Management Report
Improvements Needed in IRS's Internal Controls
Gao ID: GAO-08-368R June 4, 2008
In November 2007, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2007, and 2006, and on the effectiveness of its internal controls as of September 30, 2007. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2007, regarding internal controls that could be improved for which we currently do not have a specific recommendation outstanding. Although not all of these issues were discussed in our fiscal year 2007 audit report, they all warrant management's consideration. This report contains 24 recommendations that we are proposing IRS implement to improve its internal controls. We will issue a separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one. We conducted our audit in accordance with U.S. generally accepted government auditing standards.
During our audit of IRS's fiscal year 2007 financial statements, we identified several internal control matters not addressed by previous recommendations. These matters concern the following: summary information reported in the Interim Revenue Accounting Control System (IRACS), IRS's general ledger system for tax-related transactions, could not be traced to the underlying detailed transaction records. Supervisory review procedures for IRS's unpaid assessments estimation process were not effective in preventing or detecting errors. Controls over computer programs affecting penalty assessments did not ensure that the programs always functioned in accordance with IRS's policies and procedures. Documentation of off-site Taxpayer Assistance Center (TAC) managers' reviews was not always readily available and, when provided, lacked the information needed to effectively assess the internal control environment at 5 of the 10 TACs we visited. In addition, these managers lacked clear, comprehensive, and up-to-date guidance for conducting and documenting TAC reviews. Computer access rights of employees responsible for processing cash deposits were not properly restricted to prevent unauthorized adjustments to certain taxpayer account information at 4 of the 10 TACs we visited. First responders to duress alarms were not always qualified or located to effectively respond to emergencies at 5 of the 10 TACs we visited. Documentary evidence demonstrating that background investigations--with favorable results--had been completed for contractors before they were given unescorted access to the facilities was not obtained at six TACs and three field offices we visited. Documentary evidence that background investigations--with favorable results--had been completed for contractors working at off-site shredding facilities was not obtained before they were given access to taxpayer and sensitive information. IRS also was not performing periodic, unannounced inspections of these facilities. New policies and procedures for hiring juveniles were not fully implemented. Evidence of supervisory reviews of documentation demonstrating compliance with key controls related to the processing of Tax Exempt/Government Entity (TE/GE) user fees was lacking. Key controls over IRS's purchase card program were not adequate. Information on new assets was not always recorded in IRS's property and equipment inventory system within required time frames. Travel authorizations for employees were not always approved before travel was initiated. These internal control matters increase the risk that IRS may fail to prevent or timely detect (1) errors in financial data and reporting, computer-generated penalty assessments, and user fee processing; (2) the loss, theft, or misuse of taxpayer receipts, information, and government property; (3) improper or fraudulent procurement; and (4) unauthorized travel.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-08-368R, Management Report: Improvements Needed in IRS's Internal Controls
This is the accessible text file for GAO report number GAO-08-368R
entitled 'Management Report: Improvements Needed in IRS's Internal
Controls' which was released on June 4, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO-08-368R:
United States Government Accountability Office:
Washington, DC 20548:
June 4, 2008:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Needed in IRS's Internal
Controls:
Dear Mr. Shulman:
In November 2007, we issued our report on the results of our audit of
the Internal Revenue Service's (IRS) financial statements as of, and
for the fiscal years ending, September 30, 2007, and 2006, and on the
effectiveness of its internal controls as of September 30, 2007.
[Footnote 1] We also reported our conclusions on IRS's compliance with
significant provisions of selected laws and regulations and on whether
IRS's financial management systems substantially comply with the
requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA).
The purpose of this report is to discuss issues identified during our
audit of IRS's financial statements as of, and for the fiscal year
ending, September 30, 2007, regarding internal controls that could be
improved for which we currently do not have a specific recommendation
outstanding. Although not all of these issues were discussed in our
fiscal year 2007 audit report, they all warrant management's
consideration. This report contains 24 recommendations that we are
proposing IRS implement to improve its internal controls. We will issue
a separate report on the implementation status of recommendations from
our prior IRS financial audits and related financial management
reports, including this one. We conducted our audit in accordance with
U.S. generally accepted government auditing standards.
Results in Brief:
During our audit of IRS's fiscal year 2007 financial statements, we
identified several internal control matters not addressed by previous
recommendations. These matters concern the following:
* Summary information reported in the Interim Revenue Accounting
Control System (IRACS), IRS's general ledger system for tax-related
transactions, could not be traced to the underlying detailed
transaction records.
* Supervisory review procedures for IRS's unpaid assessments estimation
process were not effective in preventing or detecting errors.
* Controls over computer programs affecting penalty assessments did not
ensure that the programs always functioned in accordance with IRS's
policies and procedures.
* Documentation of off-site Taxpayer Assistance Center (TAC) managers'
reviews was not always readily available and, when provided, lacked the
information needed to effectively assess the internal control
environment at 5 of the 10 TACs we visited.[Footnote 2] In addition,
these managers lacked clear, comprehensive, and up-to-date guidance for
conducting and documenting TAC reviews.
* Computer access rights of employees responsible for processing cash
deposits were not properly restricted to prevent unauthorized
adjustments to certain taxpayer account information at 4 of the 10 TACs
we visited.
* First responders to duress alarms were not always qualified or
located to effectively respond to emergencies at 5 of the 10 TACs we
visited.
* Documentary evidence demonstrating that background investigations--
with favorable results--had been completed for contractors before they
were given unescorted access to the facilities was not obtained at six
TACs and three field offices[Footnote 3] we visited.
* Documentary evidence that background investigations--with favorable
results--had been completed for contractors working at off-site
shredding facilities was not obtained before they were given access to
taxpayer and sensitive information. IRS also was not performing
periodic, unannounced inspections of these facilities.
* New policies and procedures for hiring juveniles were not fully
implemented.
* Evidence of supervisory reviews of documentation demonstrating
compliance with key controls related to the processing of Tax Exempt/
Government Entity (TE/GE) user fees was lacking.[Footnote 4]
* Key controls over IRS's purchase card program were not adequate.
* Information on new assets was not always recorded in IRS's property
and equipment inventory system within required time frames.
* Travel authorizations for employees were not always approved before
travel was initiated.
These internal control matters increase the risk that IRS may fail to
prevent or timely detect (1) errors in financial data and reporting,
computer-generated penalty assessments, and user fee processing; (2)
the loss, theft, or misuse of taxpayer receipts, information, and
government property; (3) improper or fraudulent procurement; and (4)
unauthorized travel.
At the end of our discussion of each of the internal control matters in
the following sections, we make recommendations for strengthening IRS's
internal controls. These recommendations are intended to bring IRS into
conformance with IRS's policies or with the Standards for Internal
Control in the Federal Government, or both.[Footnote 5]
In its comments, IRS agreed with our recommendations and described
actions it had taken or planned to take to address the control
weaknesses described in this report. At the end of our discussion of
each of the issues in this report, we have summarized IRS's related
comments and provide our evaluation. We have also reprinted IRS's
comments in enclosure II.
Scope and Methodology:
This report addresses issues we observed during our audit of IRS's
fiscal years 2007 and 2006 financial statements. As part of our audit,
we tested IRS's internal controls and its compliance with selected
provisions of laws and regulations. We designed our audit procedures to
test relevant controls, including those for proper authorization,
execution, accounting, and reporting of transactions. To assess
internal controls related to safeguarding taxpayer receipts and
information, we visited 5 service center campuses, 4 lockbox banks, 10
TACs, and 4 field offices. We conducted our fieldwork between January
2007 and November 2007.
Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2007 and 2006
financial statements.[Footnote 6] Additionally, details on our
methodology are reproduced in their entirety in enclosure I.
Interim Revenue Accounting Control System:
During our audit of IRS's fiscal year 2007 financial statements, we
found that balances reported in IRS's core general ledger system for
reporting tax-related transactions are not traceable to source
documents for underlying transactions, and reported this issue as a
component of the material weakness in IRS's financial reporting
process.[Footnote 7] This system, the Interim Revenue Accounting
Control System (IRACS), does not appropriately document, or permit
independent verification, that the transactions it reports were
recorded in conformance with the posting requirements of the U.S.
Government Standard General Ledger (SGL). As a result, IRACS does not
substantially comply with the (1) SGL at the transaction level or (2)
Federal Financial Management Systems Requirements (FFMSR) as embodied
in the Office of Management and Budget (OMB) Circular No. A-127,
Financial Management Systems. Thus, it did not comply with the
requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA).[Footnote 8] The transactions recorded in IRACS primarily
consist of tax revenue, tax refunds, and unpaid tax assessments,
including taxes receivable. Taxes receivable accounts for over 80
percent of the assets IRS reports on its balance sheet, and tax
revenues and related refunds preponderantly account for the activity
IRS reports on its Statement of Custodial Activity. However, since its
inception in October 1984, IRACS's reported balances have not been
supported by audit trails traceable to source documents for individual
transactions.
FFMSR require application of the SGL at the transaction level and state
that conformance requires, among other items, that transaction detail
for SGL accounts be readily available in the financial management
system and traceable to specific SGL account codes. Similarly, internal
control standards require that all transactions and other significant
events be clearly documented, and that the documentation be readily
available for examination. However, IRACS does not conform to these
standards because tax revenue and tax refund transactions are posted to
it at a summary level, and are not traceable from IRACS to underlying
supporting transaction records. Consequently, in order to assure that
IRACS balances reported in the financial statements for revenue and
refunds are supported by transaction detail in taxpayer accounts, IRS
must first compare IRACS to its master files to demonstrate that they
materially agree, and then trace individual items back from the master
files to underlying documentation.[Footnote 9] In addition, IRS's
balance for taxes receivable, which accounted for over 83 percent of
IRS's total assets on its balance sheet as of September 30, 2007, was
derived from a complex statistical estimation process rather than the
traditional posting of individual transactions. Consequently, IRS's
taxes receivable were neither posted to IRACS nor traceable to
underlying transaction detail.
During fiscal year 2006, IRS implemented the first phase of the
Custodial Detail Data Base (CDDB), which is an automated system that
IRS ultimately intends will provide transaction traceability for all of
its tax-related transactions. As part of its progress toward this goal,
IRS informed us that during fiscal year 2008, it added trace
identification numbers to revenue and refund transactions to provide
the traceability required by FFMSR. We will follow-up during our audit
of IRS's fiscal year 2008 financial statements to assess the
effectiveness of this approach. However, it is unclear when IRS will
achieve similar traceability for its more complex taxes receivable
transactions.
Recommendation:
We recommend that you direct appropriate IRS officials to verify that
when it becomes fully operational, CDDB, when used in conjunction with
IRACS, will provide IRS with the direct transaction traceability for
all of its tax-related transactions as required by the SGL and FFMSR,
and thus FFMIA.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated it will verify that
summary tax revenue, tax refunds, and unpaid assessments recorded in
IRACS are directly traceable to transactions in CDDB when it is fully
implemented by September 30, 2009. We will evaluate the effectiveness
of IRS's efforts after they are fully implemented during future audits.
IRS's Unpaid Assessments Estimation Process:
During our fiscal year 2007 financial audit, we identified errors in
IRS's unpaid assessments[Footnote 10] estimation process that its
internal review procedures either did not detect or did not detect in a
timely manner. As we have reported previously,[Footnote 11] IRS lacks a
detailed listing, or subsidiary ledger, that tracks and accumulates
unpaid assessments and their status on an ongoing basis. This is a
primary reason we have been reporting a long-standing material internal
control weakness with respect to IRS's unpaid assessments.
Consequently, IRS must rely on a labor-intensive compensating
estimation process to report balances for taxes receivable and other
unpaid assessments in its financial statements and supplemental
information. This estimation process involves a combination of: (1)
computer programs, (2) statistical sampling, (3) manual case file
review, (4) statistical projections, and (5) the use of spreadsheets to
compile results and to roll forward the results to fiscal year-end.
Strong controls over its estimation process are critical to IRS's
ability to report a reliable balance for the largest component of its
balance sheet. However, we found several errors that were not detected
by its internal reviews. Specifically, we found that IRS personnel did
the following:
* They did not include all taxes receivable account modules[Footnote
12] in the population from which the taxes receivable sample was
selected. Although IRS did identify this error, it did not do so until
after it had begun obtaining the source documentation for the sample to
conduct the manual case file reviews. Since it had already expended
significant resources to obtain the source documents, IRS chose to
select and test an additional sample from the omitted subpopulation
rather than reselecting the taxes receivable sample from the population
of all taxes receivable account modules. This increased the total
number of cases its staff had to review.[Footnote 13] Consequently, IRS
expended additional resources to retrieve documents and to review
additional case files.
* IRS personnel made a $2,000 data entry error when entering the case
file review results into the statistical projection computer program,
resulting in an overstatement of the projected error in the write-off
population of approximately $10 million.
* IRS personnel erroneously deducted $2.6 billion when calculating the
fiscal year-end write-off balance, understating the write-off amount
that would have been reported in its supplemental information by $2.6
billion.
We also found that IRS currently does not have documented procedures
detailing the steps that its statistician should perform throughout the
process, nor does it have documented procedures supervisors should
perform as part of their reviews. Due to the complexity of the
estimation process, officials responsible for reviewing IRS's unpaid
assessments statistical estimates require documented detailed
procedural guidance to assist them in performing effective and timely
reviews.
Internal control standards require internal control and all
transactions and other significant events to be clearly documented, and
the documentation to be readily available for examination. Such
documentation should appear in management directives, administrative
policies, or operating manuals. Furthermore, internal control standards
require that qualified and continual supervision be provided to ensure
that internal control objectives are achieved. The lack of clear,
documented procedures for the preparation and review of IRS's unpaid
assessments estimation process inhibits effective supervisory review.
The lack of effective supervisory review, in turn, increases the risk
that errors made in the preparation of IRS's unpaid assessments
estimates will not be detected or detected in a timely manner,
increasing the risk that inaccurate amounts will be reported in its
financial statements.
According to IRS officials, the various aspects of its estimation
process undergo supervisory review. Nevertheless, these officials could
not explain why this review did not detect the errors we identified. In
addition, the lack of detailed guidance describing the procedures the
statistician should perform in the unpaid assessments estimation
process and detailed review procedures for supervisors increase the
risk that errors will not be detected and that erroneous balances will
be reported in IRS's financial statements.
Recommendations:
We recommend that you direct appropriate IRS officials to do the
following:
* Document and implement the specific procedures to be performed by the
statistician in each step of the unpaid assessments estimation process.
* Document and implement specific detailed procedures for reviewers to
follow in their review of unpaid assessments statistical estimates.
Specifically, IRS should require that a detailed supervisory review be
performed to ensure: (1) the statistical validity of the sampling
plans, (2) data entered into the sample selection programs agree with
the sampling plans, (3) data entered into the statistical projection
programs agree with IRS's sample review results, (4) data on the
spreadsheets used to compile the interim projections and roll-forward
results trace back to supporting statistical projection results, and
(5) the calculations on these spreadsheets are mathematically correct.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning documented procedures
for preparing and reviewing its unpaid assessments statistical
estimates. IRS stated that by June 30, 2008, it will document
procedures to be (1) performed by the statistician in each step of the
unpaid assessments estimation process and (2) followed by reviewers
during their review of the unpaid assessments statistical estimates. We
will evaluate the effectiveness of IRS's efforts in this area during
our audit of IRS's fiscal year 2008 financial statements.
Computer Programs Affecting Penalty Assessments:
IRS's controls over computer programs affecting penalty assessments did
not always ensure that the programs were designed or functioned in
accordance with the intent of established policies and procedures.
The Internal Revenue Code (IRC)[Footnote 14] grants IRS broad authority
to assess penalties against taxpayers for noncompliance with tax laws
such as failing to file a tax return, failing to pay taxes owed, or
inaccurately reporting taxes. IRS establishes the specific policies and
procedures for calculating and assessing penalties in its Internal
Revenue Manual (IRM).[Footnote 15] In accordance with the IRM, IRS's
business operating divisions work with its Modernization and
Information Technology Services to implement computerized programs
within its master files[Footnote 16] to calculate and assess penalties
against taxpayers in relation to unpaid tax assessments or violations
of the tax laws. Our tests of penalty and interest transactions in each
of the past 2 years have identified issues that, while not a violation
of the IRC, resulted in IRS making modifications to computer programs
affecting penalty assessments.
During our fiscal year 2007 IRS financial audit, we found that IRS did
not apply the same rule for assigning the effective date of accuracy
penalties against business and individual taxpayers. The IRC authorizes
IRS to assess taxes and penalize taxpayers if taxpayers substantially
underreport their income tax liability.[Footnote 17] If IRS determines
that a taxpayer substantially underreported the amount of taxes owed,
it can assess the taxpayer an accuracy penalty and a failure-to-pay
penalty, along with the additional taxes owed. Since IRS makes this
determination on examining the taxpayer's return, the assessment of the
additional taxes due and the related penalties occurs later than the
due date of the tax return. When IRS assesses a business an accuracy
penalty, the computer program in its Business Master File (BMF) assigns
the effective date of the accuracy penalty to match the due date of the
original tax return. However, when IRS assesses the same type of
penalty against an individual taxpayer, the computer program in its
Individual Master File (IMF) assigns the effective date of the accuracy
penalty to match the date of the subsequent additional tax assessment.
The date assigned as the effective date of the accuracy penalty is
significant because it ultimately affects the amount of the associated
failure to pay penalty[Footnote 18] that IRS assesses against the
taxpayers. IRS policies generally require that taxpayer payments first
be applied to reduce assessed tax until it is fully paid off, then to
reduce assessed penalties, and finally to reduce assessed interest.
However, IRS policies also allow it to apply taxpayer payments to pay
off penalties before the assessed tax if payment is made before the
subsequent deficiency tax assessment (deficiency assessment).[Footnote
19] The failure-to-pay penalty program uses the posted transaction date
of a penalty to determine the effective date of that penalty. BMF uses
the return due date as the transaction date for the accuracy penalty,
while IMF uses the deficiency assessment date. Consequently, if, as in
the case of the BMF, the effective date of the accuracy penalty is the
due date of the original tax return, any taxpayer payments received
prior to a deficiency assessment and a related accuracy penalty
assessment are applied first to this penalty before they are applied to
the deficiency assessment. In contrast, for IMF taxpayer accounts, any
taxpayer payments received are applied first to the deficiency
assessment because the accuracy penalty has the same effective date as
this deficiency assessment. The result is that, for individuals,
payments received before the effective date of the deficiency
assessment will always reduce the deficiency assessment before reducing
the accuracy penalty while, for businesses, those payments will first
reduce the accuracy penalty, then the deficiency assessment, when the
failure-to-pay is computed. Because of the inconsistent way that
transaction dates are assigned to the accuracy penalty between the BMF
and the IMF, businesses are assessed a higher failure-to-pay penalty
than individuals if they prepay part of the additional assessments but
fail to pay the balance by the date indicated on the notice and demand
for payment.
Neither the IRC nor the IRM specifically addresses the assignment of
effective dates for accuracy penalties. After we brought the
inconsistency we identified to their attention, IRS officials
determined that it would treat business and individual taxpayers the
same when assigning the effective date of an accuracy penalty, and that
the date of the deficiency assessment would be used as the effective
date of the accuracy penalty for both.
During our fiscal year 2006 financial audit,[Footnote 20] we also
identified and previously reported a computer program error that
overassessed penalties against some taxpayers.[Footnote 21] Internal
control standards require agencies to establish controls to enforce
adherence to management policies and procedural requirements. In each
of the above situations, IRS was unaware of the issues until we
identified them, and then it agreed that modifications to the computer
programs were needed. Although we determined that neither of these two
conditions constituted a violation of the IRC, the condition we
identified in fiscal year 2007 resulted in different treatment among
taxpayers, while the condition we identified in fiscal year 2006
resulted in the overassessment of penalties against some taxpayers.
According to IRS officials, these issues date back to when these
programs were initially implemented in the 1980s. Consequently, IRS did
not have adequate procedures in place to ensure that programs affecting
penalty calculations were designed and functioning in accordance with
management policies and procedures.
IRS has instituted additional internal control procedures to ensure
that current computer programs are designed and function in accordance
with the intent of IRS policies and procedures. However, until mid-
2007, IRS had not implemented any processes or procedures to review
existing computer programs to ensure they were functioning in
accordance with IRS policies. According to IRS officials, IRS formed a
task force in August 2007 to initiate a broad-based review of the
various programs affecting penalty calculations in its master files.
These officials informed us that they have identified other issues that
may require additional changes to existing programs in its master files
that affect penalty assessments. Until IRS completes a comprehensive
review of its computer programs affecting penalty assessments to verify
that these programs are designed and functioning in accordance with its
policies, it will continue to be at risk that its computer programs may
not function as intended by its established policies, which could
result in inequitable treatment of taxpayers or potential lost revenue
to the federal government.
Recommendations:
To address the inconsistency in assigning the effective date of an
accuracy penalty, we recommend that you direct the appropriate IRS
officials to modify the BMF computer program so that the date of the
deficiency assessment is used as the effective date of any related
accuracy penalty.
To address other issues that may exist in IRS's master files that
affect penalty calculations, we recommend that you direct appropriate
IRS officials to do the following:
* Complete and document the review of existing programs in the master
files that affect penalty calculations to identify any instances in
which programs are not functioning in accordance with the intent of the
IRM.
* In instances where programs are not functioning in accordance with
the intent of the IRM, take appropriate action to correct the programs
so that they function in accordance with the IRM.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning computer programs
affecting penalty assessments. IRS plans to complete its ongoing review
of the master file programs to identify instances where they are not
functioning in accordance with the intent of the IRM by July 31, 2008.
We will evaluate the results of IRS's study as part of our fiscal year
2008 audit. IRS also stated that it will not be able to implement
changes to the BMF computer program to establish the date of the
deficiency assessment as the effective date of any related accuracy
penalty until July 31, 2009. We will evaluate the effectiveness of
IRS's efforts after they are fully implemented during future audits.
Reviews Performed by Off-site Taxpayer Assistance Center Managers:
During our fiscal year 2007 financial audit, we found that the
documentation maintained by IRS to summarize managerial visits by off-
site taxpayer assistance center (TAC) managers was not always readily
available and, when provided, did not address whether the visits
determined whether key controls and policies governing the safeguarding
of taxpayer receipts and information were operating as intended.
Additionally, the documentation of their visits did not include
evidence showing whether previously identified weaknesses were
addressed. This occurred because TAC managers were not provided clear
and comprehensive guidance instructing them to cover these key controls
and policies during their reviews and how to document the results of
these reviews. We also found that TAC managers were not always aware of
recent IRM updates. As a result, IRS lacks assurance that the scope and
content of these reviews are sufficient to achieve management's
objectives, and their utility as a tool to facilitate timely and
effective resolution of any issues identified is impaired.
Some TACs do not have an on-site TAC manager to provide day-to-day
supervision of personnel and monitoring of daily activities. In such
cases, IRS policy requires that a designated off-site TAC manager
periodically visit and perform various supervisory reviews intended to
ensure that operations are performed according to applicable IRS
policies and procedures outlined in the IRM. However, during our audit,
we found the following:
* At the five TACs we visited that were managed by an off-site manager,
documentation supporting the TAC managers' routine reviews was not
readily available and did not address controls intended to safeguard
taxpayer receipts and information nor the status of previously
identified issues.
* TAC managers did not have clear and comprehensive guidance
instructing them both to review, and how to review, key controls
designed to (1) prevent unauthorized access to the TAC; (2) process and
protect taxpayer receipts present in the TAC; and (3) safeguard
taxpayer receipts and related taxpayer information during transit from
one IRS location to another. In addition, there was no guidance clearly
instructing the managers how to document the results of their reviews.
* TAC managers and their supervisors were either unaware of the July
2006 IRM update or were unaware of the specific procedures it required.
Internal control standards require agencies to establish controls to
enforce adherence to management policies and procedural requirements,
such as management review, to create and maintain records providing
evidence that these controls are executed, and to assure that ongoing
monitoring occurs to assess the quality of performance over time. These
monitoring controls include ongoing management and supervisory
activities, comparisons, and reconciliations. However, if TAC managers
are not adequately documenting reviews, are not provided clear guidance
for conducting reviews, and are not aware of updated IRM requirements
and procedures, IRS cannot be assured that the internal controls over
this activity are being effectively carried out. This, in turn,
increases the risk that IRS will not timely detect or prevent the
theft, loss, or unauthorized accessing of taxpayer receipts and
information.
Recommendations:
We recommend that you direct appropriate IRS officials to do the
following:
* Develop and provide comprehensive guidance to assist TAC managers in
conducting reviews of outlying TACs and documenting the results. This
guidance should include a description of the key controls that should
be in place at outlying TACs, specify how often these key controls
should be reviewed, and specify how the results of each review should
be documented, including follow-up on issues identified in previous TAC
reviews.
* Establish a process to periodically update and communicate the
specific required reviews for all off-site TAC managers.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the need to develop and
better communicate updated guidance to help off-site TAC managers
conduct reviews of outlying TACs. IRS stated that it would update the
IRM to include (1) the expectation that Area Directors are responsible
and accountable for the oversight of all TAC activities, and (2) the
requirement to maintain documentation of managerial reviews. IRS
indicated that Field Assistance will use the remittance and security
database to validate that all required reviews are complete, and it
will include directions related to this issue in the field operational
reviews at the group, area, and territory levels by July 31, 2008. IRS
also stated that the Director, Field Assistance, will issue a quarterly
reminder for the required reviews beginning in July 2008. We will
verify the changes to IRS guidance during our audit of IRS's fiscal
year 2008 financial statements and evaluate the effectiveness of IRS's
efforts during future audits.
Computer Access Rights of Employees Accepting Cash Payments:
During our fiscal year 2007 financial audit, we found that at 4 of the
10 TACs we visited, TAC managers did not always properly restrict the
computer access rights of those employees who had the authority to
accept cash payments from taxpayers. By not ensuring that the computer
access rights of employees responsible for accepting cash payments from
taxpayers have been appropriately restricted, IRS increases the risk of
loss, theft, or misappropriation of such receipts.
The IRM requires that for TAC employees who receive cash payments from
taxpayers, computer access to taxpayer account information be
restricted to prevent them from improperly adjusting taxpayer account
balances or changing the status of the taxpayer's liability. In
addition, the IRM states that TAC managers are responsible for ensuring
that the computer access rights of these employees be restricted.
Internal control standards require key duties and responsibilities to
be divided, or segregated, among different people to reduce the risk of
error or fraud. This includes separating the responsibilities for
authorizing transactions, processing and recording transactions,
reviewing the transactions, and handling any related assets. No one
individual should be in a position to both cause and conceal an error
or irregularity by controlling certain key aspects of a transaction or
event.
Recommendation:
We recommend that you direct appropriate IRS officials to establish a
mechanism to monitor compliance with the existing requirement that TAC
employees responsible for accepting taxpayer payments in cash have
their computer system access appropriately restricted to limit their
ability to adjust taxpayer accounts.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it updated the IRM
in April 2008 to require the use of the "restrict" command code on
computer access rights for all employees with the responsibility for
collecting cash. IRS indicated that the Form 809 annual reconciliation
will now include a reminder to group managers of the requirement to use
restrict command codes. IRS also stated that it will direct areas and
territories to review command code restrictions during ongoing
operational reviews, and it will look for ways to systemically monitor
compliance. We will verify the changes to IRS guidance during our audit
of IRS's fiscal year 2008 financial statements and evaluate the
effectiveness of IRS's efforts during future audits.
Duress Alarm First Responders:
During our fiscal year 2007 financial audit, we found that the persons
IRS designated as the first person contacted by the central monitoring
station (first responder) in the event a duress alarm sounds were not
always appropriately qualified nor were they geographically located in
sufficiently close proximity to the facility to enable them to provide
a timely and effective response. IRS uses duress alarms to notify
security personnel of situations that are potentially dangerous to its
employees and to help protect its facilities, property, and taxpayer
information and receipts. In about 97 percent of all TACs, the duress
alarms are linked to a central monitoring station that is responsible
for notifying a designated official or officials when an alarm is set
off. We found that for one large metropolitan area, IRS had designated
a physical security analyst to be contacted as the first responder by
the central monitoring station for five of the TACs we visited.
However, IRS officials informed us that physical security analysts are
not qualified to act as first responders to duress alarm incidents
because such alarms may indicate an event that the analyst is not
trained to deal with, such as a crime in progress. In addition, we
found that at any given time, this specific physical security analyst
could be as far as 100 miles away from one of the five TACs. Depending
on where the analyst happened to be at the time an alarm sounded, this
could preclude a timely response. Also, the effectiveness of the
central monitoring stations in facilitating timely and effective
response to such emergencies can be diminished over time due to changes
in the status or contact information of the individuals who are
designated as first responders, or due to ongoing changes in IRS's
policies and procedures that might alter their responsibilities and
thereby require additional training or otherwise affect which
individuals are qualified to fulfill these responsibilities. However,
we found that IRS did not routinely monitor the first responder
designations provided to central monitoring stations to verify that on
an ongoing basis, they were current, accurate and included only
qualified personnel.
Internal control standards require physical controls to limit access to
vulnerable assets and require that access to resources and records,
such as IRS receipts and taxpayer information, be limited to authorized
individuals to reduce the risk of unauthorized use or loss to the
government. IRS's IRM establishes security requirements intended to
minimize the potential for loss of life and property, the disruption of
services and functions, and the unauthorized disclosure of documents
and information. However, the IRM does not establish requirements
governing the qualifications or geographical proximity of individuals
designated as first responders to duress alarms installed at IRS
facilities, nor does it require that IRS peridocially review these
elements to enforce adherence to such requirements over time. The
effectiveness of security procedures, such as responding to a duress
alarm, is impaired if the first responders are not appropriately
qualified and properly positioned to handle emergency situations in an
effective and timely manner. This increases the risk that IRS will not
appropriately respond in an emergency situation to protect its
employees and facilities, and to safeguard taxpayer receipts and
information.
Recommendations:
We recommend that you direct appropriate IRS officials to do the
following:
* Establish procedures requiring periodic verification that all
individuals designated as first responders to TAC duress alarms are
appropriately qualified and geographically located to respond to the
potentially dangerous situations in an effective and timely manner.
* Modify the IRM to specify qualifications and geographical proximity
requirements for individuals designated as first responders to duress
alarms at IRS facilities, and to require that the responsibilities and
qualifications of all designated first responders be periodically
reviewed to verify that over time, they continue to be qualified and
appropriately located, and to make any necessary adjustments.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning the qualifications and
proximity of designated first responders to TAC duress alarms. IRS
stated that by August 31, 2008, it would reissue guidance on the
requirement that first responders be armed officials, such as on-site
contract guards, Federal Protective Service Police, or local police,
and that it is revising the IRM to include this requirement. IRS
indicated that it will monitor that Territory Managers are periodically
verifying the accuracy of the call listing for first responders
provided to the Security Console/Mega Center by requiring that managers
put the date of verification on the monthly TAC Duress Alarm Report. We
will verify the changes to IRS guidance during our audit of IRS's
fiscal year 2008 financial statements and evaluate the effectiveness of
IRS's efforts during future audits.
Contractor Access to Taxpayer Assistance Centers and Field Offices:
During our fiscal year 2007 financial audit, we found that IRS's
physical security controls at several TACs and IRS field office units
we visited were not adequate to prevent unauthorized individuals from
accessing areas that contained taxpayer receipts and information. This
occurred at locations where contractors were working under General
Services Administration-negotiated (GSA) cleaning service contracts and
had unescorted access to IRS space during nonoperating hours.[Footnote
22] We found that IRS does not have evidence demonstrating completion
of favorable background investigations for contractors performing work
at IRS facilities under GSA-negotiated contracts.
Specifically, during our fiscal year 2007 financial audit, we found the
following:
* At 6 of 10 TACs we visited, IRS was unable to provide evidence
documenting that contractors performing janitorial services in IRS
space during nonoperating hours received favorable background
investigation results prior to being allowed access. In addition, at
one of the TACs we visited, we observed a janitor disarm and then reset
the security system to the IRS space.
* At three field offices we visited, IRS was unable to provide evidence
documenting that janitorial contractors, who had unescorted access to
IRS-controlled space, received favorable background investigation
results prior to being given access.
Internal control standards require that agencies establish physical
control to secure and safeguard vulnerable assets, including providing
security for, and limiting access to, assets that might be vulnerable
to unauthorized use, such as taxpayer receipts and related confidential
information.
On August 27, 2004, the President signed Homeland Security Presidential
Directive 12, Policy for a Common Identification Standard for Federal
Employees and Contractors, which requires federal agencies to conduct
background investigations on contractors who require routine access to
federally controlled facilities. Under this directive, background
investigations were to be completed on all applicable contractors,
including those covered under GSA-negotiated contracts, by October 27,
2007.
IRS's policies prohibit individuals without favorable background
investigations from entering IRS space without an IRS escort. According
to the IRM, all contractor employees associated with IRS-administered
contracts whose duration of employment equals or exceeds 30 days must
undergo, at a minimum, limited criminal history background checks as a
condition of employment under the government contract. When a
contractor's access is to be limited to less than 30 days total or
access is infrequent, a background investigation is not required but he
or she is to be escorted while in the IRS space. In addition, IRS
issued a memorandum in August 2006 establishing a requirement for new
and replacement leases and cleaning contracts negotiated by GSA. Under
this requirement, new and replacement leases and new cleaning contracts
for all IRS office space provide for janitorial services during normal
business hours. Under this 2006 requirement, individuals responsible
for review and clearance of the request for space will be expected to
include this new provision in these leases and contracts. While
requiring cleaning only during operating hours may reduce the risks
associated with permitting cleaning staff to enter a controlled area
after nonoperating hours, it will not address the risk of unauthorized
access during operating hours. In addition, this policy will take time
to implement due to the large number of existing leases and contracts
that the IRS currently has in place that will need to be modified.
While the IRM requires that background investigations be completed and
adequate documentation maintained for all contractors performing work
at IRS facilities under IRS-administered contracts, it does not contain
comparable requirements for contractors working at IRS facilities under
contracts negotiated by GSA. Until IRS obtains evidence that favorable
background investigations have been completed for contractors working
at IRS facilities under non-IRS contracts, IRS will continue to lack
assurance that contractor personnel with unescorted access to its
facilities had the required background investigations completed before
being allowed access.
Recommendation:
We recommend that you direct appropriate IRS officials to establish
procedures to require documentation demonstrating that favorable
background checks have been completed for all contractors prior to
allowing them access to TAC and other field offices.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it expects to have
agreement with GSA on established procedures for performing background
investigations on GSA contractors by October 31, 2009. IRS also stated
that it will use compensating controls outlined in the IRM to safeguard
valuable assets, such as financial instruments and taxpayer and other
sensitive data, from GSA contractors until background check
requirements are implemented. We will evaluate the effectiveness of
IRS's efforts after they are fully implemented during future audits.
Off-site Contractor Access to Sensitive Information:
During our fiscal year 2007 financial audit, we found that IRS did not
have evidence that background investigations were being performed on
shredding contractor personnel before they began work at the
contractor's off-site facilities where sensitive IRS information was
being shredded. IRS contracts with vendors to perform shredding of
federal taxpayer information and other sensitive materials at many of
its facilities, including Service Center Campuses, Computing Centers,
TACs, and field offices. At these facilities, materials to be shredded
are picked up by the contractor and taken to the contractor's off-site
shredding facility for destruction. The materials being entrusted to
these contractors for purposes of being shredded routinely include
taxpayer and other sensitive information. We also found that IRS did
not perform periodic unannounced inspections of contractor off-site
shredding facilities where sensitive information was sent for disposal
to ensure that sensitive IRS information was being properly
safeguarded.
Specifically, during our audit, we found the following:
* Of the 16 shredding services contracts we reviewed: (1) 11 contracts,
covering 14 IRS facilities, did not require that off-site contractors
undergo background investigations before being granted access to
sensitive IRS information, including federal taxpayer information, and
(2) 10 contracts, covering 13 IRS facilities, did not require routine
IRS inspections of off-site shredding contractor facilities.
* At 10 IRS facilities we visited (one service center campus, six TACs,
and three field office units), IRS officials were unable to provide
evidence indicating that off-site shredding contractors had undergone
background investigations prior to being granted access to sensitive
IRS information.
* At two of the five service center campuses we visited, IRS officials
were unable to provide evidence that inspections of the off-site
shredding facilities were performed.
The IRM requires that when the work is performed outside an IRS
facility, contractor employees may not have access to IRS sensitive
information or data unless IRS has received favorable background
investigation results. However, as noted above, IRS's contracts with
vendors providing IRS with off-site shredding services did not always
require background checks or make provisions for periodic inspections
by IRS. In addition, we found that the IRM does not require that IRS
perform periodic unannounced inspections of off-site shredding
contractor facilities to ensure that contractors continue to
appropriately safeguard sensitive IRS information on an ongoing basis.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, which includes
taxpayer information. The standards also state that internal controls
should be designed to assure that ongoing monitoring occurs in the
course of normal operations. By not requiring background investigations
for off-site shredding contractors and not continually monitoring
adherence to related safeguard requirements by performing periodic
unannounced inspections of off-site contractor facilities, IRS
increases the risk of allowing unauthorized access to sensitive IRS
information, including federal taxpayer information.
Since IRS did not always enforce its requirement that background checks
be performed on contractor employees at off-site shredding locations
nor conduct periodic unannounced inspections of these facilities, IRS
lacked assurance that the sensitive information being entrusted to
these contractors was being properly safeguarded.
Recommendations:
We recommend that you direct appropriate IRS officials to do the
following:
* Require including, in all shredding service contracts, provisions
requiring (1) completed background investigations for contractor
employees before they are granted access to sensitive IRS information,
and (2) periodic, unannounced inspections at off-site shredding
facilities by IRS to verify ongoing compliance with IRS safeguards and
security requirements.
* Revise the IRM to include a requirement that IRS conduct periodic,
unannounced inspections at off-site contractor facilities entrusted
with sensitive IRS information, document the results, including
identification of any security issues, and verify that the contractor
has taken appropriate corrective actions on any security issues
observed.
* Establish procedures to require obtaining and reviewing documentation
of completed background investigations for all shredding contractors
before granting them access to taxpayer or other sensitive IRS
information.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning off-site contractor
access to sensitive information. IRS stated that it is developing a
statement of work for a National Shred/Burn Contract that will result
in standard security procedures for the handling of sensitive
information and will require specialized background investigations for
employees who handle these materials before granting them access to IRS
information. IRS also stated that these contracts will include
provisions requiring periodic, random, and unannounced inspections of
contractor facilities in line with the IRM, which requires contract
provisions to allow IRS inspections in order to ensure the safeguarding
of IRS information. IRS stated that it expects to implement the
National Contract by October 31, 2008. Because IRS's planned actions in
this area will not be completed until near the end of our fiscal year
2008 audit, we will evaluate the effectiveness of IRS's efforts during
future audits.
Juvenile Hiring Practices:
During our fiscal year 2007 financial audit, we found that IRS
employment office staff had not fully implemented new policies and
procedures recently formulated to address related issues we identified
during our audit of IRS's fiscal year 2005 financial statements.
Specifically, during our fiscal year 2005 IRS financial audit, we found
that for juvenile employee candidates, IRS (1) only required references
for those individuals hired to work in receipt-processing functions,
although taxpayer receipts and information are also accessible in other
functions, and (2) accepted written references that were hand-delivered
to IRS by the candidates themselves without independently verifying
their source.[Footnote 23] This condition increased the risk of
unsuitable candidates being hired and permitted access to taxpayer
receipts and information. In response to recommendations we made to
address these issues, IRS issued a new Human Capital policy in August
2006 requiring employment office staff to utilize a revised Form 13094,
Recommendation for Juvenile Employment with the Internal Revenue
Service. The revised form required prospective juvenile employees to
provide a character reference and detail the relationship and number of
years the juvenile has known the reference. The new policy also
required that employment office staff make direct contact with
character references provided by juveniles on the Form 13094 to verify
that information. However, as noted above, IRS did not fully implement
these new policies in fiscal year 2007.
Specifically, we found that of the 142 juveniles IRS hired from October
2006 through April 2007:
* 118 were hired without the use of the newly revised Form 13094, and:
* 140 were hired without IRS contacting and verifying character
references provided by the potential juvenile hires.
IRS attributed these issues to its employment office staff's lack of
awareness of recent revisions to its juvenile hiring policies.
Internal control standards require that agencies establish controls to
safeguard vulnerable assets, including limiting access to these assets
to only authorized persons. By not fully implementing its revised
juvenile hiring policies, IRS increases the risk that juveniles with
unacceptable backgrounds could be hired, thus increasing the risk of
theft of taxpayer receipts and unauthorized access to taxpayer receipts
and information.
Recommendations:
We recommend that you direct the appropriate IRS officials to reinforce
existing policies requiring IRS personnel to do the following:
* Use the revised Form 13094 when hiring juveniles.
* Verify the information on Form 13094 by contacting the reference
directly and documenting the details of this contact.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning reinforcing existing
policies related to hiring juveniles. IRS stated that its Human Capital
Office (HCO) issued notices in July and September 2007 to each
Employment Branch Chief emphasizing the requirement to use the revised
Form 13094 and to follow up on juvenile hiring recommendations. IRS
also stated that it revised the form 13094 in December 2007 to include
a signature and date block to document the verification process. IRS
indicated that it reemphasized these policies during a recent
Continuing Professional Education meeting and will monitor policy
compliance as a part of the HCO's accountability program reviews. We
will evaluate the effectiveness of IRS's efforts in this area during
our audit of IRS's fiscal year 2008 financial statements.
Review of Tax Exempt/Government Entity User Fee Deposit Processing:
During our fiscal year 2007 financial audit, we found that IRS lacked
evidence of supervisory reviews of key functions in its processing of
Tax Exempt/Government Entity (TE/GE) user fees it collected from
employee pension plans and other organizations for making rulings and
determinations about their tax exempt status. IRS's Receipt and Control
Operations Unit (RCO), at the Cincinnati Service Center Campus, records
TE/GE user fee information in the Letter Information Network User Fee
System (LINUS), a database established for tracking such fees collected
from tax exempt entities. Using the fee code, LINUS automatically
calculates the amount of user fees to be allocated to the Treasury
General Fund and the amount to be retained by the IRS.[Footnote 24]
We tested a statistical sample of 14 TE/GE user fee transactions IRS
recorded in LINUS from October 1, 2006, through June 30, 2007, to
determine whether IRS adequately supported, properly classified, and
recorded the TE/GE user fees in its accounting systems.[Footnote 25]
While conducting the substantive testing, we found several cases that
did not include evidence of required supervisory review and approval by
the RCO Unit Manager or Lead Technician of various key documents used
in the TE/GE user fee receipt and deposit process. Specifically, of the
14 user fee transactions we reviewed, we found:
* 11 transactions in which there was no evidence of supervisory review
on the encoding tapes, which list the checks received and grouped for
processing by sequence number;
* 8 transactions in which there was no evidence of supervisory review
on the Recapitulation of Remittances, which is a concise summary of
TE/GE user fees IRS processed for deposit on a particular day at a
specific IRS location; and;
* 7 transactions in which there was no evidence of supervisory review
on the deposit ticket, which in some cases contained manual adjustments
to computer-generated amounts.
The IRM requires the Unit Manager or Lead Technician to conduct
supervisory reviews of the TE/GE deposit encoding tapes, Recapitulation
of Remittances, and deposit tickets, and sign or initial the documents
as evidence of their reviews. However, IRS staff did not adhere to its
policy requiring signatures on deposit documentation. In addition,
internal control standards require internal control activities to help
ensure that management's directives are carried out and that all
transactions are completely and accurately recorded. Control activities
include the proper execution and accurate recording of transactions and
events and reviews by management at the functional and activity level.
Internal control should assure that monitoring, which includes regular
management and supervisory activities, comparisons, reconciliations,
and other actions people take in performing their duties, occurs in the
course of normal operations.
By not conducting and documenting supervisory reviews of TE/GE user fee
collection and deposit activities, IRS faces increased risk that it may
not detect errors in the processing of TE/GE user fee receipts or that
it may incur losses from unrecorded and improperly recorded receipts.
Recommendation:
We recommend that you issue a memorandum to RCO Unit staff reiterating
existing requirements for (1) supervisory reviews of the processing of
TE/GE user fee deposits, and (2) key documentation to be signed and
dated by the supervisor as evidence of that review.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated it issued a memorandum in
April 2008 to appropriate managers reiterating the requirement to
follow IRM procedures for supervisory review of key TE/GE documents and
to sign and initial these documents as evidence of their review. We
will evaluate the effectiveness of IRS's efforts in this area during
our audit of IRS's fiscal year 2008 financial statements.
Controls over Purchase Card Processing:
During our fiscal year 2007 financial audit, we found that IRS lacked
key internal controls over the processing of its purchase card
transactions to prevent or detect erroneous, improper, or fraudulent
purchases. IRS's business units use purchase cards primarily to make
micropurchases. For micropurchases, IRS established a per transaction
limit of $2,000 for construction transactions, $2,500 for services, and
$3,000 for goods or supplies.[Footnote 26]
As part of our fiscal year 2007 financial audit, we statistically
sampled 49 purchase and travel card transactions processed between
October 9, 2006, and May 8, 2007.[Footnote 27] In testing these
transactions, we identified internal control weaknesses related to the
lack of (1) evidence of supervisory reviews, (2) fund control, and (3)
key documentation for purchase card transactions. Based on the results
of our work, we estimate that 92.9 percent of total purchase and travel
card transactions processed between October 9, 2006 and May 8, 2007 had
control weaknesses and we are 95 percent confident that the actual
percent is not more than 98.0 percent. This estimate exceeds the
tolerable percentage in error of 5 percent.
Specifically, of the 49 sampled transactions we reviewed, we found the
following:
* Thirty-five transactions in which the purchase card approving
officials did not sign and date the monthly reports provided by the
credit card company attesting to their review of the purchase card
accounts' activity under their authority. On the basis of this work, we
estimate that 79.6 percent of total purchase card transactions were not
signed and dated by an approving official, and we are 95 percent
confident that the actual percentage of purchase card transactions that
are not signed and dated by an approving official is not more than 88.9
percent.
* One transaction in which the purchase cardholder did not obtain
funding approval or verify that funds were available for the specific
unit before making purchases. On the basis of this work, we estimate
that 2.3 percent of total purchase card transactions did not have
funding approval, and we are 95 percent confident that the actual
percentage of purchase card transactions that did not have funding
approval is not more than 10.3 percent.
* Twenty transactions in which the purchase cardholders did not
properly document their purchase card monthly statement reconciliations
to supporting documents or sign and date them when completed. On the
basis of this work, we estimate that 45.5 percent of the total purchase
card monthly statement reconciliations were not signed and dated, and
we are 95 percent confident that the actual percentage of purchase card
monthly statement reconciliations that were not signed and dated is not
more than 58.9 percent.
* One transaction in which the purchase cardholder and purchase card
approving official failed to retain their reconciliation documents for
a reasonable period of time, such as 3 years. Based on this work, we
estimate that for 2.3 percent of total purchase card transactions, the
cardholders and approving officials did not retain their reconciliation
documentation for a reasonable period of time, and we are 95 percent
confident that the actual percentage of purchase card transactions for
which the cardholders and approving officials did not retain their
reconciliation documentation is not more than 10.3 percent.
Internal control standards require transactions to be authorized and
executed only by persons acting within their scope and authority. This
is defined as the principal means of assuring that only valid
transactions to exchange, transfer, use, or commit resources and other
events occur. The standards further state that internal control should
assure that ongoing monitoring occurs in the course of normal
operations. Monitoring includes regular management and supervisory
activities, comparisons, and reconciliations. Finally, the standards
require that internal control and all transactions and other
significant events be clearly documented, and that documentation be
readily available for examination.
Although IRS issued guidelines to govern the use of purchase cards, we
found that the guidelines did not provide the detailed documented
procedures needed to minimize the occurrence of the control weaknesses
that we identified. By not requiring the proper documentation and
implementation of appropriate controls over the processing of purchase
card transactions, IRS's risk is increased that it may not detect
erroneous, improper, or fraudulent purchase card transactions and
uncontrolled or unintended use of agency funds.
Recommendations:
We recommend that you direct appropriate IRS officials to modify
existing guidelines to require documentation and implementation of
detailed internal control procedures for IRS's purchase card program.
Specifically, existing guidelines should be modified to provide for
detailed internal control procedures requiring that:
* purchase card approving officials and purchase cardholders sign and
date monthly account statements attesting to their review and
completion of the required reconciliation process,
* purchase cardholders obtain funding approval or verify that funds are
available for the intended purpose prior to making a purchase,
* purchase card approving officials update and maintain appropriate
supporting documentation, and:
* purchase cardholders and purchase card approving officials retain
copies of all supporting documents for a reasonable period of time,
such as 3 years.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations concerning detailed internal
control procedures over its purchase card program. IRS stated that in
October 2007, it implemented its electronic Purchase Card Module, which
allows cardholders and approving officials to electronically reconcile
and approve purchase card transactions and maintains evidence of their
signatures, approvals, and dates of action. IRS also stated it issued
guidance in July 2007 requiring verification of funds availability
before purchases are made by cardholders and approved by managers. This
guidance was incorporated in the IRM and purchase card training
courses. IRS added that its Requisition Tracking System must show
available funds in order to create a commitment for any purchase.
Furthermore, IRS indicated that it modified its purchase card
documentation guidelines in October 2007. Under this modified guidance,
electronic records of purchase card activities and paper documents,
such as packing slips and receipts, will be retained by IRS for 3
years. We will evaluate the effectiveness of IRS's efforts in this area
during our audit of IRS's fiscal year 2008 financial statements.
Recording of Property and Equipment:
During our fiscal year 2007 financial audit, we found that IRS did not
always record new assets in its property and equipment inventory system
within required time frames. IRS policy requires that new assets be
recorded in its inventory system within 10 days after receipt. In
addition, internal control standards require agencies to implement
internal control procedures to ensure the accurate and timely recording
of transactions and events. The standards further state that
transactions should be promptly recorded to maintain their relevance
and value to management in controlling operations and making decisions.
As part of our fiscal year 2007 audit, we selected 168 transactions of
new assets IRS paid for between October 1, 2006, and May 31, 2007, on a
nonstatistical basis and tested whether IRS recorded the assets in its
inventory records. For each of the selected items, we obtained
identifying information from the purchase documents such as requisition
numbers, receipt dates, descriptions, order numbers, and serial numbers
from invoices and traced the asset to IRS's property and equipment
inventory records. In performing this test, we found four instances in
which the recently acquired asset was not recorded in IRS's inventory
system as of July 12, 2007. These assets had receipt and acceptance
dates ranging from August 31, 2006, to February 27, 2007, which well
exceeded the 10 days required by IRS for recording new assets into its
inventory system.[Footnote 28]
Property records that are incomplete or out of date impede management's
ability to make sound operating decisions and control operations.
Furthermore, these control weaknesses impede IRS's ability to timely
detect the loss, theft, or misuse of government property.
Recommendation:
We recommend that you direct appropriate IRS officials to issue a
memorandum addressed to all personnel responsible for updating
inventory records that reiterates IRS existing policy requiring that
new assets be inputted into the inventory system within 10 days after
receipt.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated it will issue a
memorandum by October 31, 2008, to all personnel responsible for
updating the inventory records reiterating the IRS policy to record
accountability data related to new assets into the inventory system
within 10 days after receipt. We will review the memorandum to be
issued during our audit of IRS's fiscal year 2008 financial statements
and evaluate the effectiveness of IRS's efforts during future audits.
Employee Travel Authorization:
During our fiscal year 2007 financial audit, we found that IRS lacked
controls to ensure that all employee travel was authorized before
employees were allowed to travel. In conducting detailed testing of
nonpayroll expense transactions that occurred from October 1, 2006 to
May 31, 2007, we tested 14 employee travel transactions. In 5 of the 14
travel transactions, we found that an IRS approving official had not
approved the employee's travel authorization prior to the beginning of
the travel period.[Footnote 29] As a result, IRS lacked assurance that
these travel costs were necessary to accomplish the mission in the most
economic and effective manner and that they were in compliance with
IRS's travel policies.
In accordance with IRS's Official Travel Guide as reflected in the IRM,
travel authorizations must be approved before travel commences.
Furthermore, internal control standards require that transactions and
other significant events be authorized and executed only by persons
acting within the scope of their authority. According to the standards,
this is the principal means of assuring that only valid transactions to
exchange, transfer, use, or commit resources and other events occur.
In the five cases cited above, IRS did not follow its documented travel
procedures or the federal internal control standards and, as a result,
was at risk of being unable to ensure that the costs incurred for
employee travel were valid or necessary.
Recommendation:
We recommend that you direct the appropriate IRS officials to issue a
memorandum to employees that reiterates IRS policy requiring all
employees to obtain appropriate approval of travel authorizations prior
to the initiation of their travel.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated it has already issued
periodic notices to employees in 2007 and 2008 that reiterated the
policy to obtain approval of travel authorizations before initiation of
travel. IRS also stated that from May through July 2008, it will
implement an integrated travel system that will prevent employees from
completing reservations in its online booking tool without an approved
travel authorization. We will evaluate the effectiveness of IRS's
efforts in this area during our audit of IRS's fiscal year 2008
financial statements.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and Governmental
Affairs and the House Committee on Oversight and Government Reform
within 60 days of the date of this report. A written statement must
also be sent to the House and Senate Committees on Appropriations with
the agency's first request for appropriations made more than 60 days
after the date of the report. Furthermore, to assure GAO has accurate,
up-to-date information on the status of your agency's actions on our
recommendations, we request that you also provide us with a copy of
your agency's statement of actions taken on open recommendations.
Please send your statement of action to me or Ted Hu, Assistant
Director, at HuT@gao.gov.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; and
Subcommittee on Taxation and IRS Oversight, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking Members
of the House Committee on Appropriations and House Committee on Ways
and Means, the Chairman and Vice-Chairman of the Joint Committee on
Taxation, the Secretary of the Treasury, the Director of OMB, the
Chairman of the IRS Oversight Board, and other interested parties. The
report is available at no charge on GAO's Web site at [hyperlink,
http://www.gao.gov].
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years 2007
and 2006 financial statements. Please contact me at (202) 512-3406 or
sebastians@gao.gov if you or your staff have any questions concerning
this report. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report. GAO
staff who made major contributions to this report are listed in
enclosure III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures - 3:
Enclosure I:
Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:
* We examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included selecting
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, accounts
payable, and undelivered order transactions. These statistical samples
were selected primarily to substantiate balances and activities
reported in IRS's financial statements. Consequently, dollar errors or
amounts can and have been statistically projected to the population of
transactions from which they were selected. In testing some of these
samples, certain attributes were identified that indicated deficiencies
in the design or operation of internal control. These attributes, where
applicable, can be and have been statistically projected to the
appropriate populations.
* We assessed the accounting principles used and significant estimates
made by management.
* We evaluated the overall presentation of the financial statements.
* We obtained an understanding of internal controls related to
financial reporting (including safeguarding assets) and compliance with
laws and regulations (including the execution of transactions in
accordance with budget authority).
* We obtained an understanding of the design of internal controls
relating to the existence and completeness assertions related to the
performance measures reported in IRS's Management Discussion and
Analysis, and determined that they have been placed in operation.
* We tested relevant internal controls over financial reporting
(including safeguarding assets) and compliance, and evaluated the
design and operating effectiveness of internal controls.
* We considered IRS's process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. § 3512 (c),
(d), commonly referred to as the Federal Managers' Financial Integrity
Act of 1982, and Office of Management and Budget Circular No. A-123,
Management's Responsibility for Internal Control.
* We tested compliance with selected provisions of the following laws
and regulations: Anti-Deficiency Act, as amended (31 U.S.C. §
1341(a)(1) and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. §
1301); Release of lien or discharge of property (26 U.S.C. § 6325);
Interest on underpayment, nonpayment, or extensions of time for payment
of tax (26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611);
Determination of rate of interest (26 U.S.C. § 6621); Failure to file
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance
System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C.
§ 206); Federal Employees' Retirement System Act of 1986, as amended (5
U.S.C. §§ 8422, 8423, and 8432); Social Security Act, as amended (26
U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health
Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909);
Department of the Treasury Appropriations Act, 2006, Pub. L. No. 109-
115, div. A, tit. II, 119 Stat. 2396, 2432 (Nov. 30, 2005); and Revised
Continuing Appropriations Resolution, 2007, Pub. L. No. 110-5, 121
Stat. 8 (Feb. 15, 2007).
* We tested whether IRS's financial management systems substantially
comply with the three requirements of the Federal Financial Management
Improvement Act of 1996. Pub. L. No. 104-208, div. A, § 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996).
Enclosure II:
Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
May 16, 2008:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft of the Fiscal Year (FY) 2007 Management Report titled,
Improvements Needed in IRS's Internal Controls (GAO-08-386R). As GAO
noted in the report titled, Financial Audit: IRS's Fiscal Years 2007
and 2006 Financial Statements, we continue to make progress in
addressing our financial management challenges and have substantially
mitigated weaknesses in our internal controls.
In FY 2007, we separately reported estimated receipts of Social
Security and Medicare taxes in our other accompanying information to
the financial statements and significantly accelerated the
certification of excise tax receipts to the recipient trust funds.
These improvements enabled you to conclude that these matters no longer
constitute internal control deficiencies. We also enhanced the
capabilities of the Custodial Detail Database (CDDB) to begin
journalizing tax debt information from our master file systems to our
general ledger weekly. These improvements enabled you to conclude that
this was the first step in establishing CDDB's capability to serve as a
subsidiary ledger for unpaid tax debt. We believe our work this year in
implementing corrective actions will further improve our financial
management. I have enclosed a response which addresses all of your
recommendations separately.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions, please contact Alison Doone, Chief Financial
Officer, at (202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman:
Enclosure:
GAO Recommendations and IRS Responses to GAO FY 2007 Management Report
Improvements Needed in IRS Internal Controls (GAO-08-386R):
Recommendation: Verify that when it becomes fully operational,
Custodial Detail Database (CDDB), when used in conjunction with Interim
Revenue Control System (IRACS), will provide the Internal Revenue
Service (IRS) with the direct transaction traceability for all of its
tax related transactions as required by the Standard General Ledger
(SGL) and Federal Financial Management Systems Requirement (FFMSR), and
thus Federal Financial Managers Integrity Act (FFMIA).
Comments: We agree with this recommendation. The Revenue Financial
Management Unit will verify that the summary tax revenue, tax refunds,
and unpaid assessments recorded in IRACS are traceable to the direct
transactions in CDDB when CDDB is fully implemented by September 30,
2009. As part of the FY 2008 financial statement audit, the IRS is
providing GAO the information posted in CDDB to show that tax revenue
is traceable through use of the Trace ID number and that tax refunds
are traceable using the refund schedule number. The IRS also provided
GAO the high-level requirements to incorporate the SGL into Redesign
Revenue Accounting Control System (RRACS) Release 1 scheduled for
Fiscal Year (FY) 2010 implementation.
Recommendation: Document and implement the specific procedures to be
performed by the statistician in each step of the unpaid assessments
estimation process.
Comments: We agree with this recommendation. The Revenue Financial
Management Unit will document the procedures the statistician performs
in each step of the unpaid assessments estimation process by June 30,
2008.
Recommendation: Document and implement specific detailed procedures for
reviewers to follow in their review of unpaid assessments statistical
estimates. Specifically, IRS should require that a detailed supervisory
review be performed to ensure: (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with the IRS sample review results, (4) data
on the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct.
Comments: We agree with this recommendation. The Revenue Financial
Management Unit will document procedures for reviewers to follow during
their review of the unpaid assessments statistical estimates by June
30, 2008.
Recommendation: Modify the Business Master File (BMF) computer program
so that the date of the deficiency assessment is used as the effective
date of any related accuracy penalty.
Comments: We agree with this recommendation. The IRS plans to implement
changes to the BMF computer program so that the date of the deficiency
assessment is the effective date of any related accuracy penalty by
July 31, 2009.
Recommendation: Complete and document the review of existing programs
in the master files that affect penalty calculations to identify any
instances in which programs are not functioning in accordance with the
intent of the IRM.
Comments: We agree with this recommendation. The IRS is reviewing
master file programs to identify any instances in which programs are
not functioning in accordance with the IRM and plans to complete the
review by July 31, 2008.
Recommendation: To address other issues that may exist in the IRS
master files that affect penalty calculations, in instances where
programs are not functioning in accordance with the intent of the IRM,
take appropriate action to correct the programs so that they function
in accordance with the IRM.
Comments: We agree with this recommendation. The IRS has initiated
corrective actions in instances where programs were not functioning in
accordance with the IRM.
Recommendation: Develop and provide comprehensive guidance to assist
Taxpayer Assistance Centers (TAG) managers to use in conducting reviews
of outlying TACs and documenting the results. This guidance should
include a description of the key controls that should be in place at
outlying TACs, specify how often these key controls should be reviewed,
and specify how the results of each review should be documented,
including follow-up on issues identified in previous TAC reviews.
Comments: We agree with this recommendation. The Director, Field
Assistance established the expectation that Area Directors are
responsible and accountable for the oversight of all TAC activities,
including outlying posts of duty, and is updating IRM 1.4.11.6 to
include this statement. IRM 1.4.11.6 also will include the requirement
to maintain documentation of managerial reviews, including operational
reviews and site visits. IRM 1.4.11.9, "Reviews/Reports/Certifications
Template" provides a description of the key controls that should be in
place in all TACs, including the frequency of the reviews and how to
document the results of the reviews. Field Assistance will review the
reports and annotate which reports are required for each TAC location
with the necessary documentation and summarize these in IRM 1.4.11.6.
Field Assistance will validate the reviews are complete using the
remittance and security database and will include these directions in
the field operational reviews at the group, area, and territory levels
by July 31, 2008.
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers.
Comments: We agree with this recommendation. The Director, Field
Assistance will issue a quarterly reminder for the required reviews
beginning in July 2008. Field Assistance will review IRM 1.4.11.9
before the issuance of the quarterly reminders to ensure its accuracy.
Field Assistance requires the area offices to routinely report on
corrective actions identified during the operational review process to
ensure completion of needed improvements.
Recommendation: Establish a mechanism to monitor compliance with the
existing requirement that TAC employees responsible for accepting
taxpayer payments in cash have their computer system access
appropriately restricted to limit their ability to adjust taxpayer
accounts.
Comments: We agree with this recommendation. The Director, Field
Assistance revised the language in IRM 1.4.11.19.4.1.1 in April 2008 to
mandate the use of the "restrict" command code in all cases. The change
is reflected in the annual reconciliation of official receipts process,
IRM 1.4.11.19.4.1.1, that provides for the Separation of Duties and
Form 809, Receipt for Payment of Taxes. Group managers will continue to
be reminded as part of the Form 809 annual reconciliation of the
existing requirements to restrict command codes. We will direct areas
and territories to include restricted Integrated Data Retrieval System
(IDRS) command codes in on-going operational reviews. Field Assistance
will explore systemic ways to monitor use of restricting command codes.
Recommendation: Establish procedures requiring periodic verification
that all individuals designated as first responders to TAC duress
alarms are appropriately qualified and geographically located to
respond to the potentially dangerous situations in an effective and
timely manner.
Comments: We agree with this recommendation. Agency-Wide Shared
Services (AWSS) will reissue by August 31, 2008, guidance requiring
that first responders to TAC duress alarms be armed officials such as
onsite contract guards, Federal Protective Service Police, or local
police, whoever may respond in the most expedient manner. We are
modifying the existing monthly TAC Duress Alarm Report that the
Territory Managers submit to the Physical Security Headquarters Office
to show the date the managers verified that the call listing for first
responders located at the Security Console/Mega Center is accurate.
Recommendation: Modify the IRM to specify qualifications and
geographical proximity requirements for individuals designated as first
responders to duress alarms at IRS facilities, and to require that the
responsibilities and qualifications of all designated first responders
be periodically reviewed to verify that over time, they continue to be
qualified and appropriately located, and to make any necessary
adjustments.
Comments: We agree with this recommendation. AWSS is revising IRM
10.2.14 to include the requirement that first responders to duress
alarms be armed officials such as onsite contract guards, Federal
Protective Service Police, or local police.
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices.
Comments: We agree with this recommendation. AWSS is working with the
General Services Administration (GSA) to establish procedures for
performing background investigations on GSA contractors/janitors and
expects completion by October 31, 2009, contingent on full cooperation
and support from GSA. In the interim, the controls identified in IRMs
1.16.3, 5.1.2, 1.16.14.2, 1.16.14.5, and 1.16.15 address safeguarding
valuable assets, including financial instruments and protection of
taxpayer and other sensitive data. Compliance with these IRMs should
address concerns regarding physical controls to secure and safeguard
vulnerable assets from GSA contractors.
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements.
Comments: We agree with this recommendation. AWSS is developing a
Statement of Work (SOW) for a National Shred/Burn Contract. This will
result in standard security procedures for the handling of shred and
specialized background investigations for employees who will handle IRS
materials to be shredded. Additionally, the IRS will establish
provisions to ensure periodic, unannounced inspections of contractor
facilities, and combine local contracts into the national contract to
create a standardized process for overseeing thorough and timely
background investigations and maintaining records. We expect
implementation by October 31, 2008.
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information, document the
results, including identification of any security issues, and verify
that the contractor has taken appropriate corrective actions on any
security issues observed.
Comments: We agree with this recommendation. IRM 1.16.13 Document
Protection requires contract provisions to allow IRS inspection of the
contractor facility and operations to ensure the safeguarding of IRS
information. We are currently developing a National Shred/Burn Contract
and will include provisions for off-site inspections on a periodic,
random, and unannounced basis by October 31, 2008.
Recommendation: Establish procedures to require obtaining and reviewing
documentation of completed background investigations for all shredding
contractors before granting them access to taxpayer or sensitive IRS
information.
Comments: We agree with this recommendation. AWSS is working on a SOW
for a National Shred/Burn Contract that will ensure that contractor
background investigations are completed before granting access to IRS
information. The IRS expects to combine local contracts into the
national contract by October 31, 2008.
Recommendation: Reinforce existing policies requiring use of the
revised Form 13094, Recommendation for Juvenile Employment with IRS
when hiring juveniles.
Comments: We agree with this recommendation. The Human Capital Office
(HCO) issued a notice in September 2007 to each Employment Branch Chief
emphasizing adherence and compliance with these policies and reinforced
adherence at a recent Continuing Professional Education (CPE) meeting
and through periodic reminders to the Employment Offices.
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
document the details of this contact.
Comments: We agree with this recommendation. In July 2007, the HCO
issued a notice to the Employment Operations Centers reemphasizing the
requirement to use the revised Form 13094 and to implement follow-up
procedures on juvenile recommendations. The IRS revised Form 13094 in
December 2007 to include a signature and date block for the Human
Resources specialist to document completion of the verification
process. HCO provided the form and accompanying instructions to
employment staff in January 2008, and HCO reiterated compliance with
this policy and mandatory use of the revised Form 13094 during a recent
CPE with Human Resources specialists. HCO will monitor policy
compliance as a part of its accountability program reviews.
Recommendation: Issue a memorandum to Receipt Control Operations Unit
staff reiterating existing requirements for supervisory reviews of the
processing of TE/GE user fee deposits and for key documentation to be
signed and dated by the supervisor as evidence of that review.
Comments: We agree with this recommendation. Wage and Investment issued
a memorandum in April 2008 to the Operations Manager, Receipt and
Control, reiterating the requirement to follow procedures in IRM 3.45.1
to conduct supervisory reviews of the deposit encoding tapes, the
Recapitulation of Remittances, deposit tickets, and to sign or initial
the documents as evidence that the reviews were completed.
Recommendation: Modify existing guidelines to require documentation and
implementation of detailed internal control procedures for the IRS
purchase card program. Specifically, existing guidelines should be
modified to provide for detailed internal control procedures requiring
that purchase card approving officials and purchase cardholders sign
and date monthly account statements attesting to their review and
completion of the required reconciliation process.
Comments: We agree with this recommendation. In October 2007, AWSS
began using the electronic Purchase Card Module that provides the
cardholder and approving official the ability to electronically
reconcile and approve the transactions and provides evidence they
signed and approved the transactions. This electronic reconciliation
maintains separation of duties between purchaser and approver and
produces an audit trail by maintaining history on the user login name
and date of the action.
Recommendation: Modify existing guidelines to require documentation and
implementation of detailed internal control procedures for the IRS
purchase card program. Specifically, existing guidelines should be
modified to provide for detailed internal control procedures requiring
that purchase cardholders obtain funding approval or verify that funds
are available for the intended purpose prior to making a purchase.
Comments: We agree with this recommendation. AWSS included funds
verification requirements in guidance issued in July 2007, Purchase
Card Holder Roles and Responsibilities, and in IRMs 1.32.4 and 1.32.6.
Cardholders receive these requirements and guidelines, including the
requirement to verify funds availability before making a purchase,
during initial training and refresher training. The guidelines are also
available in the Purchase Card Guide and on the IRS intranet. In
addition, the requirement was included in the transition guidelines
provided during conversion to the Purchase Card Module in October 2007.
These controls also exist during the approval process. The business
unit plan manager must approve all purchases, verifying both
appropriateness of the purchase and available funds. The Requisition
Tracking System must show available funds in order to create a
commitment for any purchase.
Recommendation: Modify existing guidelines to require documentation and
implementation of detailed internal control procedures for the IRS
purchase card program. Specifically, existing guidelines should be
modified to provide for detailed internal control procedures requiring
that purchase card approving officials update and maintain appropriate
supporting documentation.
Comments: We agree with this recommendation. AWSS modified the existing
guidelines in October 2007 with the implementation of the Purchase Card
Module. Documentation for purchase card activity is maintained
electronically in the Purchase Card Module, and packing slips and
receipts are kept by the cardholder. This documentation is available
for review by the approving official.
Recommendation: Modify existing guidelines to require documentation and
implementation of detailed internal control procedures for the IRS
purchase card program. Specifically, existing guidelines should be
modified to provide for detailed internal control procedures requiring
that purchase cardholders and purchase card approving officials retain
copies of all supporting documents for a reasonable period of time,
such as three years.
Comments: We agree with this recommendation. AWSS modified the
guidelines in October 2007 to require cardholders and approving
officials to maintain documentation for three years; paper
documentation by the cardholders and electronic archives in the
Purchase Card Module.
Recommendation: Issue a memorandum addressed to all personnel
responsible for updating inventory records that reiterates its existing
policy requiring that new assets be input into the inventory system
within 10 days after receipt.
Comments: We agree with this recommendation. MITS will issue a
memorandum by October 31, 2008, to all personnel responsible for
updating inventory records reiterating the IRS policy that new assets
be input into the inventory system within 10 days after receipt.
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approval of travel
authorizations prior to the initiation of their travel.
Comments: We agree with this recommendation. We issue communications to
all employees reiterating the policy requiring employees to obtain
approval of travel authorizations before initiation of travel through
periodic notices on the IRS intranet with links to Travel Times. In
Travel Times, we have issued: Travel Authorization Reminders (October
2007 and February 2008) and Travel Authorization Reminder News from the
business units (December 2007, February 2008, and May 2008). Further,
the IRS is implementing GovTrip, an integrated travel system, from May
through July 2008. GovTrip will not allow an employee to complete
reservations in the on-line booking tool until the travel authorization
has been approved.
[End of section]
Enclosure III:
GAO Contact and Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Acknowledgments:
The following individuals made major contributions to this report: Ted
Hu, Assistant Director; Stephanie Chen; Oliver Culley; John Davis;
Charles Fox; Margery Glover; Bradley Klingsporn; Delores Lee; Gail
Luna; Cynthia Ma; Joshua Marcus; Charles Payton; John Sawyer; Angel
Sharma; Peggy Smith; Christopher Spain; LaDonna Towler; Gary Wiggins;
Danietta Williams; and Ting-Ting Wu.
[End of section]
Footnotes:
[1] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial
Statements, GAO-08-166 (Washington, D.C.: Nov. 9, 2007).
[2] TACs are field assistance units, located within IRS's Wage and
Investment operating division, designed to serve taxpayers who choose
to seek help from IRS in person. Services provided include interpreting
tax laws and regulations, preparing tax returns, resolving inquiries on
taxpayer accounts, receiving payments, forwarding those payments to
appropriate service center campuses for deposit and further processing,
and performing other services designed to minimize the burden on
taxpayers in satisfying their tax obligations. These offices are much
smaller facilities than service center campuses or lockbox banks, with
staffing ranging from 1 to about 35 employees.
[3] Field offices comprise various units located within IRS's Small
Business and Self Employed (SB/SE), Large and Mid-Size Business (LMSB),
and Tax-Exempt and Government Entities (TE/GE) operating divisions that
administer tax services to corporations, partnerships, small
businesses, state and Indian tribal governments, major universities,
community organizations, municipalities, pension funds, and individuals
with certain types of nonsalary income.
[4] IRS collects user fees from employee pension plans and other
organizations for making rulings and determinations about their tax
exempt status.
[5] GAO, Standards for Internal Control in the Federal Government, GAO/
AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal
control standards to be followed by executive agencies in establishing
and maintaining systems of internal control as required by 31 U.S.C. §
3512 (c), (d) (commonly referred to as the Federal Managers' Financial
Integrity Act of 1982).
[6] GAO-08-166.
[7] GAO-08-166.
[8] Federal Financial Management Improvement Act of 1996, Pub. L. No.
104-208, div. A., § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept.
30, 1996).
[9] The master files contain detailed records of taxpayer accounts.
However, the information residing in this system is not integrated with
nor directly traceable to related information in IRACS.
[10] Unpaid tax assessments consist of (1) federal taxes receivable,
which are taxes due from taxpayers for which IRS can support the
existence of a receivable through taxpayer agreement or a favorable
court ruling; (2) compliance assessments where neither the taxpayer nor
the court has affirmed that the amounts are owed; and (3) write-offs,
which represent unpaid tax assessments for which IRS does not expect
further collections because of factors such as the taxpayer's death,
bankruptcy, or insolvency. Of these three classifications of unpaid tax
assessments, only net federal taxes receivable are reported on the
principal financial statements.
[11] GAO-08-166.
[12] A taxpayer may have multiple account modules within IRS's master
files under a unique taxpayer identification number (i.e., social
security number or an employer identification number). Each unique
account module is identified by the taxpayer identification number,
specific tax period (e.g., year, quarter), and tax type (e.g., excise
tax, individual tax, payroll tax, etc.)
[13] IRS's estimation methodology requires the selection and testing of
465 taxes receivable account modules. If IRS reselected this sample
from the complete taxes receivable population, the number of items
selected and tested would still have been 465. However, by choosing to
select and test an additional sample from the omitted subpopulation,
IRS tested the original 465 account modules plus an additional 20
account modules.
[14] See 26 U.S.C. § 6651, 6654, 6655, 6662.
[15] See IRM, § 20.1.2, Failure to File/Failure to Pay Penalties (July
31, 2001).
[16] IRS's master file system consists of two major files, the
individual master files (IMF) and business master files (BMF).
[17] See 26 U.S.C. § 6662 and IRS guidance in the Internal Revenue
Manual at Section 20.1.5, Return Related Penalties (Oct. 1, 2005).
[18] Failure-to-pay penalty is a penalty that IRS assesses against
taxpayers when taxpayers fail to pay their outstanding tax liability by
the return due date. The failure-to-pay penalty is calculated based on
the amount of taxes outstanding in the taxpayer's account module, a
penalty rate stipulated in the IRC and IRM, and the number of months
the taxes remain unpaid.
[19] Internal Revenue Manual, § 20.2.6.7.1, Payment Allocation (March
1, 2002).
[20] GAO, Management Report: Improvements Needed in IRS's Internal
Controls, GAO-07-689R (Washington, D.C.: May 11, 2007).
[21] The specific situation involved taxpayers who: (1) owed
outstanding taxes for a specific tax period, (2) failed to pay
following repeated notification of taxes due, (3) subsequently paid off
the outstanding taxes, and (4) were assessed additional taxes by IRS on
the same tax period after paying off the original balance.
[22] The GSA is responsible for contracting cleaning services at
federal government buildings and when the IRS leases space from third
parties.
[23] GAO, Management Report: Improvements Needed in IRS's Internal
Controls, GAO-06-543R (Washington, D.C.: May 12, 2006).
[24] IRS is allowed to retain a portion of the user fees it collects,
based on criteria established in legislation, primarily in a provision
included in the Treasury, Postal Service and General Government
Appropriations Act, 1995, Pub. L. No. 103-329, 108 Stat. 2382, 2388
(Sept. 30, 1994) (reprinted in 26 U.S.C. § 7801 note). For the user
fees it is allowed to retain, IRS records revenue and offsetting
collections which are credited back to the operating appropriations.
For the user fees it is not allowed to retain, IRS records revenue and
transfers the funds to the General Fund of the Treasury.
[25] We selected a monetary unit sample from a population of 55,384 TE/
GE user fee transactions totaling $31.9 million primarily for the
purpose of testing the accuracy of the recorded balance and projecting
any substantive exceptions that occur to the entire population. While
our testing included reviewing certain internal control attributes, our
sample was not specifically designed for the purpose of projecting
internal control exceptions.
[26] This is consistent with the "micro-purchase threshold" in the
Federal Acquisition Regulation. See 48 C.F.R. § 2.101.
[27] The sample population consisted of 155,264 purchase and travel
card transactions totaling $29.8 million.
[28] We selected transactions on a nonstatistical basis from IRS asset
payments made during the first 8 months of fiscal year 2007. Therefore,
we could and do select items that were delivered in an earlier period
and paid in our audit year. Such items should be accrued in the period
received but they are reversed out and recorded anew when paid.
[29] We selected two monetary unit samples, from a population of all
nonpayroll expense transactions, consisting of those transactions
greater than or equal to $50,000 and those less than $50,000. The
sample populations consisted of 740,589 nonpayroll transactions
totaling $1,525.3 million. Because our sample was designed to test all
nonpayroll expense transactions, not just those related to travel, we
are unable to project the exceptions that only applied to travel
transactions to the entire population.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: