout the organization and analyze significant
differences.
IRS has over 80,000 full-time employees and hires over 10,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, IRS contracts with banks to process tens of
thousands of individual receipts, totaling hundreds of billions of
dollars. At any organization, management oversight of operations is
important, but with an organization as vast in scope as the IRS,
management oversight is imperative.
The following 12 open recommendations would improve IRS's management
oversight. (See table 9.) In general, these recommendations were made
to correct instances where an internal control activity either does not
exist or where an established control is not being adequately or
consistently applied. The majority of these recommendations emphasize
improvements needed to IRS's oversight of lockbox banks and contracted
courier programs in order to ensure appropriate physical control over
vulnerable assets, such as taxpayer receipts.
Table 9: Recommendations To Improve Irs's Reviews By Management At The
Functional Or Activity Level:
ID. No.: 99-22;
Recommendations: Expand IRS's current review of service center
deterrent controls to include similar analyses of controls at IRS field
offices in areas such as courier security, safeguarding of receipts in
locked containers, requirements for fingerprinting employees, and
requirements for promptly over-stamping checks made out to the "IRS"
with "Internal Revenue Service" or "United States Treasury." Based on
the results, IRS should make appropriate changes to strengthen its
physical security controls. (short-term).
ID. No.: 01-06;
Recommendations: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term).
ID. No.: 03-15;
Recommendations: Require lockbox management to ensure that envelopes
are properly candled and that IRS takes steps to monitor adherence to
this requirement. (short-term).
ID. No.: 05-22;
Recommendations: Provide a written reminder to courier contractors of
the need to adhere to all courier service procedures. (short-term).
ID. No.: 05-23;
Recommendations: Periodically verify that contractors entrusted with
taxpayer receipts and information off-site adhere to IRS procedures.
(short-term).
ID. No.: 05-33;
Recommendations: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term).
ID. No.: 05-38;
Recommendations: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts. (short-term).
ID. No.: 05-40;
Recommendations: Enforce the requirement that command code profiles be
reviewed at least once annually. (short-term).
ID. No.: 06-10;
Recommendations: Revise the lockbox bank's security review checklist to
ensure that it encompasses reviewing security incident reports to
validate whether security personnel are providing corrective actions
related to the incidents cited. (short-term).
ID. No.: 06-11;
Recommendations: Refine the scope and nature of IRS's periodic reviews
of candling processes at SCCs to ensure they (1) encompass tests of
whether envelopes are properly candled through observation of candling
in process and inquiry of employees who perform initial and final
candling and (2) document the nature and scope of the test and
observation results. (short-term).
ID. No.: 06-13;
Recommendations: Refine the scope and nature of IRS's periodic reviews
of lockbox banks to include high-dollar remittances to better monitor
adherence to the requirement that they are processed immediately and
deposited at the first available opportunity. (short- term).
ID. No.: 06-14;
Recommendations: Refine the scope and nature of IRS's periodic security
reviews to encompass (1) testing the effectiveness of controls intended
to ensure that only individuals with proper credentials are permitted
access to SCCs and lockbox banks and (2) reviewing the integrity of
perimeter security at SCCs. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Establishment and Review of Performance Measures and Indicators:
Activities need to be established to monitor performance measures and
indicators. These controls could call for comparisons and assessments
relating different sets of data to one another so that analyses of the
relationships can be made and appropriate actions taken. Controls
should also be aimed at validating the propriety and integrity of both
organizational and individual performance measures and indicators.
IRS's operations include a vast array of activities encompassing
taxpayer education, processing of taxpayer receipts and data,
disbursing hundreds of billions of dollars in refunds to millions of
taxpayers, maintaining extensive information on tens of millions of
taxpayers, and seeking collection from individuals and businesses that
fail to comply with the nation's tax laws. Within its compliance
function, IRS has numerous activities, including identifying businesses
and individuals that underreport income, collecting from taxpayers that
do not pay, and collecting from those receiving refunds for which they
are not eligible. Although IRS has at its peak over 90,000 employees,
it still faces resource constraints in attempting to fulfill its
duties. Because of this, it is vitally important for IRS to have sound
performance measures to assist it in assessing its performance and
targeting its resources in a manner that maximizes the government's
return on investment.
However, in past audits we have reported that IRS did not capture cost
at the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a
result, IRS is unable to measure the costs and benefits of its various
collection and enforcement efforts to best target its available
resources. Additionally, we have reported that IRS's controls over its
reporting of interim performance measurement data were not effective
throughout the year because the data reported at interim periods for
certain performance measures were either not accurate or were outdated.
The following four open recommendations are designed to assist IRS in
evaluating its operations, determining which activities are the most
beneficial, and establishing a good system for oversight. (See table
10.) These recommendations call for IRS to measure, track, and evaluate
the cost, benefits, or outcomes of its operations--particularly with
regard to identifying its most effective tax collection activities.
Table 10: Recommendations To Improve Irs's Establishment And Review Of
Performance Measures And Indicators:
ID. No.: 99-29;
Recommendations: Develop the data to support meaningful cost
information categories and cost-based performance measures. (long-
term).
ID. No.: 01-04;
Recommendations: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, and administrative support) as well as the expected
additional tax collections generated. (long-term).
ID. No.: 01-12;
Recommendations: For (1) IRS's AUR and Combined Annual Wage Reporting
programs, (2) screening and examination of Earned Income Tax Credit
(EITC) claims, and (3) identifying and collecting previously disbursed
improper refunds, use the best available information to develop
reliable cost-benefit data to estimate the tax revenue collected by,
and the amount of improper refunds returned to, IRS for each dollar
spent pursuing these outstanding amounts. These data would include (1)
an estimate of the full cost incurred by IRS in performing each of
these efforts, including the salaries and benefits of all staff
involved, as well as any related nonpersonnel costs, such as supplies
and utilities, and (2) the actual amount (a) collected on tax amounts
assessed and (b) recovered on improper refunds disbursed. (long-term).
ID. No.: 04-15;
Recommendations: Until the Business Performance Management System
(BPMS) is fully operational, implement procedures to ensure that all
performance data reported in the Monthly Summary of Performance (MSP)
report are subject to effective, documented reviews to provide
reasonable assurance that the data are current at interim periods.
(short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Management of Human Capital:
Effective management of an organization's workforce--its human capital-
-is essential to achieving results and an important part of internal
control. Management should view human capital as an asset rather than a
cost. Only when the right personnel for the job are on board and are
provided the right training, tools, structure, incentives, and
responsibilities is operational success possible. Management should
ensure that skill needs are continually assessed and that the
organization is able to obtain a workforce that has the required skills
that match those necessary to achieve organizational goals. Training
should be aimed at developing and retaining employee skill levels to
meet changing organizational needs. Qualified and continuous
supervision should be provided to ensure that internal control
objectives are achieved. Performance evaluation and feedback,
supplemented by an effective reward system, should be designed to help
employees understand the connection between their performance and the
organization's success. As a part of its human capital planning,
management should also consider how best to retain valuable employees,
plan for their eventual succession, and ensure continuity of needed
skills and abilities.
IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens
of thousands of employees spread throughout the country, management's
responsibility to keep its guidance up-to-date and its staff properly
trained is imperative.
The following open recommendation would assist IRS in its management of
human capital in its financial operations. (See table 11.) The
recommendation is over 5 years old and may be resolved through IRS's
business systems modernization efforts.
Table 11: Recommendation To Improve Irs's Management Of Human Capital:
ID. No.: 99-25;
Recommendation: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes. (short-
term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Concluding Observations:
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to operate more efficiently
and more effectively in its mission while protecting taxpayers and
their information.
Sound financial management and effective internal controls can assist
IRS in achieving its goals. IRS has made substantial progress in
improving its financial management since its first financial audit, as
evidenced by consecutive clean audit opinions on its financial
statements for the past 6 years, resolution of several material
internal control weaknesses, and the closing of hundreds of financial
management recommendations. This progress has been the result of hard
work and commitment at the top. Nonetheless, more needs to be done to
fully address the financial management challenges the agency faces.
Efforts must continue to address the internal control deficiencies that
continue to exist. Effective implementation of the recommendations we
have made and continue to make through our financial audits and related
work could greatly assist IRS in improving its internal controls and
achieving sound financial management.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS expressed its appreciation
that we acknowledged the progress the agency has made in addressing its
financial management challenges, and noted that our mapping of its
remaining recommendations to specific internal control activities and
grouping them into three broad categories will facilitate its strategy
to address the remaining financial management issues. IRS also
highlighted its efforts to further improve its internal controls over
hard-copy tax receipts, noting that its plan to address these issues
now includes comprehensive actions to address our remaining
recommendations covering lockbox banks, submission processing campuses,
taxpayer assistance centers, and field offices. We will review the
effectiveness of these corrective actions and the status of IRS's
progress in addressing all open recommendations as part of our fiscal
year 2006 IRS financial statement audit.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate Committee on Appropriations; Senate
Committee on Finance; Senate Committee on Homeland Security and
Governmental Affairs; and Subcommittee on Taxation and IRS Oversight,
Senate Committee on Finance. We are also sending copies to the Chairmen
and Ranking Minority Members of the House Committee on Appropriations;
House Committee on Ways and Means; Chairman and Vice Chairman of the
Joint Committee on Taxation, the Secretary of the Treasury, the
Director of the Office of Management and Budget, the Chairman of the
IRS Oversight Board, and other interested parties. Copies will be made
available to others upon request. In addition, the report will be
available at no charge on GAO's Web site at http://www.gao.gov.
If you have any questions concerning this report, please contact me at
(202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs can be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director Financial Management and Assurance:
[End of section]
Appendix I Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports:
Count: 1;
ID. No.: 94-2;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Source report: Financial Management: Important IRS Revenue Information
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993);
Per IRS: Open. The five errors identified in the FY05 Financial
Statement Audit were resolved. The Complex Interest Quality Measurement
System (CIQMS) staff assisted GAO with their sample review for the FY06
Audit. Once GAO completes their audit, CIQMS will continue to provide
assistance as subject matter experts;
Per GAO: Open. In testing a statistical sample of 45 manual interest
transactions recorded during fiscal year 2005, we found five errors
relating to the calculation and recording of manually calculated
interest. We estimate that 11 percent of IRS's manual interest
population contains errors and concluded that IRS controls over this
area remain ineffective. We will continue to test the accuracy of IRS's
manual interest calculations during our fiscal year 2006 financial
audit.
Count: 2;
ID. No.: 99-1;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure all accounts
related to a single assessment are appropriately credited for payments
received. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Per IRS: Open. IRS has taken several actions to strengthen controls and
correct programming or procedural deficiencies in the cross referencing
of payments. To ensure quality, timeliness, and accuracy of the Trust
Fund Recovery Penalty (TFRP) process, the IRS initiated a quality
review process that focused in two primary areas. The first being
consolidation of all TFRP work to one campus. Consolidation of all
SB/SE Automated Trust Fund Recovery (ATFR) work to the Ogden campus was
completed in September 2005. All Wage & Investment (W&I) business unit
TFRP work was transferred to SB/SE Campuses as of January 2006. The
second area IRS undertook was the task of rewriting the ATFR area
office user component to provide system flexibility that better
replicates the realities of the current trust fund investigation/
proposal process. The enhanced rewrite has been delivered and is in
production testing. Training is scheduled to begin in June 2006 with a
complete nationwide deployment by the end of fiscal year 2006. IRS
continues to monitor the accuracy and effectiveness of the TFRP process
and all corrective actions already in place;
Per GAO: Open. We recognize automation of the current TFRP program is
much needed. However, IRS's efforts to date have not been effective. In
fiscal year 2005, we reviewed a statistical sample of 80 TFRP payments
made on accounts established since August 2001. We found six instances
in which IRS did not properly record the payment to all related
taxpayer accounts. We estimate that 7.5 percent of these payments may
not be properly recorded. We will continue to review IRS's initiatives
to improve posting of TFRP cases and test TFRP cases for proper
postings to all related accounts as part of our fiscal year 2006
financial audit.
Count: 3;
ID. No.: 99-3;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Per IRS: Open. The Custodial Accounting Project (CAP) has been canceled
due to budget constraints. The IRS chief financial officer (CFO) has
developed a TFRP database that can establish the links and identify
problems to more accurately report a single balance due for these
assessments and determine areas for improvement in the TFRP program.
The TFRP database is the first Release of the Financial Management
Information System's (FMIS) enhancement to the Custodial Detail Data
Base (CDDB) that has been proposed to enable the IRS CFO to address
many of the outstanding financial management recommendations. FMIS/CDDB
Release 1, TFRP database will be tested and fully implemented in 2006.
Further releases of FMIS/CDDB functionality are contingent on future
funding levels;
Per GAO: Open. We will continue to monitor IRS's development of an
alternative strategy for CAP, as well as its implementation of the new
FMIS/CDDB. If IRS implements CDDB Release 1 for fiscal year 2006, we
will perform tests of these data as part of our fiscal year 2006 audit.
Count: 4;
ID. No.: 99-17;
Recommendation: Ensure that all returned refund checks are stamped
"nonnegotiable" as soon as they are extracted. (short-term);
Source report: Internal Revenue Service: Physical Security Over
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30,
1998);
Per IRS: Closed. A memorandum is issued to Submission Processing (SP)
Field Directors prior to filing season reinforcing the importance of
ensuring SP procedures and policies regarding overstamping of returned
refund checks are followed. In addition, this requirement is part of
the Campus Monthly Security Reviews. All findings are shared with SP
Field Directors. Local management continues to remind employees of the
importance of overstamping returned refund checks on a regular basis
through individual and group meetings to ensure compliance with the
Internal Revenue Manual (IRM) and security requirements;
Per GAO: Closed. During our fiscal year 2005 audit, we found no
instances where returned refund checks were not stamped "nonnegotiable"
upon extraction at the four SCCs we visited.
Count: 5;
ID. No.: 99-19;
Recommendation: Ensure that walk-in payment receipts are recorded in a
control log prior to depositing the receipts in the locked container
and ensure that the control log information is reconciled to receipts
prior to submission of the receipts to another unit for payment
processing. To ensure proper segregation of duties, an employee not
responsible for logging receipts in the control log should perform the
reconciliation. (short-term);
Source report: Internal Revenue Service: Physical Security Over
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30,
1998);
Per IRS: Open. IRM 21.3.4.7 was updated in October 2005 to require
employees to record payments on Form 795, Daily Report of Collection
Activities, and to immediately place the payment in a locked container.
Field Assistance has implemented in taxpayer assistance centers (TACs)
where staffing permits the review of Form 795 and all supporting
documents for accuracy (by an employee other than the recipient of the
funds) before they are transmitted to the Submission Processing Centers
(SPC). The review process for these TACs was included in the IRM on
January 20, 2006. Additional procedures were explored to determine a
feasible process for mitigating the circumstances that prevent proper
segregation of duties in TACs with limited staffing. In exploring
procedures in January 2006 for TACs with limited staffing where there
is no manager, secretary, or Initial Account Representative, Field
Assistance determined proposed procedures to be burdensome, difficult
to administer, and not administratively feasible (e.g., copying and
faxing Form 795 to the manager). In addition, based on a September 2005
Treasury Inspector General for Tax Administration (TIGTA) report on
payments received at TACs, 99 percent of payments posted appropriately
to taxpayer accounts. This accuracy rate combined with compensating
controls at the SPCs effectively reduces risks associated with not
having reconciliation processes in small TACs. Additional emphasis was
placed on development of internal controls and the oversight and
accountability of both employees and managers within Field Assistance.
Specifically,;
Per GAO: Open. During our fiscal year 2005 audit, we found a lack of
segregation of duties related to the preparation, review, and/or
reconciliation of Form 795 at six of the eight TACs we visited. At
three of these TACs, at times only one employee was present to carry
out the functions of the office. At another TAC, there was no evidence
that the Form 795 was reconciled by an employee other than the employee
who received the payment from the taxpayer and recorded it on the Form
795. At this same TAC, we observed two instances where employees did
not log information onto the Form 795 upon receipt. At the fifth TAC,
the employee responsible for receiving and recording payments on the
control log did not receive an independent reconciliation of the
payments before they were mailed to the SCC for further processing. At
the sixth TAC, one employee retrieved all the checks from the locked
container and logged all the checks received onto a Form 795 and sent
them to the SCC without a supervisor or designee review. The corrective
actions cited by IRS were subsequent to our fieldwork at those
locations. We will evaluate IRS's corrective actions during our fiscal
year 2006 audit.
Per IRS: Count6: Field Assistance headquarters began conducting
operational reviews on February 28, 2006. The operational reviews
include assessing their ability to engage employees in process and
program improvement, identifying best practice ideas, ensuring elements
of accountability and responsibility are clearly communicated at each
level, and assessing conformance to the current policies and
procedures;
Per GAO: Count6: [Empty].
Count: 6;
ID. No.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting TFRP assessments. Once these factors have been
determined, IRS should develop procedures to reduce the impact of these
factors and to ensure timely posting to all applicable accounts and
proper offsetting of refunds against unpaid assessments before
issuance. (short-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD- 99-193, Aug. 4, 1999);
Per IRS: Open. To ensure quality, timeliness, and accuracy of the TFRP
process, the IRS initiated a quality review process that focused in two
primary areas. The first being consolidation of all TFRP work to one
campus. Consolidation of all SB/SE ATFR work to the Ogden campus was
completed in September 2005. All W&I business unit TFRP work was
transferred to SB/SE Campuses as of January 2006. The second area IRS
undertook was the task of rewriting the ATFR area office user component
to provide system flexibility that better replicates the realities of
the current trust fund investigation/proposal process. The enhanced
rewrite has been delivered and is in production testing. Training is
scheduled to begin in June 2006 with a complete nationwide deployment
by the end of fiscal year 2006. IRS continues to monitor the accuracy
and effectiveness of the TFRP process and all corrective actions
already in place;
Per GAO: Open. We will continue to review IRS's initiatives to improve
posting of TFRP cases and monitor trust fund recovery penalty
processing timeliness as part of our fiscal year 2006 audit.
Count: 7;
ID. No.: 99-22;
Recommendation: Expand IRS's current review of service center deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly over-stamping checks made out to the "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls. (short-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Per IRS: Closed. The guidelines in the Fiscal Year 2003 Operating
Procedures for TACs for safeguarding receipts in locked containers and
over-stamping checks made payable to IRS were incorporated into the IRM
in June 2003. The requirement for over-stamping checks made payable to
the IRS has been emphasized. Operational reviews by Field Assistance
Headquarters are planned to ensure adherence to safeguarding of
receipts and over- stamping requirements. Employees have been
instructed to keep all containers locked that contain taxpayer data.
Each employee will be provided individual performance feedback
regarding any security violations. More frequent security reviews will
be conducted that include this and other areas relating to protection
of taxpayer data. Additional emphasis will be placed on development of
internal controls and the oversight and accountability of both
employees and managers within Field Assistance;
Per GAO: Open. While IRS has taken steps to address this
recommendation, the current response does not entail expansion of IRS's
service center security reviews and TAC operational reviews to the non-
W&I business units. During our fiscal year 2005 audit, we found several
instances where controls over safeguarding taxpayer receipts and
information at the SB/SE, the Large and Mid-Size Business (LMSB), and
Tax Exempt and Government Entities (TE/GE) field office units were not
effective. We will evaluate IRS's corrective actions during our fiscal
year 2006 audit.
Count: 8;
ID. No.: 99-25;
Recommendation: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes. (short-
term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Per IRS: Open. The CAP has been stopped due to budget cuts. The IRS has
decided to address this recommendation by enhancing the Service's
existing FMIS with a new database, the CDDB and the Interim Revenue
Accounting Control System (IRACS) used to support the financial audit.
The CFO has developed a business case and will pursue opportunities to
identify resources within the IRS's Information Technology budget to
fund this effort. The need to build an appropriate depth of experience
is still an immediate and ongoing issue. The IRS continues to examine
its resources to see if work can be realigned, and if existing
employees can be retrained. Contractor support is used to provide the
support and backup necessary for preparation of the compensating
procedures, pending implementation of the CDDB and the Customer Account
Data Engine (CADE). IRS is committed to supporting the funding of
contractor resources that are used for the financial statement audit.
This corrective action will be continually monitored;
Per GAO: Open. In fiscal year 2005, IRS continued to augment its own
resources with contractor support to produce auditable financial
statements. We will continue to assess IRS's actions during our fiscal
year 2006 audit.
Count: 9;
ID. No.: 99-29;
Recommendation: Develop the data to support meaningful cost information
categories and cost-based performance measures. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD- 99-196, Aug. 9,
1999);
Per IRS: Open. Integrated Financial System (IFS) Release 1, which was
implemented on November 10, 2004, includes a cost module that will
interface with program area management information systems. Both direct
and indirect resource cost data will be linked to the budget process
and the strategic planning goals of all business units. This will help
move IRS forward in transitioning to a performance-based organization.
Full cost accounting will not be realized until future releases, such
as Work Management, are implemented. An integrated Work Management
module would routinely provide a greater level of detail for costing
purposes. However, at present, all future releases are being
reevaluated based on funding availability and no future implementation
date has been established;
Per GAO: Open. We will follow up during future audits to assess IRS's
progress in implementing a cost-accounting system and populating it
with the cost information needed to support meaningful cost-based
performance measures.
Count: 10;
ID. No.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E
are being recorded as an asset when purchased. The ability to tie to
the detailed physical asset information and a fully integrated system
with subsidiary records will not be available until the IFS Asset
Management module is implemented. At present, all future releases are
being reevaluated based on funding availability and no future
implementation date has been established;
Per GAO: Open. IRS implemented the first release of the new IFS on
November 10, 2004, which allowed recording P&E as assets when
purchased. However, implementation of a property asset module that is
intended to generate detailed records for P&E that will reconcile to
the financial records is being deferred indefinitely due to funding
constraints. We will continue to monitor IRS's progress in implementing
subsequent IFS releases and the property asset module.
Count: 11;
ID. No.: 01-04;
Recommendation: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, and administrative support) as well as the expected
additional tax collections generated. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Per IRS: Open. Based on initial success with modeling technology, SB/SE
has initiated several other projects to build additional decision
analytical models to increase our ability to route cases to the
appropriate resource. These projects include the addition of external
credit scores and other internal data to build more robust models with
increased predictive power. These efforts will continue to help IRS
ensure that the right resources are devoted to the appropriate cases.
IRS has developed a corporate strategy for working collections cases.
The Collection Governance Board (consisting of executives from SB/SE
and W&I) was established in August 2005 to ensure inventory is balanced
and resources are expended appropriately;
Per GAO: Open. We will continue to review IRS's initiatives to manage
resource allocation levels for its collection efforts.
Count: 12;
ID. No.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Per IRS: Open. IRS has redeveloped the prior action plan to incorporate
the requirements of the revised OMB Circular No. A-123. The overall
action addresses untimely lien releases, including identification of
root causes and where they occur organizationally. ;
Per GAO: Open. During our fiscal year 2005 audit, we continued to find
delays in release of liens. We found 13 instances out of 59 cases
tested in which IRS did not release the applicable federal tax lien
within the 30-day statutory period. The time between the satisfaction
of the liability and release of the lien ranged from 36 days to 233
days. We will assess the impact of IRS's actions and continue to review
IRS's release of tax liens as part of our fiscal year 2006 audit.
Count: 13;
ID. No.: 01-12;
Recommendation: For (1) IRS's AUR and Combined Annual Wage Reporting
programs, (2) screening and examination of Earned Income Tax Credit
claims, and (3) identifying and collecting previously disbursed
improper refunds, use the best available information to develop
reliable cost-benefit data to estimate the tax revenue collected by,
and the amount of improper refunds returned to, IRS for each dollar
spent pursuing these outstanding amounts. These data would include (1)
an estimate of the full cost incurred by IRS in performing each of
these efforts, including the salaries and benefits of all staff
involved, as well as any related nonpersonnel costs, such as supplies
and utilities and (2) the actual amount (a) collected on tax amounts
assessed and (b) recovered on improper refunds disbursed. (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Per IRS: Open. Allocation methodology was reviewed and enhanced for
fiscal year 2006 and further refinements will be implemented each year.
The first year's data will be reviewed in fiscal year 2006 and a plan
developed for integrating cost data in decision making. The use of the
data will be tested in fiscal year 2007 with baseline data. However, to
achieve maximum benefit in decision making, several years' data will be
needed. As a result, the IRS will fully implement the use of cost
accounting data for resource allocation decisions in fiscal year 2008;
Per GAO: Open. During our fiscal year 2005 audit, IRS provided
information on the AUR program, including program results. Based on our
review of the information and discussions with IRS officials, we
determined IRS does not use the data to make decisions on the AUR
workload. In addition, IRS implemented a cost accounting module during
fiscal year 2005. However, management has not yet determined what the
full range of its cost information needs are or how best to tailor the
capabilities of this module to serve those needs. Also, IRS has not yet
implemented a related workload management system intended to provide
the cost module with detailed personnel cost information. In addition,
as noted by IRS, because it generally takes several years of historical
cost information to support meaningful estimates and projections, IRS
cannot yet rely on this system as a significant planning tool. We will
continue to followup on IRS's progress on this issue during our fiscal
year 2006 audit.
Count: 14;
ID. No.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E
and leasehold improvements are recorded as assets when purchased.
However, amortization will remain a manual process. The ability to tie
the detailed physical asset information and a fully integrated system
with subsidiary records will not be available until the Asset
Management module is implemented. At present, all future releases are
being reevaluated based on funding availability and no future
implementation date has been established;
Per GAO: Open. IRS implemented the first release of the new IFS on
November 10, 2004, which allowed recording leasehold improvements as
assets when purchased. However, implementation of a property asset
module that is intended to generate detailed records for P&E that will
reconcile to the financial records is being deferred indefinitely due
to funding constraints. We will continue to monitor IRS's progress in
implementing subsequent IFS releases and the property asset module.
Count: 15;
ID. No.: 01-18;
Recommendation: Implement procedures and controls to ensure that
expenditures for P&E are charged to the correct accounting codes to
provide reliable records for expenditures as a basis of extracting the
costs for major systems and leasehold improvements. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO- 01-42, Nov. 17, 2000);
Per IRS: Closed. In IFS Release 1, implemented on November 10, 2004,
P&E and leasehold improvements are posted to the correct accounting
code at the time of purchase. IRS has improved the definitions of P&E
and has provided guidance on appropriate coding classifications to end
users. Routine control reviews have been established to ensure the
accuracy and appropriate coding of classifications;
Per GAO: Closed. IRS implemented the first release of IFS on November
10, 2004, which incorporated procedures to allow IRS to record the
majority of P&E additions in the appropriate general ledger accounts as
they occur. During our fiscal year 2005 audit, we found that IRS was
generally recording P&E transactions as they occurred, although we did
identify some new issues. See recommendation ID. No. 06-20.
Count: 16;
ID. No.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Source report: Management Letter: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-01-880R, July 30,
2001);
Per IRS: Open. IRS has developed guidance for costing reimbursable
agreements, which includes instructions on tracking labor. IFS Release
1, implemented on November 10, 2004, includes a cost module that will
interface with program area management information systems. Full cost
accounting will not be realized until future releases, such as Work
Management, are implemented. Actions will be initiated in fiscal year
2006 or fiscal year 2007 to begin gathering the real cost of certain
reimbursable projects. At present, future releases are being evaluated
based on funding availability and no future implementation date has
been established;
Per GAO: Open. We confirmed that IRS has procedures for costing
reimbursable agreements that provide the basic framework for the
accumulation of both direct and indirect costs at the necessary level
of detail. IRS plans to implement these procedures over several years
as it phases in various program area management information systems
that will provide critical information to its new cost accounting
system. However, as indicated by IRS, these systems have not yet been
scheduled for implementation. We will continue to monitor IRS's efforts
to fully implement its cost accounting system and, once it has been
fully implemented, evaluate the effectiveness of IRS procedures for
developing cost information for its reimbursable agreements.
Count: 17;
ID. No.: 02-01;
Recommendation: Implement policies and procedures to record
capitalizable acquisition costs for P&E, capital leases, leasehold
improvements, and major systems in the appropriate P&E general ledger
accounts as transactions occur. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Per IRS: Closed. In IFS Release 1, implemented on November 10, 2004,
property and equipment are recorded as assets when purchased;
Per GAO: Closed. IRS implemented the first release of IFS on November
10, 2004, which incorporated procedures to allow IRS to record the
majority of P&E additions in the appropriate general ledger accounts as
they occur. During our fiscal year 2005 audit, we found that IRS was
generally recording P&E transactions as they occurred, although we did
identify some new issues. See recommendation ID. No. 06-20.
Count: 18;
ID. No.: 02-08;
Recommendation: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Per IRS: Open. IRS agreed with the objective of this recommendation,
which is to allow it to collect and report the full payroll costs
associated with its activities. While IRS indicated that most of its
employees already itemize their time charges in functional tracking
systems, it has acknowledged that full implementation of the IFS cost
accounting module is required to close this recommendation. IFS Release
1, implemented on November 10, 2004, includes requirements for a cost
module that will be interfaced with program area management information
systems. Both direct and indirect resource cost data can be linked to
the budget process and the strategic planning goals of all business
units. This will help move IRS forward in transitioning to a
performance-based organization. Full cost accounting will not be
realized until future releases, such as Work Management, are
implemented. At present, all future releases are being reevaluated
based on funding availability and no future implementation date has
been established;
Per GAO: Open. We confirmed that IRS employees continue to use
functional tracking (workload management) systems to itemize and track
their time charges. However, this recommendation remains open because
its objective is to allow IRS to collect and report the full payroll
costs associated with its activities. During our fiscal year 2005
audit, we continued to find that the functional tracking systems are
insufficient for this purpose because they do not interface with each
other or the general ledger to allow management to use them to readily
accumulate the time charged to specific projects.
Count: 19;
ID. No.: 02-09;
Recommendation: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Per IRS: Open. The IFS, Release 1, implemented on November 10, 2004,
includes a cost module that is interfaced with program area management
information systems. Both direct and indirect resource cost data can be
linked to the budget process and the strategic planning goals of all
business units. This helps move IRS forward in transitioning to a
performance- based organization. Full cost accounting will not be
realized until future IFS releases, including Work Management, are
implemented;
Per GAO: Open. We confirmed that the IRS plans include requirements
that meet the objectives of this recommendation;
however, IRS has indefinitely delayed the implementation of these
requirements. IRS's plans to implement these requirements are expected
to be executed over several years as IRS phases in various program area
management information systems that will provide critical information
to the cost accounting system. We will continue to monitor the progress
of IRS's efforts to address this issue.
Count: 20;
ID. No.: 02-14;
Recommendation: Develop policies and procedures to require that IRS and
lockbox employees performing final candling record receipts in a
control log at the time of discovery, recording at a minimum the total
number of payments found, the amount of each payment, and the taxpayer
who submitted the payment. (short- term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Per IRS: Closed. The 2005 Lockbox Processing Guidelines (LPG),
Documentation of Items Found in Candling (Form 9535), directs the
responsible manager to initial Form 9535 every day for each shift. An
entry must be made each shift, whether or not items have been found. A
manager will initial Form 9535 to validate all of the following: (1)
all available information is correctly entered;
(2) items found have been reconciled with Form 9535 entries;
(3) items have been correctly categorized as processable or
unprocessable;
(4) all processable work has been cleared after each shift, i.e., the
work has been put back into the stream of work;
and (5) the received date has been entered correctly. Only Form 9535
will be used for documenting items found during candling. IRM
3.10.72.6.2 provides the following guidance for the campuses:
Management shall maintain Form 13592 Candling Log - Receipt and Control
(R&C) Discovered Remittances to record remittances found in final
candling. An employee designated by management will immediately record
these items into the final candling log. In addition, management shall
initial the log to validate that all available information is correctly
entered and ensure that all remittances listed on the log are brought
to the deposit function on a daily basis. The National Office
redesigned the Form 13592 candling log that records, at a minimum, the
total number of payments found, the amount of each payment, and the
taxpayer who submitted the payment;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated its candling procedures in the LPG and IRM to include the
recording of receipts in the control log at the time of discovery.
Count: 21;
ID. No.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Per IRS: Open. Field Assistance has implemented in TACs, where staffing
permits, the review of Form 795 and all supporting documents for
accuracy by someone other than the recipient of the funds before they
are transmitted to the SPCs. Additional procedures are being explored
to determine a process for mitigating the circumstances that prevent
proper segregation of duties in those TACs with limited staffing.
Additional emphasis will be placed on development of internal controls
and the oversight and accountability of both employees and managers
within Field Assistance;
Per GAO: Open. During our fiscal year 2005 audit, we found a lack of
segregation of duties related to the preparation, review, and/or
reconciliation of Form 795 at six of the eight TACs we visited. At
three of these TACs, at times only one employee is present to carry out
the functions of the office. At another TAC, there was no evidence that
the Form 795 was reconciled by an employee other than the employee who
received the payment from the taxpayer and recorded it on the Form 795.
At this same TAC, we observed two instances where employees did not log
information onto the Form 795 upon receipt. At the fifth TAC, the
employee responsible for receiving and recording payments on the
control log did not receive an independent reconciliation of the
payments before they were mailed to the SCC for further processing. At
the sixth TAC, one employee retrieved all the checks from the locked
container and logged all the checks received onto a Form 795 and sent
them to the SCC without a supervisor or designee review. We will
evaluate IRS's corrective actions during our fiscal year 2006 audit.
Count: 22;
ID. No.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Secure Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Per IRS: Closed. In July 2005, NFC demonstrated (first time) a Web
version of SETS and more IRS requirements are to be accommodated in
that system;
a meeting is slated for early 2006 between IRS and NFC. Also, IRS/NFC
dialogue continues to ensure that data flows are timely and accurate,
reconciliations and error adjustments regularly occur, and monthly NFC
reports are reviewed and analyzed by IRS. Agency-Wide Shared Services
(AWSS) continues to monitor SETS reports for each pay period and
coordinates with employment offices when corrections are needed. IRS
and NFC continue to engage on-going discussions on reconciliations and
error adjustments as needed. NFC controls the time table for deploying
a Web version of SETS;
however, no time table has been set and no meetings are being convened;
Per GAO: Open. During our fiscal year 2005 audit, we continued to find
technical limitations in IRS's SETS database. The corrective actions
cited by IRS were subsequent to our fieldwork for the fiscal year 2005
audit. We will evaluate the effectiveness of these actions during our
fiscal year 2006 audit.
Count: 23;
ID. No.: 03-02;
Recommendation: Establish and document guidelines and procedures in IRS
policy and procedure manuals for implementing the new penalty provision
for lockbox banks to reimburse the government for direct costs incurred
in correcting errors made by lockbox banks. (short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. IRS and the Financial Management Service (FMS)
prepared a reimbursement process. The procedures include the use of a
special Lockbox Program code to delineate IRS rework costs as a result
of errors made by the lockbox sites. The Lockbox Policy Reimbursement
procedures are included in the 2005 LPG under LPG 2.1.9 and 2005
Lockbox Processing Procedures under IRM 3.0.230.9.3;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS had incorporated reimbursement procedures in the 2005 LPG.
Count: 24;
ID. No.: 03-07;
Recommendation: Revise the guidance used for compliance reviews so it
requires reviewers to (1) determine whether lockbox contractors, such
as couriers, have completed and obtained favorable results on IRS
fingerprint checks and (2) obtain and review all relevant logs for cash
payments and candled items to ensure that all payments are accounted
for. (short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. IRS updated the security check sheet in January 2004
to instruct reviewers to determine whether contractors have completed
and obtained favorable fingerprint results and to review all relevant
logs for cash payments and candling logs. In order to ensure compliance
to the LPG requirements, an IRS and FMS task group developed a
performance measures process to include a category for security
(Courier, Physical, Remittance) that was implemented in October 2005.
This process which was piloted in 2005 and implemented in January 2006
uses a data collection instrument (DCI) check sheet that lists by line
item the requirements as outlined in the LPG. It is used as a tool to
identify varying levels of performance and provide incentives and
disincentives based on those levels of performance. This helps the
IRS/FMS Security staff ensure compliance with the LPG requirements.
Additionally, an internal control review is included in the reviews
performed quarterly by the Lockbox coordinators;
Per GAO: Closed. During our fiscal year 2005 audit, we verified the
lockbox coordinator's on-site review check sheet included the
requirement to ensure that the cash and candling logs are being kept
and updated daily and that contractors have completed and obtained
favorable results on IRS fingerprint checks.
Count: 25;
ID. No.: 03-08;
Recommendation: Assign individuals, other than the lockbox
coordinators, responsibility for completing on-site performance
reviews. (short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. IRS Lockbox Field Section, IRS Policy & Procedures
Section, and FMS are responsible for conducting their own on-site
performance reviews during peak season at each Lockbox site. DCIs are
used by the IRS Field Coordinators to review Lockbox processing
requirements and processing internal controls. DCIs are also used by
IRS Policy & Procedures Section in conjunction with IRS Mission
Assurance and FMS Security to review courier, physical, and personnel
security. FMS and IRS Policy and Procedures Section also use a check
sheet to review various processing/security requirements during peak
processing. DCI processing reviews are also completed daily at each IRS
SPC by SPC staff after the work is received from the lockbox. The on-
site DCI processing and security reviews and the SPC reviews are
incorporated into the Bank Performance Standards scorecards. The
scorecards are signed by both IRS and FMS management prior to being
issued to each Lockbox site under an FMS cover letter. In addition,
peak trip reports are completed jointly by the IRS and FMS personnel on
site. These trip reports assess the banks performance by categories
such as deliverables, FMS cash management cash flow, mail, processing,
remittance security, and staffing. This report is used to capture any
observations that may or may not have been covered on the various DCIs.
The combination of these reviews serves as the checks and balances of
the program. While the Field Coordinators remain responsible for the on-
site processing review, these reviews constitute only a portion of the
overall assessment of each lockbox site;
Per GAO: Closed. We issued this recommendation in January 2003 when the
lockbox coordinators were the only individuals responsible for
conducting the performance reviews and at that time these reviews were
not being performed because of competing demands. Over the years, IRS
and FMS have increased their oversight of the lockbox bank program with
various performance and compliance reviews. These reviews include peak
season trip reports and annual security reviews conducted jointly by
IRS and FMS staff. In addition, IRS has implemented a scorecard system
performed, reviewed, and signed by both IRS and FMS that incorporates
the results of the reviews. These procedures collectively satisfy the
objective of this recommendation.
Count: 26;
ID. No.: 03-10;
Recommendation: Require lockbox management to ensure that guards are
responsive to alarms and that IRS take steps to monitor adherence to
this requirement. (short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. To provide more emphasis on security, the Lockbox
Security Guidelines (LSG) is no longer included in the LPG. Beginning
in 2006 LSG is a separate document. LSG 2.2.2.4(7) requires that "Bank
management is ultimately responsible for access control and procedures
for ensuring only authorized personnel are granted access to the
processing floor. Bank management must be involved in the day to day
access control process. This responsibility cannot be delegated (e.g.,
to temporary agency personnel, security guards, third parties)." LSG
2.2.3.1 (7) provides the requirements for guards to respond to alarms.
The Security Team performs alarm testing and evaluates guards'
responses to alarms during their on-site security reviews. Security
Performance Measures (effective January 2006) were developed to measure
and rate each site's overall adherence to security guidelines and
provides incentives/disincentives accordingly. Mission Assurance and
FMS Security staff supports the Lockbox Policy and Procedures Program
Office in conducting security reviews. Reviews rate each site's
compliance to physical, personnel, courier, and information technology
(IT) security;
Per GAO: Closed. We verified that the LSG requires lockbox bank
management to ensure that guards are responsive to alarms.
Additionally, we verified that Security Performance Measures are in
place to measure and rate each lockbox bank's overall adherence to
security guidelines.
Count: 27;
ID. No.: 03-15;
Recommendation: Require lockbox management to ensure that envelopes are
properly candled and that IRS take steps to monitor adherence to this
requirement. (short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. Effective October 2005, candling reviews are conducted
at all Lockbox sites to ensure that all candling requirements are being
met. These internal control reviews ensure that envelopes opened
(manually or by OPEX) on three or more sides are candled once and that
envelopes other than the ones opened on three or more sides are candled
twice. The results of these reviews are used to calculate each bank's
score in the new bank performance measurement process. The Processing-
Internal Controls (PIC) DCI that included the new candling review was
first performed by Lockbox Field Coordinators at Individual Master File
(IMF) lockbox sites during on-site reviews in October 2005 and at
Business Master File (BMF) sites in November 2005. This element is now
part of the Lockbox Performance Scorecard Measures;
Per GAO: Open. During our fiscal year 2005 audit, we found instances at
one lockbox bank where employees did not properly candle envelopes.
However, the candling reviews planned by IRS were implemented
subsequent to the completion of our fiscal year 2005 fieldwork. We will
evaluate the effectiveness of these reviews during our fiscal year 2006
audit.
Count: 28;
ID. No.: 03-17;
Recommendation: Require lockbox management to ensure that returned
refund checks are restrictively endorsed immediately upon extraction
and that IRS take steps to monitor adherence to this requirement.
(short-term);
Source report: Lockbox Banks: More Effective Oversight, Stronger
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003);
Per IRS: Closed. The requirement to ensure that returned refund checks
are restrictively endorsed immediately upon extraction was previously
listed in Section 3.2.1 of the 2002 LPG issued January 1, 2002, as well
as the 2003 (revised April 8, 2003) and 2004 LPG, issued December 1,
2003. During the on-site security reviews, IRS and FMS security teams
reviewed adherence to this requirement. Additionally, adherence to this
requirement is evaluated during the daily SPC quality reviews;
Per GAO: Closed. During our fiscal year 2005 audit, we did not identify
any instances where returned refund checks at the lockbox banks were
not restrictively endorsed upon extraction.
Count: 29;
ID. No.: 03-29;
Recommendation: Confirm with FMS that IRS's requirements for background
and fingerprint checks for courier services are met regardless of
whether IRS or FMS negotiates the service agreement. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-03-562R, May 20, 2003);
Per IRS: Closed. On October 7, 2002, FMS issued an amendment to the
Courier Memorandum of Understanding (MOU), which included the
requirement that all courier employees satisfy the basic investigation,
including a Federal Bureau of Investigation fingerprint and name check.
All 10 IRS campuses now have a contact responsible for submitting
paperwork to the National Background Investigations Center (NBIC) and
ensuring courier employees are granted clearance. On April 10, 2003,
IRS requested that NBIC provide a monthly status report of the campus
compliance to the W&I. The 2004 LPG (issued December 1, 2003) includes
guidelines for background investigations under Personnel Security in
Section 4.2;
all parties are adhering to these requirements. Compliance to the new
requirement will be reviewed during campus security reviews and/or
lockbox security reviews, and couriers are now required to have mid-
level investigations completed by NBIC prior to working for IRS and/or
a lockbox. A teleconference was held in September 2005 with FMS, the
Federal Reserve Banks (FRB), Treasury's General Account (TGA) Banks,
and Campuses. Continuing professional education (CPE) was conducted
with the Campus Deposit Managers, January 31 through February 1, 2006
to strengthen relationships with FMS and servicing depositories at
national and local levels;
also to foster understanding of IRS courier requirements and provide
guidance to the deposit managers. An IRS/FMS teleconference was held
with FRB officials and local;
Per GAO: Open. IRS's IRM and lockbox bank policies require that all
courier employees satisfy requirements for background and fingerprint
checks regardless of who negotiated the courier service agreement.
However, when we updated our review of courier contracts in March 2006,
we again found that one FMS-negotiated contract did not contain IRS's
requirements for background and fingerprint checks for courier
services. We will continue to evaluate the compliance of the 2006
courier agreements during our fiscal year 2006 audit.
Per IRS: Count30: depositories. Courier policies and procedures were
reinforced in IRM 3.8.45 with FRB and TGA bank offices and campus
deposit managers. The NBIC program manager participated in this
session;
Per GAO: Count30: [Empty].
Count: 30;
ID. No.: 03-32;
Recommendation: Prohibit the storage of employees' personal belongings
with cash payments and receipts at IRS's taxpayer assistance centers.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-03-562R, May 20, 2003);
Per IRS: Closed. In 2005, remittance training covering the procedures
for remittance processing was conducted for all TAC managers. The
requirement prohibiting storing personal belongings with taxpayer data
was reiterated. Operational reviews are planned by Field Assistance
Headquarters to ensure TACs adhere to required IRM procedures.
Additional emphasis will be placed on development of internal controls
and the oversight and accountability of both employees and managers
within Field Assistance;
Per GAO: Open. During our fiscal year 2005 audit, we identified an
instance at one TAC where an employee's personal belongings were stored
with taxpayer receipts. In addition, IRS's response does not
specifically address the prohibition of taxpayer payments (cash and non-
cash) with employees' personal belongings as stated in our
recommendation. We will continue to evaluate IRS's corrective actions
during our fiscal year 2006 audit.
Count: 31;
ID. No.: 03-33;
Recommendation: Revise its candling procedures to specify the precise
candling methods to be used based on the dimensions of the mail
processed and the extraction method used for both the first and the
final candling. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 03-562R, May 20, 2003);
Per IRS: Closed. Additional guidance was issued to Submission
Processing field employees on February 28, 2005, reinforcing the
importance of ensuring Submission Processing candling procedures and
policies are followed. IRM 3.10.72 has been revised to specify precise
candling methods, as well as specific illumination measures of light.
In addition, new requirements were implemented to turn large envelopes
that cannot be easily opened on all three sides, inside out. This
requirement is part of the campus monthly security reviews. All
findings are shared with SP field directors. Local management continues
to remind employees of the importance of candling of envelopes on a
regular basis through individual and group meetings to ensure
compliance with this requirement;
Per GAO: Closed. We verified that the IRM has been updated to provide
specific instructions regarding the candling processes for different
types of mail processed by service center campuses.
Count: 32;
ID. No.: 03-34;
Recommendation: Establish and implement procedures prohibiting a single
employee from performing the final candling in a remote location.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-03-562R, May 20, 2003);
Per IRS: Closed. IRM 3.10.72 has procedures prohibiting a single
employee from performing the final candling in a remote location. This
requirement is part of the campus monthly security reviews. All
findings are shared with SP field directors. Local management continues
to remind employees of candling requirements through individual and
group meetings to ensure compliance with this requirement;
Per GAO: Closed. We verified that IRS had established and implemented
procedures prohibiting a single employee from performing final candling
in a remote location. In addition, we did not identify any instances in
which final candling were performed by only one individual.
Count: 33;
ID. No.: 03-40;
Recommendation: Communicate in writing any potential changes in IRS's
certification process to other Treasury entities that use the
certification information, and obtain concurrence from these entities
prior to implementing such changes. (short-term);
Source report: Management Report: Improvements Needed in Controls over
IRS's Excise Tax Certification Process (GAO-03-687R, July 23, 2003);
Per IRS: Closed. An MOU was signed December 15, 2004, by the Chairman,
Excise Tax Trust Fund Working Group. The IRS Treasury Excise Tax Trust
Fund Working Group MOU established a process of recording minutes of
the Working Group meetings in order to document issues related to trust
fund certification procedures/ processes and proposed or passed
legislative changes impacting trust fund investments. Recording of
minutes will be taken by a representative of Treasury member offices or
bureaus on a rotating basis. Draft minutes will be shared with all
participants for concurrence prior to final approval and distribution.
IRS will discuss and make a presentation to advise the members of any
changes to the trust fund certification process;
Per GAO: Closed. We verified that the Treasury Excise Tax Trust Fund
Working Group signed a resolution to establish a process for
documenting issues related to IRS's trust fund certifications. Our
review shows the Treasury Excise Tax Working Group has established a
process of recording and distributing minutes of the Working Group
meetings in order to document issues related to trust fund
certification procedures/ processes including procedural or legislative
changes impacting trust fund investments.
Count: 34;
ID. No.: 04-01;
Recommendation: Require lockbox bank managers to maintain appropriate
documentation on-site demonstrating that satisfactory fingerprint
results have been received before contractors are granted access to
taxpayer receipts and data. (short- term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. To provide more emphasis on security, LSG (2.5)
requires appropriate documentation for couriers and guards before they
are granted access to taxpayer receipts. To ensure compliance with the
LSG, IRS/FMS Security has included this as a review item during their
security reviews;
Per GAO: Closed. We verified that the LSG does include a requirement
that lockbox managers maintain documentation on- site demonstrating
that satisfactory fingerprint results have been received before
contractors are granted access to taxpayer receipts and data. During
our fiscal year 2005 audit, we did not identify any instances in which
contractors were granted access to taxpayer receipts and data without
having satisfactory fingerprint results on file at the lockbox banks
that we visited.
Count: 35;
ID. No.: 04-02;
Recommendation: Revise its policy on two- person courier teams to
prohibit the use of courier teams consisting of closely related
individuals to further minimize the risk of collusion in the theft of
taxpayer receipts and data. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. On February 14, 2005, the 2005 LPG was updated and
reinforced current courier requirements with an addendum entitled
"Courier's Additional Disclosure Statement." Each courier is required
to complete and sign the disclosure, affirming that they are not to
travel with an immediate family member. In addition, each courier is
required to list the name and relationship of each family member
residing in the same domicile that also performs courier duties for the
IRS. The disclosure statement is updated annually and maintained in the
personnel file. Starting in July 2005, during the onsite reviews, the
IRS/FMS Security Team began reviewing the disclosure statements to
ensure adherence to this requirement;
Per GAO: Closed. We confirmed that IRS updated its policy on two-person
courier teams for lockbox banks as reflected in the revised LPG.
Additionally, we identified no instances in which two-person courier
teams consisted of closely related individuals during our fiscal year
2005 testing at the four lockbox banks and four service center campuses
that we visited.
Count: 36;
ID. No.: 04-03;
Recommendation: Develop procedures to require lockbox managers to
provide satisfactory evidence that managerial reviews are performed in
accordance with established guidelines. At a minimum, reviewers should
sign and date the reviewed documents and provide any comments that may
be appropriate in the event their reviews identified problems or raised
questions. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. Effective October 1, 2005, IRS established a new DCI
review entitled "Processing-Internal Controls." During on-site reviews,
the following logs are required to be reviewed: desk and work area,
date stamp, cash, candling, shred, and mail. The results of these DCI
reviews are rolled into a calculation to determine each bank's score in
the new bank performance measurement process. In addition, lockbox
personnel are required to perform reviews of the desk and work area,
cash, candling, and shred logs. A monthly report for each review must
be sent to the Lockbox Field Coordinator on the fifth business day of
the month following the review. The report must contain the following:
date of review, shifts reviewed, results of the review (even when no
items are found), and reviewer's and site manager's initials and/or
signature as required by the LPG. To further strengthen this internal
control, effective June 1, 2006, additional review of the monthly
reports (F9535/Discovered Remittance, candling log, disk checks/audits,
and shred) received from the lockbox site will be performed by the
Lockbox Field Coordinators. Specific check points will be added to the
"Monthly Reports" DCI that is a part of the Procedural DCI performed at
the SPC. In addition to confirming the receipt and timeliness of the
reports, coordinators will review the reports to ensure they are
completed per the LPG requirements and that all required management
signatures/initials are present to provide satisfactory evidence that
the managerial reviews are performed;
Per GAO: Open. During our fiscal year 2005 audit, we verified that the
LPG and LSG instruct the lockbox bank managers to perform numerous
managerial reviews and to provide evidence that the reviews were
performed. However, at two of the four lockbox banks we visited, we
found that satisfactory evidence was not always provided to validate
that these reviews were performed in accordance with established
guidelines. In addition, IRS's corrective actions addressing
documentation of required reviews occurred subsequent to our fiscal
year 2005 fieldwork. We will evaluate IRS's corrective actions during
our fiscal year 2006 audit.
Count: 37;
ID. No.: 04-04;
Recommendation: Revise candling procedures at lockbox banks to require
testing of automated candling machines at appropriate intervals, taking
into account factors such as use time, volume processed, machine
requirements and shift cycles. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. Lockbox Policy and Procedures staff assessed the
candling procedures and determined that current technologies are not
exempt from the candling requirement and added to the 2005 LPG section
3.2.8(1) that envelopes opened (either manually or by OPEX equipment)
on three or more sides must be candled once on the candling tables.
Thus, the requirement to keep tests and logs is not necessary. All
other envelopes must be candled twice on the candling tables;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
the LPG requires that envelopes opened (either manually or by OPEX
equipment) on three or more sides must be candled one additional time
on the candling table. This change and IRS's assessment that current
technologies are not exempt from the two candling requirement satisfies
the objective of our recommendation.
Count: 38;
ID. No.: 04-05;
Recommendation: Require lockbox managers to maintain a log of these
tests and to periodically review their logs. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. Lockbox Policy and Procedures staff assessed the
candling procedures and determined that current technologies are not
exempt from the candling requirement and added to the 2005 LPG section
3.2.8(1) that envelopes opened (either manually or by OPEX equipment)
on three or more sides must be candled once on the candling tables.
Thus, the requirement to keep tests and logs is not necessary. All
other envelopes must be candled twice on the candling tables;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
the LPG requires that envelopes opened (either manually or by OPEX
equipment) on three or more sides must be candled one additional time
on the candling table. This change and IRS's assessment that current
technologies are not exempt from the two candling requirement satisfies
the objective of our recommendation.
Count: 39;
ID. No.: 04-07;
Recommendation: Develop procedures to enhance adherence to existing
instructions on safeguarding discovered remittances at SCCs. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. In 2003, IRM 3.8.46, Discovered Remittances, was
issued and 10,000 copies were distributed to all campuses. Form 4287
(Record of Discovered Remittances) was revised to enhance adherence to
existing instructions by including a check box for managers to indicate
the reconciliation was performed. Additionally, Submission Processing
revised the monthly security checklist to include a review of the
discovered remittance procedures. A Discovered Remittances Job Aid was
added to IRM 3.8.46 on January 26, 2005 via the SP Web site. The job
aid and a PowerPoint presentation were added to the SP Web site again
in August 2005;
Per GAO: Open. We verified that the IRM contains a discovered
remittances job aid to be used for recording discovered remittances.
However, during our fiscal year 2005 audit we found that two of the
four SCCs we visited did not adhere to the IRM procedures for securing
discovered remittances. We will evaluate IRS's corrective actions
during our fiscal year 2006 audit.
Count: 40;
ID. No.: 04-08;
Recommendation: Enforce its policies and procedures to ensure that SCC
security guards respond to alarms. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Open. Mission Assurance revised policies and procedures in IRM
1.16.12, to require the following: (1) self- assessments which test
response capabilities of guards to alarms. Mission Assurance
implemented a self-assessment tool in October 2004 which is used to
test response capabilities relating to alarm activation;
(2) monthly, unannounced alarm tests at all campuses and computing
centers;
(3) mandatory reporting of the monthly alarm test results to the office
of Physical Security and Emergency Preparedness (PSEP);
(4) review of the monthly test results by the PSEP office, ensuring
that the results are in compliance with IRM requirements, and if not,
providing feedback for improvements;
and (5) annual security exercises at each facility to test alarm
responses;
Per GAO: Open. During our fiscal year 2005 audit, we continued to find
weaknesses in IRS's enforcement of policies and procedures to ensure
that SCC security guards respond to alarms. We identified instances at
two of four SCCs visited during our fiscal year 2005 audit in which
guards either did not respond or did not respond timely to our tests of
door alarms. IRS's implementation of new procedures to address guard
response issues occurred subsequent to the end of our fiscal year 2005
audit fieldwork. We will evaluate IRS's corrective actions during our
fiscal year 2006 audit.
Count: 41;
ID. No.: 04-09;
Recommendation: Establish compensating controls in the event that
automated security systems malfunction, such as notifying guards and
managers of the malfunction, and immediately deploying guards to better
protect the processing center's perimeter. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. Mission Assurance developed alarm testing procedures
which are used to supplement the requirements in IRM 1.16.12. The IRM
and supplemental procedures require the notification of local
management whenever there is a malfunction of alarms. The procedures
also require that guards are deployed or doors are secured, as
necessary, either during tests or when otherwise identified. The
contract guard force project manager is required to sign off on all
unannounced alarm test reports. Test results are maintained by the PSEP
office;
Per GAO: Open. IRS indicates in its response that compensating controls
have been developed and implemented in the event that automated
security systems malfunction. However, from our review of the IRM and
the compensating controls used in conjunction with the IRM, we did not
identify any procedures outlining specific controls to be employed
should automated security systems malfunction or be taken out of
service for any period of time. We will evaluate IRS's corrective
actions during our fiscal year 2006 audit.
Count: 42;
ID. No.: 04-15;
Recommendation: Until the Business Performance Management System (BPMS)
is fully operational, implement procedures to ensure that all
performance data reported in the MSP report are subject to effective,
documented reviews to provide reasonable assurance that the data are
current at interim periods. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004);
Per IRS: Closed. IRS has taken steps to ensure that the performance
measures data reported in the monthly report are properly reviewed
before being published. All divisions now submit most of their
performance measures data directly to BPMS. The divisions are required
to verify/certify the accuracy of the data before uploading to BPMS.
Corporate Performance Budgeting staff implemented additional manual
quality control procedures that include reviewing all tables, charts,
and line graphs and visually inspecting the numbers and comparing the
information to the previous month's report for consistency. In
addition, IRS is working with Treasury to streamline its current set of
performance measures. Its purpose is to increase the value of the
information provided to stakeholders, focus priorities, and reduce
administrative burden;
Per GAO: Open. In fiscal year 2005, we continued to find errors in
IRS's interim performance measures data at interim periods. GAO will
continue to monitor IRS's progress in this area during our fiscal year
2006 financial audit.
Count: 43;
ID. No.: 05-01;
Recommendation: Expedite efforts to resolve the backlog of unpostable
liens, releasing liens as appropriate. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Closed. IRS conducted a review of the unpostable accounts
during the period, October 31, 2005, to November 4, 2005. The remaining
1,500 accounts were resolved by May 31, 2005. Inventories are current
and being resolved in a timely manner;
Per GAO: Closed. We verified that IRS had resolved the backlog of
unpostable liens. IRS's Centralized Case Processing/ Lien Processing
Unit at the Cincinnati Campus is researching and resolving unpostable
liens weekly. We reviewed IRS's report of unpostable liens from
February and March 2006 and determined there was no current backlog.
Count: 44;
ID. No.: 05-02;
Recommendation: Keep current on all new unpostable liens. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Closed. IRS has been resolving new unpostables within 5 days
since June 2004. IRS conducted a review of the unpostable accounts
during the period, October 31, 2005, to November 4, 2005, which
verified inventories are current and being resolved in a timely manner;
Per GAO: Closed. Although IRS has not formally documented procedures in
the IRM for weekly resolution of unpostable liens, IRS officials of the
Centralized Case Processing / Lien Processing Unit told us that they
research and resolve unpostable liens weekly. We reviewed six weekly
reports of unpostable liens from February through March 2006 and
determined that IRS was keeping current on new unpostable liens.
Count: 45;
ID. No.: 05-03;
Recommendation: Research and resolve the current backlog of unresolved
unmatched exception reports. (short- term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Open. Managers and employees have received training on the
entity portion of the Satisfied Module (SATMOD) Reject Report.
Resolution of the backlog will be conducted by the centralized site.
Anticipated time for resolution is being extended to May 2006 in order
to complete a workshop, compile the extract from the master file, and
establish a specific group of employees to work on the backlog;
Per GAO: Open. We will review the status of IRS's corrective actions as
part of our fiscal year 2006 audit.
Count: 46;
ID. No.: 05-04;
Recommendation: Research and resolve unmatched exception reports
weekly. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Open. IRS developed new procedures for working on the
unmatched exception reports. Accounts on the unmatched exception report
will be resolved by matching information between the master file and
the Automated Lien System (ALS). Timely report resolution is an
integral function of the Centralized Lien Unit, and time frames and
managerial oversight are built into report resolution processes.
Managers and employees have received training on the entity portion of
the reject report. Training will be ongoing as new employees are
assigned to the unit. IRM provisions require resolution of rejected
accounts within 5 business days. Managers will monitor timeliness and
will report weekly on the outstanding inventory. SB/SE has started
working on the cumulative listings;
however, additional time is needed to complete the listings. Collection
Policy will conduct an onsite review in fiscal year 2006;
Per GAO: Open. According to IRS officials we contacted in March 2006,
IRS anticipates completing this review in June 2006. We will continue
to review the results of IRS's quality review as part of our fiscal
year 2006 audit.
Count: 47;
ID. No.: 05-05;
Recommendation: Provide training to designated staff on how to resolve
exception reports. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Closed. Managers and employees have received training on the
resolution of the restricted interest portion of the SATMOD reject
report. IRS conducted a review during the period October 31, 2005, to
November 4, 2005. All current employees have received training.
Procedural changes are not required;
Per GAO: Closed. We verified that IRS had provided training to
designated staff on resolving exception reports.
Count: 48;
ID. No.: 05-06;
Recommendation: Research and resolve the current backlog of unresolved
manual interest or penalties reports. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Open. Managers and employees have received training on the
resolution of the manual computation portion of the reject report. IRM
provisions require resolution of the rejected accounts within 5
business days. Managers will monitor timeliness and will report weekly
on the outstanding inventory. The Collection Policy unit will conduct
an on-site review. Training will be given to all new employees as they
are assigned to the group. The revised anticipated completion date is
May 2006;
Per GAO: Open. According to IRS officials we contacted in March 2006,
IRS anticipates completing this action in May 2006. We will continue to
monitor IRS's efforts to address its backlog of exception reports
containing liens with manually calculated interest or penalties as part
of our fiscal year 2006 audit.
Count: 49;
ID. No.: 05-07;
Recommendation: Research and resolve exception reports containing liens
with manually calculated interest or penalties weekly, as called for in
the IRM and the ALS User Guide. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Closed. ALS receives a master file data extract listing
modules where liabilities have been fully paid. The data extract that
is matched against information in the ALS automatically releases liens
when there is a match. In the case of modules with restricted interest
or penalty, the module is placed on a report for manual processing. In
our review of 300 satisfied modules, we identified five cases with
additional restricted interest or penalties. The remaining amounts due
after computation were for very small amounts, less than $10. Based on
those reviews, we ascertained that these cases should receive systemic
release based on the status 12 information provided by master file and
verified by our review. Copies of the last four weekly extract
transmittals in March were reviewed to verify that there were no
restricted interest and penalty entries on the listing--confirming that
these cases have been systemically released;
Per GAO: Open. According to IRS, an internal study determined that the
dollar amounts of additional interest and penalties to be assessed on
cases with liens requiring manual calculations was not significant.
Consequently, IRS is in the process of revising the IRM to no longer
require the additional manual computation and assessment of interest
and penalties on such cases. In addition, IRS updated its computer
programs to automatically release liens once the current account
balance had been satisfied. IRS's actions are based on its
determination that the additional interest and penalty amounts are not
significant. We will review the results of IRS's internal analysis
during our fiscal year 2006 audit.
Count: 50;
ID. No.: 05-08;
Recommendation: Provide training to designated staff on how to resolve
exception reports containing accounts with manually calculated interest
or penalties. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Closed. IRS conducted workshops and provided training to
employees of the Centralized Case Processing Lien Teams. IRS conducted
an onsite review during the period, October 31, 2005, to November 4,
2005. Procedural changes are not required;
Per GAO: Closed. IRS created a special unit within the Centralized Case
Processing Lien Processing Unit at the Cincinnati Campus to resolve
accounts containing restricted interest and penalties. We verified that
IRS had provided training to staff in this unit for resolving exception
reports containing accounts with manually calculated interest and
penalties. Unit staff we interviewed understood these procedures.
Count: 51;
ID. No.: 05-09;
Recommendation: Improve the current unmatched exception report by
including a cumulative list of all unmatched taxpayer accounts that
have not been resolved to date. (short-term);
Source report: Opportunities to Improve Timeliness of IRS Lien Releases
(GAO-05-26R, Jan. 10, 2005);
Per IRS: Open. Requests for additional enhancements to cumulate the
reject report have been initiated. In the interim, area managers are
required to print and resolve reports based on IRM procedures.
Anticipated date of completion is January 2007;
Per GAO: Open. We will review IRS's corrective actions during future
audits.
Count: 52;
ID. No.: 05-10;
Recommendation: Revise the Accounts Management Mail Unit procedures,
scheduled to be incorporated into the IRM, to include detailed
instructions for (1) monitoring transshipped documents and (2) handling
cash receipts found during extraction. Where adequate guidance exists
elsewhere, IRS should include these through cross-references. (short-
term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar. 10, 2005);
Per IRS: Closed. IRM 3.10.72.12 and 3.10.203 were updated to include
detailed procedures for mail operations where Submission Processing no
longer has a presence. These instructions include monitoring
transshipped documents, safeguarding taxpayer receipts and information,
precise candling, and security requirements. The IRM also contains a
cross-reference to the handling of cash receipts;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated the IRM to include detailed procedures and cross-
references, where applicable, for mail operations for SCCs selected for
significant reductions in their submission processing functions.
Count: 53;
ID. No.: 05-11;
Recommendation: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at SCCs selected for significant reductions in
their submission processing functions. (short-term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar. 10, 2005);
Per IRS: Closed. IRS has enforced adherence to existing instructions on
safeguarding taxpayer receipts and information by including this
requirement in the monthly Campus Security Reviews. It is also reviewed
annually by the National Office Security Review Team at selected sites.
Local Management continually reinforces these requirements through
employee counseling and individual and group meetings with security
clerks to ensure procedures for issuance of badges, inventory of
badges, and security of taxpayer receipts and information. Meetings
have also been held to discuss candling procedures. Local management
also conducts weekly and monthly reviews to ensure adherence to these
procedures;
Per GAO: Open. IRS's corrective actions addressing enforcing adherence
to instructions on safeguarding receipts and information occurred
subsequent to our fiscal year 2005 fieldwork and will continue as
future SCCs are selected for significant reductions in their submission
processing functions. We will continue to evaluate IRS's corrective
actions during our fiscal year 2006 audit.
Count: 54;
ID. No.: 05-12;
Recommendation: Document a methodology for estimating anticipated rapid
changes in mail volume at future SCCs selected for significant
reductions in their submission processing functions, taking into
consideration factors such as the prior rampdown experience at
Brookhaven. (short-term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar. 10, 2005);
Per IRS: Open. IRS will use historical data obtained from the
Brookhaven Campus rampdown, and any other prior consolidations, to
develop and document a methodology for estimating future mail volumes.
This methodology will be used in future consolidations to ensure that
IRS has reliable data to effectively manage resources during and after
the consolidation period;
Per GAO: Open. We will evaluate IRS's efforts to develop and document a
methodology for estimating mail volume for future sites selected for
rampdown.
Count: 55;
ID. No.: 05-13;
Recommendation: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS has implemented steps to monitor and enforce the
requirements issued on September 29, 2003, on the issuance of ID cards
to contractors. This guidance requires that a letter from the NBIC
indicating successful completion of at least an interim background
investigation be received by the issuing office before a contractor can
be approved for staff-like access to IRS. The guidance further
stipulates that Physical Security staff would, at least every 6 months,
ensure that a re-certification had been received from the contracting
officer's technical representative (COTR) confirming the contractors'
need for continued staff-like access to the IRS facility. Additionally,
as part of the required records and accountability process, non-federal
photo ID cards are audited annually by the issuing office to reconcile
numerical and alphabetical files and ensure that ID cards have been
recovered upon separation or termination of the contract;
Per GAO: Open. IRS indicated that steps were taken in September 2003 to
monitor and enforce the requirement that appropriate background
investigations be completed for contractors before they are granted
staff-like access to service centers. However, our recommendation was
based on findings from our fiscal year 2004 audit, which occurred
subsequent to the issuance of IRS's guidance. As such, IRS's actions
are not sufficient to address the objective of this recommendation. We
will continue to evaluate IRS's enforcement, oversight, and
implementation of contractor background investigation policies during
our fiscal year 2006 audit.
Count: 56;
ID. No.: 05-14;
Recommendation: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. A Mission Assurance policy memorandum dated September
29, 2003, requires the COTRs to complete and submit a request form for
every contract employee. Implementation of the standardized form
assures that all required information is provided in order for the
contractor to receive its IRS photo ID card. The guidance requires a
copy of the letter from NBIC indicating successful completion of at
least an interim background investigation be attached to the request
form or no ID card will be issued. Both documents are maintained by the
issuing office;
Per GAO: Open. IRS's policies and procedures do not require that
documentation of the results of background checks for contractors be
maintained onsite at SCCs where contractors are allowed access to sites
containing taxpayer receipts and information. During our fiscal year
2005 audit, we found that one SCC did not always maintain this
information onsite.
Count: 57;
ID. No.: 05-15;
Recommendation: Require that courier contracts call for couriers to
submit contingency plans to lockbox banks. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS updated LPG 4.2.3.1, Courier Contingency Plan, on
January 1, 2005, to require that prior to implementation of the
contract, the courier service must provide the lockbox with a disaster
contingency plan. The contingency plan must cover labor disputes,
employee strikes, inclement weather, natural disasters, traffic
accidents, and unforeseen events;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated the LPG to require that courier service contractors must
provide the lockbox bank with a disaster contingency plan.
Count: 58;
ID. No.: 05-16;
Recommendation: Review lockbox bank courier contingency plans to help
ensure that they incorporate all contingencies specified in the LPG.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 05-247R, Apr. 27, 2005);
Per IRS: Closed. Contingency plans were provided by all lockbox sites
by March 31, 2005, and were part of the Filing Season Readiness (FSR)
Plan. LPG 4.2.3.1 states "the contingency plan must cover labor
disputes, employee strikes, inclement weather, natural disasters,
traffic accidents, and unforeseen events." The lockbox coordinators
reviewed the contingency plans to ensure that these issues were
addressed. The lockbox coordinators interpreted the contingency plans
to be complete;
for example, the coordinators may have viewed contingencies covering
natural disasters as sufficient to address inclement weather even
though the term "inclement weather" was not specifically stated in the
plan. GAO disagreed, citing continued areas of deficiencies. In
September 2005, the FMS/IRS Security Team conducted an additional
review of each site's courier contingency plans to ensure compliance.
Their review indicated that in order to increase consistency and ensure
the plans are clearly documented, strengthening of the contingency plan
requirements was necessary. The 2006 LSG 2.7 (1) and (2) includes
clarification of the requirements for the courier contingency plans.
Review of the contingency plans to ensure incorporation of all of the
requirements is now assigned to the IRS/FMS security team as part of
the on-site courier contingency review;
Per GAO: Closed. We verified that IRS and FMS jointly reviewed the
lockbox bank courier contingency plans and as a result included
language in the LSG clarifying that before courier contracts are
implemented, couriers must provide a disaster contingency plan to the
lockbox bank addressing specific contingencies.
Count: 59;
ID. No.: 05-17;
Recommendation: Revise the LPG to specify that courier contingency
plans be available at lockbox banks. (short- term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. LPG 4.2.3.1(1) was updated June 30, 2005, to state
that all banks must maintain a signed copy of the courier contingency
plan on-site;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS revised the LPG to specify that courier contingency plans be
available at lockbox banks.
Count: 60;
ID. No.: 05-18;
Recommendation: Review lockbox bank courier and shredding contracts to
ensure that they address all privacy-related criteria and include clear
reference to privacy-related laws and regulations. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. The LPG 4.2.3(2), was updated on January 1, 2005--
Courier Services--which requires lockbox banks to ensure all bonded
courier/armored car agreements address all privacy-related criteria and
include clear reference to privacy-related laws and regulations.
Effective January 1, 2006, in addition to the above requirement, the
LSG.2.17.6 (2)(a) added the requirement that all lockbox banks ensure
shred company contracts contain clear reference to the privacy-related
laws and regulations. In October 2005 the Lockbox Policy and Procedures
team reviewed and confirmed that all courier and shred contracts
contained all privacy related criteria. Banks must submit their
contracts to the Lockbox Policy and Procedures team for their review by
October 1 of each year. The courier contract is also reviewed by the
IRS/FMS security staff during the on-site courier security review;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
the courier and shredding contracts had the required privacy-related
language and related provisions set forth in the Privacy Act of 1974.
In addition, we verified that the LSG requires lockbox banks to ensure
that all bonded courier agreements contain privacy-related language and
reminds couriers of their responsibility to not disclose taxpayer
information.
Count: 61;
ID. No.: 05-19;
Recommendation: Revise the LPG to require that (1) lockbox couriers
promptly return deposit receipts to the lockbox banks following
delivery of taxpayer remittances to depositories and, (2) lockbox banks
promptly review the returned deposit receipts. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS Lockbox Policy and Procedures Section updated the
LPG on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS
Lockbox Bank Deposit Form --which requires the lockbox site to receive
back by the next business day the original completed Receipt for
Transport of IRS Lockbox Bank Deposit Form with the bank
representative's name and signature, date and time the deposit was
received by the depository;
and each day the lockbox site must reconcile the Receipt for Transport
of IRS Lockbox Bank Deposit Form(s) to ensure receipt of dedicated
service (e.g., the time between release to the courier and the release
to the bank is not in excess). If discrepancies are found, the lockbox
field coordinator should be notified immediately;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated the LPG to require that (1) lockbox couriers return, on the
next business day, deposit receipts to the lockbox banks following
delivery of the taxpayer remittances to depositories and (2) lockbox
banks promptly review, on a daily basis, the returned deposit receipts.
Count: 62;
ID. No.: 05-20;
Recommendation: Revise the LPG to require that deposit receipts for
taxpayer remittances be time-and date- stamped. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. The LPG was updated on January 1, 2005--LPG 4.2.3.1.8,
Receipt for Transport of IRS Lockbox Bank Deposit Form--to require the
courier service employee to return the form to the lockbox site on the
next business day, ensuring the following information is completed on
the form: the depository bank employee's name and signature, the date
the deposit was received by the depository, and the time the deposit
was received by the depository;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated the LPG to require that deposit receipts for taxpayer
remittances include the time and date of receipt by the depository
institution.
Count: 63;
ID. No.: 05-21;
Recommendation: Better enforce the LPG requirement that lockbox bank
couriers annotate the time of delivery on receipts for deposits of
taxpayer remittances. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox
Bank Deposit Form, was updated on January 1, 2005, to require lockbox
bank couriers to annotate the time of delivery of receipts for deposits
of taxpayer remittances. New Security Performance Measures have been
developed to measure and rate each site's overall adherence to security
guidelines and provides incentives/disincentives accordingly. Mission
Assurance and FMS Security support the Lockbox Policy and Procedures
Program Office in conducting security reviews. Reviews will rate each
site's compliance to physical, personnel, courier, and IT security.
Security Performance Measures is scheduled to be fully implemented by
January 2006. To further prepare for filing season each year, each bank
is now required to certify that they are adhering to security
guidelines;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS updated the LPG to require that couriers annotate the time of
delivery of receipts for deposits of taxpayer remittances. We did not
find any instances during our fiscal year 2005 testing in which the
courier did not annotate the time the courier received the deposit from
the bank personnel.
Count: 64;
ID. No.: 05-22;
Recommendation: Provide a written reminder to courier contractors of
the need to adhere to all courier service procedures. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. Effective January 1, 2006, the lockbox banks must
provide an annual memorandum to the courier contractor reminding them
that they must adhere to all of the courier service procedures in the
LSG. For the campuses, Service Center Accounting held a conference
(Deposit Manager's CPE on January 31, 2006) with FMS, the Federal
Reserve Banks, and the servicing TGA banks and reinforced all policies
and procedures governing the courier process as outlined in IRM 3.8.45;
Per GAO: Open. We verified that IRS's LSG requires lockbox banks to
issue an annual memorandum to courier contractors reminding them to
adhere to all courier service procedures in the LSG. However, this
memorandum had not been issued by the conclusion of our fiscal year
2005 fieldwork. We will evaluate IRS's corrective actions during our
fiscal year 2006 audit.
Count: 65;
ID. No.: 05-23;
Recommendation: Periodically verify that contractors entrusted with
taxpayer receipts and information off site adhere to IRS procedures.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. The Lockbox LSG requires that while transporting the
data from the lockbox facility, the courier vehicle used to transport
taxpayer data/remittances must be locked and secured (LSG 2.13), driven
directly to the destination (LSG 2.12) and the vehicle must always be
under the supervision of the courier (LSG 2.13). All couriers are
required to complete the same National Agency Check and Inquiry with
Credit Investigation (NACIC) as bank management officials. For specific
transport activities, deposit ticket and deposit transport timeframes
are reviewed as part of Lockbox Performance Measures;
Per GAO: Open. IRS's corrective actions do not address the intent of
this recommendation, which envisioned IRS testing courier compliance
through observations or similar methods. During our fiscal year 2005
audit, we found instances where couriers did not follow IRS policies
and procedures while transporting receipts and information. During our
observations of couriers en route, we continued to find instances where
couriers either made unauthorized stops before proceeding to the
depository institution or left the vehicle unattended while it
contained taxpayer receipts and information.
Count: 66;
ID. No.: 05-24;
Recommendation: Develop alternative, back-up plans that are consistent
with IRS courier policies and procedures to address instances in which
only one courier reports for transport of taxpayer receipts or
information, such as requiring that a service center or lockbox bank
employee accompany the courier to the depository. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. The 2005 LPG 4.2.3.1 "Courier Contingency Plan" was
updated on July 18, 2005 (effective Aug. 29, 2005) to include a plan
that ensures the security of receipts if courier requirements are not
met, or the courier contractor is unable to send suitable replacement
couriers in time to meet the bank's deposit deadline. Submission
Processing campuses submitted contingency plans in May 2005, which
outline what deposit managers are to do in the event that couriers are
unable to transport a deposit in the event of non- compliance with
contract requirements, vehicle breakdown, or other reasons. In
addition, the implementation of the Courier Daily Checklist in April
2005 has continued to work smoothly;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS had updated its LPG for lockbox banks and submitted contingency
plans for SCCs, which outline what to do in the event that couriers are
unable to transport a deposit in the event of noncompliance with
contract requirements.
Count: 67;
ID. No.: 05-25;
Recommendation: Formulate a policy to require that critical utility or
security controls not be located in areas requiring frequent access.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 05-247R, Apr. 27, 2005);
Per IRS: Open. Mission Assurance developed policy guidelines to address
protection of security or critical controls. Mission Assurance will
request transfer of this corrective action to W&I to coordinate with
the business operating divisions and Procurement to incorporate any
revised requirements into updated and future interagency agreements
with FMS;
Per GAO: Open. During our fiscal year 2005 audit, we verified that IRS
continues to develop guidelines to address protection of security of
critical controls. These corrective actions were not complete at the
conclusion of our fiscal year 2005 fieldwork. We will continue to
evaluate IRS's corrective actions during our fiscal year 2006 audit.
Count: 68;
ID. No.: 05-26;
Recommendation: Require lockbox bank management to position closed-
circuit television (CCTV) cameras to enable monitoring of secured areas
containing sensitive systems or controls. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. Mission Assurance has developed and incorporated a
CCTV evaluation matrix into the security review process ensuring that
critical areas and assets are monitored. Every camera is assessed
during the review. In addition, verbiage for the CCTV requirements is
being strengthened in W&I's new proposed LSG currently under
development. The LSG will require at least one camera monitor the main
utility feeds. Also, the LPG requires that the IRS security controls,
equipment, and utilities must be locked to prevent tampering and that
keys will be controlled and limited to authorized bank employees.
Mission Assurance will also include key and combination controls and
management as part of its review process at the banks;
Per GAO: Open. During our fiscal year 2005 audit, we found a sensitive
area in a lockbox bank that was not monitored by a camera. The
corrective actions planned by IRS had not been implemented at the
conclusion of our fieldwork. We will continue to assess IRS's
corrective actions during our fiscal year 2006 audit.
Count: 69;
ID. No.: 05-27;
Recommendation: Periodically monitor lockbox banks' adherence to the
LPG requirement that keys be kept in secured containers within the
secured perimeter. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 05-247R, Apr. 27, 2005);
Per IRS: Closed. The LSG was revised and published on January 1, 2006.
The LSG requires strict control of keys, panels, and access to rooms
and areas that contain facility utilities and controls. Lockbox banks
are monitored and reviewed to ensure compliance to the policy. The
Lockbox Physical Security Checklist includes checks to verify
compliance to the policy. Five lockbox reviews have been conducted
subsequent to publication of the LSG, and IRS has not observed any
instances of this finding at any of the sites reviewed;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS periodically monitored adherence to this requirement during its
lockbox bank security reviews.
Count: 70;
ID. No.: 05-28;
Recommendation: Assess technologies that may be exempt from the visual
inspection requirement to determine whether they are acceptable methods
of satisfying candling objectives and, if so, add such technologies to
the LPG list of accepted candling methods. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS Lockbox Policy and Procedures staff determined
that current technologies are not exempt from the candling requirement
and added to the 2005 LPG 3.2.8(1) that envelopes opened (either
manually or by OPEX) on three or more sides must be candled once on the
candling tables. All other envelopes must be candled twice on the
candling tables;
Per GAO: Closed. IRS's determination that current technologies are not
exempt from the candling requirement, and the additional LPG guidelines
added and verified by us during our fiscal year 2005 audit meets the
objective of this recommendation.
Count: 71;
ID. No.: 05-29;
Recommendation: Conduct an assessment of the costs and benefits of
relying on only one candling when using certain automated equipment.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. W&I determined that a cost benefit analysis was not
necessary because it previously assessed the candling function on the
automated equipment. To provide additional risk mediation, W&I revised
the LPG under section 3.2.8 (1) to require that envelopes opened
(either manually or by OPEX equipment) on three or more sides must be
candled once on the candling tables. W&I will monitor adherence during
site reviews;
Per GAO: Closed. IRS's determination that current technologies are not
exempt from the candling requirement and the additional LPG guidelines
added, and verified by us during our fiscal year 2005 audit meet the
objective of this recommendation.
Count: 72;
ID. No.: 05-30;
Recommendation: Clarify the LPG to eliminate confusion about the number
of candlings required for different extraction methods. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS updated the 2005 LPG 3.2.8, Candling, to require
that envelopes opened (either manually or by OPEX) on three or more
sides must be candled once on the candling tables. All other envelopes
must be candled twice on the candling tables;
Per GAO: Closed. We verified that IRS updated the LPG to clarify
requirements concerning the number of candlings.
Count: 73;
ID. No.: 05-31;
Recommendation: Establish guidelines and a testing requirement to
ensure satisfactory lighting conditions for effective candling. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRM 3.10.72.6.2 (2) (a) requires that all candling
equipment on both initial and final candling tables shall be adjusted
as necessary to maintain maximum envelope recognition. Maximum envelope
recognition is determined by the measurement of foot candles through
use of a light meter. Minimum reading on the light meter should be 174.
The testing of the candling equipment should be completed twice
annually for IMF sites and quarterly for BMF sites. Testing will be
completed prior to peak time-frames. Management or a designated
employee will complete the candling equipment review log to verify
lights are meeting minimum requirements. Light meters are available and
testing has been completed at all SPCs to ensure requirements are met.
Sorting table vendors have been contacted and are aware of this
requirement and are adjusting all new tables that are purchased to
ensure they are in compliance;
Per GAO: Closed. During our fiscal year 2005 audit, we verified that
IRS revised its IRM to include guidelines for testing lighting
conditions for candling equipment.
Count: 74;
ID. No.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed units
of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Open. IRS will establish a procedure(s) for SB/SE field office
units to track Document Transmittal forms and acknowledgments of
receipt of Document Transmittal forms. IRS will also strengthen
guidance to revenue officers and will develop procedures specifically
for its field clerical staff. IRS's procedures will clarify that
revenue officers are responsible for submitting an appropriately
labeled sealed envelope containing the Daily Report of Collection
Activity form to a designated clerical contact in the post of duty
(POD). This guidance will apply unless the revenue officers are working
away from the POD on extended field calls, flexiplace, or are working
in a single revenue officer POD. Those revenue officers will send the
envelope directly to Submission Processing;
Per GAO: Open. IRS's proposed corrective actions to this recommendation
have not been finalized and published in the IRM. We will continue to
monitor future developments in this area during our fiscal year 2006
audit.
Count: 75;
ID. No.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. In 2005, Remittance Training covering the procedures
for remittance processing was conducted for all TAC managers. The
requirement for including a document transmittal form listing the Daily
Report of Collection Activity forms in the transmittal package was
emphasized. Field Assistance headquarters began operational reviews on
February 28, 2006 to, among other things, ensure TAC adherence to
required IRM procedures. Additional emphasis was placed on development
of internal controls and the oversight and accountability of both
employees and managers within Field Assistance. Specifically, Field
Assurance headquarters began conducting operational reviews on February
28, 2006. The operational reviews include assessing their ability to
engage employees in process and program improvement, identifying best
practice ideas, ensuring elements of accountability and responsibility
are clearly communicated at each level, and assessing conformance to
the current policies and procedures;
Per GAO: Open. During our fiscal year 2005 audit, we found that three
of eight TACs we visited did not use a document transmittal to transmit
multiple Daily Report of Collection Activity forms to their respective
SCC for further processing. We will continue to evaluate IRS's
implementation of its corrective actions during our fiscal year 2006
audit.
Count: 76;
ID. No.: 05-34;
Recommendation: Establish a procedure for SB/SE field office units to
track Document Transmittal forms and acknowledgments of receipt of
Document Transmittal forms. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Open. IRS will update its procedures to clarify that the
managers should ensure continuous coverage of the designated clerical
contact duties so that absence due to illness or leave does not disrupt
the processing of remittances;
Per GAO: Open. IRS's corrective actions were not implemented during our
fiscal year 2005 audit. In addition, our audit continued to find
numerous instances of SB/SE groups not properly tracking document
transmittal forms to ensure that taxpayer receipts and information were
received by the recipient. We will evaluate IRS's corrective actions
during our fiscal year 2006 audit.
Count: 77;
ID. No.: 05-35;
Recommendation: Require evidence of managerial review of recording,
transmittal, and receipt of acknowledgments of taxpayer receipts and
information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Open. IRS will establish a procedure(s) to require evidence of
managerial review of recording, transmittal, and receipt of
acknowledgments of taxpayer receipts and information. However, IRS will
not implement any procedure requiring 100 percent managerial review.
IRS's new procedures will call for random managerial spot-checking of
packages prepared for submission to Submission Processing by revenue
officers working in PODs or by the designated clerical contacts in the
PODs. The new procedure(s) will not call for any random managerial spot-
checking of packages prepared by revenue officers working away from the
POD on extended field calls or flexiplace. Instead, on those packages,
IRS will continue to rely on the remittance reviews conducted by
remittance processing personnel in Submission Processing. These reviews
will be documented by the revenue officer group manager and be retained
for the appropriate period required under record management guidelines;
Per GAO: Open. IRS's corrective actions were not implemented during our
fiscal year 2005 audit. In addition, we continued to find numerous
instances where SB/SE groups did not provide evidence that managers, or
a designee, reviewed the recording, transmittal, and receipt of
acknowledgements of taxpayer receipts and information to ensure that
they were received and acknowledged by the recipient. We will evaluate
IRS's corrective actions during our fiscal year 2006 audit.
Count: 78;
ID. No.: 05-36;
Recommendation: Assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved AUR
discrepancies, including placement of a freeze or hold on all such
accounts, until the AUR review has been completed. (short- term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS's position is that, if followed, the procedures it
has in place adequately address preventing the generation or
disbursement of refunds associated with AUR accounts. IRM 3.8.45
requires employees receiving an unidentified remittance to conduct
Integrated Data Retrieval System (IDRS) research to determine if there
is an open account that allows for posting of the remittance. Also, AUR
will partner with SP to ensure that employees receiving unidentified
remittances are aware of the need to conduct IDRS research and how to
properly post AUR remittances in these instances;
Per GAO: Open. During our fiscal year 2005 audit, we found a technician
in the Unidentified Remittance unit unaware of how to properly post
remittances for AUR cases. We will continue to monitor IRS's efforts in
preventing the generation or disbursements of refunds associated with
AUR accounts during our fiscal year 2006 financial audit.
Count: 79;
ID. No.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. A memorandum was issued on August 3, 2005, as a
reminder to solicit the annual list of authorized signatures
(individuals formally delegated authority to sign manual refunds). The
campuses were advised to submit a memorandum to National Office no
later than October 31, certifying they had completed the request for
authorized signatures. This information was also conveyed via
Information Alert: W&I-IA-2002-1149-2005, dated March 17, 2005;
and will be covered by BMF headquarter staff during their unannounced
visits;
Per GAO: Open. During our fiscal year 2005 audit, we continued to find
issues with the documentation requirements relating to authorizing
officials charged with approving manual refunds. For example, IRS
policy requires that IRS submit a memorandum identifying the personnel
designated to authorize manual refunds. The list must include the name,
title/position, and signature of the designated person and official
issuing the memorandum. However, during our July 2005 testing, we found
memorandums that were either over a year old or lacked the required
information. The reminder memorandum Submission Processing issued on
August 3, 2005, was issued subsequent to our July 2005 fieldwork. We
will continue to follow up on IRS's efforts to improve the
documentation requirements during our fiscal year 2006 financial audit.
Count: 80;
ID. No.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. Submission Processing issued an alert on the SP Web
site on March 17, 2005. A reminder memorandum was issued on August 3,
2005. IRM check sheets were included, and campuses were required to
confirm actions taken. IRS determined this item would not be included
in the management accountability review process. As part of our
commitment to improve the manual refund process, an attachment covering
monitoring was included with the annual memorandum soliciting
authorized manual refund signers. In response to the Service-wide
Electronic Research Program (SERP) alert issued by Accounts Management,
we included items that should be considered when Accounting Operations
reviewed manual refund requests initiated by employees in the SP
campuses. This will be covered by BMF headquarter staff during their
unannounced visits;
Per GAO: Open. During our fiscal year 2005 audit, we continued to find
instances where the manual refund initiators did not monitor accounts
to prevent duplicate refunds, and supervisors did not review the
monitoring of accounts. We reviewed the alerts that IRS issued on April
1, 2005 (Monitoring Manual Refunds) and May 13, 2005 (Managerial
Procedures for Manual Refunds). However, we found that some of the
manual refund initiators, leads, supervisors and managers were unaware
of the alerts. The reminder memorandum issued on August 3, 2005 was
issued subsequent to our July 2005 testing. We will continue to review
IRS's monitoring and review efforts during our fiscal year 2006
financial audit.
Count: 81;
ID. No.: 05-39;
Recommendation: Enforce requirements for documenting monitoring actions
and supervisory review. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. Submission Processing issued a reminder memorandum on
August 3, 2005. IRM check sheets were included, and campuses were
required to confirm actions taken. IRS determined this item would not
be included in the management accountability review process. As part of
our commitment to improve the manual refund process, an attachment
covering monitoring was included with the annual memorandum soliciting
authorized manual refund signers. In response to the SERP alert issued
by Accounts Management, we included items that should be considered
when Accounting Operations reviewed manual refund requests initiated by
employees in the SP campuses. This will be covered by BMF headquarter
staff during their unannounced visits;
Per GAO: Open. During our fiscal year 2005 audit, we found the
requirements for documenting monitoring actions and documenting
supervisory review were not always enforced. The reminder memorandum
issued on August 3, 2005, was issued subsequent to our July 2005
testing. We will continue to monitor IRS's efforts in documenting the
monitoring actions and documenting the supervisory review during our
fiscal year 2006 financial audit.
Count: 82;
ID. No.: 05-40;
Recommendation: Enforce the requirement that command code profiles be
reviewed at least once annually. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Closed. SP supports Mission Assurance in enforcing IDRS
security by ensuring appropriate officials are reminded annually of
their security obligations. A memorandum, including IDRS security and
the Automated Command Code Access Control, was issued August 3, 2005.
IRS determined this item would not be included in the management
accountability review process. An overview of the Automated Command
Code Access Control (ACCAC) program was included in our Annual
Solicitation for Authorized Signatures - Manual Refunds memorandum,
dated August 3, 2005. This will be covered by BMF headquarter staff
during their unannounced visits;
Per GAO: Open. During our fiscal year 2005 audit, we found that the
requirement for the annual review of command code profiles was not
always enforced. The reminder memorandum issued on August 3, 2005 was
issued subsequent to our July 2005 fieldwork. We will continue to
follow up on IRS's efforts in enforcing the requirement to review
command code profiles at least once annually during our fiscal year
2006 financial audit.
Count: 83;
ID. No.: 05-41;
Recommendation: Specify in the IRM that staff members are not to review
their own command code profiles. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr. 27, 2005);
Per IRS: Open. The IRM wording will be updated, and recommendations
will be included in annual reminders (memos, notices, etc.) to
management officials that the approver's manager is responsible for
ensuring that approvers' profiles have appropriate restrictions and
have been reviewed. Mission Assurance updated its project Web page in
January 2005, advising managers and unit security representatives to
review IDRS user profiles to ensure that the appropriate restrictions
have been added to the user's profile. Limited staffing resources have
impacted the actual updating of the IDRS Security Law Enforcement
Manual (LEM). The LEM wording will be updated to require managers and
unit security representatives to review the IDRS security profiles to
ensure that appropriate restrictions have been placed against the
user's IDRS account. The LEM is expected to be revised by July 15,
2006;
Per GAO: Open. During our fiscal year 2005 audit, we found that the IRM
wording to specify that staff members to not review their own command
code profiles had not been updated. We will continue to monitor IRS's
efforts in preventing staff members to review their own command code
profiles during our fiscal year 2006 audit.
Count: 84;
ID. No.: 05-42;
Recommendation: Specify in the IRM how to properly verify interest and
penalties for accounts with liens with manually calculated interest or
penalties. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 05-247R, Apr. 27, 2005);
Per IRS: Closed. IRS revised the IRM to instruct employees to check the
IDRS to determine if restricted interest or penalty is due. The IRM now
clearly states that there are only two instances where restricted
interest and penalty should not be computed, offer-in-compromise and
bankruptcy cases. Also, instructions for computing restricted interest
and penalty are found in the ALS User Guide as well as in training
material and desk guides. In addition, tax examiners hired to staff the
Centralized Case Processing (CCP), Lien Processing Unit were provided
hands-on training in the computation of restricted interest and
penalty. Resolution of these cases moved to CCP effective February
2005. The centralized site has created a special group of employees who
were trained in the resolution of restricted interest and penalty
cases. New hires for this group will also receive this training. The
LEM will be updated to reflect the changes made by the RIS;
Per GAO: Open. According to IRS, an internal study determined that the
dollar amounts of additional interest and penalty to be assessed on
cases with liens requiring manual calculations was not significant.
Consequently, IRS is in the process of revising the IRM to no longer
require the additional manual computation and assessment of interest
and penalty on such cases. In addition, IRS updated its computer
programs to automatically release liens once the current account
balance had been satisfied. IRS's actions are based on its
determination that the additional interest and penalty amounts are not
significant. We will review the results of IRS's internal analysis
during our fiscal year 2006 audit.
Count: 85;
ID. No.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 86;
ID. No.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within LMSB and
TE/GE, establish a system to track acknowledged copies of document
transmittals. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 87;
ID. No.: 06-03;
Recommendation: Provide instructions to document the follow-up
procedures performed in those cases where transmittals have not been
timely acknowledged. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 88;
ID. No.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 89;
ID. No.: 06-05;
Recommendation: Equip all TACs with adequate physical security controls
to deter and prevent unauthorized access to restricted areas or office
space occupied by other IRS units, including those TACs that are not
scheduled to be reconfigured to the "new TAC" model in the near future.
This includes appropriately separating customer service waiting areas
from restricted areas by physical barriers such as locked doors marked
with signs barring entrance by unescorted customers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 90;
ID. No.: 06-06;
Recommendation: Connect duress alarms to a central monitoring station
or local police department or institute appropriate compensating
controls when these alarm systems are not operable or in place. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 91;
ID. No.: 06-07;
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently on-site. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 92;
ID. No.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms regardless of the
circumstances that may have caused the activation. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 93;
ID. No.: 06-09;
Recommendation: Reemphasize the need for the security guards at all
TACs to ensure that key PODs, such as entrances to facilities, are not
left unattended. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 94;
ID. No.: 06-10;
Recommendation: Revise lockbox bank's security review checklist to
ensure that it encompasses reviewing security incident reports to
validate whether security personnel are providing corrective actions
related to the incidents cited. (short- term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 95;
ID. No.: 06-11;
Recommendation: Refine the scope and nature of its periodic reviews of
candling processes at SCCs to ensure they (1) encompass tests of
whether envelopes are properly candled through observation of candling
in process and inquiry of employees who perform initial and final
candling, and (2) document the nature and scope of the test and
observation results. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO- 06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 96;
ID. No.: 06-12;
Recommendation: Enforce its existing policies and procedures at lockbox
banks to ensure that all remittances of $50,000 or more are processed
immediately and deposited at the first available opportunity. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 97;
ID. No.: 06-13;
Recommendation: Refine the scope and nature of its periodic reviews of
lockbox banks to include high dollar remittances to better monitor
adherence to the requirement that they are processed immediately and
deposited at the first available opportunity. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 98;
ID. No.: 06-14;
Recommendation: Refine the scope and nature of its periodic security
reviews to encompass (1) testing the effectiveness of controls intended
to ensure that only individuals with proper credentials are permitted
access to SCCs and lockbox banks, and (2) reviewing the integrity of
perimeter security at SCCs. (short- term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 99;
ID. No.: 06-15;
Recommendation: Revise the physical security procedures contained in
the IRM to require that all SCCs and any respective annex facilities
processing taxpayer receipts and/or information perform and document
monthly tests of the facility's intrusion detection alarms. At a
minimum, these procedures should (1) outline the type of test to be
conducted, (2) include criteria for assessing whether the controls used
to respond to the alarm were effective, and (3) require that a logbook
be maintained to document the test dates, results, and response
information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 100;
ID. No.: 06-16;
Recommendation: Amend its policy to require that a completed form 13094
with a positive recommendation be provided for every juvenile hired to
any position that will allow access to taxpayer receipts and/or
taxpayer information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 101;
ID. No.: 06-17;
Recommendation: Require IRS personnel to verify the information on the
form 13094 by contacting the reference directly. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 102;
ID. No.: 06-18;
Recommendation: Revise the form 13094 to require the reference to
describe his/her relationship with the juvenile, including extent of
first-hand contact, to allow IRS to review the forms and assess whether
the referencer has sufficient basis to recommend that juvenile to a
position of trust. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 103;
ID. No.: 06-19;
Recommendation: Establish procedures for hiring juveniles who do not
have a current teacher, principal, counselor, employer or former
employer, and clarify that IRS's current policies and procedures should
not be interpreted to mean that such juveniles should be allowed access
to taxpayer receipts and information without a form 13094 or its
equivalent. These procedures could include a list of acceptable
alternatives that may serve as references for juveniles who do not have
a current teacher, principal, or guidance counselor. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 104;
ID. No.: 06-20;
Recommendation: To assure proper accounting treatment of expense and
P&E transactions and reliable financial reporting, we recommend that
IRS enforce its property and equipment capitalization policy to ensure
that it is properly implemented to fully achieve management's
objectives, including recognizing assets when its capitalization
criteria is met and recognizing expenses when it is not. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Because this is a recent recommendation, GAO did not obtain
information on IRS's status in addressing it;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 105;
ID. No.: 06-21;
Recommendation: Generate aging reports when an asset remains in pending
disposal status for longer than a specified period of time. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Open. In March 2006 the chief information officer (CIO)
property program manager informed GAO that issues raised in the FY 2005
Financial Statement Audit are being addressed via a re-engineering
effort focused on the entire asset retirement and disposal process. As
such, reports are currently available to monitor aging transactions
during the disposal life cycle. Additionally, procedures are being
developed to require reviews of aging reports for the timely recording
of disposal transactions. Substantial software modifications are being
designed to improve the recording of information by replacing manual
data entry methods by using electronic forms, signatures, and
processes. In August 2006 these modifications and review procedures
will be implemented to streamline the recording of asset disposal
activity as required by IRS policy;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Count: 106;
ID. No.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Per IRS: Open. AWSS and CIO property managers have been working on
reengineering the entire asset retirement and disposal process to
mitigate issues raised in GAO's FY 2005 Financial Statement Audit. CIO
staff reported on that initiative to GAO in March 2006. As such,
reports are currently available for management to monitor the status of
aging transaction dates until the disposal process is complete. Also,
review procedures are being developed to streamline the process to
ensure the timely recording of disposal transactions. In August 2006,
reengineered process modifications and review procedures will be
implemented and guidance for conducting reviews will be issued;
Per GAO: Open. This is a recent recommendation. We will review IRS's
corrective actions during future audits.
Sources: IRS updates detailing IRS actions to address GAO's
recommendations and GAO's analysis of IRS's actions.
[End of table]
[End of section]
Appendix II: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
Commissioner:
May 25, 2006:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
Thank you for the opportunity to review and comment on your draft
report entitled, "Internal Revenue Service: Status of Recommendations
from Financial Audits and Related Financial Reports" (GAO-06-560).
We are pleased that you acknowledged our progress in addressing our
financial management challenges and agreed to close 34 of the 84 open
financial management recommendations from last year's report. Although
22 new recommendations were added, the total number of open
recommendations continues to decrease.
We have taken actions to address your recommendations and improve our
internal controls. For example, we expanded our reportable condition
plan for controls over hard-copy tax receipts. This plan now includes
comprehensive actions to address your recommendations for lockboxes,
submission processing campuses, Taxpayer Assistance Centers, and field
offices. The Financial and Management Controls Executive Steering
Committee will monitor the plan until completed.
We appreciate your mapping the 72 open recommendations to specific
internal control activities and grouping them into three broad control
activities, Safeguarding of assets and security activities, Proper
recording and documenting of transactions, and Effective management
review and oversight. This approach provides additional information on
the internal control issues and facilitates our strategy to address the
financial management issues.
I appreciate your willingness to work with us throughout the year to
improve our internal controls. Your staff has met with representatives
of the business units on many occasions to assist us in developing
action plans to resolve these issues.
If you have any questions, please contact Janice Lambert, Chief
Financial Officer, at (202) 622-6400.
Sincerely,
Signed by:
Mark W. Everson:
[End of section]
Appendix III: Staff Acknowledgments:
The following individuals made major contributions to this report:
William J. Cordrey, Charles Fox, Paul Foderaro, Nina Crocker, John
Davis, Charles Ego, David Elder, Ted Hu, Jerrod O'Nelio, John Sawyer,
Peggy Smith, Lisa Warde, Gary Wiggins, and Mark Yoder.
(196093)
Footnotes:
[1] Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with
applicable laws and regulations. Part of the actions required by
agencies and individual federal managers includes taking proactive
measures to develop and implement appropriate, cost-effective internal
control for results-oriented management;
to assess the adequacy of internal control in federal programs and
operations;
to identify needed improvements;
and to take corresponding corrective actions.
[2] A material weakness is a reportable condition that precludes the
entity's internal controls from providing reasonable assurance that
material misstatements in the financial statements would be prevented
or detected on a timely basis. Reportable conditions represent
significant deficiencies in the design or operation of internal
controls that could adversely affect an entity's ability to initiate,
authorize, record, process, or report financial data reliably.
[3] The Circular was revised in December 2004. The circular states that
the revision followed a reexamination of the existing internal control
requirements for federal agencies that was initiated in light of the
new internal control requirements for publicly traded companies
contained in the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116
stat. 745 (July 30, 2002). However, the revised circular states that it
is not effective until fiscal year 2006. Therefore, during the period
covered by our fiscal year 2005 audit of IRS's financial statements,
IRS had to comply with the requirements contained in the prior circular
version, OMB Circular No. A-123, Management Accountability and Control
(June 21, 1995).
[4] GAO, Standards for Internal Control in the Federal Government, GAO/
AIMD-00-21.3.1 (November 1999).
[5] The circular requires agencies and individual federal managers to
take systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management;
(2) assess the adequacy of internal control in federal programs and
operations;
(3) separately assess and document internal control over financial
reporting consistent with the process defined in Appendix A of the
circular;
(4) identify needed improvements;
(5) take corresponding corrective action;
and (6) report annually on internal control through management
assurance statements.
[6] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001).
[7] GAO, Internal Revenue Service: Status of Recommendations from
Financial Audits and Related Financial Management Reports, GAO-05-393
(Washington, D.C.: Apr. 29, 2005).
[8] GAO, Management Report: Improvements Needed in IRS's Internal
Controls, GAO-06-543R (Washington, D.C.: May 12, 2006).
[9] Short-term recommendations are defined as those that could be
addressed within 2 years at the time we made the recommendation. Long-
term recommendations are defined as those expected to require 2 years
or more to implement at the time we made the recommendation.
[10] The vast majority of federal tax payments are made for both
businesses and individuals via the Electronic Federal Tax Payment
System (EFTPS).
[11] Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access
to data is appropriately restricted, that only authorized changes to
computer programs are made, that physical access to sensitive computing
resources and facilities is protected, that computer security duties
are segregated, and that backup and recovery plans are adequate to
ensure the continuity of essential operations.
[12] GAO, Information Security: Continued Progress Needed to Strengthen
Controls at the Internal Revenue Service, GAO-06-328 (Washington, D.C.:
Mar. 23, 2006).
[13] Exception reports are one of the measures listed in GAO's Internal
Control Management Evaluation Tool (GAO-01-1008G) as an information
processing function.
[14] Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers
for immediate payment due to hardship or emergency, those to
beneficiaries of deceased taxpayers, and those that need to be
expedited because IRS is in jeopardy of paying interest for exceeding
the 45-day limit for processing a return.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
