Management Report
Improvements Needed in IRS's Internal Controls
Gao ID: GAO-07-689R May 11, 2007
In November 2006, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2006, and 2005, and on the effectiveness of its internal controls as of September 30, 2006. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2006, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2006 audit report, they all warrant management's consideration. This report contains 21 recommendations that we are proposing IRS implement to improve its internal controls. We conducted our audit in accordance with U.S. generally accepted government auditing standards.
During our audit of IRS's fiscal year 2006 financial statements, we identified a number of internal control issues that adversely affected tax data, tax receipts, tax refunds, taxpayer penalties and fees, tax liens, and property and equipment. These issues concern: (1) encryption of off-site taxpayer data files, (2) placement of security cameras at tax return processing facilities, (3) manual refund policies and procedures, (4) refunds to taxpayers who owe payroll taxes, (5) assessment of taxpayer penalties, (6) timeliness of tax lien releases, (7) processing of Installment Agreement fees, and (8) procurement and security of property and equipment. The issues noted increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed; (2) erroneous tax refunds could be issued; (3) taxpayers could be charged excess penalties or incorrect user fees; (4) tax liens may not be released promptly; and (5) physical assets could be stolen.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-07-689R, Management Report: Improvements Needed in IRS's Internal Controls
This is the accessible text file for GAO report number GAO-07-689R
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls' which was released on May 14, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
May 11, 2007:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls:
Dear Mr. Everson:
In November 2006, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of, and
for the fiscal years ending, September 30, 2006, and 2005, and on the
effectiveness of its internal controls as of September 30,
2006.[Footnote 1] We also reported our conclusions on IRS's compliance
with significant provisions of selected laws and regulations and on
whether IRS's financial management systems substantially comply with
requirements of the Federal Financial Management Improvement Act of
1996. A separate report on the implementation status of recommendations
from our prior IRS financial audits and related financial management
reports, including this one, will be issued shortly.
The purpose of this report is to discuss issues identified during our
audit of IRS's financial statements as of, and for the fiscal year
ending September 30, 2006, regarding internal controls that could be
improved for which we do not currently have any recommendations
outstanding. Although not all of these issues were discussed in our
fiscal year 2006 audit report, they all warrant management's
consideration. This report contains 21 recommendations that we are
proposing IRS implement to improve its internal controls. We conducted
our audit in accordance with U.S. generally accepted government
auditing standards.
Results in Brief:
During our audit of IRS's fiscal year 2006 financial statements, we
identified a number of internal control issues that adversely affected
tax data, tax receipts, tax refunds, taxpayer penalties and fees, tax
liens, and property and equipment. These issues concern: (1) encryption
of off-site taxpayer data files, (2) placement of security cameras at
tax return processing facilities, (3) manual refund policies and
procedures, (4) refunds to taxpayers who owe payroll taxes, (5)
assessment of taxpayer penalties, (6) timeliness of tax lien releases,
(7) processing of Installment Agreement fees, and (8) procurement and
security of property and equipment.
Specifically, we found the following:
* At three of the four lockbox banks[Footnote 2] we visited, the banks
did not encrypt off-site backup files containing taxpayer information
as required by IRS's guidelines.
* At two of the six service center campuses (SCCs) we visited, security
cameras did not provide complete coverage of the building exterior or
the facility's external perimeter.
* At two service center campuses, employees responsible for initiating
manual refunds were not always monitoring taxpayer accounts to prevent
duplicate refunds or documenting their review.
* IRS issued refunds to taxpayers who owed trust fund recovery
penalties associated with unpaid payroll taxes.
* Errors in IRS's computer programs caused it to charge taxpayers
excess penalties.
* IRS did not always timely release its liens against taxpayers because
it did not have procedures to expeditiously research and apply
available credits from one tax period of the taxpayer's account to
other tax periods that contained outstanding balances.
* IRS did not always timely release its liens against taxpayers because
it did not always follow its procedures to timely record bankruptcy
discharges.
* IRS did not always follow its policy of maintaining documentation to
demonstrate that it delivered lien releases to the local court house
after taxpayers fully satisfied their outstanding tax liabilities.
* Errors occurred in IRS's processing of installment agreement user
fees it collected from taxpayers.
* At one site we visited, internal controls were not adequate to secure
and safeguard property and equipment.
The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed; (2) erroneous
tax refunds could be issued; (3) taxpayers could be charged excess
penalties or incorrect user fees; (4) tax liens may not be released
promptly; and (5) physical assets could be stolen.
At the end of our discussion of each of the issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into
conformance with its own policies and with the internal control
standards that all federal executive agencies are required to
follow.[Footnote 3]
In its comments, IRS agreed with our recommendations and described
actions it had taken or planned to take to address the control
weaknesses described in this report. At the end of our discussion of
each of the issues in this report, we have summarized IRS's related
comments and provide our evaluation.
Scope and Methodology:
This report addresses issues we observed during our audit of IRS's
fiscal years 2006 and 2005 financial statements. As part of this audit,
we tested IRS's internal controls and its compliance with selected
provisions of laws and regulations. We designed our audit procedures to
test relevant controls, including those for proper authorization,
execution, accounting, and reporting of transactions. We conducted our
fieldwork between January 2006 and November 2006.
To assess internal control issues related to safeguarding taxpayer
receipts and information, we visited six SCCs and four lockbox banks;
for issues related to tax refunds, we visited two SCCs; and for issues
related to property and equipment, we performed our testing at five IRS
offices.
Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2006 and 2005
financial statements[Footnote 4] and are reproduced in enclosure II.
Safeguarding Backup Media:
Lockbox banks are financial institutions under contract with the
federal government to process mail-in tax payments and related
documents on behalf of IRS. IRS expects these lockbox banks to
appropriately safeguard the confidentiality of tax returns and the
related information they process. Accordingly, IRS established
requirements in its Internal Revenue Manual (IRM)[Footnote 5] and
lockbox security guidelines (LSG)[Footnote 6] addressing backup
procedures for information media (e.g., data tapes, cartridges, etc.)
processed at lockbox banks. Specifically, in addition to specifying
that backup media be stored off-site for recovery purposes and that the
off-site storage location be geographically separate from the lockbox
bank location, these requirements state that backup media containing
taxpayer information must be encrypted prior to transmitting the
information to a storage location outside of IRS's facilities. GAO's
Standards for Internal Control in the Federal Government require that
agencies establish physical controls to secure and safeguard vulnerable
data and media files to reduce the risk of unauthorized use or loss to
the government. In addition, the Office of Management and Budget (OMB)
issued a memorandum[Footnote 7] in June 2006 requiring that all federal
departments and agencies encrypt personally identifiable information
that is physically transported outside of the agency's secured,
physical perimeter.
However, during our fiscal year 2006 audit, we found that three of the
four lockbox banks we visited sent unencrypted backup tapes that
contained taxpayer information to off-site storage facilities. When we
initially notified IRS of the lack of encryption of backup tapes sent
to off-site locations, IRS responded that two of the three lockbox
banks would cease using off-site storage facilities and would instead
securely store these backup tapes on-site at the lockbox bank. While
retaining the backup information on-site avoids exposing it to
potential compromise during transmission, it is inconsistent with the
IRM and federal information security standards for off-site
storage[Footnote 8] and thus increases the risk that the backup
information may be lost along with the current information in the event
of disaster, whether of accidental, criminal, or natural origin. At the
third lockbox bank, we were informed that the bank would request a
waiver from IRS's encryption requirement. However, granting of such a
waiver by IRS is not consistent with the requirement contained in the
OMB memorandum. Shipping unencrypted backup data off-site increases the
risk that data containing taxpayer information may be compromised.
During fiscal year 2006, IRS began conducting annual physical security
reviews of lockbox banks to monitor their performance and adherence to
key IRS physical security policies and procedures. In carrying out its
reviews, IRS uses a physical security data collection instrument to
assess controls and record the results of those assessments. While
these reviews address various controls designed to safeguard taxpayer
receipts and information, they do not address key controls designed to
safeguard backup media containing personally identifiable information.
For example, there are no questions on the physical security data
collection instrument designed to ascertain whether lockbox banks are
complying with the requirement to have backup tapes, which contain
sensitive information, encrypted and stored at an approved off-site
location. The lack of routine monitoring by IRS officials regarding
data encryption and off-site storage of backup media increases the risk
that lockbox bank deviations from related IRS procedures may not be
timely identified, thereby increasing the risk of loss, theft, and/or
misuse of media files containing taxpayer information.
Recommendations:
We recommend that IRS:
* enforce the existing policy requiring that all lockbox banks encrypt
backup media containing federal taxpayer information;
* ensure that lockbox banks store backup media containing federal
taxpayer information at an off-site location as required by the 2006
LSG; and:
* revise instructions for its annual reviews of lockbox banks to
encompass routine monitoring of backup media containing personally
identifiable information to ensure that this information is (1)
encrypted prior to transmission and (2) stored in an appropriate off-
site location.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the encryption and
storage of backup media containing federal taxpayer information. IRS
indicated it will implement an Information Technology Security Audit
Process by July 2007 and use it to ensure compliance with its policy of
requiring that all lockbox banks encrypt backup media containing
federal taxpayer information. IRS also indicated it will use this audit
process to validate that all backup media, including files that may
need to be recovered, are stored off-site. In addition, IRS stated that
it will modify the Lockbox Security Guidelines to emphasize that all
backup media, including files that may need to be recovered, is to be
stored off-site. We will evaluate the effectiveness of IRS's efforts in
this area during our audit of IRS's fiscal year 2007 financial
statements.
Maintenance and Placement of Security Cameras:
To safeguard the hundreds of billions of dollars in payments and the
related information entrusted to it annually by the nation's taxpayers,
IRS has implemented physical security controls intended to prevent
unauthorized access to its tax return processing facilities. Among
these controls are security cameras, also referred to as closed circuit
television (CCTV) cameras, which are used to aid security personnel in
monitoring the exterior of these facilities. To be effective, security
cameras must be properly maintained and placed at critical locations to
collectively provide an unobstructed view of the entire exterior of the
facility. However, at two of the six SCCs we visited during our fiscal
year 2006 audit, we found that security cameras monitoring the
facilities' exterior did not allow security personnel unobstructed
coverage of the entire fence line of the property and the perimeter of
the facility. At one of these SCCs, we found that guards were aware of
the obstructions and had reported them to their superiors. However, no
corrective actions were initiated nor was a time frame established
identifying when the obstructions and weaknesses in the CCTV cameras
would be corrected.
Specifically, we found:
* At one SCC, the views of five security cameras used to monitor the
perimeter of the buildings were obstructed by trees situated between
the cameras and the property fence line. In addition, the views of two
other exterior security cameras were obstructed by a structural support
column.
* At the second SCC, three security cameras' views of entrances/exits
and the perimeter of certain buildings were obstructed by overgrown
trees and shrubs.
GAO's Standards for Internal Control in the Federal Government require
that management establish physical controls to secure and safeguard
vulnerable assets and that access to resources and records should be
limited to authorized individuals. Further, the IRM guidelines for
security cameras at SCCs include placing cameras at critical locations
to provide direct visual monitoring from a vantage point. However,
because IRS's security cameras at SCCs do not always provide
unobstructed exterior coverage of the entire fence line and perimeter
of its facilities, the risk is increased that unauthorized individuals
may access IRS facilities and compromise taxpayer records and data and/
or disrupt operations.
Over the past 2 years, IRS has implemented quarterly physical security
reviews of key perimeter access and other controls designed to monitor
physical security controls used to safeguard taxpayer information and
receipts and IRS's facilities, employees, taxpayers, and other
visitors. These reviews include assessing whether security cameras at
SCCs provide complete and unobstructed exterior coverage of the entire
fence line and perimeter of the facility. However, we found that
analysts performing these reviews are not required to (1) document
planned implementation dates of the corrective actions cited to address
any issues identified, and (2) follow up on prior findings to assess
whether they were appropriately addressed according to plans. To be
effective, any issues identified by these reviews should be
systematically documented, appropriate corrective actions planned, and
their status formally tracked to monitor disposition and final closure.
Absent this, IRS lacks assurance that issues affecting CCTV cameras
identified during these reviews are being effectively communicated and
promptly and appropriately addressed.
Recommendations:
We recommend that IRS:
* develop and implement appropriate corrective actions for any gaps in
CCTV camera coverage that do not provide an unobstructed view of the
entire exterior of the SCC's perimeter, such as adding or repositioning
existing CCTV cameras or removing obstructions; and:
* revise instructions for quarterly physical security reviews to
require analysts to (1) document any issues identified as well as
planned implementation dates of corrective actions to be taken and (2)
track the status of corrective actions identified during the quarterly
assessments to ensure they are promptly implemented.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the maintenance and
placement of security cameras at SCCs. IRS indicated that it is
developing a plan to assess all CCTVs and mitigate findings by December
30, 2007. IRS also indicated that by June 30, 2007, it will implement
procedures requiring Physical Security Analysts to document concerns
identified during quarterly reviews, establish corrective action
implementation dates, and track corrective actions to ensure they are
implemented. Because IRS's planned actions in this area will not be
completed for our fiscal year 2007 audit, we will evaluate the
effectiveness of IRS's efforts during future audits.
Manual Refund Policies and Procedures:
IRS's internal controls for processing manual refunds were not fully
effective in minimizing the risk of issuing duplicate refunds. We found
that employees responsible for initiating manual refunds at the two
service center campuses we visited were not always adhering to IRS's
policies and procedures intended to minimize this risk. Specifically,
manual refund initiators were not appropriately (1) monitoring taxpayer
accounts to prevent duplicate refunds, or (2) documenting their
monitoring activity. GAO's Standards for Internal Control in the
Federal Government require that control activities, which are
identified as necessary and described in the agency's policies and
procedures, are in place and being applied properly so that only valid
transactions are processed. Additionally, the IRM requires manual
refund initiators to monitor manual refund accounts and to
appropriately document their monitoring activities to prevent the
issuance of a duplicate refund. However, because IRS staff at the two
centers we visited did not consistently follow these procedures, the
risk of duplicate refunds is increased.
Most refunds are generated automatically by IRS's automated systems
after the taxpayers' returns are posted to their accounts. However, in
certain situations, various units within IRS's campuses process refunds
manually to expedite the refund process when it is considered to be in
the best interest of IRS or the taxpayer. A manual refund is a refund
that is not generated through routine IRS automated system processing.
Manual refunds bypass most of the automated validity checks performed
and may be issued within a few days of initiation. However, while
manual refunds can be paid out quickly, IRS's system does not record
the manual refund generated on the taxpayer's master file account until
several weeks after the manual refund is initiated. Conversely,
automated refunds are first posted to the taxpayer's master file
account and issued to taxpayers afterwards. The delay in recording
manual refunds to taxpayer accounts increases the potential for
erroneous or duplicate refunds because IRS's manual and automated
refund processing are not systematically coordinated to prevent both
refunds from being issued.
To prevent duplicate refunds from being issued, the IRM requires manual
refund initiators, who process manual refunds, to (1) closely monitor
the taxpayer's account and (2) document their monitoring activity until
the manual refund posts to the taxpayer's master file account. Once the
manual refund posts to the master file, IRS's automated system is to
prevent a duplicate automated refund from being issued. Throughout the
period it takes for the manual refund to post, the manual refund
initiators are responsible for monitoring the accounts for the posting
of duplicate automated refunds. When manual refund initiators identify
the posting of a duplicate automated refund, they must take the
necessary action to stop the automated refund from actually being
issued to the taxpayer. IRS provides a Manual Refund Desk Reference for
manual refund initiators to use as a guide to initiate and process
manual refunds. In most cases, the initiators primarily rely on the
Manual Refund Desk Reference to process manual refunds and do not refer
to the IRM.
However, during our review of monitoring actions to prevent duplicate
refunds at two service center campuses, we found the Manual Refund Desk
Reference did not provide instructions to (1) monitor refund accounts
to prevent duplicate refunds, and (2) document monitoring activity as
required by the IRM. For example, at one site, the various units
processing manual refunds were using different versions of the Manual
Refund Desk Reference (i.e., April 2002, January 2003, April 2003,
April 2004, March 2005, and April 2006), none of which complied with
the IRM requirements. We also found that some of the initiators and
their supervisors were not familiar with the procedures in the desk
reference. As a result, the manual refund initiators in some of the
units (1) were not monitoring the refund accounts to prevent the
issuance of a duplicate refund; (2) stated that they monitor the
taxpayer account, but were not documenting their monitoring activities;
or (3) were only observing the account to see if the manual refund
posted so they could close out their case, rather than also monitoring
to detect and stop the issuance of duplicate automated refunds. As a
result, the risk is increased that a duplicate refund generated will
not be detected and stopped before being disbursed.
Recommendations:
We recommend that IRS:
* revise procedures contained in the Manual Refund Desk Reference to
reflect the IRM requirements for manual refund initiators to (1)
monitor the manual refund accounts in order to prevent duplicate
refunds, and (2) document their monitoring actions;
* provide to all the IRS units responsible for processing manual
refunds the same and most current version of the Manual Refund Desk
Reference; and:
* require that managers or supervisors provide the manual refund
initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning monitoring manual
refunds to prevent duplicate refunds and the need to document such
monitoring actions. IRS stated that it will replace the Manual Refund
Desk Reference with revisions to sections of its Internal Revenue
Manual, which will be the official authoritative guidance for
processing manual refunds and stated that it plans to inform its staff
of this change by the end of May 2007. IRS also stated that it will
ensure its managers and supervisors conduct training for manual refund
initiators in its Submission Processing, Accounts Management, and
Compliance operations to prevent the issuance of duplicate refunds,
issue an information Alert to campuses, directing them to provide
refresher training to the areas responsible for initiating manual
refunds, and conduct classroom training for employees who initiate
manual refunds. In addition, IRS indicated that it will ensure that Tax
Examiners are reminded of their responsibility to monitor manual
refunds to prevent the issuance of duplicate refunds and to document
such monitoring. IRS stated that all of these actions will be complete
by the end of July 2007. We will evaluate the effectiveness of IRS's
efforts in this area during our audit of IRS's fiscal year 2007
financial statements.
Refunds to Tax Debtors With Unpaid Payroll Taxes:
During our fiscal year 2006 financial audit, we found that IRS issued
refunds to tax debtors who still owed the government for unpaid payroll
taxes. When an employer withholds taxes from an employee's wages, the
employer is deemed to have a responsibility to hold these amounts "in
trust" for the federal government until the employer makes a federal
tax deposit in that amount.[Footnote 9] Employers are required to
periodically deposit the withholdings from employees' wages with IRS.
To the extent these withheld amounts are not forwarded to the federal
government, the employer is liable for these amounts, as well as the
employer's matching Federal Insurance Contribution Act (FICA)[Footnote
10] contributions. Individuals within the business (e.g., corporate
officers) may be held personally liable for the withheld amounts not
forwarded and assessed a civil monetary penalty known as a Trust Fund
Recovery Penalty (TFRP).[Footnote 11] IRS has the authority to assess
all responsible officers individually for the unpaid payroll taxes.
Thus, IRS may record a TFRP assessment against several individuals for
the employee-withholding component of the payroll tax liability of a
given business in an effort to collect an employer's total tax
liability. Although assessed to multiple parties, the employer's
liability need only be paid once. When IRS records a TFRP assessment
against an individual, it creates a separate subaccount on the
taxpayer's master file account to distinguish this from the taxpayer's
personal income tax liability.
In our prior audits,[Footnote 12] we found errors involving IRS's
failure to properly record payments made by individual officers to all
related parties associated with the TFRP. Thus, as part of our fiscal
year 2006 audit, we tested a statistical sample of payments recorded on
TFRP accounts to determine the extent of any such errors in IRS's
systems. In performing our work, we found that IRS issued refunds to
seven individuals when they still had an outstanding balance in their
TFRP account.[Footnote 13] In one of these cases, IRS recorded a TFRP
assessment against the officer in 2001. The officer then filed joint
individual tax returns with the officer's spouse in subsequent years
and received three computer-generated refunds totaling approximately
$6,700.
According to the IRM, IRS is required to apply any overpayment of taxes
from one tax period[Footnote 14] against outstanding tax liabilities
from other tax periods before issuing a refund to the taxpayer. If a
taxpayer made payments that exceeded the balance owed for one tax
period (i.e., credits), IRS relies on its automated processes to check
the taxpayer's account for outstanding balances in other tax periods or
subaccounts and to apply these credits to outstanding balances before
issuing a refund. However, IRS's computer program only checks for
outstanding tax liabilities associated with the social security number
(SSN) of the first person listed on joint tax returns and does not
check for outstanding tax liabilities associated with the secondary SSN
listed on the return. In the cases we identified, the officer owing the
TFRP was the second person (secondary SSN) indicated on the joint tax
return. Consequently, IRS's automated process failed to detect that the
second person associated with the joint return owed the outstanding
penalty assessment. This control deficiency cost IRS the opportunity to
recover at least some of the outstanding balances owed on these
accounts.
Recommendations:
We recommend that IRS:
* enhance its computer program to check for outstanding tax liabilities
associated with both the primary and secondary SSNs shown on a joint
tax return and apply credits to those balances before issuing any
refund; and:
* instruct revenue officers making the TFRP assessments to research
whether the responsible officers are filing jointly with their spouses
and to place a refund freeze on the joint account until the computer
programming change can be completed.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning refunds to tax debtors
with Trust Fund Recovery Penalties. IRS stated that the IRM instructs
revenue officers to request entering a transaction code into its
systems to freeze any potential refunds for all individuals liable for
the TFRP. IRS noted that it has requested an IRS Counsel opinion on
whether it would be acceptable for revenue officers to also freeze the
refund of a liable taxpayer's spouse at the time of approval of the
TFRP assessment or at the time the assessment is made. IRS stated that
it would implement this change by August 2007 if the IRS Counsel
determines that this action is appropriate. We will evaluate the
effectiveness of IRS's efforts in this area during our audit of IRS's
fiscal year 2007 financial statements.
Assessment of Penalties:
IRS's controls over its process for assessing penalties against
taxpayers who owe outstanding taxes did not always ensure that the
correct amounts of penalties were assessed. Under the Internal Revenue
Code (IRC), IRS has the authority to assess penalties against taxpayers
for a variety of reasons, such as the failure to pay taxes owed. IRS
largely uses automated processes and systems to assess both interest
and penalties using the parameters contained in the IRC, as stipulated
in the IRM.[Footnote 15] For example, if the tax debtor fails to pay
the taxes owed, IRS is required to assess penalties at one-half of 1
percent of the outstanding tax liability. IRS then increases this
penalty rate from one-half of 1 percent to 1 percent if the taxpayer
does not comply after repeated notifications. If the taxpayer pays off
the outstanding balance, IRS is then required to reduce the penalty
rate back to one-half of 1 percent on any subsequent tax assessment
associated with this specific tax period.
In our testing of a statistical sample of IRS interest and penalty
calculations on 59 taxpayer accounts in IRS's master file from the
first 9 months of fiscal year 2006, we found 2 instances where IRS's
computer programs incorrectly calculated and assessed the failure to
pay the penalty amount. In each case, IRS's computer program
appropriately increased the penalty rate assessed against the taxpayer
for failing to pay taxes owed from one-half of 1 percent to 1 percent
when the taxpayer failed to pay following repeated notification of the
taxes due. The taxpayer eventually paid the outstanding balance for the
specific tax period. IRS then later assessed additional taxes against
the taxpayer for the same tax period. However, the penalty calculation
program did not reset the penalty rate back to one-half of 1 percent
and continued to assess penalties related to the subsequent tax
assessment at the higher 1 percent rate. As a result, IRS overassessed
penalties against these taxpayers.
After we brought this issue to its attention, IRS researched its master
files and determined that the program errors would have affected
taxpayer accounts where (1) the penalty rate had increased to 1
percent, (2) the taxpayer had subsequently paid off the balance for the
tax period, and (3) IRS later assessed the taxpayer additional taxes
owed for the same tax period. Its research indicated that the
programming errors may have affected about 62,000 taxpayers with about
69,000 accounts in its current inventory of unpaid
assessments.[Footnote 16] The total outstanding balance associated with
these accounts was approximately $745 million. Although IRS was able to
identify taxpayers who may have been affected by this error, its
research did not determine whether any of these taxpayers may have
already paid any overassessed penalties.
Recommendations:
We recommend that IRS:
* correct the penalty calculation programs in its master file so that
penalties are calculated in accordance with the applicable IRC and
implementing IRM guidance; and:
* research each of the taxpayer accounts that may have been affected by
the programming errors to determine whether they contain overassessed
penalties and correct the accounts as needed.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the overassessment of
tax penalties. IRS stated that it implemented system changes in January
2007 to correct the penalty calculation program and the taxpayer
accounts that were affected by the programming error. We will evaluate
the effectiveness of IRS's efforts in this area during our audit of
IRS's fiscal year 2007 financial statements.
Timeliness of Lien Releases:
Under the IRC, IRS has the power to file a lien against the property of
any taxpayer who neglects or refuses to pay all assessed federal taxes.
The lien serves to protect the interest of the federal government and
as a public notice to current and potential creditors of the
government's interest in the taxpayer's property.[Footnote 17] IRS uses
its Automated Lien System (ALS)[Footnote 18] to process the initial
filing of the lien as well as the lien release upon satisfaction of the
tax liability. ALS generates the physical lien document, which IRS
mails to the taxpayer's local courthouse to officially file the
lien.[Footnote 19] Concurrent with generating the lien document, ALS
electronically updates the taxpayer's account in IRS's master file to
show that a lien was filed. The lien becomes effective when it is filed
with a designated office, such as a courthouse, in the county where the
taxpayer's property is located. Under section 6325 of the IRC, IRS is
required to release federal tax liens within 30 days of the date the
tax liability is satisfied or becomes legally unenforceable. The
failure to promptly release tax liens could cause undue hardship and
burden to taxpayers who are attempting to sell property or apply for
commercial credit.
In each year beginning with our audit of IRS's fiscal year 1999
financial statements, we found that IRS did not always release the
applicable tax lien within 30 days of the tax liability being either
paid off or abated as required by the IRC. During our fiscal 2006
financial audit, we continued to find weaknesses in the IRS lien
release process that contributed to liens not being timely released.
These weaknesses resulted from IRS relying too heavily on automated
processes and employees who did not follow established procedures.
Specifically, IRS did not (1) have procedures to promptly research and
apply credits[Footnote 20] that were available in one tax period
against the taxpayers' outstanding tax liabilities in other tax
periods, (2) follow its procedures to promptly record bankruptcy
discharges of tax liabilities, and (3) follow its procedures to
maintain stamped billing support vouchers to document IRS's timely
issuance of lien releases to the local courthouse.
Timely Application of Credits:
IRS's lien release process relies heavily upon its automated systems
and the information that resides within these systems. Within its
master file database, IRS records collection actions and the current
status of tax debts through a series of codes. The codes, referred to
as status and transaction codes, display a host of information,
including whether the account is paid in full or otherwise satisfied.
Consequently, the status and transaction codes in each taxpayer's
account in IRS's database are critical to the timely release of liens.
IRS's automated lien release process begins when a taxpayer's account
is paid in full or otherwise relieved. Each week, the master file
database automatically downloads to ALS all the satisfied taxpayer
accounts with liens. When notified via the master file download that a
taxpayer account with a lien has been fully paid or otherwise
satisfied, ALS generates a lien release document. Since liens can cover
tax debt arising from one or more tax periods,[Footnote 21] ALS will
not generate a lien release document until all the tax periods covered
by the lien are satisfied.
In fiscal year 2006, IRS tested the effectiveness of its lien release
process as part of implementing the requirements of OMB Circular No. A-
123,[Footnote 22] and we validated these test results. In reviewing
IRS's test results for 84 statistically selected tax cases with liens
in which the taxpayers' total outstanding liabilities were either paid
off or abated, we identified 6 cases in which IRS did not release the
liens within 30 days because it did not promptly apply tax credits
available in one of the taxpayers' tax periods against the outstanding
balances the taxpayers owed in other tax periods.[Footnote 23] In these
6 cases, the time between the point at which the taxpayer had credits
available to satisfy all of their outstanding tax liabilities and
release of the lien ranged from 37 days to 183 days.
In one case, IRS recorded the taxpayer's entire payment against the
outstanding tax liability in one tax period of the taxpayer's master
file account and relied on the system to automatically transfer the
amounts paid that exceeded the balance owed for that tax period (i.e.,
credits) to pay off the balances in other tax periods. In another case,
IRS partially abated the tax assessed against the taxpayer for one tax
period, creating a credit, and waited for its automated systems to
transfer the credits or to generate a refund to the taxpayer. In each
of these six cases, IRS relied on its automated systems to
automatically transfer the credits. However, the automatic transfers
did not occur within 30 days because the taxpayers' accounts contained
freeze codes[Footnote 24] that prevented the automatic transfers. The
presence of these freeze codes required IRS personnel to manually
review and, as needed, resolve issues with the taxpayer's account
before the credits could be applied to other outstanding tax period
balances owed by the taxpayer. IRS eventually resolved the issues on
the accounts of each of these six taxpayers and did not assess
additional taxes against any of them. However, because IRS did not have
procedures in place to promptly research and properly apply the
credits, it did not release the liens against these taxpayers within
the statutorily required 30 days.
Timely Recording of Discharge by Bankruptcy Court:
Taxpayers may have their tax liability fully discharged through
bankruptcy filings. When a taxpayer is discharged of his or her tax
liability by the bankruptcy court and the court notifies IRS, employees
in IRS's Centralized Insolvency Office (CIO) are responsible for
recording the discharge on the taxpayer's master file account or to
manually record the lien release in ALS. As mentioned earlier, IRS's
lien release process relies heavily upon its automated computer
systems. Consequently, the Centralized Insolvency Office must record
this information timely in order for IRS to complete the lien release
process within 30 days.
In reviewing IRS's lien release test results, we identified five cases
in which IRS did not timely release the lien because it did not timely
record that the taxpayer had been fully discharged of his or her tax
liability by the bankruptcy courts.[Footnote 25] According to IRS, the
lien release was delayed because Centralized Insolvency Office
employees did not follow procedures established in the IRM. The IRM
requires Centralized Insolvency Office employees to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in ALS on bankruptcy cases
assigned to the unit. This was not done, resulting in the delay of the
release of the tax liens associated with these cases. The time between
the bankruptcy discharge and release of the liens in these five cases
ranged from 52 days to 298 days.
Maintaining Documentation to Support Lien Release:
In a prior audit, we noted instances of long delays between the time
that IRS generated the ALS lien release document and the official
release date recorded at the local courthouse.[Footnote 26] Although
some of these delays may have been attributable to delays by the
courthouse in legally releasing the liens, IRS did not have procedures
to track the status of lien releases up to the point of delivery to the
local courthouse. Consequently, neither IRS nor we could determine if
the delays occurred at IRS, at the local courthouse, or both. For this
reason, we recommended that IRS establish procedures to track the
status of lien releases up to the point of delivery to the local
courthouse. In response to our recommendation, in fiscal year 2003, IRS
established and implemented procedures to date stamp billing support
vouchers[Footnote 27] to document the date it sent the lien release to
the local courthouse.
In reviewing IRS's lien release test results, we found nine cases in
which IRS could not produce a date stamped billing support voucher to
document when it sent the lien release to the local
courthouse.[Footnote 28] During fiscal year 2005, IRS completed
consolidation of its lien processing into one Centralized Lien
Processing/Case Processing Unit at the Cincinnati Service Center
Campus. According to IRS officials, employees in the Centralized Lien
Processing/Case Processing Unit did not follow the IRM procedures for
date stamping and maintaining copies of the billing support vouchers.
Without a stamped billing support voucher, IRS was unable to provide
evidence that it had sent the lien release to the local courthouse
within the statutorily required 30 days.
Recommendations:
We recommend that IRS:
* establish procedures and specify in the IRM that at the time of
receipt, employees recording taxpayer payments should (1) determine if
the payment is more than sufficient to cover the tax liability of the
tax period specified on the payment or earliest outstanding tax period,
(2) perform additional research to resolve any outstanding issues on
the account, (3) determine whether the taxpayer has outstanding
balances in other tax periods, and (4) apply available credits to
satisfy the outstanding balances in other tax periods;
* establish procedures and specify in the IRM that employees review
taxpayer accounts with freeze codes that contain credits weekly to (1)
research and resolve any outstanding issues on the account, (2)
determine whether the taxpayer has outstanding balances in other tax
periods, and (3) apply available credits to satisfy the outstanding
balances in other tax periods;
* issue a memorandum to employees in the Centralized Insolvency Office
reiterating the IRM requirement to timely record bankruptcy discharge
information onto taxpayer accounts in the master file or to manually
release the liens in ALS; and:
* issue a memorandum to employees in the Centralized Lien Processing
Unit reiterating the IRM requirement to date stamp and maintain the
billing support voucher as evidence of timely processing by IRS.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the timeliness of tax
lien releases. IRS stated that it issued a memorandum to all functions
in January 2007 that directed liens to be released manually when
systemic processes do not release liens, including when credit
transfers are necessary between accounts, and noted that it plans to
update the IRM to include the information contained in the memorandum
by the end of May 2007. IRS also stated that it developed a report to
identify cases where a bankruptcy discharge was granted by the court
and a lien was filed on dischargeable periods so that, when
appropriate, manual lien releases are requested to ensure timely
release of the tax liens. IRS indicated that it updated the IRM in
March 2007 with instructions for the new report and conducted training
on the new report and process prior to issuing the IRM. In addition,
IRS stated that in November 2006 it began a new process of scanning
billing support vouchers and associating these vouchers with Specific
Lien Identification (SLID) numbers in order to ensure the voucher is
retrievable and to show liens were timely released. IRS noted that it
had trained its employees on this process as it was rolled out.
According to IRS, it will complete its 2007 OMB Circular A-123 review
on the timeliness of lien releases by the end of May 2007, and will
issue additional guidance by November 2007 if the review indicates that
untimely tax lien releases and BSV errors still exist. We will evaluate
the effectiveness of IRS's efforts in this area during our audit of
IRS's fiscal year 2007 financial statements.
Installment Agreement User Fees:
During our fiscal year 2006 audit, we found that IRS's control
procedures did not always prevent or detect errors that occurred in the
recording of installment agreement[Footnote 29] (IA) user fees that IRS
collects from taxpayers. When IRS enters into an IA arrangement with
taxpayers to satisfy tax debts, it charges a user fee for services
provided, whether establishing a new agreement or reinstating a
previous agreement.[Footnote 30] IRS requires taxpayers to pay the user
fee with the first installment payment by designating, on the
remittance coupon IRS provides to the taxpayer, the user fee and tax
payment amounts and submitting it to a lockbox bank. Errors can occur
when taxpayers do not make the proper designations on remittance
coupons, and IRS records improper user fee amounts or incorrectly
applies payments to the taxpayers' debts.
To identify and correct payment errors, IRS runs periodic edit routines
on its master file records to identify cases where it did not collect
IA user fees when it was entitled to do so and executes actions to
transfer such user fees from the taxpayers' tax accounts to user fee
accounts. IRS also runs edit checks to test the validity of the user
fees it records in the master file by identifying (1) fees for which
there is no installment agreement on file, (2) inconsistent user fee
codes used for recorded fees, (3) duplicate user fees recorded, and (4)
fees paid with dishonored checks from taxpayers. These edit checks
result in the generation of an Installment Agreement Accounts Listing
which provides details of items requiring further action. However, IRS
did not always timely follow up and resolve items that appeared on the
listing.
We tested 12 transactions in which IRS recorded IA user fees in amounts
that exceeded the amount that IRS was authorized to charge and found
that 9 were recorded in error. Specifically, we found the following:
* In four instances, IRS personnel erroneously recorded tax payments as
IA user fees when no user fee was due and the entire amount should have
been recorded against the taxpayers' tax debt. In the most egregious of
these instances, IRS recorded a $15,000 tax payment as an installment
agreement user fee when the maximum amount it could charge as IA fees
was $43. IRS did not detect or correct this error in its normal course
of operations.
* In three instances, IRS was entitled to collect an IA user fee but
deducted an incorrect user fee amount from the taxpayer's payment. For
example, in one case, IRS recorded a taxpayer's payment of $200 as an
IA user fee when only $43 should have been recorded as a user fee and
the remaining $157 should have been recorded against the taxpayer's
outstanding tax debt.
* In the remaining two instances, IRS made erroneous adjustments to
move payments from taxpayers' tax accounts to IA user fee accounts and
thus recorded more user fees than it was entitled to receive.
According to IRS, the errors we found that resulted in duplicate user
fees, such as the fees recorded when none were due, appeared on the
Installment Agreement Account Listing. The IRM requires that matters
that appear on the listing be addressed within 5 business days.
However, we found that IRS staff did not always timely and accurately
resolve user fee errors that appeared on the listing as required in its
IRM. The errors we found that appeared on the listing were not
corrected until we brought them to IRS's attention.
GAO's Standards for Internal Control in the Federal Government require
agencies to (1) implement internal control procedures to ensure the
accurate and timely recording of transactions and events, and (2)
perform sufficient management review to detect and eliminate errors. By
not properly recording IA user fees collected from taxpayers, IRS runs
the risk of misstating its unpaid assessments and exchange revenue.
Additionally, and most importantly, by not crediting taxpayer accounts
with proper payments, IRS faces increased risk of charging interest and
penalties to taxpayers who have satisfied their tax debts, or taking
more stringent enforcement actions and overcollecting tax debts.
Recommendations:
We recommend that IRS:
* monitor IA user fee activity on a regular basis,
* adjust errors in recorded IA user fees as necessary to correctly
reflect the user fees IRS earned and collected from taxpayers, and:
* establish sufficient review procedures to help ensure that
adjustments to IA user fees collected from taxpayers are accurately and
timely recorded.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the need for accurate
and timely recording of installment agreement user fees and routing
monitoring and review of this activity. IRS indicated that it currently
uses the Installment Agreement Accounts Listings report to identify and
resolve user fee errors, and that in January 2008 it will implement
enhancements to this report. IRS stated that it currently utilizes a
quarterly process to reconcile installment agreement payments and
adjusts those with discrepancies or errors, but that it will increase
the frequency of this reconciliation process from quarterly to weekly
beginning in January 2008. IRS also indicated it will update the
section of the IRM dealing with IA user fee review procedures by
January 2008. Because IRS's planned actions in this area will not be
completed for our fiscal year 2007 audit, we will evaluate the
effectiveness of IRS's efforts during future audits.
Property and Equipment:
During our fiscal year 2006 audit, we found that internal controls were
not adequate to ensure the security and safeguarding of property and
equipment at one of five locations we visited. At this location, IRS's
designated secured storage area was not large enough to store all of
the property and equipment not currently in use. Consequently, IRS
stored its overflow inventory items, including computer equipment, in
an unlocked room. At the same location, IRS allowed one individual to
both order property and equipment from vendors and perform receipt and
acceptance when the assets were delivered.
GAO's Standards for Internal Control in the Federal Government state
that an agency must establish physical control to secure and safeguard
vulnerable assets. In addition, the IRM requires Single Point Inventory
Function (SPIF)[Footnote 31] personnel to have secured storage space
where access is restricted to inventory personnel. GAO's standards
further state that key duties and responsibilities should be divided or
segregated among different people to reduce the risk of error or fraud.
Such control activities are an integral part of an agency's
accountability for stewardship of government resources. The storage of
equipment in an unlocked room increases the risk that assets may be
stolen or misplaced. Also, the lack of segregation of duties increases
the risk that error, waste, or fraud may occur in the procurement
process and not be detected and that IRS may pay for property and
equipment that it did not receive.
Recommendations:
We recommend that IRS:
* establish and maintain sufficient secured storage space to properly
secure and safeguard its property and equipment inventory, including in-
stock inventories, assets from incoming shipments, and assets that are
in the process of being excessed and/or shipped out; and:
* develop and implement procedures to require that separate individuals
place orders with vendors and perform receipt and acceptance functions
when the orders are delivered.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the secure storage of
property and equipment and the separation of ordering and receipt
duties. IRS stated that it is identifying locations that need
additional secured storage space and will obtain the necessary space as
appropriate. IRS also stated that it has policies and procedures in
place regarding the separation of receipt and acceptance duties but
will reissue communications to remind those with procurement authority
about the specific IRS acquisition procedure which provides this
guidance. We will evaluate the effectiveness of IRS's efforts in this
area during our audit of IRS's fiscal year 2007 financial statements.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and Governmental
Affairs and the House Committee on Oversight and Government Reform
within 60 days of the date of this report. A written statement must
also be sent to the House and Senate Committees on Appropriations with
the agency's first request for appropriations made more than 60 days
after the date of the report.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Minority Members of the
Senate Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; and
Subcommittee on Taxation and IRS Oversight and Long-Term Growth, Senate
Committee on Finance. We are also sending copies to the Chairmen and
Ranking Minority Members of the House Committee on Appropriations;
House Committee on Ways and Means; the Chairman and Vice-Chairman of
the Joint Committee on Taxation; the Secretary of the Treasury; the
Director of the Office of Management and Budget; the Chairman of the
IRS Oversight Board; and other interested parties. The report is
available at no charge on GAO's Web site at http://www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years 2006
and 2005 financial statements. Please contact me at (202) 512-3406 or
sebastians@gao.gov if you or your staff have any questions concerning
this report. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report. GAO
staff who made major contributions to this report are listed in
enclosure III.
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures - 3:
[End of section]
Enclosure I: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
Commissioner:
May 2, 2007:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft of the Fiscal Year (FY) 2006 Management Report titled,
Improvements Needed in IRS's Internal Controls (GAO-07-689R). As GAO
noted in the report titled, Financial Audit. IRS's Fiscal Years 2006
and 2005 Financial Statements, we continue to make progress in
addressing our financial management challenges and have substantially
mitigated weaknesses in our internal controls.
In FY 2006, we improved the reliability of our property and equipment
(P&E) accounting records and streamlined our analysis of P&E
transactions most susceptible to misclassification. These improvements
along with the progress we made last year enabled you to conclude that
P&E no longer constitutes a reportable condition. We believe our work
this year in implementing corrective actions will further improve our
financial management. I have enclosed a response which addresses all of
your recommendations separately.
We appreciate your recommendations to strengthen our controls over
encryption of data files, facilities security, property and equipment,
and improving financial management. We are committed to implementing
appropriate improvements to ensure that the IRS maintains sound
financial management practices. If you have any questions, please
contact Janice Lambert, Chief Financial Officer, at (202) 622-6400.
Sincerely,
Signed by:
Mark W. Everson:
Enclosure:
GAO Recommendations and IRS Responses to GAO FY 2006 Management Report
Improvements Needed in the IRS's Internal Controls GAO-07-689R:
Recommendation: Enforce the existing policy requiring that all lockbox
banks encrypt backup media containing federal taxpayer information.
Comments: We agree with this recommendation. We will ensure compliance
with the policy of requiring all lockbox banks to encrypt backup media
containing federal taxpayer information through the Information
Technology Security Audit Process that will be implemented by July
2007.
Recommendation: Ensure that lockbox banks store backup media containing
federal taxpayer information at an offsite location as required by the
2006 Lockbox Security Guidelines (LSG).
Comments: We agree with this recommendation. By July 2007, as part of
our Information Technology Security Audit Process, we will validate
that all backup media, including files that may need to be recovered,
are stored offsite. By July 2007, we will modify the Lockbox Security
Guidelines (LSG) to emphasize that all backup media, including files
that may need to be recovered, will be stored offsite.
Recommendation: Revise instructions for IRS annual reviews of lockbox
banks to encompass routine monitoring of backup media containing
personally identifiable information to ensure that this information is
(1) encrypted prior to transmission and (2) stored in an appropriate
offsite location.
Comments: We agree with this recommendation. We will ensure that the
annual Information Technology Security Audit Process which will be
implemented by July 2007 includes a review to ensure backup media
containing personally identifiable information (PII) are encrypted and
also stored at an appropriate offsite location.
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
service center campuses (SCC's) perimeter, such as adding or
repositioning existing CCTV cameras or removing obstructions.
Comments: We agree with this recommendation. Mission Assurance and
Security Services (MA&SS) Physical Security & Emergency Preparedness
(PS&EP) is developing a plan to assess all CCTVs and mitigate findings
by December 30, 2007.
Recommendation: Revise instructions for quarterly physical security
reviews to require analysts (1) document any issues identified and
planned implementation dates of corrective actions to be taken and (2)
track the status of corrective actions identified during the quarterly
assessments to ensure they are promptly implemented.
Comments: We agree with this recommendation. By June 30, 2007, MA&SS
will implement procedures requiring Physical Security Analysts to
document concerns identified during quarterly reviews, establish
corrective action implementation dates, and track corrective actions to
ensure they are implemented.
Recommendation: Revise procedures contained in the Manual Refund Desk
Reference to reflect the Internal Revenue Manual (IRM) requirements for
manual refund initiators to (1) monitor the manual refund accounts in
order to prevent duplicate refunds, and (2) document their monitoring
actions.
Comments: We agree with this recommendation. We will replace the Manual
Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official
authoritative guidance for processing manual refunds. We will inform
Submission Processing sites and other IRS staff of this change by the
end of May 2007.
Recommendation: Provide to all the IRS units responsible for processing
manual refunds the same and most current version of the Manual Refund
Desk Reference.
Comments: We agree with this recommendation. We will replace the Manual
Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official
authoritative guidance for processing manual refunds. We will inform
Submission Processing sites and other IRS staff of this change by the
end of May 2007.
Recommendation: Require that managers or supervisors provide the manual
refund initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds.
Comments: We agree with this recommendation. Wage and Investment (W&I)
will ensure its managers and supervisors conduct training for manual
refund initiators in its Submission Processing, Accounts Management,
and Compliance operations to prevent the issuance of duplicate refunds.
Submission Processing will issue an Information Alert to the campuses,
directing them to provide refresher training to the areas responsible
for initiating manual refunds. Accounts Management will also conduct
classroom training for employees who initiate manual refunds.
Compliance will ensure the Integrated Data Retrieval System (IDRS)
Morning Message includes a reminder about Tax Examiners responsibility
to monitor manual refunds to prevent the issuance of duplicate refunds
and document monitoring accordingly. The IDRS Morning Message will
refer Tax Examiners to the appropriate IRM, and this issue will also be
discussed in follow-up unit meetings in all W&I Compliance campuses. We
will complete all of these actions by the end of July 2007.
Recommendation: Enhance IRS's computer program to check for outstanding
tax liabilities associated with both the primary and secondary social
security numbers (SSNs) shown on a joint tax return and apply credits
to those balances before issuing any refund.
Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs
the revenue officer to prepare Form 3177, Notice of Action on the
Master File, to request input of the transaction code (TC) 130 to
freeze any potential refunds for all individuals liable for the Trust
Fund Recovery Penalty (TFRP). While the systemic cross reference will
occur when a joint return is filed, we have requested an IRS Counsel
opinion to determine if it would be acceptable for the revenue officer
to also freeze the refund of any spouse at the time of the approval of
the Form 4183, Recommendation re: Trust Fund Recovery Penalty
Assessment, or at the time the TFRP assessment is made because the TC
130 freeze would also freeze the refund of the non-liable spouse if a
separate return was filed. If IRS Counsel determines that this action
is appropriate, we will implement this change by August 2007.
Recommendation: Instruct Revenue Officers making the TFRP assessments
to research whether the responsible officers are filing jointly with
their spouses and to place a refund freeze on the joint account until
the computer programming change can be completed.
Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs
the revenue officer to prepare Form 3177, Notice of Action on the
Master File, to request input of the transaction code (TC) 130 to
freeze any potential refunds for all individuals liable for the Trust
Fund Recovery Penalty (TFRP). While the systemic cross reference will
occur when a joint return is filed, we have requested an IRS Counsel
opinion to determine if it would be acceptable for the revenue officer
to also freeze the refund of any spouse at the time of the approval of
the Form 4183, Recommendation re: Trust Fund Recovery Penalty
Assessment, or at the time the TFRP assessment is made because the TC
130 freeze would also freeze the refund of the nonliable spouse if a
separate return was filed. If IRS Counsel determines that this action
is appropriate, we will implement this change by August 2007.
Recommendation: Correct the penalty calculation programs in IRS's
master file so that penalties are calculated in accordance with the
applicable Internal Revenue Code (IRC) and implementing IRM guidance.
Comments: We agree with this recommendation. We implemented a system
change in January 2007 to correct the penalty calculation program.
Recommendation: Research each of the taxpayer accounts that may have
been affected by the programming errors to determine whether they
contain over-assessed penalties and correct the accounts as needed.
Comments: We agree with this recommendation. We implemented a system
change in January 2007 that corrected debit balance taxpayer accounts
affected by the programming error.
Recommendation: Establish procedures and specify in the IRM that at the
time of receipt, employees recording taxpayer payments should (1)
determine if the payment is more than sufficient to cover the tax
liability of the tax period specified on the payment or earliest
outstanding tax period, (2) perform additional research to resolve any
outstanding issues on the account, (3) determine whether the taxpayer
has outstanding balances in other tax periods, and (4) apply available
credits to satisfy the outstanding balances in other tax periods.
Comments: We agree with this recommendation. The Deputy Commissioner
for Services and Enforcement issued a memorandum to all functions
titled, "Servicewide Action to Prevent Late Lien Releases" in January
2007. The memorandum directed manual lien releases when systemic
processes do not release liens, including when credit transfers are
necessary between accounts. The IRM will be updated to include the
information contained in the Deputy Commissioner memorandum by the end
of May 2007.
Recommendation: Establish procedures and specify in the IRM that
employees review taxpayer accounts with freeze codes that contain
credits weekly to (1) research and resolve any outstanding issues on
the account, (2) determine whether the taxpayer has outstanding
balances in other tax periods, and (3) apply available credits to
satisfy the outstanding balances in other tax periods.
Comments: We agree with this recommendation. The Deputy Commissioner
for Services and Enforcement issued a memorandum to all functions
titled, "Servicewide Action to Prevent Late Lien Releases" in January
2007. The memorandum directed manual lien releases when systemic
processes do not release liens, including when credit transfers are
necessary between accounts. The IRM will be updated to include the
information contained in the Deputy Commissioner memorandum by the end
of May 2007.
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in master file
or to manually release the liens in the Automated Lien System (ALS).
Comments: We agree with this recommendation. The Centralized Insolvency
Operation developed a report to identify cases where a discharge was
granted by the court, and a lien was filed on dischargeable periods.
When appropriate, manual lien releases are requested to ensure timely
release of Notice of Federal Tax Liens. This report is generated and
worked weekly, and quarterly reviews are conducted by Campus Compliance
analysts to ensure that appropriate actions were taken. We included
instructions in IRM 5.9 dated March 2007 and conducted training on the
new report and process prior to the issuance of the IRM.
IRS will complete its 2007 A-123 review on the timeliness of lien
releases at the Centralized Lien Unit by the end of May 2007. We will
determine if the new bankruptcy discharge guidance reduced the
incidence of untimely releases, and if errors still exist, we will
issue additional guidance by November 2007.
Recommendation: Issue a memorandum to employees in the Centralized Lien
Processing Unit reiterating the IRM requirement to date stamp and
maintain the billing support voucher as evidence of timely processing
by IRS.
Comments: We agree with this recommendation. The IRM for the
Centralized Lien Unit (CLU) contains direction to date stamp and
maintain the billing support voucher (BSV) as evidence of timely
release of the federal tax lien. In November 2006, the CLU began a new
process of scanning BSVs, and associated BSVs with Specific Lien
Identification (SLID) Numbers in order to ensure the BSV is retrievable
and to show liens were timely released. We trained employees on this
process as it was rolled out.
IRS will complete the 2007 A-123 review on the timeliness of lien
releases at the CLU by the end of May 2007. We will determine if new
BSV procedures reduced the incidence of missing BSVs, and if we find
BSV errors occurred after implementation of the new process, we will
issue additional guidance by November 2007.
Recommendation: Monitor installment agreement (IA) user fee activity on
a regular basis.
Comments: We agree with this recommendation. We currently use reports
from the Collection Activity and Interim Revenue Accounting Control
System (IRACS) to monitor and report on IA activity each month. We
extract from these reports the number of IA's issued, number of user
fees paid, and user fee dollar amounts. The Chief Financial Officer
(CFO) and Small Business/Self-Employed (SB/SE) Headquarters offices use
these reports to conduct trend analyses, such as month-to-month and
year-to-year comparisons, and to identify potential issues related to
the proper posting of user fee revenue. We also use the Installment
Agreement Accounts Listings (IAAL) report to resolve user fee errors.
In January 2008, we will implement enhancements to the IAAL, add it to
Desktop Integration (DI), and will increase the frequency of the sweep
process used to correct accounts from quarterly to weekly.
Recommendation: Adjust errors in recorded IA user fees as necessary to
correctly reflect the user fees IRS earned and collected from
taxpayers.
Comments: We agree with this recommendation. We currently use a
quarterly sweep process that reconciles installment agreement payments
and adjusts those with discrepancies or errors to ensure that fees are
accurately posted to the user fee account. In January 2008, we will
increase the frequency of the sweep process from quarterly to weekly.
Recommendation: Establish sufficient review procedures to help ensure
that adjustments to IA user fees collected from taxpayers are
accurately and timely recorded.
Comments: We agree with this recommendation. We currently use the
Installment Agreement Accounts Listings (IAAL) to identify accounts
with user fee errors, underpayments, and overpayments that require
adjustments. W&I consolidated the IAAL at one location to provide
improved oversight of the process. The IAAL is reviewed by W&I and SB/
SE program analysts, managers, operations management, and headquarters
staff. In January 2008, we will implement enhancements to the IAAL, add
it to Desktop Integration (DI), and will increase the frequency of the
sweep process used to correct accounts from quarterly to weekly. We
will update IRM 5.19.1 to include DI requirements for case analysis and
documentation by the January 2008 implementation.
Recommendation: Establish and maintain sufficient secured storage space
to properly secure and safeguard IRS property and equipment inventory,
including in-stock inventories, assets from incoming shipments, and
assets that are in the process of being excessed and/or shipped out.
Comments: We agree with this recommendation. We are identifying
locations that need additional secured storage space and will obtain
the necessary space as appropriate.
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered.
Comments: We agree with this recommendation. Policy and procedures are
in place regarding separation of receipt and acceptance duties. We will
reissue communications to remind those with procurement authority about
IRS Acquisition Procedure, dated December 2002, which provides this
guidance. Also, we will reference Policy and Procedures Memorandum No.
46.5, "Receipt, Quality Assurance and Acceptance," issued by the Office
of Procurement Policy, which reiterates the separation of duties
requirement.
[End of section]
Enclosure II: Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements for fiscal years 2006 and 2005, we
took the following actions:
² Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included selecting
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, accounts
payable, and undelivered order transactions. These statistical samples
were selected primarily to substantiate balances and activities
reported in IRS's financial statements. Consequently, dollar errors or
amounts can and have been statistically projected to the population of
transactions from which they were selected. In testing these samples,
certain attributes were identified that indicated either significant
deficiencies in the design or operation of internal control or
compliance with provisions of laws and regulations. These attributes,
where applicable, can be and have been statistically projected to the
appropriate populations.
² Assessed the accounting principles used and significant estimates
made by management.
² Evaluated the overall presentation of the financial statements.
² Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and the existence and completion assertions related
to performance measures reported in the Management Discussion and
Analysis.
² Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.
² Considered IRS's process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. § 3512 (c),
(d), commonly referred to as the Federal Managers' Financial Integrity
Act of 1982, and Office of Management and Budget (OMB) Circular No. A-
123, Management's Responsibility for Internal Control.
² Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1)
and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. § 1301); Release
of lien or discharge of property (26 U.S.C. § 6325); Interest on
underpayment, nonpayment, or extensions of time for payment of tax (26
U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611);
Determination of rate of interest (26 U.S.C. § 6621); Failure to file
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance
System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C.
§ 206); Federal Employees' Retirement System Act of 1986, as amended (5
U.S.C. §§ 8422, 8423, and 8432); Social Security Act, as amended (26
U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health
Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909);
Transportation, Treasury, Independent Agencies, and General Government
Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit. II, 118
Stat. 2809, 3199 (Dec. 8, 2004); and Department of the Treasury
Appropriations Act, 2006, Pub. L. No. 109-115, div. A, tit. II, 119
Stat. 2396, 2432 (Nov. 30, 2005).
Tested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996):
[End of section]
Enclosure III: Staff Acknowledgments:
Acknowledgments: The following individuals made major contributions to
this report: John Davis, Assistant Director, Gloria Cano, Stephanie
Chen, Nina Crocker, Oliver Culley, Chuck Fox, John Gates, Ted Hu,
Richard Larsen, Olivia Lopez, Joshua Marcus, George Ogilvie, Jerrod
O'Nelio, John Sawyer, Angel Sharma, Peggy Smith, LaDonna Towler, and
Gary Wiggins.
(196152):
FOOTNOTES
[1] GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial
Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006).
[2] Lockbox banks are financial institutions designated as depositories
and financial agents of the U.S. government to perform certain
financial services, including processing tax documents, depositing the
receipts, and then forwarding the documents and data to IRS service
center campuses, which update taxpayers' accounts. During fiscal year
2006, there were eight lockbox banks processing taxpayer receipts on
behalf of IRS.
[3] GAO, Standards for Internal Control in the Federal Government, GAO/
AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal
control standards to be followed by executive agencies in establishing
and maintaining systems of internal control as required by 31 U.S.C. §
3512 (c), (d) (commonly referred to as the Federal Managers' Financial
Integrity Act of 1982).
[4] GAO-07-136.
[5] The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct its operations and contains policy,
direction, and delegations of authority necessary to carry out IRS's
responsibilities to administer tax law and other legal provisions.
[6] The LSG outlines security guidelines for lockbox bank managers to
use so that they adhere to IRS's physical, personnel, and data
protection requirements to ensure protection of taxpayer receipts and
information.
[7] OMB, Protection of Sensitive Agency Information, M-06-16
(Washington, D.C.: June 23, 2006).
[8] U.S. Department of Commerce, National Institute of Standards and
Technology, Recommended Security Controls for Federal Information
Systems (Washington, D.C.: December 2006).
[9] 26 U.S.C. § 7501(a) The law further provides that withheld income
and employment taxes are to be held in a separate bank account
considered to be a special fund in trust for the federal government. 26
U.S.C. § 7512(b).
[10] FICA provides for a federal system of old-age, survivors,
disability, and hospital insurance benefits. Payments to trust funds
established for these programs are financed by payroll taxes on
employee wages and tips, employers' matching payments, and a tax on
self-employment income.
[11] See 26 U.S.C. § 6672 and implementing IRS guidance in the Internal
Revenue Manual at § 4.23.9.13, Trust Fund Recovery Penalty (Mar. 1,
2003).
[12] GAO-06-137.
[13] The primary purpose of our test was to determine whether IRS
properly recorded the sample payment to all related parties. However,
we also performed other tests of IRS's controls using this same sample.
Although we identified officers with outstanding balances on their TFRP
accounts that received refunds from IRS, we are unable to project these
results to IRS's population of TFRP accounts because the sampling unit
was payments rather than accounts.
[14] A "tax period" varies by tax type. For example, the tax period for
individual income or corporate tax is 1 year. In contrast, a tax period
for payroll and excise taxes is generally one quarter of a year.
[15] See 26 U.S.C. § 6651 and implementing IRS guidance in the Internal
Revenue Manual at § 20.1.2, Failure to File/Failure to Pay Penalties
(July 31, 2001).
[16] We reviewed IRS's criteria for identifying the affected taxpayers
and concur that the problem was confined to those identified by IRS.
Consequently, we did not project these errors to IRS's population of
penalty assessments.
[17] 26 U.S.C. §§ 6321, 6323.
[18] ALS is a comprehensive database that prints federal tax liens and
lien releases, stores taxpayer information, and documents lien
activity.
[19] The local courthouse is the courthouse in the county where the
taxpayer's property is located. Liens can also be filed elsewhere as
determined by state law. 26 U.S.C. § 6323.
[20] Tax credits can result from taxpayer payments in excess of the tax
liability owed for a specific tax period or from IRS's abatement of
taxes in a specific tax period which the taxpayer had previously paid.
Abatements are reductions to taxpayers' tax liabilities. In cases where
the taxpayer had already paid the tax liability, the abatement would
result in a credit that could be applied against other outstanding tax
liabilities owed by the taxpayer or if none exist, would be refunded to
the taxpayer.
[21] IRS can file a lien on the taxpayer's property for one or multiple
tax periods that contain an outstanding tax liability.
[22] OMB revised Circular A-123, Management's Responsibility for
Internal Control, in December 2004. The revised OMB Circular No. A-123,
which first became effective in fiscal year 2006, included a new
appendix, Appendix A, which prescribed a strengthened management
process for assessing internal control over financial reporting for the
24 major executive branch departments and agencies. Circular A-123 also
required a new management assurance statement specifically addressing
the effectiveness of the internal control over financial reporting
based on the results of management's assessment.
[23] The primary purpose of IRS's test was to determine whether it
released liens filed against taxpayers whose liability had either been
paid off or abated in a timely manner. However, the sample was not
designed to specifically identify the causes for any instances in which
IRS did not release liens timely. Consequently, while we were able to
determine the causes for those sampled cases in which liens were not
timely released, we are unable to project each cause to the total
population. We reviewed IRS's test procedures and concurred with its
results.
[24] IRS records "freeze codes" onto taxpayer accounts in the master
file to prevent certain automated processes from occurring because
these accounts may require additional manual review.
[25] As noted earlier, the primary purpose of IRS's test was to
determine whether it released liens filed against taxpayers whose
liability had either been paid off or abated in a timely manner. The
sample was not designed to specifically identify the causes for any
instances in which IRS did not release liens timely. Consequently,
while we were able to determine the causes for those sampled cases in
which liens were not timely released, we are unable to project each
cause to the total population.
[26] GAO, Management Report: Improvements Needed in IRS's Accounting
Procedures and Internal Controls, GAO-02-746R (Washington, D.C.: July
18, 2002).
[27] IRS uses the "billing support voucher" to support its payment for
recording fees to the local courthouse. The billing support voucher
lists all the lien releases sent to the local courthouse for processing
on a given date.
[28] Again, as the primary purpose of IRS's test was to determine
whether it released liens filed against taxpayers whose liability had
either been paid off or abated in a timely manner, the sample was not
designed to specifically identify the causes for any instances in which
IRS did not release liens timely. Consequently, we are unable to
project each cause to the total population.
[29] IRS is authorized by 26 U.S.C. § 6159 to allow taxpayers to enter
into installment agreement arrangements to satisfy their tax debts.
Under such arrangements, IRS agrees to let taxpayers pay their tax
liabilities in installments over a specified period of time instead of
immediately paying the amount in full.
[30] IRS charges taxpayers IA user fees under the authority of 31
U.S.C. § 9701. For fiscal year 2006, the fee to establish a new IA was
$43 and the fee to reinstate an old IA was $24.
[31] Single Point Inventory Function units are responsible for the
management and control of all computer equipment at all IRS offices.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548: