Internal Revenue Service
Status of GAO Financial Audit and Related Financial Management Report Recommendations
GAO ID: GAO-08-693, July 2, 2008
In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility in annually collecting trillions of dollars in taxes, processing hundreds of millions of tax and information returns, and enforcing the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective action to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO not only makes recommendations to address any new weaknesses identified but also follows up on the status of weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) assist IRS management in tracking the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations relate to control activities central to IRS's mission and goals.
IRS has made significant progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 8 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 200 financial management recommendations. This progress has been the result of hard work throughout the agency and sustained commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO's audit of IRS's fiscal year 2007 financial statements, 75 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2007 financial audit, IRS took actions that enabled GAO to close 18 of those recommendations. At the same time, GAO identified additional internal control issues resulting in 24 new recommendations. In total, 81 recommendations remain open at the end of fiscal 2007. To assist IRS in evaluating and improving internal controls, GAO categorized the 81 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning IRS's automated systems, are complex and will require several more years to fully and effectively address.
This is the accessible text file for GAO report number GAO-08-693
entitled 'Internal Revenue Service: Status of GAO Financial Audit and
Related Financial Management Report Recommendations' which was released
on July 2, 2008.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Commissioner of Internal Revenue:
United States Government Accountability Office:
GAO:
July 2008:
Internal Revenue Service:
Status of GAO Financial Audit and Related Financial Management Report
Recommendations:
Status of Recommendations:
GAO-08-693:
GAO Highlights:
Highlights of GAO-08-693, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility in annually collecting trillions
of dollars in taxes, processing hundreds of millions of tax and
information returns, and enforcing the nation's tax laws. Since its
first audit of IRS's financial statements in fiscal year 1992, GAO has
identified a number of weaknesses in IRS's financial management
operations. In related reports, GAO has recommended corrective action
to address those weaknesses. Each year, as part of the annual audit of
IRS's financial statements, GAO not only makes recommendations to
address any new weaknesses identified but also follows up on the status
of weaknesses GAO identified in previous years' audits. The purpose of
this report is to (1) assist IRS management in tracking the status of
audit recommendations and actions needed to fully address them and (2)
demonstrate how the recommendations relate to control activities
central to IRS's mission and goals.
What GAO Found:
IRS has made significant progress in improving its internal controls
and financial management since its first financial statement audit in
1992, as evidenced by 8 consecutive years of clean audit opinions on
its financial statements, the resolution of several material internal
control weaknesses, and actions resulting in the closure of over 200
financial management recommendations. This progress has been the result
of hard work throughout the agency and sustained commitment at the top
levels of the agency. However, IRS still faces financial management
challenges. At the beginning of GAO's audit of IRS's fiscal year 2007
financial statements, 75 financial management-related recommendations
from prior audits remained open because IRS had not fully addressed the
issues that gave rise to them. During the fiscal year 2007 financial
audit, IRS took actions that enabled GAO to close 18 of those
recommendations. At the same time, GAO identified additional internal
control issues resulting in 24 new recommendations. In total, 81
recommendations remain open at the end of fiscal 2007. To assist IRS in
evaluating and improving internal controls, GAO categorized the 81 open
recommendations by various internal control activities, which, in turn,
were grouped into three broad control categories.
Table: Summary of Open Recommendations by Control Category:
Safeguarding of assets and security activities;
Open at the beginning of 2007: 19;
Closed during 2007 audit: 4;
New from 2007 audit: 6;
Total open for 2008: 21.
Proper recording and documenting of transactions;
Open at the beginning of 2007: 33;
Closed during 2007 audit: 9;
New from 2007 audit: 9;
Total open for 2008: 33.
Effective management review and oversight;
Open at the beginning of 2007: 23;
Closed during 2007 audit: 5;
New from 2007 audit: 9;
Total open for 2008: 27.
Total;
Open at the beginning of 2007: 75;
Closed during 2007 audit: 18;
New from 2007 audit: 24;
Total open for 2008: 81.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
The continued existence of internal control weaknesses that gave rise
to these recommendations represents a serious obstacle that IRS needs
to overcome. Effective implementation of GAO's recommendations can
greatly assist IRS in improving its internal controls and achieving
sound financial management and can help enable it to more effectively
carry out its tax administration responsibilities. Most can be
addressed in the short term (the next 2 years). However, a few
recommendations, particularly those concerning IRS's automated systems,
are complex and will require several more years to fully and
effectively address.
What GAO Recommends:
GAO is making no new recommendations in this report. In commenting on
this draft report, IRS stated that it is committed to implementing
appropriate improvements to maintain sound financial management
practices.
To view the full product, including the scope and methodology, click on
[http://www.gao.gov/cgi-bin/getrpt?GAO-08-693]. For more information,
contact Steven J. Sebastian at (202)512-3406 or sebastians@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Scope and Methodology:
IRS's Progress on Financial Management Recommendations:
Open Recommendations Grouped by Control Activity:
Open Recommendations Arranged by Related Material Weakness, Significant
Deficiency, Compliance Issue, or Other Control Issue:
Concluding Observations:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports:
Appendix II: Open Recommendations Arranged by Control or Compliance
Issue:
Financial Reporting:
Unpaid Tax Assessments:
Tax Revenue and Refunds:
Information Security:
Hard-Copy Tax Receipts and Taxpayer Information:
Release of Federal Tax Liens:
Other Control Issues:
Appendix III: Comments from the Internal Revenue Service:
Appendix IV: Staff Acknowledgments:
Tables:
Table 1: Summary of Open Recommendations:
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
Table 3: Recommendations to Improve IRS's Segregation of Duties:
Table 4: Recommendation to Improve IRS's Controls over Information
Processing:
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control:
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording
of Transactions and Events:
Table 8: Recommendations to Improve IRS's Execution of Transaction and
Events:
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
Table 11: Recommendations to Improve IRS's Management of Human Capital:
Table 12: Material Weakness: Controls over Financial Reporting:
Table 13: Material Weakness: Controls over Unpaid Assessments:
Table 14: Material Weakness: Controls over Revenues and Issuing
Refunds:
Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and
Taxpayer Information:
Table 16: Compliance with Laws and Regulations: Timely Release of
Liens:
Table 17: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
Abbreviations:
ALS: Automated Lien System:
ATFR: Automated Trust Fund Recovery:
AUR: Automated Underreporter:
AWSS: Agency-Wide Shared Services:
BPMS: Business Performance Management System:
CCTV: closed-circuit television:
CDDB: Custodial Detail Data Base:
FA: Field Assistance:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
FMS: Financial Management Service:
IDRS: Integrated Data Retrieval System:
IFS: Integrated Financial System:
IRACS: Interim Revenue and Accounting Control System:
IRM: Internal Revenue Manual:
IRS: Internal Revenue Service:
LEM: Security Law Enforcement Manual:
LMSB: Large and Mid-sized Business:
LPG: Lockbox Processing Guidelines:
LSG: Lockbox Security Guidelines:
NFC: National Finance Center:
OMB: Office of Management and Budget:
P&E: property and equipment:
SB/SE: Small Business/Self-Employed:
SCC: service center campus:
SETS: Security Entry and Tracking System:
SP: Submission Processing:
TAC: taxpayer assistance center:
TE/GE: Tax Exempt and Government Entities:
TFRP: Trust Fund Recovery Penalty:
W&I: Wage and Investment:
United States Government Accountability Office:
Washington, DC 20548:
July 2, 2008:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Dear Mr. Shulman:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2007, IRS
collected about $2.7 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $292 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.
IRS has made much progress in improving its financial management since
it was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress was reflected in its
ability to obtain and maintain a clean audit opinion on its financial
statements each year beginning in fiscal year 2000, and to correct
several material internal control weaknesses over the years and make
many other improvements in internal control. At the same time, more
remains to be done to address long-standing internal control issues
that continue to exist at the agency. IRS continues to have weak or
ineffective internal controls over fundamental elements of its
operations that leave it vulnerable to a greater risk of fraud, waste,
abuse, and mismanagement. This, in turn, has the potential to affect
the lives of the nation's taxpayers, as our audits over the years have
demonstrated.
An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.[Footnote 1] Unfortunately, IRS
continues to be challenged with several long-standing material
weaknesses in internal control that are at the heart of IRS's
operations.[Footnote 2] During our audit of IRS's fiscal year 2007
financial statements, we continued to find material weaknesses in
controls over:
* financial reporting,
* unpaid tax assessments,
* identifying and collecting tax revenues due and issuing tax refunds,
and
* information systems security.
In addition to the material weaknesses, we continued to identify a
significant deficiency involving controls over hard-copy tax receipts
and taxpayer data, which increases the government's and taxpayers' risk
of loss or inappropriate disclosure or use of taxpayer data.
To assist IRS in strengthening its internal controls and improving its
operations, we have made numerous recommendations as part of our annual
financial statement audits and other financial management-related work
at IRS. This report is being provided to you to (1) assist IRS
management in tracking the status of financial audit and financial
management-related recommendations and the actions needed to address
them and (2) demonstrate how the recommendations relate to control
activities central to IRS's mission and goals. We are making no new
recommendations in this report.
Our work was performed from December 2007 through May 2008 in
accordance with generally accepted government auditing standards.
Results in Brief:
IRS management continues to make progress in addressing many of the
internal control issues that challenge the agency. IRS's actions have
enabled us to close over 200 financial management-related
recommendations over the years since our first audit of its financial
statements in 1992. At the beginning of our fiscal year 2007 IRS
financial statement audit, 75 financial management-related
recommendations from our prior audits remained open. During the fiscal
year 2007 financial statement audit, IRS took actions to effectively
address issues that gave rise to numerous recommendations, enabling us
to close 18 of those recommendations. Thus, 57 recommendations from
prior years' audits remained open at the end of fiscal year 2007. In
addition, during our fiscal year 2007 financial audit, we identified a
number of additional internal control issues and, in a separate report,
made 24 new recommendations to address these newly identified
issues.[Footnote 3] As a result, a total of 81 recommendations to
address IRS's internal control issues remained open at the end of
fiscal year 2007. Additionally, 76 recommendations as a result of our
assessment of IRS's information security controls over key financial
systems, data, and interconnected networks at IRS's critical data
processing facilities remained open at the end of fiscal year 2007.
Recommendations resulting from the information security portion of our
annual audits of IRS's financial statements are reported separately and
are not included in this report primarily because of the sensitive
nature of some of these issues.
In analyzing the nature of the 81 financial management recommendations
open at the end of fiscal year 2007, we determined that 21
recommendations (26 percent) relate to issues associated with IRS's
lack of effective controls over safeguarding assets and security
activities. Another 33 recommendations (41 percent) relate to issues
associated with IRS's inability to properly record and document
transactions. The remaining 27 recommendations (33 percent) relate to
issues associated with lack of effective management review and
oversight. Effectively and fully addressing these open recommendations
would greatly assist IRS in improving its internal controls and
achieving sound financial management. While most of our open
recommendations can be addressed in the short term (within the next 2
years), a few recommendations, particularly those concerning IRS's
automated systems, are complex and will require several more years to
fully and effectively address.
Finally, we analyzed the nature of the open recommendations to relate
them to the material weakness, significant deficiency, compliance
issue, and other control issues not associated with a material weakness
or significant deficiency identified as part of our annual financial
statement audits. Appendix II provides a listing of our 81 open
recommendations grouped according to their related material weakness,
significant deficiency, compliance issue, or other control issue as
described in our opinion report on IRS's financial
statements.[Footnote 4]
In commenting on a draft of this report, IRS expressed its appreciation
for our acknowledgment of the agency's progress in addressing its
financial management challenges as evidenced by our closure of 18 open
financial management recommendations from GAO's prior year report. We
have reprinted IRS's written comments in appendix III.
Background:
Internal control is not one event, but a series of actions and
activities that occur throughout an entity's operations and on an
ongoing basis. Internal control should be recognized as an integral
part of each system that management uses to regulate and guide its
operations rather than as a separate system within an agency. In this
sense, internal control is management control that is built into the
entity as a part of its infrastructure to help managers run the entity
and achieve their goals on an ongoing basis.
Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires
agencies to establish and maintain internal control. The agency head
must annually evaluate and report on the control and financial systems
that protect the integrity of federal programs. The requirements of
FMFIA serve as an umbrella under which other reviews, evaluations, and
audits should be coordinated and considered to support management's
assertion about the effectiveness of internal control over operations,
financial reporting, and compliance with laws and regulations.
Office of Management and Budget (OMB) Circular No. A-123, Management's
Responsibility for Internal Control, provides the implementing guidance
for FMFIA, and sets out the specific requirements for assessing and
reporting on internal controls consistent with the internal control
standards issued by the Comptroller General of the United
States.[Footnote 5] The circular defines management's responsibilities
related to internal control and the process for assessing internal
control effectiveness, and provides specific requirements for
conducting management's assessment of the effectiveness of internal
control over financial reporting. The circular requires management to
annually provide assurances on internal control in its performance and
accountability report, and for each of the 24 Chief Financial Officers
Act agencies to include a separate assurance on internal control over
financial reporting, along with a report on identified material
weaknesses and corrective actions.[Footnote 6] The circular also
emphasizes the need for integrated and coordinated internal control
assessments that synchronize all internal control-related activities.
FMFIA requires GAO to issue standards for internal control in the
federal government. The Standards for Internal Control in the Federal
Government (i.e., internal control standards) provides the overall
framework for establishing and maintaining effective internal control
and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.
As summarized in the internal control standards, the minimum level of
quality acceptable for internal control in the government is defined by
the following five standards, which also provide the basis against
which internal controls are to be evaluated:
* Control environment: Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management.
* Risk assessment: Internal control should provide for an assessment of
the risks the agency faces from both external and internal sources.
* Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives.
* Information and communications: Information should be recorded and
communicated to management and others within the entity who need it and
in a form and within a time frame that enables them to carry out their
internal control and other responsibilities.
* Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
The third control standard--control activities--helps ensure that
management's directives are carried out. Control activities are the
policies, procedures, techniques, and mechanisms that enforce
management's directives. In other words, they are the activities
conducted in the everyday course of business that are intended to
accomplish a control objective, such as ensuring IRS employees
successfully complete background checks prior to being granted access
to taxpayer information and receipts. As such, control activities are
an integral part of an entity's planning, implementing, reviewing, and
accountability for stewardship of government resources and achievement
of effective results.
A key objective in our annual audits of IRS's financial statements is
to obtain reasonable assurance about whether IRS maintained effective
internal controls with respect to financial reporting, including
safeguarding of assets, and compliance with laws and regulations. While
we use all five internal control standards as a basis for evaluating
the effectiveness of IRS's internal controls, we place a heavy emphasis
on testing control activities. Our evaluations and tests have resulted
in the identification of issues in certain internal controls over the
years and recommendations for corrective action.
Scope and Methodology:
To accomplish our objectives, we evaluated the effectiveness of IRS's
corrective actions implemented in response to open recommendations
during fiscal year 2007 as part of our fiscal years 2007 and 2006
financial audits. To determine the current status of the
recommendations, we (1) obtained IRS's reported status of each
recommendation and corrective action taken or planned as of April 2008,
and (2) compared IRS's reported status to our fiscal year 2007 audit
findings to identify any differences between IRS's and our conclusions
regarding the status of each recommendation.
In order to determine how these recommendations fit within IRS's
management and internal control structure, we compared the open
recommendations, and the issues that gave rise to them, to the control
activities listed in the internal control standards and to the list of
major factors and examples outlined in our Internal Control Management
and Evaluation Tool.[Footnote 7] We also considered how the
recommendations and the underlying issues were categorized in our prior
reports; whether IRS had addressed, in whole or in part, the underlying
control issues that gave rise to the recommendations; and other legal
requirements and implementing guidance, such as OMB Circular No. A-123;
FMFIA; and the Federal Information System Controls Audit Manual
(FISCAM).[Footnote 8]
Our work was performed from December 2007 through May 2008 in
accordance with generally accepted government auditing standards. We
requested comments on a draft of this report from the Commissioner of
Internal Revenue or his designee on June 9, 2008. We received comments
from the Commissioner on June 24, 2008.
IRS's Progress on Financial Management Recommendations:
IRS continues to make progress addressing its significant financial
management challenges. Over the years since we first began auditing
IRS's financial statements in fiscal year 1992, IRS has taken actions
enabling us to close over 200 of our financial management-related
recommendations. This includes 18 recommendations we are closing based
on actions IRS took during the period covered by our fiscal year 2007
financial audit. At the same time, however, our audits continue to
identify additional internal control issues, resulting in our making
further recommendations for corrective action, including 24 new
financial management-related recommendations resulting from our fiscal
year 2007 financial audit. These internal control issues, and the
resulting recommendations, can be directly traced to the control
activities in the internal control standards. As such, it is essential
that they be fully addressed and resolved to strengthen IRS's overall
financial management and to assist it in efficiently and effectively
achieving its goals and mission.
Status of Recommendations Based on the Year 2007 Financial Statement
Audit:
In June 2007, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2006 and prior year
financial audits and other financial management-related work.[Footnote
9] In that report, we identified 75 audit recommendations that at that
time remained open and thus required corrective action by IRS. A
significant number of these recommendations had been open for several
years, either because IRS had not taken corrective action or because
the actions taken had not yet fully and effectively resolved the issues
that gave rise to the recommendations.
IRS continued to work to address many of the internal control issues to
which these open recommendations relate. In the course of performing
our fiscal year 2007 financial audit, we identified numerous actions
IRS took to address many of its internal control issues. On the basis
of IRS's actions, which we were able to substantiate through our audit,
we are able to close 18 of these prior years' recommendations. IRS
considers another 23 of the prior years' recommendations to be
effectively addressed. However, we still consider them to be open
either because we had not yet been able to verify the effectiveness of
IRS's actions--they occurred subsequent to completion of our audit
testing and thus have not been verified, which is a prerequisite to our
closing a recommendation--or because the actions taken did not fully
address the issue that gave rise to the recommendation.
However, continued efforts are needed by IRS to address its internal
control issues. While we are able to close 18 financial management
recommendations made in prior years, 57 recommendations from prior
years remain open, a significant number of which have been outstanding
for several years. In some cases, IRS may have effectively addressed
the issues that gave rise to the recommendations subsequent to our
fiscal year 2007 audit testing. However, in many cases, we determined
based on the work performed for our fiscal year 2007 audit that IRS's
actions taken to date had not yet fully and effectively addressed the
underlying internal control issues. Additionally, during our audit of
IRS's fiscal year 2007 financial statements, we identified additional
issues that require corrective action by IRS. In a recent management
report to IRS,[Footnote 10] we discussed these issues, and made 24 new
recommendations to IRS to address them. Consequently, a total of 81
financial management-related recommendations were open at the end of
fiscal year 2007 and need to be addressed by IRS. While most of our
open recommendations can be addressed in the short term,[Footnote 11] a
few recommendations, particularly those concerning IRS's automated
systems, are complex and will require several more years to fully and
effectively address. We consider 71 recommendations to be short-term
and 10 to be long-term.
In addition to the 81 open recommendations from our financial audits
and other financial management-related work, we have 76 open
recommendations as a result of our assessment of IRS's information
security controls over key financial systems, data, and interconnected
networks at IRS's critical data processing facilities. One of those
open recommendations relates to IRS's need to implement an agencywide
information security program, the lack of which was a key reason for
the material weakness in IRS's information systems security controls
over its financial and tax processing systems. Unresolved, previously
reported recommendations and newly identified ones related to
information security increase the risk of unauthorized disclosure,
modification, or destruction of financial and sensitive taxpayer data.
Recommendations resulting from the information security portion of our
annual audits of IRS's financial statements are reported separately and
are not included in this report primarily because of the sensitive
nature of some of these issues.
Appendix I presents a list of (1) the 81 recommendations we have made
based on our financial statement audits and other financial management-
related work that we had not previously reported as closed prior to our
fiscal year 2007 audit, (2) the status of each of those recommendations
and corrective actions taken or planned as of April 2008 as reported to
us by IRS, and (3) our analysis of whether the issues that gave rise to
the recommendations have been effectively and fully addressed based on
the work performed during our fiscal year 2007 financial statement
audit. Appendix I also lists new recommendations we have made based on
our fiscal year 2007 financial statement audit. The appendix lists the
recommendations by the date on which the recommendation was made and by
report number. Appendix II presents the open recommendations arranged
by related material weakness, significant deficiency, compliance issue,
or other control issue as described in our opinion report on IRS's
financial statements.
Open Recommendations Grouped by Control Activity:
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to
them, to internal control activities that are central to IRS's tax
administration responsibilities provides insight regarding their
significance.
The internal control standards define 11 control activities. These
control activities can be further grouped into three broad categories:
* Safeguarding of assets and security activities:
- physical control over vulnerable assets,
- segregation of duties,
- controls over information processing, and
- access restrictions to and accountability for resources and records.
* Proper recording and documenting of transactions:
- appropriate documentation of transactions and internal control,
- accurate and timely recording of transactions and events, and
- proper execution of transactions and events.
* Effective management review and oversight:
- reviews by management at the functional or activity level,
- establishment and review of performance measures and indicators,
- management of human capital, and
- top-level reviews of actual performance.
Each of the open recommendations from our financial audits and
financial management-related work, and the underlying issues that gave
rise to them, can be traced back to 1 of the 11 control activities
(grouped into three broad categories). Table 1 presents a summary of
the open recommendations, each of which is categorized by the control
activity to which it best relates.
Table 1: Summary of Open Recommendations:
Control category/control activity: Safeguarding of assets and security
activities: Physical control over vulnerable assets;
Open at start of fiscal year 2007 audit: 12;
Closed during fiscal year 2007 audit: 3;
New from fiscal year 2007 audit: 0;
Total open as of the end of fiscal year 2007: 9;
Percentage: 11.
Control category/control activity: Safeguarding of assets and security
activities: Segregation of duties;
Open at start of fiscal year 2007 audit: 4;
Closed during fiscal year 2007 audit: 1;
New from fiscal year 2007 audit: 0;
Total open as of the end of fiscal year 2007: 3;
Percentage: 4.
Control category/control activity: Safeguarding of assets and security
activities: Controls over information processing[A];
Open at start of fiscal year 2007 audit: 1;
Closed during fiscal year 2007 audit: 0;
New from fiscal year 2007 audit: 0;
Total open as of the end of fiscal year 2007: 1;
Percentage: 1.
Control category/control activity: Safeguarding of assets and security
activities: Access restrictions to and accountability for resources and
records;
Open at start of fiscal year 2007 audit: 2;
Closed during fiscal year 2007 audit: 0;
New from fiscal year 2007 audit: 6;
Total open as of the end of fiscal year 2007: 8;
Percentage: 10.
Control category/control activity: Safeguarding of assets and security
activities: Subtotal;
Open at start of fiscal year 2007 audit: 19;
Closed during fiscal year 2007 audit: 4;
New from fiscal year 2007 audit: 6;
Total open as of the end of fiscal year 2007: 21;
Percentage: 26.
Control category/control activity: Proper recording and documenting of
transactions: Appropriate documentation of transactions and internal
controls;
Open at start of fiscal year 2007 audit: 13;
Closed during fiscal year 2007 audit: 6;
New from fiscal year 2007 audit: 5;
Total open as of the end of fiscal year 2007: 12;
Percentage: 15.
Control category/control activity: Proper recording and documenting of
transactions: Accurate and timely recording of transactions and events;
Open at start of fiscal year 2007 audit: 19;
Closed during fiscal year 2007 audit: 3;
New from fiscal year 2007 audit: 2;
Total open as of the end of fiscal year 2007: 18;
Percentage: 22.
Control category/control activity: Proper recording and documenting of
transactions: Proper execution of transactions and events;
Open at start of fiscal year 2007 audit: 1;
Closed during fiscal year 2007 audit: 0;
New from fiscal year 2007 audit: 2;
Total open as of the end of fiscal year 2007: 3;
Percentage: 4.
Control category/control activity: Proper recording and documenting of
transactions: Subtotal;
Open at start of fiscal year 2007 audit: 33;
Closed during fiscal year 2007 audit: 9;
New from fiscal year 2007 audit: 9;
Total open as of the end of fiscal year 2007: 33;
Percentage: 41.
Control category/control activity: Effective management review and
oversight: Reviews by management at the functional or activity level;
Open at start of fiscal year 2007 audit: 17;
Closed during fiscal year 2007 audit: 5;
New from fiscal year 2007 audit: 7;
Total open as of the end of fiscal year 2007: 19;
Percentage: 23.
Control category/control activity: Effective management review and
oversight: Establishment and review of performance measures and
indicators;
Open at start of fiscal year 2007 audit: 3;
Closed during fiscal year 2007 audit: 0;
New from fiscal year 2007 audit: 0;
Total open as of the end of fiscal year 2007: 3;
Percentage: 4.
Control category/control activity: Effective management review and
oversight: Management of human capital;
Open at start of fiscal year 2007 audit: 3;
Closed during fiscal year 2007 audit: 0;
New from fiscal year 2007 audit: 2;
Total open as of the end of fiscal year 2007: 5;
Percentage: 6.
Control category/control activity: Effective management review and
oversight: Subtotal;
Open at start of fiscal year 2007 audit: 23;
Closed during fiscal year 2007 audit: 5;
New from fiscal year 2007 audit: 9;
Total open as of the end of fiscal year 2007: 27;
Percentage: 33.
Total;
Open at start of fiscal year 2007 audit: 75;
Closed during fiscal year 2007 audit: 18;
New from fiscal year 2007 audit: 24;
Total open as of the end of fiscal year 2007: 81;
Percentage: 100.
Source: GAO analysis of the status of financial management
recommendations made to IRS.
[A] Does not include an additional 76 information systems security
recommendations, which are reported separately because of the sensitive
nature of some of the issues that gave rise to these recommendations.
[End of table]
As table 1 indicates, 21 recommendations (26 percent) relate to issues
associated with IRS's lack of effective controls over safeguarding of
assets and security activities. Another 33 recommendations (41 percent)
relate to issues associated with IRS's inability to properly record and
document transactions. The remaining 27 open recommendations (33
percent) relate to issues associated with the lack of effective
management review and oversight.
On the following pages, we group the 81 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented
in the internal control standards and briefly identify some of the key
IRS operations that fall under that control activity. Although not
comprehensive, the descriptions are intended to help explain why
actions to strengthen these control activities are important for IRS to
efficiently and effectively carry out its overall mission. For each
recommendation, we also indicate whether it is a short-term or long-
term recommendation.
Safeguarding of Assets and Security Activities:
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of
the most important control activities at IRS is the safeguarding of
assets. Internal control in this important area should be designed to
provide reasonable assurance regarding prevention or prompt detection
of unauthorized acquisition, use, or disposition of an agency's assets.
We have grouped together the four control activities in the internal
control standards that relate to safeguarding of assets (including tax
receipts) and security activities (such as limiting access to only
authorized personnel): (1) physical control over vulnerable assets, (2)
segregation of duties, (3) controls over information processing, and
(4) access restrictions to and accountability for resources and
records.
Physical Control over Vulnerable Assets:
Internal control standard: an agency must establish physical control to
secure and safeguard vulnerable assets. Examples include security for
and limited access to assets such as cash, securities, inventories, and
equipment which might be vulnerable to risk of loss or unauthorized
use. Such assets should be periodically counted and compared to control
records.
IRS is charged with collecting trillions of dollars in taxes each year,
a significant amount of which is collected in the form of checks and
cash accompanied by tax returns and related information. IRS collects
taxes both at its own facilities as well as at lockbox banks that
operate under contract with the Department of the Treasury's Financial
Management Service (FMS) to provide processing services for certain
taxpayer receipts for IRS. IRS acts as custodian for (1) the tax
payments it receives until they are deposited in the General Fund of
the U.S. Treasury and (2) the tax returns and related information it
receives until they are either sent to the Federal Records Center or
destroyed. IRS is also charged with controlling many other assets, such
as computers and other equipment, but IRS's legal responsibility to
safeguard tax returns and the confidential information taxpayers
provide on tax returns makes the effectiveness of its internal controls
with respect to physical security essential.
IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at its offices. While effective physical
safeguards over receipts should exist throughout the year, it is
especially important during the peak tax filing season. Each year
during the weeks preceding and shortly after April 15, an IRS service
center campus (SCC) or lockbox bank may receive and process daily over
100,000 pieces of mail containing returns, receipts, or both. The
dollar value of receipts each service center and lockbox bank processes
increases to hundreds of millions of dollars a day during the April 15
time frame.
Of our 81 open recommendations, the following 9 open recommendations
are designed to improve IRS's physical controls over vulnerable assets.
All are short-term in nature. (See table 2.)
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
ID no.: 04-08;
Recommendations: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms. (short-term).
ID no.: 06-05;
Recommendations: Equip all Taxpayer Assistance Centers (TACs) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers such as locked doors marked with signs
barring entrance by unescorted customers. (short-term).
ID no.: 06-08;
Recommendations: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms regardless of the
circumstances that may have caused the activation. (short-term).
ID no.: 06-15;
Recommendations: Revise the physical security procedures in the
Internal Revenue Manual (IRM) to require that all SCCs and any
respective annex facilities processing taxpayer receipts and/or
information perform and document monthly tests of the facilities'
intrusion detection alarms. At a minimum, these procedures should (1)
outline the type of test to be conducted, (2) include criteria for
assessing whether the controls used to respond to the alarm were
effective, and (3) require that a logbook be maintained to document the
test dates, results, and response information. (short-term).
ID no.: 07-01;
Recommendations: Enforce the existing policy requiring that all lockbox
banks encrypt backup media containing federal taxpayer information.
(short-term).
ID no.: 07-02;
Recommendations: Ensure that lockbox banks store backup media
containing federal taxpayer information at an off-site location as
required by the 2006 Lockbox Security Guidelines. (short-term).
ID no.: 07-03;
Recommendations: Revise instructions for the annual reviews of lockbox
banks to encompass routine monitoring of backup media containing
personally identifiable information to ensure that this information is
(1) encrypted prior to transmission and (2) stored in an appropriate
off-site location. (short-term).
ID no.: 07-04;
Recommendations: Develop and implement appropriate corrective actions
for any gaps in closed circuit TV (CCTV) camera coverage that do not
provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions. (short-term).
ID no.: 07-20;
Recommendations: Establish and maintain sufficient secured storage
space to properly secure and safeguard its property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed and/or
shipped out. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Segregation of Duties:
Internal control standard: Key duties and responsibilities need to be
divided or segregated among different people to reduce the risk of
error or fraud. This should include separating the responsibilities for
authorizing transactions, processing and recording them, reviewing the
transactions, and handling any related assets. No one individual should
control all key aspects of a transaction or event.
IRS employees are responsible for processing trillions of dollars of
tax receipts each year, of which hundreds of billions are received in
the form of cash or checks,[Footnote 12] and for processing hundreds of
billions of dollars in refunds to taxpayers. Consequently, it is
critical that IRS maintain appropriate separation of duties to allow
for adequate oversight of staff and protection of these vulnerable
resources so that no single individual would be in a position of
causing an error or irregularity, potentially converting the asset to
personal use, and then concealing it. For example, when an IRS field
office or lockbox bank receives taxpayer receipts and returns, it is
responsible for depositing the cash and checks in a depository
institution and forwarding the related information received to an SCC
for further processing. In order to adequately safeguard receipts from
theft, the person responsible for recording the information from the
taxpayer receipts on a voucher should be different from the individual
who prepares those receipts for transmittal to the SCC for further
processing. Also, for procurement of goods and services, the person who
places an order for goods and services should be different from the
person who receives the goods and services. Such separation of duties
will help to prevent the occurrence of fraud, theft of IRS assets, or
both.
The following three open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over
tax receipts and refunds and procurement activities. All are short-term
in nature. (See table 3.)
Table 3: Recommendations to Improve IRS's Segregation of Duties:
ID no.: 02-16;
Recommendations: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments. (short-
term).
ID no.: 05-32;
Recommendations: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term).
ID no.: 07-21;
Recommendations: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Controls over Information Processing:
Internal control standard: A variety of control activities are used in
information processing. Examples include edit checks of data entered,
accounting for transactions in numerical sequences, and comparing file
totals with control totals. There are two broad groupings of
information systems control--general control (for hardware such as
mainframe, network, end-user environments) and application control
(processing of data within the application software). General controls
include entitywide security program planning, management, and backup
recovery procedures and contingency and disaster planning. Application
controls are designed to help ensure completeness, accuracy,
authorization, and validity of all transactions during application
processing.
IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax
processing responsibilities, IRS relies extensively on interconnected
networks of computer systems to perform various functions, such as
collecting and storing taxpayer data, processing tax returns,
calculating interest and penalties, generating refunds, and providing
customer service.
As part of our annual audits of IRS's financial statements, we assess
the effectiveness of IRS's information security controls[Footnote 13]
over key financial systems, data, and interconnected networks at IRS's
critical data processing facilities that support the processing,
storage, and transmission of sensitive financial and taxpayer data.
From that effort over the years, we have identified information
security control weaknesses that impair IRS's ability to ensure the
confidentiality, integrity, and availability of its sensitive financial
and taxpayer data. As of January 2008, there were 76 open
recommendations from our information security work designed to improve
IRS's information security controls.[Footnote 14] As discussed
previously, recommendations resulting from our information security
work are reported separately and are not included in this report
primarily because of the sensitive nature of these issues.
However, the following open short-term recommendation is related to
systems limitations and IRS's need to enhance its computer programs.
(See table 4.)
Table 4: Recommendation to Improve IRS's Controls over Information
Processing:
ID no.: 02-18;
Recommendations: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Access Restrictions to and Accountability for Resources and Records:
Internal control standard: Access to resources and records should be
limited to authorized individuals, and accountability for their custody
and use should be assigned and maintained. Periodic comparison of
resources with the recorded accountability should be made to help
reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Because IRS deals with a large volume of cash and checks, it is
imperative that it maintain strong controls to appropriately restrict
access to those assets, the records that track those assets, and
sensitive taxpayer information. Although IRS has a number of both
physical and information system controls in place, some of the issues
we have identified in our financial audits over the years pertain to
ensuring that those individuals who have direct access to these cash
and checks are appropriately vetted before being granted access to
taxpayer receipts and information and to ensuring that IRS maintains
effective access security control.
The following eight open short-term recommendations would help IRS
improve its access restrictions to assets and records. (See table 5.)
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
ID no.: 05-11;
Recommendations: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at service center campuses selected for
significant reductions in their submission processing functions. (short-
term).
ID no.: 05-13;
Recommendations: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers. (short-term).
ID no.: 08-09;
Recommendations: Establish a mechanism to monitor compliance with the
existing requirement that TAC employees responsible for accepting
taxpayer payments in cash have their computer system access
appropriately restricted to limit their ability to adjust taxpayer
accounts. (short-term).
ID no.: 08-12;
Recommendations: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term).
ID no.: 08-13;
Recommendations: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term).
ID no.: 08-15;
Recommendations: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term).
ID no.: 08-16;
Recommendations: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles. (short-term).
ID no.: 08-17;
Recommendations: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Recording and Documenting of Transactions:
One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers
need to assist in making well-informed day-to-day decisions. While IRS
is making progress in modernizing its financial management
capabilities, it nonetheless continues to face many pervasive internal
control weaknesses related to its long-standing systems deficiencies
that we have reported each year since we began auditing its financial
statements in fiscal year 1992. These deficiencies can only be
addressed as part of a longer-term effort to overhaul and integrate
IRS's financial management system structure. Because of the long-
standing, pervasive nature of these deficiencies, their resolution is
likely to require more than 2 additional years.
Nevertheless, IRS also has a number of internal control issues that
relate to recording transactions, documenting events, and tracking the
processing of taxpayer receipts or information, which do not depend
upon longer-term efforts to overhaul and integrate its information
systems.
We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate
documentation of transactions and internal controls, (2) accurate and
timely recording of transactions and events, and (3) proper execution
of transactions and events.
Appropriate Documentation of Transactions and Internal Control:
Internal control standard: Internal control and all transactions and
other significant events need to be clearly documented, and the
documentation should be readily available for examination. The
documentation should appear in management directives, administrative
policies, or operating manuals and may be in paper or electronic form.
All documentation and records should be properly managed and
maintained.
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract
to process taxpayer receipts for the federal government. Therefore, it
is important that IRS maintain effective controls to ensure that all
documents and records are properly and timely recorded, managed, and
maintained both at its facilities and at the lockbox banks. IRS must
adequately document and disseminate its procedures to ensure that they
are available for IRS employees. IRS must also document its management
reviews of those controls, such as those regarding refunds and returned
checks, credit card purchases, and reviews of TACs. Finally, to ensure
future availability of adequate documentation, IRS must ensure that its
systems, particularly those now being developed and implemented, have
appropriate capability to trace transactions.
The following 12 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. Eleven
of these recommendations are short-term, and one is long-term. (See
table 6.)
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control:
ID no.: 05-14;
Recommendations: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information. (short-term).
ID no.: 05-39;
Recommendations: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term).
ID no.: 06-01;
Recommendations: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term).
ID no.: 06-02;
Recommendations: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term).
ID no.: 06-04;
Recommendations: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term).
ID no.: 06-07;
Recommendations: Document supervisory visits by offsite managers to
TACs not having a manager permanently on-site. This documentation
should be signed by the manager and should (1) record the time and date
of the visit, (2) identify the manager performing the visit, (3)
indicate the tasks performed during the visit, (4) note any problems
identified, and (5) describe corrective actions planned. (short-term).
ID no.: 07-15;
Recommendations: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in the Automated Lien System
(ALS). (short-term).
ID no.: 08-01;
Recommendations: As IRS proceeds with its implementation of Custodial
Detail Data Base (CDDB), it should verify that when it becomes fully
operational, CDDB, when used in conjunction with the Interim Revenue
and Accounting Control System (IRACS), will provide IRS with the direct
transaction traceability for all of its tax-related transactions as
required by the U.S. Standard General Ledger (SGL), Federal Financial
Management System Requirements (FFMSR), and thus Federal Financial
Management Improvement Act of 1996 (FFMIA). (long-term).
ID no.: 08-02;
Recommendations: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid assessment
estimation process. (short-term).
ID no.: 08-07;
Recommendations: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and
documenting the results. This guidance should include a description of
the key controls that should be in place at outlying TACs, specify how
often these key controls should be reviewed, and specify how the
results of each review should be documented, including follow-up on
issues identified in previous TAC reviews. (short-term).
ID no.: 08-21;
Recommendations: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials update and maintain appropriate supporting documentation.
(short-term).
ID no.: 08-22;
Recommendations: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card holders and
purchase card approving officials retain copies of all supporting
documents for a reasonable period of time, such as 3 years. (short-
term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Accurate and Timely Recording of Transactions and Events:
Internal control standard: Transactions should be promptly recorded to
maintain their relevance and value to management in controlling
operations and making decisions. This applies to the entire process or
life cycle of a transaction or event from the initiation and
authorization through its final classification in summary records. In
addition, control activities help to ensure that all transactions are
completely and accurately recorded.
IRS is responsible for maintaining taxpayer records for tens of
millions of taxpayers in addition to maintaining its own financial
records. To carry out this responsibility, IRS often has to rely on
outdated computer systems or manual work-arounds. Unfortunately, some
of IRS's recordkeeping difficulties we have reported on over the years
will not be addressed until it can replace its aging systems, which is
a long-term effort and depends on future funding.
The following 18 open recommendations would strengthen IRS's
recordkeeping abilities. (See table 7.) Twelve of these recommendations
are short-term, and 6 are long-term. They include specific
recommendations regarding requirements for new systems for maintaining
taxpayer records. Several of the recommendations listed affect
financial reporting processes, such as subsidiary records and
appropriate allocation of costs. Some of the issues that gave rise to
several of our recommendations directly affect taxpayers, such as those
involving duplicate assessments, errors in calculating and reporting
manual interest, errors in calculating penalties, and recovery of trust
fund penalty assessments. About 38 percent of these recommendations are
5 years or older and 1 is over 10 years old, reflecting the complex
nature of the underlying system issues that must be resolved to fully
address some of these issues.
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording
of Transactions and Events:
ID no.: 94-02;
Recommendations: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts and
test the effectiveness of these actions. (short-term).
ID no.: 99-01;
Recommendations: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received. (short-term).
ID no.: 99-03;
Recommendations: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term).
ID no.: 99-20;
Recommendations: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance. (long-term).
ID no.: 99-36;
Recommendations: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term).
ID no.: 01-17;
Recommendations: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term).
ID no.: 01-39;
Recommendations: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term).
ID no.: 02-08;
Recommendations: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term).
ID no.: 02-09;
Recommendations: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year. (long-term).
ID no.: 06-22;
Recommendations: Direct Facilities Management Branch managers to
research and resolve the aging reports (short-term).
ID no.: 07-09;
Recommendations: Enhance its computer program to check for outstanding
tax liabilities associated with both the primary and secondary Social
Security numbers shown on a joint tax return and apply credits to those
balances before issuing any refund. (short-term).
ID no.: 07-11;
Recommendations: Correct the penalty calculation programs in the master
file so that penalties are calculated in accordance with the applicable
Internal Revenue Code and implementing IRM guidance. (short-term).
ID no.: 07-12;
Recommendations: Research each of the taxpayer accounts that may have
been affected by the penalty programming errors to determine whether
they contain overassessed penalties and correct the accounts as needed.
(short-term).
ID no.: 07-13;
Recommendations: Establish procedures and specify in the IRM that at
the time of receipt, employees recording taxpayer payments should (1)
determine if the payment is more than sufficient to cover the tax
liability of the tax period specified on the payment or earliest
outstanding tax period, (2) perform additional research to resolve any
outstanding issues on the account, (3) determine whether the taxpayer
has outstanding balances in other tax periods, and (4) apply available
credits to satisfy the outstanding balances in other tax periods.
(short-term).
ID no.: 07-14;
Recommendations: Establish procedures and specify in the IRM that
employees review taxpayer accounts with freeze codes that contain
credits weekly to (1) research and resolve any outstanding issues on
the account, (2) determine whether the taxpayer has outstanding
balances in other tax periods, and (3) apply available credits to
satisfy the outstanding balances in other tax periods. (short-term).
ID no.: 07-18;
Recommendations: Adjust errors in recorded installment agreement user
fees as necessary to correctly reflect the user fees IRS earned and
collected from taxpayers. (short-term).
ID no.: 08-06;
Recommendations: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM. (short-term).
ID no.: 08-23;
Recommendations: Issue a memorandum addressed to all personnel
responsible for updating inventory records that reiterates IRS's
existing policy requiring that new assets be inputted into the
inventory system within 10 days of receipt. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Execution of Transactions and Events:
Internal control standard: Transactions and other significant events
should be authorized and executed only by persons acting within the
scope of their authority. This is the principal means of ensuring that
only valid transactions to exchange, transfer, use, or commit resources
and other events are initiated or entered into. Authorizations should
be clearly communicated to managers and employees.
IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak
of the tax filing season. Because of the significant number of
personnel involved, IRS must maintain effective control over which
employees are authorized to either view or change sensitive taxpayer
data. IRS's ability to establish access rights and permissions for
information systems is a critical control.
Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.[Footnote 15] IRS
requires that all manual refunds be approved by designated officials.
However, weaknesses in the authorization of such approving officials
expose the federal government to losses because of the issuance of
improper refunds. Likewise, the failure to ensure that employees obtain
appropriate authorizations to use purchase cards or initiate travel
similarly leaves the government open to fraud, waste, or abuse. The
following three open short-term recommendations would improve IRS's
controls over its manual refund, purchase card, and travel
transactions. (See table 8.)
Table 8: Recommendations to Improve IRS's Execution of Transaction and
Events:
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds.
(short-term).
ID no.: 08-20;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders obtain
funding approval or verify that funds are available for the intended
purpose prior to making a purchase. (short-term).
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates the
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of travel. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Effective Management Review and Oversight:
All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set
the objectives, put control activities in place, and monitor and
evaluate controls to ensure that they are followed. Without effective
monitoring by managers, internal control activities may not be carried
out consistently and on time.
We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of
performance measures and indicators, and (3) management of human
capital. Although we also include the control activity "top-level
reviews of actual performance" in this grouping, we do not have any
open recommendations to IRS related to this internal control activity.
Reviews by Management at the Functional or Activity Level:
Internal control standard: Managers need to compare actual performance
to planned or expected results throughout the organization and analyze
significant differences.
IRS has over 71,000 full-time employees and hires over 23,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, Treasury's Financial Management Service contracts
with banks to process tens of thousands of individual receipts,
totaling hundreds of billions of dollars. At any organization,
management oversight of operations is important, but with an
organization as vast in scope as IRS, management oversight is
imperative.
The following 18 short-term and one long-term open recommendations
would improve IRS's management oversight of lockbox banks, courier
services, user fees, penalty calculations, issuance of manual refunds,
and the timely release of liens. (See table 9.) Many of these
recommendations were made to correct instances where an internal
control activity either does not exist or where an established control
is not being adequately or consistently applied. However, a number of
these recommendations are aimed at enhancing IRS's own assessment of
its internal controls over financial reporting in accordance with the
requirements of the revised OMB Circular No. A-123.
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
ID no.: 99-22;
Recommendations: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls. (short-term).
ID no.: 01-06;
Recommendations: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term).
ID no.: 05-33;
Recommendations: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term).
ID no.: 05-38;
Recommendations: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term).
ID no.: 07-17;
Recommendations: Monitor installment agreement user fee activity on a
regular basis. (short-term).
ID no.: 07-19;
Recommendations: Establish sufficient review procedures to help ensure
that adjustments to installment agreement user fees collected from
taxpayers are accurately and timely recorded. (short-term).
ID no.: 07-22;
Recommendations: Document the results of internal control tests
conducted in a manner sufficiently clear and complete to explain how
control procedures were tested, what results were achieved, and how
conclusions were derived from those results, without reliance on
supplementary oral explanation. (short-term).
ID no.: 07-23;
Recommendations: Clearly document how it considered existing reviews
and audits in determining the nature, scope, and timing of procedures
it planned to conduct under its OMB Circular No. A-123 process.
(short-term).
ID no.: 07-24;
Recommendations: To the extent that it intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work. (short-term).
ID no.: 07-25;
Recommendations: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term).
ID no.: 07-26;
Recommendations: Work with Treasury to identify laws and regulations
that are significant to financial reporting, test controls over
compliance with those laws and regulations, and evaluate and report on
the results of such control reviews. (short-term).
ID no.: 07-27;
Recommendations: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. (short-term).
ID no.: 08-04;
Recommendations: To address the inconsistency in assigning the
effective date of an accuracy penalty, modify the Business Master File
computer program so that the date of the deficiency assessment is used
as the effective date of any related accuracy penalty. (long-term).
ID no.: 08-05;
Recommendations: Complete and document the review of existing programs
in the master files that affect penalty calculations to identify any
instances in which programs are not functioning in accordance with the
intent of the IRM. (short-term).
ID no.: 08-08;
Recommendations: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers. (short-term).
ID no.: 08-11;
Recommendations: Modify the IRM to specify qualifications and
geographical proximity requirements for individuals designated as first
responders to duress alarms at IRS facilities, and to require that the
responsibilities and qualifications of all designated first responders
be periodically reviewed to verify that over time, they continue to be
qualified and appropriately located, and to make any necessary
adjustments. (short-term).
ID no.: 08-14;
Recommendations: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information; document the
results, including identification of any security issues; and verify
that the contractor has taken appropriate corrective actions on any
security issues observed. (short-term).
ID no.: 08-18;
Recommendations: Issue a memorandum to Receipt Control Operations Unit
staff reiterating existing requirements for (1) supervisory reviews of
the processing of TE/GE user fee deposits and (2) key documentation to
be signed and dated by the supervisor as evidence of that review.
(short-term).
ID no.: 08-19;
Recommendations: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials and purchase cardholders sign and date monthly account
statements attesting to their review and completion of the required
reconciliation process. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Establishment and Review of Performance Measures and Indicators:
Internal control standard: Activities need to be established to monitor
performance measures and indicators. These controls could call for
comparisons and assessments relating different sets of data to one
another so that analyses of the relationships can be made and
appropriate actions taken. Controls should also be aimed at validating
the propriety and integrity of both organizational and individual
performance measures and indicators.
IRS's operations include a vast array of activities encompassing
educating taxpayers, processing of taxpayer receipts and data,
disbursing hundreds of billions of dollars in refunds to millions of
taxpayers, maintaining extensive information on tens of millions of
taxpayers, and seeking collection from individuals and businesses that
fail to comply with the nation's tax laws. Within its compliance
function, IRS has numerous activities, including identifying businesses
and individuals that underreport income, collecting from taxpayers that
do not pay taxes, and collecting from those receiving refunds for which
they are not eligible. Although IRS has at its peak over 94,000
employees, it still faces resource constraints in attempting to fulfill
its duties. Because of this, it is vitally important for IRS to have
sound performance measures to assist it in assessing its performance
and targeting its resources to maximize the government's return on
investment.
However, in past audits we have reported that IRS did not capture costs
at the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a
result, IRS is unable to measure the costs and benefits of its various
collection and enforcement efforts to best target its available
resources.
The following three long-term open recommendations are designed to
assist IRS in evaluating its operations, determining which activities
are the most beneficial, and establishing a good system for oversight.
(See table 10.) These recommendations call for IRS to measure, track,
and evaluate the costs, benefits, or outcomes of its operations--
particularly with regard to identifying its most effective tax
collection activities.
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
ID no.: 99-29;
Recommendations: Develop the data to support meaningful cost
information categories and cost-based performance measures.
(long-term).
ID no.: 01-04;
Recommendations: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, administrative support), as well as the expected
additional tax collections generated. (long-term).
ID no.: 01-12;
Recommendations: For (1) IRS's Automated Underreporter (AUR) and
Combined Annual Wage Reporting (CAWR) programs, (2) screening and
examination of Earned Income Tax Credit claims, and (3) identifying and
collecting previously disbursed improper refunds, use the best
available information to develop reliable cost-benefit data to estimate
the tax revenue collected by, and the amount of improper refunds
returned to, IRS for each dollar spent pursuing these outstanding
amounts. These data would include (1) an estimate of the full cost
incurred by IRS in performing each of these efforts, including the
salaries and benefits of all staff involved, as well as any related
nonpersonnel costs, such as supplies and utilities and (2) the actual
amount (a) collected on tax amounts assessed and (b) recovered on
improper refunds disbursed. (long-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Management of Human Capital:
Internal control standard: Effective management of an organization's
workforce--its human capital--is essential to achieving results and an
important part of internal control. Management should view human
capital as an asset rather than a cost. Only when the right personnel
for the job are on board and are provided the right training, tools,
structure, incentives, and responsibilities is operational success
possible. Management should ensure that skill needs are continually
assessed and that the organization is able to obtain a workforce that
has the required skills that match those necessary to achieve
organizational goals. Training should be aimed at developing and
retaining employee skill levels to meet changing organizational needs.
Qualified and continuous supervision should be provided to ensure that
internal control objectives are achieved. Performance evaluation and
feedback, supplemented by an effective reward system, should be
designed to help employees understand the connection between their
performance and the organization's success. As a part of its human
capital planning, management should also consider how best to retain
valuable employees, plan for their eventual succession, and ensure
continuity of needed skills and abilities.
IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens
of thousands of employees spread throughout the country, it is
imperative that management keeps its guidance up-to-date and its staff
properly trained.
The following five open short-term recommendations would assist IRS in
its management of human capital. (See table 11.)
Table 11: Recommendations to Improve IRS's Management of Human Capital:
ID no.: 99-25;
Recommendations: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes.
(short-term).
ID no.: 07-08;
Recommendations: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term).
ID no.: 07-28;
Recommendations: Provide A-123 review staff appropriate training, such
as that available for financial auditors, to enhance their skills in
workpaper documentation, identification and testing of internal
controls, and evaluation and documentation of results. (short-term).
ID no.: 08-03;
Recommendations: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a detailed
supervisory review be performed to ensure: (1) the statistical validity
of the sampling plans, (2) data entered into the sample selection
programs agree with the sampling plans, (3) data entered into the
statistical projection programs agree with IRS's sample review results,
(4) data on the spreadsheets used to compile the interim projections
and roll-forward results trace back to supporting statistical
projection results, and (5) the calculations on these spreadsheets are
mathematically correct. (short-term).
ID no.: 08-10;
Recommendations: Establish procedures requiring periodic verification
that all individuals designated as first responders to TAC duress
alarms are appropriately qualified and geographically located to
respond to the potentially dangerous situations in an effective and
timely manner. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Open Recommendations Arranged by Related Material Weakness, Significant
Deficiency, Compliance Issue, or Other Control Issue:
For several years, we have reported material weaknesses, a significant
deficiency, noncompliance with laws and regulations, and other control
issues in our annual financial statement audits and related management
reports.[Footnote 16] To assist IRS in addressing those control issues,
Appendix II provides summary information regarding the primary issue to
which each open recommendation is related. To compile this summary, we
analyzed the nature of the open recommendations to relate them to the
material weaknesses, significant deficiency, compliance issues, and
other control issues not associated with a material weakness or
significant deficiency identified as part of our financial statement
audit.
Concluding Observations:
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to carry out its mission
more efficiently and more effectively while protecting taxpayers'
information.
Sound financial management and effective internal controls are
essential if IRS is to efficiently and effectively achieve its goals.
IRS has made substantial progress in improving its financial management
since its first financial audit, as evidenced by consecutive clean
audit opinions on its financial statements for the past 8 years,
resolution of several material internal control weaknesses, and actions
taken resulting in the closure of hundreds of financial management
recommendations. This progress has been the result of hard work by many
individuals throughout IRS and sustained commitment of IRS leadership.
Nonetheless, more needs to be done to fully address the agency's
continuing financial management challenges. Further efforts are needed
to address the internal control deficiencies that continue to exist.
Effective implementation of the recommendations we have made and
continue to make through our financial audits and related work could
greatly assist IRS in improving its internal controls and achieving
sound financial management. While we recognize that some actions--
primarily those related to modernizing automated systems--will take a
number of years to resolve, most of our outstanding recommendations can
be addressed in the short-term.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS expressed its appreciation
for our acknowledgment of the agency's progress in addressing its
financial management challenges as evidenced by our closure of 18 open
financial management recommendations from GAO's prior year report. IRS
also commented that it is committed to implementing appropriate
improvements to ensure that the IRS maintains sound financial
management practices. We will review the effectiveness of further
corrective actions IRS has taken or will take and the status of IRS's
progress in addressing all open recommendations as part of our audit of
IRS's fiscal year 2008 financial statements.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term
Growth, Senate Committee on Finance. We are also sending copies to the
Chairmen and Ranking Members of the House Committee on Appropriations;
House Committee on Ways and Means; the Chairman and Vice Chairman of
the Joint Committee on Taxation; the Secretary of the Treasury; the
Director of OMB; the Chairman of the IRS Oversight Board; and other
interested parties. Copies will be made available to others upon
request. In addition, the report will be available at no charge on
GAO's Web site at [hyperlink, http://www.gao.gov].
If you have any questions concerning this report, please contact me at
(202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix IV.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director Financial Management and Assurance:
[End of section]
Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports:
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Source report: Financial Management: Important IRS Revenue Information
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993);
Status per IRS: Open. The Internal Revenue Service's (IRS) Exam Policy
has expanded its action plan to include short-term actions for fiscal
year 2008. By June 30, 2008, it plans to issue a memorandum to
emphasize the importance of training employees who calculate interest
and outline available training modules. By September 30, 2008, it plans
to offer assistance reviews as requested to verify adherence to
procedures, and to improve the process for employees to elevate issues
to the program office for resolution. By January 1, 2009, Exam Policy
will coordinate additional interest-related training to target field
exam and collection personnel;
Status per GAO: Open. In testing a statistical sample of 45 manual
interest transactions recorded during fiscal year 2006, we found eight
errors relating to the calculation and recording of manually calculated
interest. Based on this, we estimated that 18 percent of IRS's manual
interest population contains errors and concluded that IRS's controls
over this area remain ineffective. The ineffectiveness of these
controls contributes to errors in taxpayer records, which is a major
component of the material weakness in IRS's unpaid assessments. During
fiscal year 2007, IRS did not make any significant improvements to
controls related to manual interest calculations. We will continue to
evaluate IRS's corrective actions in future audits.
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Open. IRS's Small Business/Self-Employed (SB/SE)
Division began a Trust Fund Recovery Penalty (TFRP) Database Cleanup
Initiative in September 2006 that involved a combined systemic clean-up
and systemically-assisted, manual cleanup. SB/SE completed the clean-up
initiative in January 2008. According to IRS, one of the
accomplishments of the clean-up initiative was to reduce
cross-reference errors by 32.4 percent. IRS will continue to identify and
submit work requests to address current programming shortfalls,
corrections and enhancements to the Automated Trust Fund Recovery
(ATFR) program and database. The Work Request Tracking System will
improve the Area Office, Control Point Monitoring, and Campus
Compliance components of the database. These enhancements and
improvements include but are not limited to minimizing accounts
requiring manual intervention, providing increased managerial oversight
through the creation of various reports and improvements to the current
inventory delivery system;
Status per GAO: Open. IRS has taken several actions to strengthen
controls and correct programming or procedural deficiencies in the
cross-referencing of payments. To ensure quality, timeliness, and
accuracy of the TFRP process, IRS recently completed a quality review
process that improved the accuracy rate of cross-references recorded
in its master files. Additionally, IRS continues to monitor the
accuracy and effectiveness of the TFRP process and all corrective
actions already in place. However, IRS's actions have not been
completely successful in addressing this issue. As part of our fiscal
year 2007 financial audit, we reviewed a statistical sample of 76 TFRP
payments, made on accounts created since August 2001. We found nine
instances in which IRS did not properly record the payments to all
related taxpayer accounts. We estimate that 11.8 percent of these
payments may not be properly recorded. Thus, we conclude that IRS's
controls over this area remain ineffective. The ineffectiveness of
these controls contributes to errors in taxpayer records, which is a
major component of our reported material weakness in IRS's unpaid
assessments. We will continue to review IRS's corrective actions to
address this issue during our fiscal year 2008 audit.
ID no.: 99-03;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Open. IRS is developing the Custodial Detailed Data
Base (CDDB), which it believes will ultimately address many of the
outstanding financial management recommendations. IRS implemented the
first phase of the CDDB during fiscal year 2006. In fiscal year 2007,
IRS enhanced the CDDB to process a larger percentage of accounts
associated with unpaid payroll taxes and began journalizing unpaid
assessment information from CDDB to the Interim Revenue and Accounting
Control System (IRACS) weekly, the first step in establishing CDDB to
serve as the subsidiary ledger for unpaid assessments. For fiscal year
2008, IRS is continuing to enhance the CDDB in order to process an even
larger percentage of accounts associated with unpaid payroll taxes;
Status per GAO: Open. IRS's development and use of CDDB has improved
its ability to analyze and classify related taxpayer accounts
associated with unpaid payroll taxes. However, CDDB is currently not
able to analyze and classify 100 percent of such cases. In fiscal year
2007, IRS implemented CDDB programs to begin journalizing tax debt
information from its master files to its general ledger weekly, a first
step in establishing CDDB's capability to serve as a subsidiary ledger
for unpaid tax debt. However, IRS is presently unable to use CDDB as
its subsidiary ledger for posting tax debt information to its general
ledger in a manner that ensures reliable external reporting.
Specifically, to report balances for taxes receivable and other unpaid
tax assessments in its financial statements and required supplemental
information, IRS must continue to apply statistical sampling and
estimation techniques to master file data processed through CDDB at
year-end. Even though CDDB is capable of analyzing master file data
weekly to produce tax debt information classified into the various
financial reporting categories (taxes receivable, compliance
assessments, and write-offs), this information contains material
inaccuracies. For example, over $20 billion in adjustments to the year-
end gross taxes receivable balance produced by CDDB were needed to
correct for errors. Full operational capability of CDDB is several
years away and depends in part on the successful implementation of
future system releases through 2009. The lack of a fully functioning
subsidiary ledger capable of producing accurate, useful, and timely
information with which to manage and report externally is a major
component of our reported material weakness in IRS's unpaid
assessments. We will continue to monitor IRS's development of CDDB
during our fiscal year 2008 and future audits.
ID no.: 99-19;
Recommendation: Ensure that walk-in payment receipts are recorded in a
control log prior to depositing the receipts in the locked container
and ensure that the control log information is reconciled to receipts
prior to submission of the receipts to another unit for payment
processing. To ensure proper segregation of duties, an employee not
responsible for logging receipts in the control log should perform the
reconciliation. (short-term);
Source report: Internal Revenue Service: Physical Security Over
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30,
1998);
Status per IRS: Closed. Recommendation is no longer directly applicable
to IRS's current business operations. The Wage and Investment (W&I)
Division is no longer organized by districts, and no longer has teller
functions. The operations aspect of the recommendation has been
addressed with procedures and processes in recommendation 99-22.
Managerial aspects of the control logs and reviews are addressed in
recommendations 02-16 and 05-33, where IRS addresses its monitoring
activities and efforts to improve its current state of compliance;
Status per GAO: Closed. The original report issued in November 1998
directs the intent of this recommendation to the Customer Service Units
at district offices that collected walk-in payments. Since that time
IRS reorganized its operations into four operating divisions with
particular responsibility for the collection of individual and
corporate taxes, examination of returns, and taxpayer assistance.
Specifically, the W&I Division's Taxpayer Assistance Centers (TACs) now
handle the collection of walk-in payment receipts. Therefore, we agree
that recommendations 99-22, 02-16 and 05-33 address the substance of
the weaknesses reported in the November 1998 report. We will continue
to monitor those recommendations to assess IRS's corrective actions.
ID no.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance. (long-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Open. IRS implemented the Area Office (AO) ATFR Web
application. This implementation included the Web version of the
Control Point Monitoring (CPM) portion of the application. The CPM acts
as the conduit from the AO to the Campus for assessment. IRS drafted
new Internal Revenue Manual (IRM) procedures to complement the CPM AO
Web processing, and is currently testing these procedures. IRS plans to
assess the results of the test and implement the IRM procedures as
appropriate. IRS continues to identify and submit Work Requests and
Information Technology Assets Management System tickets to enhance the
assessment process and provide for efficiencies in the CPM process.
These include but are not limited to the systemic generation of the
Form 5942, redefining the current inventory assignment system and
creating inventory and management reports;
Status per GAO: Open. To ensure quality, timeliness, and accuracy of
the TFRP process, the IRS initiated a quality review process that
focused on two primary areas, the first being consolidation of all TFRP
work to one campus. Consolidation of all SB/SE ATFR work to the Ogden
Campus was completed in September 2005. All W&I business unit TFRP work
was transferred to SB/SE Campuses as of January 2006. The second area
IRS undertook was the task of rewriting the ATFR area office user
component to provide system flexibility that better replicates the
realities of the current trust fund investigation/proposal process. IRS
continues to monitor the accuracy and effectiveness of the TFRP process
and all corrective actions already in place. According to IRS, it
completed consolidation of ATFR work at its Ogden Campus by September
2005. However, during our fiscal year 2007 audit, we continued to find
long delays in IRS's processing and posting of TFRP assessments. In one
case, we noted that IRS did not record the assessment against the
responsible officer until 4 years after it made the determination that
the officer was responsible for the TFRP. In another case, IRS did not
record the TFRP assessment against the officer until almost 3 years
after it made the determination that the officer was responsible for
the TFRP. Such delays in recording taxpayer information contribute to
errors in taxpayer records, which is a major component of our reported
material weakness in IRS's unpaid assessments. We will continue to
review IRS's corrective actions related to this issue as part of our
fiscal year 2008 audit.
ID no.: 99-22;
Recommendation: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls. (short-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Closed. All IRS field offices continue to provide
training and to perform reviews to strengthen controls over
remittances. The Large and Mid-sized Business (LMSB) requires each
field executive to certify that each group either had in its possession
or was able to obtain the stamp. LMSB obtained certifications from the
LMSB Industry Headquarter Offices that field groups are maintaining and
using the US Treasury stamps, and that they are covering these
procedures periodically in group meetings or through issuance of
memorandums. LMSB implemented a training module on July 28, 2006 on the
responsibilities and procedures for payment processing and check
handling. SB/SE collection group managers have been instructed to
periodically review remittance packages transmitted by revenue officers
and designated clerical employees using a random selection process. In
addition, territory managers review the group manager's control of
those reviews. SB/SE Headquarters will be addressing this in interviews
with territory managers as part of their operational reviews. Tax
Exempt and Government Entities (TE/GE) continues to perform reviews to
ensure adherence to the IRM procedures and to require managers to
confirm that each group either had in its possession or was able to
obtain the stamp;
Status per GAO: Open. The objective of this recommendation was to
create a mechanism for IRS to monitor the status of pervasive
weaknesses in controls over taxpayer receipts and information that we
have found at IRS's field offices over the years. The purpose of this
monitoring is to facilitate the timely detection and effective
resolution of issues and to verify the effectiveness of new and
existing policies and procedures on an ongoing basis. During our fiscal
year 2007 audit, we identified one instance at an SB/SE unit where
employees did not have access to stamps needed to overstamp improper
payee lines. Also, at five SB/SE field offices we found that there was
no system in place or evidence maintained to track acknowledged
document transmittals. Had IRS periodically reviewed the effectiveness
of these controls in field offices as we recommended, these issues
might have been detected and corrected. In addition, during our review
of IRS's response to this recommendation, we asked IRS to provide a
list and blank copies of the reviews that are performed within the
LMSB, SB/SE, and TE/GE business units that address key controls over (1)
physical security, (2) procedural safeguards, and (3) the transfer of
taxpayer receipts and information. While IRS provided extensive
explanations of the various procedures and reviews that are performed,
IRS did not provide copies of the reviews covering all three business
units for our evaluation to assess the adequacy and frequency of these
reviews. We will continue to assess IRS's actions during our fiscal
year 2008 audit.
ID no.: 99-25;
Recommendation: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes. (short-
term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Open. The IRS is continuing to develop CDDB. Each
release is providing more detail for unpaid assessments, and new
functionality will be added for revenue and refunds in fiscal year 2008
to reduce the reliance on master file extracts and ad hoc procedures.
The Chief Financial Officers (CFO) office has hired three additional
staff and is cross-training existing staff to perform more of the ad
hoc procedures to reduce the work on Modernization & Information
Technology Services for financial reporting purposes. IRS continues to
have contractor support to ensure that master file extracts and other
ad hoc procedures are in place to continually develop reliable balances
for financial reporting purposes while it finalizes CDDB and develops
the IRACS redesign to be a compliant general ledger;
Status per GAO: Open. We will continue to assess IRS's actions during
our fiscal year 2008 audit.
ID no.: 99-29;
Recommendation: Develop the data to support meaningful cost information
categories and cost-based performance measures. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Status per IRS: Open. IRS now has 3 complete years of fully allocated
cost data in the Integrated Financial System (IFS). The Statement of
Net Costs is now produced from the cost accounting module of IFS. IRS
also initiated a project in fiscal year 2007 to identify the issues
associated with developing a methodology for determining the costs of
performance measures within IRS;
Status per GAO: Open. We confirmed that IRS continued to improve its
cost accounting capability in fiscal year 2007. However, while the cost
accounting module of IFS successfully produced the Statement of Net
Costs, it still does not provide IRS with the ability to produce full
cost information for its performance measures. IRS states that it
initiated a strategy to develop cost data for performance measures. We
will continue to review and assess IRS's initiatives during our fiscal
year 2008 audit.
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Status per IRS: Closed. IRS continues to strengthen internal controls
and procedures to enhance its ability to account for P&E in IFS. P&E,
including capital leases, are recorded as assets when purchased. During
fiscal year 2007, IRS revised the dollar threshold for review of P&E
accounting transactions and conducted intensive reviews of the large-
dollar transactions, increasing the accuracy of P&E reporting. IRS also
improved its capability to capitalize assets or expense other items and
to properly account for Business System Modernization costs in internal
use software;
Status per GAO: Open. Our fiscal year 2007 P&E valuation testing
revealed problems with the linking of the purchase of assets recorded
in the general ledger system to the P&E inventory system, which
indicates that IRS's detailed P&E records do not yet fully reconcile to
the financial records. We will continue to monitor IRS's strategy in
addressing these financial management system issues.
ID no.: 01-04;
Recommendation: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, administrative support), as well as the expected
additional tax collections generated. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS has developed a workload delivery model that
integrates the work plans of each source of assessment to evaluate the
overall impact on downstream collection operations. IRS is continuing
to look at case delivery practices from an overall perspective and make
recommendations for changes to case routing and assignment priorities.
IRS is also monitoring the nonfiler strategy and work plans to improve
the identification of and selection of nonfiler cases to balance the
working of nonfiler inventory with balance-due inventory. Additionally,
IRS is continuing the project to enhance its decision analytical
models used for selecting cases based on their predicted collection
potential, in order to: apply decision analytics to both delinquent
accounts and unfiled returns; apply decision analytics to all categories
of taxpayers, not just small business/self-employed; expand the use of internal and
external data sources to increase the portion of cases predicted by the
models; ultimately develop alternative treatment strategies based on
the least costly treatment indicated by the models; and update
definitions for complex cases to improve routing to field collection;
Status per GAO: Open. According to IRS, SB/SE has initiated several
projects to build additional decision analytical models to increase its
ability to route cases to the appropriate resource. These projects
utilize more sophisticated computer modeling and risk assessment
techniques to improve the targeting of cases to pursue. The Collection
Governance Council was established to ensure the inventory is balanced
and resources are expended appropriately. IRS has estimated several
billion dollars in additional tax collections have been realized
through the use of the collection approach developed from the projects.
Although these efforts have helped IRS target cases for collection, its
ability to assess the relative merits of these efforts continues to be
hindered by its inability to reliably measure how much it collects as a
result of these efforts, relative to their associated costs. In
addition, these efforts are primarily focused on SB/SE, thus they do
not represent an integrated agencywide systemic approach to managing
the collection of unpaid taxes across the scope of IRS's activities.
IRS has made some improvements in prioritizing its inventory of
collection cases, but more needs to be done by IRS to address the full
range of cost-benefit considerations. We will continue to review IRS's
initiatives to manage resource allocation levels for its collection
efforts.
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS continues to address and correct issues that cause
late lien releases through a Lien Release Action Plan and by conducting
reviews as a part of A-123. In April 2007 IRS's review of lien releases
found it had improved the timely release of liens to 88 percent, a 19
percentage point increase from the 69 percent timeliness rate in fiscal
year 2006. IRS added new action items and corrective actions to address
new and repeat issues. IRS's goal is to reduce overall lien release
error rates to below 5 percent by September 30, 2009;
Status per GAO: Open. IRS has taken a number of actions over the past
several years to address this issue. IRS developed an action plan to
incorporate the requirements of the revised OMB Circular No. A-123. The
overall action addresses untimely lien releases, including
identification of causes and where they occur organizationally. For
example, IRS centralized all lien processing at its Cincinnati Service
Center Campus in 2005. Additionally, in July 2006, IRS enhanced various
lien-processing exception reports to include a cumulative listing of
unresolved lien releases, allowing it to more readily track the release
status and take corrective action. However, during our fiscal year 2007
audit, we continued to find delays in the release of liens. In its OMB
No. A-123 testing of lien releases, IRS found 7 instances out of 59
cases tested in which it did not release the applicable federal tax
lien within the statutory period. The time between the satisfaction of
the liability and release of the lien ranged from 35 days to 135 days.
Based on its sample, IRS estimated that for about 12 percent of unpaid
tax assessment cases in which it had filed a tax lien that were
resolved in fiscal year 2007, it did not release the lien within 30
days. IRS is 95 percent confident that the percentage of cases in which
the lien was not released within 30 days does not exceed 21 percent.
IRS's ineffective controls over this area result in its noncompliance
with Internal Revenue Code section 6325, which requires IRS to release
its tax liens within 30 days of the date the related tax liability was
fully satisfied, had become legally unenforceable, or the Secretary of
the Treasury has accepted a bond for the assessed tax. We will continue
to assess the effect of IRS's actions and continue to review IRS's
testing of tax lien releases as part of our fiscal year 2008 audit.
ID no.: 01-12;
Recommendation: For (1) IRS's Automated Underreporter (AUR) and
Combined Annual Wage Reporting (CAWR) programs, (2) screening and
examination of Earned Income Tax Credit claims, and (3) identifying and
collecting previously disbursed improper refunds, use the best
available information to develop reliable cost-benefit data to estimate
the tax revenue collected by, and the amount of improper refunds
returned to, IRS for each dollar spent pursuing these outstanding
amounts. These data would include (1) an estimate of the full cost
incurred by IRS in performing each of these efforts, including the
salaries and benefits of all staff involved, as well as any related
nonpersonnel costs, such as supplies and utilities and (2) the actual
amount (a) collected on tax amounts assessed and (b) recovered on
improper refunds disbursed. (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS has taken steps to screen and examine Earned Income
Tax Credit (EITC) claims and to address the collection of AUR and CAWR
as part of the workload delivery model. For EITC, IRS is pursuing
estimating the full cost of these programs, and in the interim IRS is
using information such as annual error rate estimates and high-level
return on investment (ROI) computations for EITC base compliance
activities and initiatives to make sound decisions about resource
investments. IRS employs a ROI estimate for compliance activities that
uses labor costs associated with protecting revenue for both pre-refund
and post-refund activities. Since labor represents approximately 73
percent of the total IRS budget (2007) and 91 percent of the EITC
budget, ROI calculations using labor costs provide valid cost/benefit
data which are used, along with other data and program considerations,
to make sound program decisions. The IRS released two reports that
include ROI discussions and it is in the process of finalizing a
summary report on the 3-year test to assess investments in a
certification requirement versus other potential compliance
investments. SB/SE is monitoring the nonfiler strategy and work plans
to improve the identification of and selection of nonfiler cases to
balance the working of nonfiler inventory with balance-due inventory.
SB/SE continues to review this model to ultimately develop alternative
treatment strategies based on the least costly treatment indicated by
the models. The CFO also initiated a cost pilot during fiscal year 2007
to determine the costs of several performance measures within AUR, and
will share this information at the conclusion of the cost pilot;
Status per GAO: Open. In fiscal year 2008, we will continue to follow
up on IRS's progress on the various initiatives taken as well as IRS's
progress in estimating the full cost of these programs.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur;
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Closed. IRS continues to strengthen internal controls and
procedures to enhance its ability to account for P&E in IFS. P&E,
including capital leases, are recorded as assets when purchased. During
fiscal year 2007, IRS revised the dollar threshold for review of P&E
accounting transactions and conducted intensive reviews of the large-
dollar transactions, increasing the accuracy of P&E reporting. IRS also
improved its capability to capitalize assets or expense other items and
to properly account for Business System Modernization costs in internal
use software. Currently, IRS does not have a subsidiary ledger for
leasehold improvements. A subsidiary ledger requires an enhancement to
IFS. Funding for enhancements was denied for fiscal years 2007, 2008
and 2009. Depending on the amount of any future funding and
prioritization of enhancements, it is not known when or if IRS can
accomplish what was originally agreed to. Considering the age of this
report and the long-term unknowns, IRS considers this action closed
until further follow-up is required;
Status per GAO: Open. IRS implemented the first release of IFS on
November 10, 2004, which allowed recording leasehold improvements as
assets when purchased. A subsidiary ledger for leasehold improvements
has not been developed. According to IRS, it lacks the funding to make
the enhancements to IFS that are needed to develop a subsidiary ledger
for leasehold improvements. Until it determines the amount of its
future funding and prioritization of IFS enhancements, IRS will remain
unsure of any additional actions it will take to accomplish this
recommendation. We will continue to evaluate IRS's efforts to enhance
its ability to account for P&E assets, including leasehold
improvements.
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Source report: Management Letter: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-01-880R, July 30,
2001);
Status per IRS: Closed. The CFO implemented IFS on November 10, 2004
which included a cost module. The cost module currently has 3 years of
data which provide managers with basic cost data for decision making in
relation to their activities. IRS continues to improve the allocation
methodology so that it can determine the detail behind the allocated
costs;
Status per GAO: Open. We confirmed that IRS has procedures for costing
reimbursable agreements that provide the basic framework for the
accumulation of both direct and indirect costs at the necessary level
of detail. IRS has improved its methodology for allocating its costs of
operations to its business units. However, further actions are needed
for it to accumulate and report actual costs associated with specific
reimbursable projects. We will continue to monitor IRS's efforts to
fully implement its cost accounting system and, once it has been fully
implemented, evaluate the effectiveness of IRS's procedures for
developing cost information for its reimbursable agreements.
ID no.: 02-08;
Recommendation: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Status per IRS: Open. IRS is exploring other system-based ways of
capturing both time and costs associated with its projects and
activities and does not anticipate implementing the requirement for
employees to itemize their time in the near future;
Status per GAO: Open. IRS states that it is exploring other system-
based ways of capturing both time and costs associated with its
projects and activities and does not anticipate implementing the
requirement for employees to itemize their time in the near future. We
will continue to monitor IRS's efforts to fully implement its cost
accounting system. Once it has been fully implemented, we will evaluate
the effectiveness of IRS's procedures for developing cost information
to use in resource allocation decisions, which is the underlying basis
for our making this recommendation.
ID no.: 02-09;
Recommendation: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Status per IRS: Closed. IRS now allocates all costs, both personnel and
nonpersonnel, to the major program areas described in the Statement of
Net Costs on a monthly basis;
Status per GAO: Open. We confirmed that IRS has improved its cost
accounting capabilities by developing and implementing procedures for
allocating its costs of operations to its business units and to the
cost categories in its Statement of Net Cost on a monthly basis.
However, the cost categories on the Statement of Net Cost are at a
higher level than specific programs and activities. Therefore, further
actions are still needed to enable IRS to allocate nonpersonnel costs
to the detailed level of specific programs and activities. We will
continue to monitor IRS's efforts to fully implement its cost
accounting system and, once it has been fully implemented, evaluate the
effectiveness of IRS procedures for developing cost information for
specific programs and activities to use in resource allocation
decisions.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Open. During fiscal year 2007, IRS conducted
Operational Reviews of its W&I Field Assistance area groups. These
reviews included compliance with this recommendation. While groups were
generally in compliance, IRS recognized the need for additional
training. Field Assistance is conducting Filing Season Readiness
training for Managers in fiscal year 2008 that includes remittance and
security training. The fiscal year 2008 performance commitments address
remittance security and shared responsibility for operational reviews.
Operational reviews at all levels will be conducted during fiscal year
2008 to ensure consistency;
Status per GAO: Open. During our fiscal year 2007 audit, we visited 10
TACs and identified weaknesses over the payment processing and TAC
managerial reviews that would address this recommendation at all 10
locations. We will review IRS's additional planned corrective actions
during our fiscal year 2008 audit.
ID no.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Closed. SETS data are reviewed on a bi-weekly basis to
detect and correct errors. Monitoring SETS falls across a broad group
of Chief Human Capital and Agency-Wide Shared Services (AWSS) staff.
IRS provided guidance in November 2007 to all involved staff reminding
them to monitor SETS systemic issues and immediately elevate those
issues for NFC correction. Until a SETS replacement is developed,
continuous monitoring will occur;
Status per GAO: Open. During our fiscal year 2007 audit, we continued
to identify technical limitations and weaknesses with the SETS
database. Specifically, during our analysis of the SETS data, we found
multiple instances where (1) employees entered on duty either prior to
the Office of Personnel Management completing their fingerprint check,
IRS receiving their fingerprint check results, or both and (2)
employees entered on duty with expired fingerprint check results (over
180 days old). The guidance provided to staff in November 2007 was
subsequent to the completion of our fiscal year 2007 audit. We will
evaluate IRS's additional corrective actions during our fiscal year
2008 audit.
ID no.: 04-03;
Recommendation: Develop procedures to require lockbox managers to
provide satisfactory evidence that managerial reviews are performed in
accordance with established guidelines. At a minimum, reviewers should
sign and date the reviewed documents and provide any comments that may
be appropriate in the event that their reviews identified problems or
raised questions. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004);
Status per IRS: Closed. IRS continues to conduct on-site reviews
looking at logs for desk and work area, date stamp, cash, candling,
shred, and mail. IRS uses the data collection instrument (DCI) entitled
"Processing-Internal Controls" and uses the results of these reviews to
roll them into a calculation to determine each bank's score in the new
bank performance measurement process. In addition, lockbox personnel
are required to perform similar reviews monthly and report results to
the lockbox field coordinators. The report must contain the date of
review, shifts reviewed, results of the review (even when no items are
found) and include a reviewer and site manager's initials; a signature
as required by the Lockbox Processing Guidelines (LPG); or both.
Additional reviews are performed on the monthly F9535/Discovered
Remittance, candling log, disk checks/audits, and shred reports
received from the lockbox site by the lockbox field coordinators;
Status per GAO: Closed. We verified that IRS established and
implemented Processing Internal Controls and Physical Security DCIs.
These DCIs are used to assess the required managerial reviews that are
performed at each lockbox bank.
ID no.: 04-08;
Recommendation: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms;
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004);
Status per IRS: Closed. IRS continues to perform monthly unannounced
testing of guard response to alarms, and documentation from these
reviews is maintained at each service center campus. Roll-up
documentation from Physical Security Area managers is provided to the
Program, Planning, and Policy Office (PPPO) for reports to higher-level
management. PPPO also conducts random unannounced spot checks when
on-site at campuses and computing centers;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at two of five SCCs we visited in which security guards did
not respond properly to alarms. We will evaluate IRS's corrective
actions during our fiscal year 2008 audit.
ID no.: 05-11;
Recommendation: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at service center campuses selected for
significant reductions in their submission processing functions.
(short-term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar 10, 2005);
Status per IRS: Closed. Accounts Management is enforcing adherence to
existing instructions for securing access to restricted areas through
trained security monitors at consolidated sites. These clerks receive
training annually, as well as periodic briefings, on the issuance and
inventory of badges and the security of taxpayer information and
receipts. Candling procedures are reinforced through training and team
meetings. Local management ensures that correct procedures are followed
when reviewing equipment and candling logs;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at one SCC we visited with reduced submission processing
functions where (1) neither the door monitor nor the payment processing
supervisor in the receipt and control area inspected visitors'
belongings when they exited the restricted area and (2) the inside
envelope of the 3210 transmittal package did not contain a statement
indicating that the information inside is for limited official use. We
will continue to assess IRS's actions during our fiscal year 2008
audit.
ID no.: 05-12;
Recommendation: Document a methodology for estimating anticipated rapid
changes in mail volume at future SCCs selected for significant
reductions in their submission processing functions, taking into
consideration factors such as the prior rampdown experience at
Brookhaven. (short-term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar 10, 2005);
Status per IRS: Closed. IRS has developed and implemented a methodology
for estimating mail volumes and resource requirements for use in future
submission processing consolidations. IRS used the prior campus
consolidation experiences from both Brookhaven and Memphis in its
projections for the Philadelphia Campus Support Department;
Status per GAO: Closed. During our fiscal year 2007 audit, IRS W&I
staff provided us with a methodology and estimation for anticipated
rapid changes in mail volume at future SCCs selected for significant
reductions in their submission processing functions.
ID no.: 05-13;
Recommendation: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. PPPO issued notification in February 2007
reminding Physical Security area directors that required documentation
from contracting officers' technical representatives is needed to
support the issuance of identification media before granting staff-like
access to contractors, and that all forms must remain on file. The
Audit Management Checklist is also used to ensure that proper
documentation is received and filed. All IRMs have been updated and
renumbered. IRM 10.2.5 Identification Card specifies that Form 5519,
13716-A or similar identification request form (13760), and the interim
or final background investigation letter must be retained and filed in
the identification media file on each contractor for the life of the
identification card;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
four contractors at one of five SCCs we visited who were granted
staff-like access before background investigations had been completed. Also,
we obtained and reviewed SCC contractor background investigation data
from all 10 SCCs and found that 3 SCCs permitted five contractors
staff-like access before their background investigations had been completed.
In addition, IRM series 10.2 mentioned in IRS's response to this
recommendation is currently in draft, under review, and waiting to be
finalized. We will evaluate IRS's corrective actions during our fiscal
year 2008 audit.
ID no.: 05-14;
Recommendation: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. PPPO issued notification in February 2007
reminding Physical Security area directors that documentation from the
contracting officer's technical representative is needed to support the
issuance of identification media before granting staff-like access to
contractors, and that all forms remain on file. The Audit Management
Checklist is also used to ensure that proper documentation is received
and filed. All IRMs have been updated and renumbered. IRM 10.2.5
Identification Card specifies that Form 5519, 13716-A or similar
identification request form (13760), and the interim or final
background investigation letter must be retained and filed in the
identification media file on each contractor for the life of the
identification card;
Status per GAO: Open. As of the time of our audit, the IRM 10.2 series
was in draft, under review, and waiting to be finalized. We will
monitor its final implementation and continue to evaluate IRS's
policies and procedures related to background investigations for
contractors during our fiscal year 2008 audit.
ID no.: 05-22;
Recommendation: Provide a written reminder to courier contractors of
the need to adhere to all courier service procedures. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. Submission Processing issued an annual reminder
memorandum to the courier contractors on February 27, 2007.
Additionally, the lockbox banks security team verified that all lockbox
bank sites issued an annual reminder memorandum to courier contractors
reminding them to adhere to all courier service procedures in the
Lockbox Security Guidelines (LSG);
Status per GAO: Closed. We verified that reminder memorandums were
issued to the SCC and lockbox bank couriers.
ID no.: 05-23;
Recommendation: Periodically verify that contractors entrusted with
taxpayer receipts and information off site adhere to IRS procedures.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. Submission Processing revised the LSG 2.5
during 2007 to provide for periodic verification that couriers adhere
to IRS policy while transporting taxpayer receipts and information. In
IRS's campuses, IRS ensures couriers sign, date, and note the time of
pickup on Form 10160, Receipt for Transport of IRS Deposit. When the
couriers drop off the deposit, IRS ensures Form 10160 is date and time
stamped. Each campus reviews the form and notes any time discrepancies.
Couriers are questioned if discrepancies are found and the information
is noted in the Courier Incident Log. If inconsistencies are noted, the
centers use their discretion to determine whether it is necessary to
trail the couriers;
Status per GAO: Closed. We verified that IRS revised its LSG to include
provisions for periodic verification that couriers adhere to IRS
procedures for transporting taxpayer receipts and information. We also
noted that procedures were established at the campuses involving the
review of the returned Form 10160.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Open. SB/SE revised IRM 5.1.2, 1.4.50, 4.20.3, and
4.20.4 to address this recommendation. The Director, Examination sent a
memorandum to all Examination area directors on October 17, 2006
reminding them of the payment processes outlined in IRM 5.1.2, and
requiring periodic reviews of payment processing procedures during
their group operational reviews. Although SB/SE believes its current
field payment processing procedures sufficiently address segregation
of duties, it is currently conducting a risk assessment to identify
potential weaknesses;
Status per GAO: Open. The status information provided by IRS did not
clearly address segregation of duties within the SB/SE business units.
When we issued this recommendation, we noted that (1) individuals
responsible for preparing payment posting vouchers were the same
individuals who recorded the information from those vouchers on the
document transmittal and mailed those forms to the IRS service center
and (2) there was no independent review or reconciliation of documents
or payments before they were mailed by their preparer. During our
recent visits to selected SB/SE units in March 2008, we found that this
condition continued to exist. Duties involving the preparation of
payment posting vouchers, document transmittal forms, and transmittal
packages were not segregated. Employees informed us that there was no
related requirement in the IRM.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Open. W&I Field Assistance has taken a number of
actions to emphasize the requirement for including a document
transmittal form listing the Daily Report of Collection Activity forms
in transmittal packages, and ensuring that they are reconciled and
reviewed by the secretary, initial assistant representative, or manager
in offices where these positions are located. Territory managers review
and discuss the monthly Trends and Patterns reports with the group
manager. Results of the reviews are forwarded to the area director.
Operational reviews at all levels will be conducted annually to ensure
that field offices comply with the requirement to prepare Form 3210,
which lists all Forms 795 being shipped to the Submission Processing
Center. Beginning in March 2008, Collection began annual reviews of a
sample of groups in each area to ensure the reviews described in IRM
1.4.50 are taking place. The results of the headquarters review will be
documented in the area operational review. SB/SE is currently reviewing
the language in IRM 1.4.50, Collection Group Manager, Territory Manager
and Area Director Operational Aid to determine if clarification is
needed;
Status per GAO: Open. During our visits to several SB/SE business
units, we found that a document transmittal form was not being used to
transmit multiple Daily Report of Collection Activity forms to the
respective service center campus. We will continue to assess IRS's
actions during our fiscal year 2008 audit.
ID no.: 05-36;
Recommendation: Assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved
Automated Under Reporter (AUR) discrepancies, including placement of a
freeze or hold on all such accounts, until the AUR review has been
completed. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. The procedures to prevent the generation or
disbursement of refunds associated with AUR accounts are in place and
included in IRM 3.8.45. Employees are required to conduct Integrated
Data Retrieval System (IDRS) research after receiving an unidentified
remittance to determine if there is an open account that allows for
posting of the remittance. Submission Processing issued a Hot Topic on
January 25, 2007, which added procedures to IRM 3.17.10 to check for
cases that can be identified as an AUR payment and research IDRS for
CP2000 Indicators: TC 922, "F" Freeze Code, and campus under reporter
programs;
Status per GAO: Closed. We confirmed that IRS updated IRM 3.8.45 and
IRM 3.17.10 to include the requirement that employees conduct IDRS
research after receiving unidentified remittances.
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. IRS issued its annual memorandum in August 2007
and received the annual list of authorized signatures by October 31,
2007, per IRM 3.17.79.3.5(4)(d). Submission Processing completed a
sample review as part of the Monthly Security Review Checklist per
3.17.79.3.5(3), and completed a 100 percent review of the new annual
list in November 2007;
Status per GAO: Open. During our fiscal year 2007 audit, we continued
to find that the documentation requirements on memorandums, which are
submitted to the manual refund units listing officials authorized to
approve manual refunds, were incomplete. The annual memorandums issued,
the annual list of authorized signatures, and the reviews performed
noted in IRS's response to this recommendation were subsequent to our
fieldwork. We will follow up on IRS's efforts to improve the
documentation requirements during our fiscal year 2008 audit.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. IRS issued guidance on enforcing requirements
for monitoring accounts and reviewing monitoring of accounts via Hot
Topics on April 30, 2007 and again on July 13, 2007. Department
managers provided subordinate managers and the employees refresher
training using IRM 21.4.4 and 3.17.79 as reference materials to
reinforce the monitoring requirements. Accounts Management completed
refresher training at all campuses from January through May 2007. SB/SE
Campus Compliance Services (CCS) continues to stress the importance of
following all IRM procedures for the manual refunds. To ensure that the
campuses continue to comply with all IRM provisions for manual refunds,
the CCS directors are covering this topic in both filing & payment
compliance and campus reporting compliance operations during their
fiscal year 2008 campus reviews. The Taxpayer Advocate Service (TAS)
has specific IRM requirements and controls for all employees and
managers to monitor the posting of manual refunds to prevent duplicate
refunds, and to document in the Taxpayer Advocate Management
Information System (TAMIS) that all actions were completed. TAS also
updated its manual refund training on March 12, 2007, re-emphasizing
the requirement to monitor manual refunds to prevent duplicate refunds;
Status per GAO: Open. We verified that IRS issued the Hot Topics, which
included providing managers and the employees training to reinforce
monitoring requirements. However, during our fiscal year 2007 audit, we
continued to find instances where the manual refund initiators, leads,
or both did not monitor accounts to prevent duplicate refunds. We also
found that some of the supervisors did not review the initiators' or
leads' work to ensure that the monitoring of accounts was performed. We
will continue to review IRS's monitoring and review efforts during our
fiscal year 2008 audit.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring actions
and supervisory review for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. Submission Processing (SP) issued guidance on
enforcing requirements for monitoring accounts and reviewing monitoring
of accounts via Hot Topics on April 30, 2007 and again on July 13,
2007. Department managers provided subordinate managers and the
employees refresher training using IRM 21.4.4 and 3.17.79 as reference
materials to reinforce the monitoring requirements. Accounts Management
completed refresher training at all campuses from January through May
2007. IRS continues to use the Manual Refund Check Sheet and monthly
security reviews to ensure compliance with IRM requirements, and these
reviews are forwarded monthly to SP headquarters for consolidation and
review by headquarters analysts and management. The SB/SE Campus
Compliance Services continues to stress the importance of following all
IRM procedures for the manual refunds. To ensure that the campuses
continue to comply with all IRM provisions for manual refunds, the CCS
directors are covering this topic in both filing & payment compliance
and campus reporting compliance operations during their fiscal year
2008 campus reviews. The TAS has specific IRM requirements and controls
for all employees and managers to monitor the posting of manual refunds
until posted to prevent duplicate refunds, and to document in TAMIS
that all actions were completed. TAS also updated its manual refund
training on March 12, 2007, re-emphasizing the requirement to monitor
manual refunds to prevent duplicate refunds;
Status per GAO: Open. We verified that IRS issued the Hot Topics, which
included providing managers and employees training to reinforce the
monitoring requirements. However, during our fiscal year 2007 audit, we
continued to find instances where the requirements for documenting
monitoring actions and documenting supervisory review were not
enforced. We will continue to review IRS's monitoring and review
efforts during our fiscal year 2008 audit.
ID no.: 05-40;
Recommendation: Enforce the requirement that command code profiles be
reviewed at least once annually. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. IRS issued a Hot Topic on January 10, 2007 and
again on March 30, 2007 as a reminder to ensure adherence to the
existing process of enforcing the requirement that command code
profiles be reviewed at least once annually. The Manual Refund Unit has
included a signed and dated copy of the Command Code: RSTRK input
(action performed through the use of IDRS) in the file with the
authorization memorandums to verify compliance with IRM 3.17.79.1.7.
The Monthly Security Review Checklist was updated to add this review;
Status per GAO: Closed. During our fiscal year 2007 audit, we found
that the requirements that command code profiles be reviewed at least
once annually were enforced.
ID no.: 05-41;
Recommendation: Specify in the IRM that staff members are not to review
their own command code profiles. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. IRS updated IRM 10.8.34 IDRS Security Handbook
replacing the IDRS Security Law Enforcement Manual (LEM) 25.10.3.
Section 10.8.34.5.3.1 (3) - (6) prohibits managers from being in the
same IDRS unit as the employees they review. Section 10.8.34.8.2.2.5
(2) (f) requires managers to review reports monthly to ensure profiles
have appropriate restrictions. Section 10.8.34.8.2.2.5 (2) (m)
prohibits employees from reviewing their own profile or any other
report data pertaining to themselves. IRS also updated the IDRS section
of the annual FMFIA Self-Assessment Tool for Managers with item 4.50
requiring the quarterly review of IDRS user profiles in accordance with
the IRM, and item 4.52 requiring managers to indicate that they
completed a review of IDRS security reports and appropriate action has
been taken to correct weaknesses;
Status per GAO: Closed. During our fiscal year 2007 audit, we found no
instances of staff members reviewing their own command codes. We
verified that IRS has updated IRM 10.8.34 IDRS Security Handbook, which
has replaced IDRS Security LEM 25.10.3. We also verified that section
10.8.34.5.3.1 (3) - (6) prohibits managers from being in the same IDRS
unit as the employees they oversee; section 10.8.34.8.2.2.5 (2) (f)
requires managers to review reports monthly to ensure that profiles
have appropriate restrictions; and section 10.8.34.8.2.2.5 (2) (m)
prohibits employees from reviewing their own profile or any other
report data pertaining to themselves.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit
managers or supervisors document their review of all forms used to
record and transmit returned refund checks prior to sending them for
final processing. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. W&I's Accounts Management will confirm during the
site operational reviews that managers are performing a follow-up and
documentation acknowledgement of receipt of Form 3210. This item will
be monitored during the fiscal year 2008 quarterly reviews. During
fiscal year 2007, IRS completed conference calls prior to each
directorate's filing season readiness (FSR) certification, and will
continue to provide directions during the fiscal year 2008 FSR
conference calls to enforce management controls to complete, review,
approve, and follow up on receipt of Forms 3210 in Accounts Management;
Status per GAO: Open. We will continue to evaluate IRS's corrective
actions during our fiscal year 2008 audit.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. LMSB has issued procedures to the field on the
responsibilities for using receipt transmittals. LMSB employees are
reminded annually through executive memorandum of Form 3210 procedures
and responsibilities. LMSB has also issued memos to the field to remind
and reinforce the use of Form 3210 and establishment of a follow-up
system for unacknowledged 3210s. A Closing Checklist for LMSB Cases
which includes Form 3210 requirement reminders was created to assist
LMSB employees when transmitting cases. LMSB Technical training has
certified that Form 3210 procedures and responsibilities are included
in revenue agent training materials. LMSB Human Capital Office has
included the requirement that Industry Territory Managers review Form
3210 utilization and follow-up procedures during operational reviews in
a memorandum dated December 13, 2006. IRMs 21.3.4.7 and 1.4.11.19.1
were revised during 2007 to provide procedures for requiring TACs to
follow-up with SP centers when acknowledgments are not received within
10 days. Similarly, W&I Accounts Management revised IRMs 21.5.4.2 and
1.4.16 for this requirement. W&I Field Assistance will conduct
operational reviews during and after filing season to monitor
compliance, and is currently enhancing the existing TAC Security and
Remittance Review Database to provide more comprehensive and
quantitative data for analysis. Reviews conducted during 2007 showed
that offices transmitting receipts have a system to track acknowledged
copies of document transmittals. Planned reviews will enforce existing
requirements for both organizations;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at one SCC and four TACs where there was no system in place
or evidence maintained to track acknowledged document transmittals. We
will continue to evaluate IRS's corrective actions during our fiscal
year 2008 audit.
ID no.: 06-03;
Recommendation: Provide instructions to document the follow-up
procedures performed in those cases where transmittals have not been
timely acknowledged. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. LMSB has issued procedures to the field on the
responsibilities for using receipt transmittals. LMSB employees are
reminded annually through executive memorandum of Form 3210 procedures
and responsibilities. LMSB has also issued memos to the field to remind
and reinforce the use of Form 3210 and establishment of a follow-up
system for unacknowledged 3210s. A closing checklist for LMSB cases was
created to assist LMSB employees when transmitting cases. LMSB
technical training has certified that Form 3210 procedures and
responsibilities are included in revenue agent training materials. LMSB
Human Capital Office has included the requirement that Industry
Territory Managers review Form 3210 utilization and follow-up
procedures during operational reviews in a memorandum dated December
13, 2006. IRMs 21.3.4.7 and 1.4.11.19.1 were revised to provide
procedures for requiring TACs to follow-up with SP centers when
acknowledgments are not received within 10 days. IRM 1.4.11.19.1
Maintaining Form 795/795A Centralized Files provides instruction to
document follow-up of unacknowledged document transmittals. To help
reinforce the importance of the follow-up, managers are required to
attend classroom training. New and acting managers attended "Managing a
TAC" training in 2007, and all managers attend a filing season
readiness workshop. W&I Accounts Management revised IRMs 21.5.4.2 and
1.4.16 for this requirement. Planned reviews will enforce existing
requirements;
Status per GAO: Closed. During our fiscal year 2007 audit, we verified
that the IRM includes procedures for LMSB and TE/GE units to follow up
with the destination sites if remittance transmittals are not returned
within 10 days or if all remittances were not marked with a distinctive
checkmark. Also, we verified that the IRM contains Field Assistance
(TAC) procedures for monitoring document transmittal acknowledgments.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. LMSB has issued procedures to the field on the
responsibilities for using receipt transmittals. LMSB employees are
reminded annually through executive memorandum of Form 3210 procedures
and responsibilities. LMSB has also issued memos to the field to remind
and reinforce the use of Form 3210 and establishment of a follow-up
system for unacknowledged 3210s. A closing checklist for LMSB cases was
created to assist LMSB employees when transmitting cases. LMSB
technical training has certified that Form 3210 procedures and
responsibilities are included in revenue agent training materials. LMSB
Human Capital Office has included the requirement that Industry
Territory Managers review Form 3210 utilization and follow-up
procedures during operational reviews in a memorandum dated December
13, 2006. IRM 1.4.11.19.5 Field Assistance Manager Review outlines
instructions for managers to perform a minimum of two reviews per
quarter per employee for payment processing and reconciliation
procedures that include 3210 and 795 segregation of duties. A
certification template has been created and placed in the IRM 1.4.11-10
for managers to confirm the review being conducted. To help reinforce
the importance of the follow-up, managers are required to attend
classroom training. New and acting managers attended "Managing a TAC"
training in 2007 and all managers will attend a Filing Season Readiness
Workshop. During the training the requirement to conduct reviews and
document results will be emphasized. W&I Accounts Management revised
IRMs 21.5.4.2 and 1.4.16 for this requirement;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at seven TACs where there was no evidence of managerial
review of document transmittals and one instance at one of five SCCs we
visited in which one Refund Inquiry Unit manager did not document his
review of the document transmittals. We will continue to evaluate IRS's
corrective actions during our fiscal year 2008 audit.
ID no.: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers (TACs) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers such as locked doors marked with signs
barring entrance by unescorted customers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. W&I Field Assistance (FA) and AWSS are currently
implementing plans to correct security and control access issues in
TACs. Field Assistance identified 120 locations and AWSS completed a
detailed analysis on each one. Most locations were identified as space
and design issues that require implementation of the TAC Model Design.
For locations that were not space and design issues, AWSS provided the
funding and implemented corrective actions. Most of the security and
control access issues affect small TACs. FA and AWSS have developed a
strategic TAC Model implementation plan and the new "Mini TAC Model
Design" to correct security and control access issues in the remaining
offices;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at two TACs where the controlled area was not equipped with
physical security controls adequate to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units.
We will continue to evaluate IRS's corrective actions during our fiscal
year 2008 audit.
ID no.: 06-07;
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently on-site. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. Effective November 27, 2007, FA managers are no
longer required to document visits to outlying TACs by using a
checklist. Instead, new processes were implemented that will better
gauge managers' adherence to remittance and physical security internal
controls. The new process includes the following: (1) A performance
commitment for each level of FA management (director, area director,
territory manager (TM), and TAC manager). The commitment requires
managers to conduct and document reviews to ensure protection of data
and equipment and ensure compliance with remittance and security
procedures. (2) Implementation of a tiered operational review approach.
This will allow FA to determine if TAC managers are performing required
reviews, conducting periodic visits, and focusing on actions that
mitigate control weaknesses. Headquarters (HQ) reviews focus on the
Area Offices, Area Office operational reviews focus on TMs, and TM
reviews focus on each TAC manager. (3) TAC managers and TMs using DCIs
to conduct physical security and remittance reviews. (4) TAC managers
inputting review results into the TAC Security and Remittance Review
Database. Database information will be analyzed at the headquarters
level to identify top issues needing attention and to develop
corrective actions;
Status per GAO: Open. IRS no longer requires TAC managers to document
their visits to outlying TACs by using a checklist but has implemented
new procedures involving FA managers at all levels to ensure that
periodic reviews are performed and centrally documented. However, these
changes occurred subsequent to our fiscal year 2007 audit. We will
assess, during our fiscal year 2008 audit, whether the new procedures
will effectively mitigate the risks that the previous recommendation of
documenting supervisory visits was originally designed to address.
ID no.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at service center campuses (SCC) and lockbox
banks record all instances involving the activation of intrusion alarms
regardless of the circumstances that may have caused the activation.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. In January 2006, the lockbox bank LSG 2.2.3.1.5
(6) was revised to add the requirement that banks maintain a logbook of
incident reports and any applicable supporting documentation, and note
corrective follow-up actions taken on each incident. IRS reinforced the
requirement to maintain a logbook in sequential date order in the 2007
LSG. For SCCs, the requirement for all activations of alarms to be
logged in security console logs has been on the Audit Management
Checklist since June 2006. Interim IRM 1.16.12A Security Guard Service
and Explosive Detection Dogs, issued in November 2006, states the
requirement for the guard console blotter/event log to be annotated to
record and document the guard force response to each alarm activation
exercise. Draft IRM 10.2.14 Methods of Providing Protection (awaiting
finalization) states, "A record of all instances involving the
activation of any alarm regardless of the circumstances that may have
caused the activation, must be documented in a Daily Activity Report/Event
Log, or other log book and maintained for two-years." The IRM
1.16 series is being changed to 10.2;
Status per GAO: Open. As of the time of our audit, the IRM changes were
in draft, under review, and waiting to be finalized. During our fiscal
year 2007 audit, we identified three instances at one of four lockbox
banks we visited in which the activation of intrusion alarms was not
recorded by security guards. We will continue to evaluate IRS's
corrective actions during our fiscal year 2008 audit.
ID no.: 06-09;
Recommendation: Reemphasize the need for the security guards at all
TACs to ensure that key posts of duty, such as entrances to facilities,
are not left unattended. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. W&I issued a memorandum on April 5, 2007, to
address this issue. Additionally, a letter was issued to the Director,
Security and Law Enforcement of Homeland Security, to ensure that
security officers are aware of their duties and responsibilities at key
posts of duty;
Status per GAO: Closed. We did not identify any instances where key
posts of duty were left unattended by security guards during our fiscal
year 2007 audit.
ID no.: 06-11;
Recommendation: Refine the scope and nature of its periodic reviews of
candling processes at SCCs to ensure they (1) encompass tests of
whether envelopes are properly candled through observation of candling
in process and inquiry of employees who perform initial and final
candling and (2) document the nature and scope of the test and
observation results. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. IRS continues to use the Security Review Check
List to document the effectiveness of the initial and final candling
process, and to talk to employees who perform initial and final
candling as part of the monthly campus and national office security
reviews;
Status per GAO: Closed. We verified that IRS revised its Security
Review Checklist to document, through observation, the effectiveness of
the initial and final candling process. During our fiscal year 2007
audit, we non-statistically selected and reviewed several campus
security review reports and found no instances where the reports did
not document the number of employees who were questioned about their
knowledge of candling procedures and the responses received from the
employees.
ID no.: 06-14;
Recommendation: Refine the scope and nature of its periodic security
reviews to encompass (1) testing the effectiveness of controls intended
to ensure that only individuals with proper credentials are permitted
access to SCCs and lockbox banks, and (2) reviewing the integrity of
perimeter security at SCCs. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. As of January 1, 2007, IRS revised LSG section
2.2.3.1(6) k to restrict access of all delivery personnel. The IRS
Lockbox Security Review Team observed the lockbox site's process of
delivery personnel while on-site to ensure compliance with the LSG
requirement. In addition, section 2.2.2.13.1 (CCTV Cameras) (2)g of the
LSG was revised to add that cameras must capture images of all persons
entering and exiting perimeter doors and other critical ingress/egress
points, including but not limited to the computer room and closets
containing main utility feeds. AWSS continues to complete compliance
reviews, risk assessments, and quarterly audit management checklist
reviews. Since April 2006, the service center campuses have been
providing quarterly verification that all guards have been reminded to
inspect and scrutinize all badges of personnel accessing IRS
facilities. During the past year, IRS has accessed closed-circuit
television (CCTV) capabilities and is currently taking corrective
actions to allow the unobstructed surveillance of campus fence lines
and the facility perimeters;
Status per GAO: Closed. We verified that IRS refined the scope and
nature of its periodic security reviews by (1) performing periodic
tests of whether lockbox personnel are only allowing authorized
individuals to access the facility and verifying that CCTVs are
capturing key areas and (2) conducting quarterly assessments of the
integrity of perimeter access controls.
ID no.: 06-15;
Recommendation: Revise the physical security procedures in the Internal
Revenue Manual (IRM) to require that all SCCs and any respective annex
facilities processing taxpayer receipts and/or information perform and
document monthly tests of the facility's intrusion detection alarms. At
a minimum, these procedures should (1) outline the type of test to be
conducted, (2) include criteria for assessing whether the controls used
to respond to the alarm were effective, and (3) require that a logbook
be maintained to document the test dates, results, and response
information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. IRM 1.16.12 was revised and documents the
requirements to test, document, report and follow-up on service center
campus intrusion detection alarms. Physical Security area directors
began implementing the new procedures in January 2007. Test results are
rolled-up to PPPO for quarterly reports for upper management;
Status per GAO: Open. IRS officials informed us that the IRM section is
in draft and currently in the review stage. We will follow up on the
finalization of this IRM and continue to assess IRS's actions during
our fiscal year 2008 audit.
ID no.: 06-21;
Recommendation: Generate aging reports when an asset remains in pending
disposal status for longer than a specified period of time. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. This recommendation remains closed, as IRS
reported in fiscal year 2006. AWSS reports that the re-engineered
process is working as intended. Aging record reports are monitored
monthly, and AWSS staff follows up on disposal actions to identify
issues or problems;
Status per GAO: Closed. During fiscal year 2006, IRS re-engineered the
P&E asset retirement and disposal process. The new process generates
exception reports that enable management to monitor the aging of
transactions during the disposal process. Our fiscal year 2007 review
of P&E internal controls showed that anomaly reports are now being
generated when an asset remains in a disposal code for an extended
period of time.
ID no.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. This recommendation remains closed as IRS
reported in fiscal year 2006. AWSS reports that the reengineered
process is working as intended. Aging record reports are monitored
monthly and AWSS staff follows up on disposal actions to identify
issues or problems;
Status per GAO: Open. During fiscal year 2006, IRS re-engineered the
P&E asset retirement and disposal process. The new process generates
exception reports that enable management to monitor the aging of
transactions during the disposal process. While our fiscal year 2007
review of P&E internal controls showed that anomaly reports are now
being generated when an asset remains in a disposal code for an
extended period of time, our audit testing revealed that disposals are
still not being recorded in a timely manner. Our inquiries of IRS
management revealed that management is not always reviewing the anomaly
reports as required by the reengineered process. We will continue to
evaluate IRS's corrective actions during our fiscal year 2008 audit.
ID no.: 07-01;
Recommendation: Enforce the existing policy requiring that all lockbox
banks encrypt backup media containing federal taxpayer information.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. IRS is currently evaluating this recommendation
to determine the best means to safeguard (e.g. encryption) and/or
retain taxpayer data. To assist in the evaluation process, IRS plans to
complete a cost-benefit analysis to determine the best solution. The
tentative date for completion of the cost-benefit analysis and any
resulting solution is September 30, 2008. In the interim, to mitigate
the risk of losing personally identifiable information (PII), IRS plans
to incorporate specific guidelines in the calendar year 2008 LSG to
clearly require that all lockbox sites store backup media containing
PII in locked containers. The calendar year 2008 LSG was issued on
December 19, 2007;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at all four lockbox banks we visited where backup data tapes
containing federal taxpayer information were not encrypted. We will
evaluate IRS's planned corrective actions during our fiscal year 2008
audit.
ID no.: 07-02;
Recommendation: Ensure that lockbox banks store backup media containing
federal taxpayer information at an off-site location as required by the
2006 Lockbox Security Guidelines (LSG). (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. IRS is currently evaluating this recommendation
to determine the best means to safeguard (e.g. encryption) and/or
retain taxpayer data. To assist in the evaluation process, IRS plans to
complete a cost-benefit analysis to determine the best solution. The
tentative date for completion of the cost-benefit analysis and any
resulting solution is September 30, 2008. In the interim, to mitigate
the risk of losing PII, IRS plans to incorporate specific guidelines in
the calendar year 2008 LSG to clearly require that all lockbox sites
store backup media containing PII in locked containers. The calendar
year 2008 LSG was issued on December 19, 2007;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at all four lockbox banks we visited where backup media
containing federal taxpayer information was not stored at an off-site
location. We will evaluate IRS's planned corrective actions during our
fiscal year 2008 audit.
ID no.: 07-03;
Recommendation: Revise instructions for the annual
reviews of lockbox banks to encompass routine monitoring of backup
media containing personally identifiable information to ensure that
this information is (1) encrypted prior to transmission and (2) stored
in an appropriate off-site location. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. IRS is currently evaluating this recommendation
to determine the best means to safeguard (e.g. encryption) and/or
retain taxpayer data. To assist in the evaluation process, IRS plans to
complete a cost-benefit analysis to determine the best solution. The
tentative date for completion of the cost-benefit analysis and any
resulting solution is September 30, 2008. In the interim, to mitigate
the risk of losing PII, IRS plans to incorporate specific guidelines in
the calendar year 2008 LSG to clearly require that all lockbox sites
store backup media containing PII in locked containers. The calendar
year 2008 LSG was issued on December 19, 2007. The Lockbox Electronic
Network (LEN) electronically transmits all transactional data,
including federal taxpayer information, from the lockbox banks to IRS
via the Martinsburg Computing Center, which is currently going to the
Tennessee Computing Center. The data are transmitted securely through
Virtual Private Network devices, like the devices used at the computing
centers, which will encrypt the data as it is being transmitted.
Effective March 2008, the LEN is being
used to transmit the data to the SP centers. Cartridges will only be
used in the event of an emergency or contingency situation where the
LEN transmission fails;
Status per GAO: Open. We will continue to evaluate IRS's corrective
actions during our fiscal year 2008 audit.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit TV (CCTV) camera coverage that do not
provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. All SCCs conducted an assessment of the CCTV
systems concerning unobstructed views of fence lines and perimeter, and
identified problems that were documented in an action plan developed in
May 2007 and completed by February 2008;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
instances at three of five SCCs we visited where security cameras did
not provide an unobstructed view of the entire perimeter of the
facility. We will evaluate IRS's corrective actions during our fiscal
year 2008 audit.
ID no.: 07-05;
Recommendation: Revise instructions for quarterly physical security
reviews to require analysts to (1) document any issues identified as
well as planned implementation dates of corrective actions to be taken
and (2) track the status of corrective actions identified during the
quarterly assessments to ensure they are promptly implemented. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. Procedures were implemented requiring Physical
Security analysts to document issues/problems during quarterly reviews,
establish corrective action due dates, and track progress to ensure
implementation of all corrective actions. The new procedures and
reporting formats were implemented in June 2007. Compliance with the
procedures is monitored during Physical Security area director
operational reviews and random sampling by PPPO;
Status per GAO: Closed. We verified that IRS revised its procedures and
reporting formats to require its Physical Security analysts to (1)
document concerns identified during quarterly physical security
reviews, (2) establish corrective action implementation dates, and (3)
track those actions to ensure and monitor implementation.
ID no.: 07-06;
Recommendation: Revise procedures contained in the Manual Refund Desk
Reference to reflect the IRM requirements for manual refund initiators
to (1) monitor the manual refund accounts in order to prevent duplicate
refunds, and (2) document their monitoring actions. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. Employees have been instructed to recognize
only IRM 3.17.79 and IRM 21 as the official authoritative guidance for
processing manual refunds. Submission Processing (SP) conducted a
conference call with designated campus planning and analysis staff, SP
Headquarters staff and the IRM owner for 21.4.4, and issued a Hot Topic
on April 30, 2007. SP also provided sites with this information and
contacted authors of IRM 21.4.4 and IRM 4.4.19. Accounts Management and
SB/SE Compliance will review the IRM to ensure that instructions are
correct and that related training course modules are correct;
Status per GAO: Closed. IRS's action satisfies the intent of this
recommendation.
ID no.: 07-07;
Recommendation: Provide to all IRS units responsible for processing
manual refunds the same most current version of the Manual Refund Desk
Reference. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. W&I reinforced IRM 3.17.79.0 and 21.4.4 as the
official authoritative guidance for processing manual refunds. SP
provided sites with this information and also contacted authors of IRM
21.4.4 and IRM 4.4.19. The Account Management analyst and the SB/SE
Compliance analyst will review the IRM to ensure that instructions are
correct and that related training course modules are accurate;
Status per GAO: Closed. IRS's action satisfies the intent of this
recommendation.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the manual
refund initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. All W&I business functions conducted training by
July 2007, except for Compliance, which is planned to be completed by
April 2008. SP management reviews history sheets annotated with
taxpayer identification numbers, tax period, transaction code, date,
and initials of initiator. SP conducted team refresher training by July
30, 2007. This refresher training will also be included in fiscal year
2008 continuing professional education. A manual refunds refresher
course was distributed by the Accounts Management Program
Management/Process Assurance and training was completed by June 2007.
The course emphasized the required monitoring of manual refunds and the
documentation of monitoring actions. Accounts Management will conduct
additional training by July 15, 2008, for employees who initiate manual
refunds;
Status per GAO: Open. We will review IRS's records of training during
our fiscal year 2008 audit.
ID no.: 07-09;
Recommendation: Enhance its computer program to check for outstanding
tax liabilities associated with both the primary and secondary Social
Security Numbers shown on a joint tax return and apply credits to those
balances before issuing any refund. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS submitted a work request on June 26, 2007,
to update its computer programs to check for outstanding liabilities
associated with both the primary and secondary Social Security numbers
on a joint tax return and offsetting to any outstanding TFRP liability
before issuance of a refund. The programming change was implemented on
January 20, 2008;
Status per GAO: Open. The programming change was initiated after our
fiscal year 2007 audit was complete. We will evaluate the effectiveness
of IRS's corrective action during our fiscal year 2008 audit.
ID no.: 07-10;
Recommendation: Instruct Revenue Officers making the TFRP assessments
to research whether the responsible officers are filing jointly with
their spouses and to place a refund freeze on the joint account until
the computer programming change can be completed. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS counsel said that it was acceptable for the
revenue officer to also freeze the refund of any spouse at the time of
approval of recommendation for a TFRP assessment or at the time the
TFRP assessment is made. Therefore, IRS's SB/SE issued interim guidance
on July 23, 2007, for input of transaction code 130 to freeze potential
individual master file refunds for all individuals determined
responsible for the TFRP;
Status per GAO: Closed. Based on our review of the IRS interim guidance
issued on July 23, 2007, we verified that IRS instructed revenue
officers making TFRP assessments to research whether responsible
officers are filing jointly with their spouses and to place refund
freezes on the joint accounts.
ID no.: 07-11;
Recommendation: Correct the penalty calculation programs in the master
file so that penalties are calculated in accordance with the applicable
Internal Revenue Code and implementing IRM guidance. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS implemented a system change in January 2007
to correct the penalty calculation program;
Status per GAO: Open. We will evaluate the effectiveness of IRS's
corrective action during our fiscal year 2008 audit.
ID no.: 07-12;
Recommendation: Research each of the taxpayer accounts that may have
been affected by the penalty programming errors to determine whether
they contain overassessed penalties and correct the accounts as needed.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS implemented a system change in January 2007
that corrected debit balance taxpayer accounts affected by the
programming error;
Status per GAO: Open. We will evaluate the effectiveness of IRS's
corrective action during our fiscal year 2008 audit.
ID no.: 07-13;
Recommendation: Establish procedures and specify in the IRM that at the
time of receipt, employees recording taxpayer payments should (1)
determine if the payment is more than sufficient to cover the tax
liability of the tax period specified on the payment or earliest
outstanding tax period, (2) perform additional research to resolve any
outstanding issues on the account, (3) determine whether the taxpayer
has outstanding balances in other tax periods, and (4) apply available
credits to satisfy the outstanding balances in other tax periods.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. The Deputy Commissioner for Services and
Enforcement issued a memorandum to all functions titled "Service wide
Action to Prevent Late Lien Releases," in January 2007. The memorandum
directed manual lien releases when systemic processes do not release
liens. Based on the memorandum, IRS revised several IRM sections. In
addition, IRS plans to revise IRM 5.1.2 by May 2008 to include all four
elements contained in this recommendation;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
issues that resulted in the untimely release of a tax lien. We will
continue to review IRS's corrective actions to address this issue
during our fiscal year 2008 audit.
ID no.: 07-14;
Recommendation: Establish procedures and specify in the IRM that
employees review taxpayer accounts with freeze codes that contain
credits weekly to (1) research and resolve any outstanding issues on
the account, (2) determine whether the taxpayer has outstanding
balances in other tax periods, and (3) apply available credits to
satisfy the outstanding balances in other tax periods. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. IRS completed programming changes in January 2007
that allow lien releases regardless of freeze codes. In addition, the
Deputy Commissioner for Services and Enforcement issued a memorandum to
all functions titled "Service wide Action to Prevent Late Lien
Releases," in January 2007. The memorandum directed manual lien
releases when systemic processes do not release liens. Based on the
memorandum, IRS revised several IRM sections. Finally, IRS plans to
revise IRM 5.1.2 by May 2008 to include all of the elements contained
in this recommendation;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
issues that resulted in the untimely release of a tax lien. We will
continue to review IRS's corrective actions to address this issue
during our fiscal year 2008 audit.
ID no.: 07-15;
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in the Automated Lien System
(ALS). (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. In order to facilitate timely lien releases, IRS
put a new "My Eureka" report in place for the Centralized Insolvency
Office. IRS generates and resolves issues on this report weekly. IRS
revised IRM 5.9.17.11.6 in March 2007 to reference the report and
request manual lien releases. Campus Compliance analysts conduct
reviews quarterly to ensure appropriate actions are taken. However,
IRS's fiscal year 2007 OMB Circular No. A-123 review of its lien
release process identified two lien release errors associated with
bankruptcy discharges. Therefore, IRS has added new action items to the
Lien Release Action Plan, to establish new controls and oversight by
management in CIO and Field Insolvency to ensure that IRM guidelines
are followed and new procedures for Field Insolvency. In addition, IRS
identified an instance where Field Insolvency failed to release a lien
after an Exempt/Abandoned Asset review. Therefore, Collection Policy
will review Field Insolvency by June 30, 2008, and consider the
addition of new corrective actions to reduce lien errors based on this
issue;
Status per GAO: Open. During our fiscal year 2007 audit, we identified
issues that resulted in the untimely release of a tax lien. We will
continue to review IRS's corrective actions to address this issue
during our fiscal year 2008 audit.
ID no.: 07-16;
Recommendation: Issue a memorandum to employees in the Centralized Lien
Processing Unit reiterating the IRM requirement to date stamp and
maintain the billing support voucher as evidence of timely processing
by IRS. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. The IRM for the Centralized Lien Unit (CLU)
provides specific direction to date stamp and maintain billing support
vouchers (BSVs) as evidence of timely releases of federal tax liens. In
November 2006 CLU began a new process of scanning BSVs, and associating
BSVs with Specific Lien Identification (SLID) numbers in order to
ensure that BSVs are retrievable and show that liens were timely
released. IRS trained employees on this process as it was rolled out.
In May 2007 IRS completed the 2007 OMB Circular No. A-123 review on the
timeliness of lien releases. The review found that BSVs were stamped
appropriately in all cases reviewed;
Status per GAO: Closed. In our review of IRS's fiscal year 2007 OMB
Circular No. A-123 lien testing results, we verified that IRS was able
to obtain the date stamped billing vouchers for all of its sample items.
ID no.: 07-17;
Recommendation: Monitor installment agreement user fee activity on a
regular basis. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. The collection activity reports (CAR) capture
data each month on installment agreement activity. The number of
installment agreements, number of user fees paid and user fee dollar
amounts are extracted from the installment agreement reports. These
reports are utilized by Headquarters to conduct month-to-month and year-
to-year comparisons for trend analysis. Headquarters will monitor
collections on the CAR and balance those collections against what is
projected and what is in the financial system, and use historical
trends to identify issues;
Status per IRS: Open. IRS's actions to monitor and analyze installment
agreement user fee collections at headquarters were initiated after our
fiscal year 2007 audit was completed. We will review and evaluate IRS's
efforts to monitor installment agreement user fee activity during our
fiscal year 2008 audit.
ID no.: 07-18;
Recommendation: Adjust errors in recorded installment agreement user
fees as necessary to correctly reflect the user fees IRS earned and
collected from taxpayers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. A sweep process that collects paid fees and
records them in the user fee account has been established. Effective
January 2008, the sweep is run weekly to ensure accurate and more
timely accounting of fee dollars;
Status per GAO: Open. The action described in IRS's response does not
fully ensure that recorded installment agreement user fees correctly
reflect user fees earned and collected from taxpayers because it is not
designed for that purpose. IRS's sweep (recovery) process is designed
to identify and correct for unrecorded user fees collected with the
initial installment agreement payment but incorrectly posted against
the taxpayer's debt (tax module). We will continue to review and
evaluate IRS's efforts to address issues related to installment
agreement user fees during our fiscal year 2008 audit.
ID no.: 07-19;
Recommendation: Establish sufficient review procedures to help ensure
that adjustments to installment agreement user fees collected from
taxpayers are accurately and timely recorded. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. Steps to ensure appropriate assessment and
collection of user fees are already in place. The user fee category on
the Installment Agreement Accounts Listing (IAAL) compares unpaid and
overpaid user fee money and makes adjustments accordingly. The IAAL for
W&I is consolidated at one site. For both W&I and SBSE, the IAAL is
subjected to Planning and Analysis Support, Managerial, Operations and
Headquarters review;
Status per GAO: Open. IRS was in the process of updating its operating
procedures to account for and record new installment agreement user fee
amounts when we completed our fiscal year 2007 audit. We will review
and evaluate IRS's use of the IAAL and Managerial, Operations, and
Headquarters review processes during our fiscal year 2008 audit.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage space
to properly secure and safeguard its property and equipment inventory,
including in-stock inventories, assets from incoming shipments, and
assets that are in the process of being excessed and/or shipped out.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. IRS is identifying locations that need additional
secured storage space and will obtain the necessary space as
appropriate. Scheduled completion date is October 1, 2009. Processes
and procedures are in place for business units to request space, either
secured or non-secured. AWSS negotiated processes and procedures with
the business units that are now part of AWSS's Senior Commissioner
Representative Handbook. Business units needing secured space must
follow established guidance. Also, processes have been set for business
units to approve and fund their space requests;
Status per GAO: Open. IRS has implemented a plan to obtain additional
secured storage space as deemed necessary, with a scheduled completion
date of October 1, 2009. We will monitor IRS's corrective actions
during our fiscal years 2008 and 2009 audits.
ID no.: 07-21;
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS updated the IRM in September 2007 and sent
a reminder to those with acquisition authority about the IRS
acquisition procedures developed in December 2002. The update included
reference to Policy and Procedures Memorandum No. 46.5, "Receipt,
Quality Assurance and Acceptance," reiterating requirements for
separation of duties;
Status per GAO: Open. Our fiscal year 2007 review of internal controls
over property and equipment revealed that at least one IRS employee was
permitted to place orders with vendors and perform receipt and
acceptance functions when the orders were delivered. We will continue
to evaluate IRS's corrective actions during our fiscal year 2008 audit.
ID no.: 07-22;
Recommendation: Document the results of internal control tests
conducted in a manner sufficiently clear and complete to explain how
control procedures were tested, what results were achieved, and how
conclusions were derived from those results, without reliance on
supplementary oral explanation. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. In the fiscal year 2007 A-123 cycle, IRS expanded
its A-123 guidance, improved review procedures, and improved training.
As IRS prepares for the fiscal year 2008 A-123 cycle, it plans to
continue to further enhance its in-house training and has instituted
procedures to address the clarity and completeness of its explanations;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-23;
Recommendation: Clearly document how it considered existing reviews and
audits in determining the nature, scope, and timing of procedures it
planned to conduct under its A-123 process.;
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. In fiscal year 2007, IRS made progress on this
recommendation by adding a requirement to test plan templates to
document audits reviewed. During the fiscal year 2008 planning phase,
IRS plans to fully document the existing reviews and audits;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-24;
Recommendation: To the extent that it intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS plans to continue to work with the Department
of the Treasury and GAO to fully implement OMB Circular No. A-123
requirements for evaluating controls over information technology
relating to financial statement reporting;
Status per IRS: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS is piloting a limited set of fiscal year 2008
test plans, which include an analysis of the design for each
transaction control set tested, with full implementation expected in
the fiscal year 2009 A-123 cycle;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-26;
Recommendation: Work with Treasury to identify laws and regulations
that are significant to financial reporting, test controls over
compliance with those laws and regulations, and evaluate and report on
the results of such control reviews. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. In fiscal year 2007, IRS established an internal
crosswalk between A-123 tests and laws and regulations significant to
financial reporting. IRS plans to further refine this linkage for the
fiscal year 2008 A-123 process;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-27;
Recommendation: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. Although implementation of such procedures is not
necessary until elimination of the outstanding material weaknesses, IRS
plans to develop follow-up procedures that provide assurance for the
last 3 months of the fiscal year;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 07-28;
Recommendation: Provide A-123 review staff appropriate training, such
as that available for financial auditors, to enhance their skills in
workpaper documentation, identification and testing of internal
controls, and evaluation and documentation of results. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS has enhanced training at the beginning of
each A-123 cycle to include an external course designed for financial
auditors on preparing workpapers. IRS evaluated results from fiscal
year 2007 and has incorporated improvements to the fiscal year 2008
training to ensure its curriculum addresses issues in testing approach,
testing methodology, workpaper reviews, and lessons learned;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing its OMB Circular No. A-123 review
procedures.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of CDDB, it
should verify that when it becomes fully operational, CDDB, when used
in conjunction with IRACS, will provide IRS with the direct transaction
traceability for all of its tax-related transactions as required by the
U.S. Standard General Ledger (SGL), Federal Financial Management System
Requirements (FFMSR), and thus Federal Financial Management Improvement
Act of 1996 (FFMIA). (long-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid assessment
estimation process. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures for
reviewers to follow in their review of unpaid assessments statistical
estimates. Specifically, IRS should require that a detailed supervisory
review be performed to ensure: (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data on
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-04;
Recommendation: To address the inconsistency in assigning the effective
date of an accuracy penalty, modify the Business Master File computer
program so that the date of the deficiency assessment is used as the
effective date of any related accuracy penalty. (long-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-05;
Recommendation: Complete and document the review of existing programs
in the master files that affect penalty calculations to identify any
instances in which programs are not functioning in accordance with the
intent of the IRM. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-06;
Recommendation: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers to use in conducting reviews of outlying TACs and
documenting the results. This guidance should include a description of
the key controls that should be in place at outlying TACs, specify how
often these key controls should be reviewed, and specify how the
results of each review should be documented, including follow-up on
issues identified in previous TAC reviews. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-08;
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-09;
Recommendation: Establish a mechanism to monitor compliance with
the existing requirement that TAC employees responsible for accepting
taxpayer payments in cash have their computer system access
appropriately restricted to limit their ability to adjust taxpayer
accounts. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-10;
Recommendation: Establish procedures requiring periodic verification
that all individuals designated as first responders to TAC duress
alarms are appropriately qualified and geographically located to
respond to the potentially dangerous situations in an effective and
timely manner. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-11;
Recommendation: Modify the IRM to specify qualifications and
geographical proximity requirements for individuals designated as first
responders to duress alarms at IRS facilities, and to require that the
responsibilities and qualifications of all designated first responders
be periodically reviewed to verify that over time, they continue to be
qualified and appropriately located, and to make any necessary
adjustments. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-13;
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information; document the
results, including identification of any security issues; and verify
that the contractor has taken appropriate corrective actions on any
security issues observed. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and reviewing
documentation of completed background investigations for all shredding
contractors before granting them access to taxpayer or other sensitive
IRS information. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-16;
Recommendation: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-18;
Recommendation: Issue a memorandum to Receipt Control Operations Unit
staff reiterating existing requirements for (1) supervisory reviews of
the processing of TE/GE user fee deposits and (2) key documentation to
be signed and dated by the supervisor as evidence of that review.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-19;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials and purchase cardholders sign and date monthly account
statements attesting to their review and completion of the required
reconciliation process. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-20;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders obtain
funding approval or verify that funds are available for the intended
purpose prior to making a purchase. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-21;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials update and maintain appropriate supporting documentation.
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-22;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders and
purchase card approving officials retain copies of all supporting
documents for a reasonable period of time, such as 3 years. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-23;
Recommendation: Issue a memorandum addressed to all personnel
responsible for updating inventory records that reiterates IRS's
existing policy requiring that new assets be inputted into the
inventory system within 10 days after receipt. (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will review
IRS's corrective actions during future audits.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will review
IRS's corrective actions during future audits.
Source: IRS updates detailing its actions to address GAO's
recommendations and GAO's analysis of IRS's actions.
[End of table]
[End of section]
Appendix II: Open Recommendations Arranged by Control or Compliance
Issue:
Financial Reporting:
IRS does not have financial management systems adequate to enable it to
accurately generate and report, in a timely manner, the information
needed to both prepare financial statements and manage operations on an
ongoing basis. To overcome these systemic deficiencies with respect to
preparation of its annual financial statements, IRS was compelled to
employ extensive compensating procedures. Specifically, IRS (1) did not
have an adequate general ledger system for tax-related transactions,
and (2) was unable to readily determine the costs of its activities and
programs and did not have cost-based performance information to assist
in making or justifying resource allocation decisions. As a result, IRS
does not have real-time data needed to assist in managing operations on
a day-to-day basis and to provide an informed basis for making or
justifying resource allocation decisions.
Table 12: Material Weakness: Controls over Financial Reporting:
ID no.: 99-25;
Recommendation: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes.
(short-term);
Control Activity: Management of human capital.
ID no.: 99-29;
Recommendation: Develop the data to support meaningful cost information
categories and cost-based performance measures. (long-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 02-08;
Recommendation: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 02-09;
Recommendation: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of CDDB, it
should verify that when it becomes fully operational, CDDB, when used
in conjunction with IRACS, will provide IRS with the direct transaction
traceability for all of its tax-related transactions as required by the
U.S. Standard General Ledger (SGL), Federal Financial Management System
Requirements (FFMSR), and thus Federal Financial Management Improvement
Act of 1996 (FFMIA). (long-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Unpaid Tax Assessments:
IRS has serious internal control issues that affected its management of
unpaid tax assessments. Specifically, (1) IRS lacked a subsidiary
ledger for unpaid tax assessments that would allow it to produce
accurate, useful, and timely information with which to manage and
report externally, and (2) IRS experienced errors and delays in
recording taxpayer information, payments, and other activities.
Table 13: Material Weakness: Controls over Unpaid Assessments:
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 99-03;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving TFRP, the subsidiary
ledger should ensure that (1) the TFRP assessment is appropriately
tracked for all taxpayers liable but counted only once for reporting
purposes and (2) all payments made are properly credited to the
accounts of all individuals assessed for the liability. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-11;
Recommendation: Correct the penalty calculation programs in the master
file so that penalties are calculated in accordance with the applicable
Internal Revenue Code and implementing IRM guidance. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-12;
Recommendation: Research each of the taxpayer accounts that may have
been affected by the penalty programming errors to determine whether
they contain overassessed penalties and correct the accounts as needed.
(short-term);
Control Activity: Accurate and timely recording of transactions and
events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Tax Revenue and Refunds:
IRS does not, at present, have agencywide cost-benefit information,
related cost-based performance measures, or a systematic process for
ensuring it is using its resources to maximize its ability to collect
what is owed and minimize the disbursements of improper tax refunds in
the context of its overall mission and responsibilities. These
deficiencies inhibit IRS's ability to appropriately assess and
routinely monitor the relative merits of its various initiatives and
adjust its strategies as needed. This, in turn, can significantly
affect both the level of tax revenue collected and the magnitude of
improper refunds paid.
Table 14: Material Weakness: Controls over Revenues and Issuing
Refunds:
ID no.: 01-04;
Recommendation: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, administrative support), as well as the expected
additional tax collections generated. (short-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID no.: 01-12;
Recommendation: For (1) IRS's Automated Underreporter (AUR) and
Combined Annual Wage Reporting (CAWR) programs, (2) screening and
examination of Earned Income Tax Credit claims, and (3) identifying and
collecting previously disbursed improper refunds, use the best
available information to develop reliable cost-benefit data to estimate
the tax revenue collected by, and the amount of improper refunds
returned to, IRS for each dollar spent pursuing these outstanding
amounts. These data would include (1) an estimate of the full cost
incurred by IRS in performing each of these efforts, including the
salaries and benefits of all staff involved, as well as any related
nonpersonnel costs, such as supplies and utilities and (2) the actual
amount (a) collected on tax amounts assessed and (b) recovered on
improper refunds disbursed. (long-term);
Control Activity: Establishment and review of performance measures and
indicators.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Information Security:
Significant weaknesses in information security controls continue to
threaten the confidentiality, integrity, and availability of IRS's
financial processing systems and information. IRS has weaknesses in
controls for protecting access to systems and information, as well as
other information security controls that affect key financial
systems--particularly IFS and IRACS. For example, sensitive information,
including user identification, passwords, and software code for
mission-critical applications, was accessible on an internal Web site to
anyone who could connect to IRS's internal network--without having to log in
to the network. The information gained through this access could be
used to alter data flowing to and from IFS. In addition, configuration
flaws in the mainframe allowed users unrestricted access to all
programs and data on the mainframe, including IRACS. Because this
access was not controlled by the security system, no security violation
logs would be created, reducing IRS's ability to detect unauthorized
access. Weaknesses also existed in other areas, such as protecting
against unauthorized physical access to sensitive computer resources
and patching servers to protect against known vulnerabilities.
Material Weakness: Controls over Information Systems Security:
Although IRS has made some progress in addressing previous weaknesses
we identified in its information systems security controls and physical
security controls, these and new weaknesses in information systems
security continue to impair IRS's ability to ensure the
confidentiality, integrity, and availability of financial and
tax-processing systems. As of January 2008, there were 76 open
recommendations from our information systems security work designed to
help IRS improve its information systems security controls. Our
recommendations resulting from our information systems security work
are reported separately and are not included in this report primarily
because of the sensitive nature of some of those issues.
Hard-Copy Tax Receipts and Taxpayer Information:
IRS manually processes hundreds of billions of dollars of hard-copy
taxpayer receipts and related taxpayer information at its service
center campuses, field office taxpayer assistance centers, other field
office units, and commercial lockbox banks. However, we have identified
weaknesses in IRS's controls designed to safeguard these taxpayer
receipts and information, which increase the risk that receipts in the
form of checks, cash, and the like could be misappropriated or that the
information could be compromised.
Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and
Taxpayer Information:
ID no.: 99-22;
Recommendation: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments.
(short-term);
Control Activity: Segregation of duties.
ID no.: 04-08;
Recommendation: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 05-11;
Recommendation: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at service center campuses selected for
significant reductions in their submission processing functions.
(short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 05-13;
Recommendation: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 05-14;
Recommendation: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of payment posting
vouchers, document transmittal forms, and transmittal packages.
(short-term);
Control Activity: Segregation of duties.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers (TACs) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers such as locked doors marked with signs
barring entrance by unescorted customers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 06-07;
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently on-site. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at service center campuses (SCC) and lockbox
banks record all instances involving the activation of intrusion alarms
regardless of the circumstances that may have caused the activation.
(short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 06-15;
Recommendation: Revise the physical security procedures in the Internal
Revenue Manual (IRM) to require that all SCCs and any respective annex
facilities processing taxpayer receipts and/or information perform and
document monthly tests of the facility's intrusion detection alarms. At
a minimum, these procedures should (1) outline the type of test to be
conducted, (2) include criteria for assessing whether the controls used
to respond to the alarm were effective, and (3) require that a logbook
be maintained to document the test dates, results, and response
information. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-01;
Recommendation: Enforce the existing policy requiring that all lockbox
banks encrypt backup media containing federal taxpayer information.
(short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-02;
Recommendation: Ensure that lockbox banks store backup media containing
federal taxpayer information at an off-site location as required by the
2006 Lockbox Security Guidelines. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-03;
Recommendation: Revise instructions for the annual reviews of lockbox
banks to encompass routine monitoring of backup media containing
personally identifiable information to ensure that this information is
(1) encrypted prior to transmission and (2) stored in an appropriate
off-site location. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit TV (CCTV) camera coverage that do not
provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance for TAC
managers to use in conducting reviews of outlying TACs and
documenting the results. This guidance should include a description of
the key controls that should be in place at outlying TACs, specify how
often these key controls should be reviewed, and specify how the
results of each review should be documented, including follow-up on
issues identified in previous TAC reviews. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-08;
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-09;
Recommendation: Establish a mechanism to monitor compliance with the
existing requirement that TAC employees responsible for accepting
taxpayer payments in cash have their computer system access
appropriately restricted to limit their ability to adjust taxpayer
accounts. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-10;
Recommendation: Establish procedures requiring periodic verification
that all individuals designated as first responders to TAC duress
alarms are appropriately qualified and geographically located to
respond to the potentially dangerous situations in an effective and
timely manner. (short-term);
Control Activity: Management of human capital.
ID no.: 08-11;
Recommendation: Modify the IRM to specify qualifications and
geographical proximity requirements for individuals designated as first
responders to duress alarms at IRS facilities, and to require that the
responsibilities and qualifications of all designated first responders
be periodically reviewed to verify that over time, they continue to be
qualified and appropriately located, and to make any necessary
adjustments. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-13;
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information, document the
results, including identification of any security issues, and verify
that the contractor has taken appropriate corrective actions on any
security issues observed. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and reviewing
documentation of completed background investigations for all shredding
contractors before granting them access to taxpayer or other sensitive
IRS information. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-16;
Recommendation: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact. (short-term);
Control Activity: Management of human capital.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Release of Federal Tax Liens:
IRS did not always release the applicable federal tax lien within 30
days of the tax liability being either paid off or abated, as required
by the Internal Revenue Code. The Internal Revenue Code grants IRS the
power to file a lien against the property of any taxpayer who neglects
or refuses to pay all assessed federal taxes. The lien serves to
protect the interest of the federal government and as a public notice
to current and potential creditors of the government's interest in the
taxpayer's property. Under section 6325 of the Internal Revenue Code,
IRS is required to release federal tax liens within 30 days after the
date the tax liability is satisfied or has become legally unenforceable
or the Secretary of the Treasury has accepted a bond for the assessed
tax.
Table 16: Compliance with Laws and Regulations: Timely Release of
Liens:
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-13;
Recommendation: Establish procedures and specify in the IRM that at the
time of receipt, employees recording taxpayer payments should (1)
determine if the payment is more than sufficient to cover the tax
liability of the tax period specified on the payment or earliest
outstanding tax period, (2) perform additional research to resolve any
outstanding issues on the account, (3) determine whether the taxpayer
has outstanding balances in other tax periods, and (4) apply available
credits to satisfy the outstanding balances in other tax periods.
(short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-14;
Recommendation: Establish procedures and specify in the IRM that
employees review taxpayer accounts with freeze codes that contain
credits weekly to (1) research and resolve any outstanding issues on
the account, (2) determine whether the taxpayer has outstanding
balances in other tax periods, and (3) apply available credits to
satisfy the outstanding balances in other tax periods. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-15;
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in the Automated Lien System
(ALS). (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Other Control Issues:
The recommendations listed below do not rise to the level of a
significant deficiency or a material weakness. However, these issues do
represent weaknesses in various aspects of IRS's control environment
that should be addressed.
Table 17: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term);
Control Activity: Controls over information processing.
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds.
(short-term);
Control Activity: Proper execution of transactions and events.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring actions
and supervisory review for manual refunds. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the manual
refund initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds. (short-term);
Control Activity: Management of human capital.
ID no.: 07-09;
Recommendation: Enhance its computer program to check for outstanding
tax liabilities associated with both the primary and secondary Social
Security numbers shown on a joint tax return and apply credits to those
balances before issuing any refund. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-17;
Recommendation: Monitor installment agreement user fee activity on a
regular basis. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-18;
Recommendation: Adjust errors in recorded installment agreement user
fees as necessary to correctly reflect the user fees IRS earned and
collected from taxpayers. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 07-19;
Recommendation: Establish sufficient review procedures to help ensure
that adjustments to installment agreement user fees collected from
taxpayers are accurately and timely recorded. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage space
to properly secure and safeguard its property and equipment inventory,
including in-stock inventory assets from incoming shipments, and assets
that are in the process of being excessed and/or shipped out.
(short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-21;
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered. (short-term);
Control Activity: Segregation of duties.
ID no.: 07-22;
Recommendation: Document the results of internal control tests
conducted in a manner sufficiently clear and complete to explain how
control procedures were tested, what results were achieved, and how
conclusions were derived from those results, without reliance on
supplementary oral explanation. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-23;
Recommendation: Clearly document how it considered existing reviews and
audits in determining the nature, scope, and timing of procedures it
planned to conduct under its A-123 process. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-24;
Recommendation: To the extent that it intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-26;
Recommendation: Work with Treasury to identify laws and regulations
that are significant to financial reporting, test controls over
compliance with those laws and regulations, and evaluate and report on
the results of such control reviews. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-27;
Recommendation: Begin devising appropriate A-123 follow-up procedures
for the last three months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-28;
Recommendation: Provide A-123 review staff appropriate training, such
as that available for financial auditors, to enhance their skills in
workpaper documentation, identification and testing of internal
controls, and evaluation and documentation of results. (short-term);
Control Activity: Management of human capital.
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid assessment
estimation process. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures for
reviewers to follow in their review of unpaid assessments statistical
estimates. Specifically, IRS should require that a detailed supervisory
review be performed to ensure: (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data on
the spreadsheets used to compile the interim projections and roll-forward
results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct. (short-term);
Control Activity: Management of human capital.
ID no.: 08-04;
Recommendation: To address the inconsistency in assigning the effective
date of an accuracy penalty, modify the Business Master File computer
program so that the date of the deficiency assessment is used as the
effective date of any related accuracy penalty. (long-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-05;
Recommendation: Complete and document the review of existing programs
in the master files that affect penalty calculations to identify any
instances in which programs are not functioning in accordance with the
intent of the IRM. (long-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-06;
Recommendation: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 08-18;
Recommendation: Issue a memorandum to Receipt Control Operations Unit
staff reiterating existing requirements for (1) supervisory reviews of
the processing of TE/GE user fee deposits, and (2) key documentation to
be signed and dated by the supervisor as evidence of that review.
(short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-19;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials and purchase cardholders sign and date monthly account
statements attesting to their review and completion of the required
reconciliation process. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-20;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders obtain
funding approval or verify that funds are available for the intended
purpose prior to making a purchase. (short-term);
Control Activity: Proper execution of transactions and events.
ID no.: 08-21;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials update and maintain appropriate supporting documentation.
(short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-22;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders and
purchase card approving officials retain copies of all supporting
documents for a reasonable period of time, such as three years.
(short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-23;
Recommendation: Issue a memorandum addressed to all personnel
responsible for updating inventory records that reiterates IRS's
existing policy requiring that new assets be inputted into the
inventory system within 10 days after receipt. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel.
(short-term);
Control Activity: Proper execution of transactions and events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
[End of section]
Appendix III: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
June 24, 2008:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.:
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled, IRS: Status of GAO Financial Audit and Related
Financial Management Report Recommendations (GAO-08-693).
As GAO noted in the report, IRS continues to make significant progress
in improving our internal controls and financial management as
evidenced by eight consecutive years of clean audit opinions on our
financial statements. We are pleased that you acknowledged our progress
in addressing our financial management challenges and agreed to close
18 prior year financial management recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions, please contact Alison Doone, Chief Financial
Officer, at (202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman
[End of section]
Appendix IV Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Acknowledgments:
In addition to the contact named above, the following individuals made
major contributions to this report: William J. Cordrey, Assistant
Director; Gloria Cano; Stephanie Chen; Nina Crocker; John Davis;
Charles Ego; Charles Fox; Valerie Freeman; Ted Hu; Delores Lee; John
Sawyer; Angel Sharma; Peggy Smith; Cynthia Teddleton; and Gary Wiggins.
[End of section]
Footnotes:
[1] Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with
applicable laws and regulations. Part of the actions required by
agencies and individual federal managers includes taking proactive
measures to develop and implement appropriate, cost-effective internal
control for results-oriented management; to assess the adequacy of
internal control in federal programs and operations; to identify needed
improvements; and to take corresponding corrective actions.
[2] A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected. A significant deficiency is a control
deficiency, or combination of deficiencies, that adversely affects the
entity's ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood
that a misstatement of the entity's financial statements that is more
than inconsequential will not be prevented or detected. A control
deficiency exists when the design or operation of a control does not
allow management or employees, in the course of performing their
assigned functions, to prevent or detect misstatements on a timely
basis.
[3] GAO, Management Report: Improvements Needed in IRS's Internal
Controls, GAO-08-368R (Washington, D.C.: June 4, 2008).
[4] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial
Statements, GAO-08-166 (Washington, D.C.: Nov. 9, 2007).
[5] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Nov. 1999).
[6] The circular requires agencies and individual federal managers to
take systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
Appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
control through management assurance statements.
[7] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001).
[8] GAO/AIMD-12.19.6 (Washington, D.C.: January 1999). FISCAM contains
guidance for reviewing information system controls that affect the
security of computerized data (revised June 2001).
[9] GAO, Internal Revenue Service: Status of Financial Audit and
Related Financial Management Report Recommendations, GAO-07-629
(Washington, D.C.: June 7, 2007).
[10] GAO-08-368R.
[11] We define short-term recommendations as those that we believe
could be addressed within 2 years at the time we made the
recommendation. We define long-term recommendations as those we
expected to require 2 years or more to implement at the time we made
the recommendation.
[12] The vast majority of federal tax payments are made for both
businesses and individuals via the Electronic Federal Tax Payment
System.
[13] Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access
to data is appropriately restricted, only authorized changes to
computer programs are made, physical access to sensitive computing
resources and facilities is protected, computer security duties are
segregated, and backup and recovery plans are adequate to ensure the
continuity of essential operations.
[14] GAO, Information Security: IRS Needs to Address Pervasive
Weaknesses, GAO-08-211 (Washington, D.C.: Jan. 8, 2008).
[15] Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers
for immediate payment due to hardship or emergency, those to
beneficiaries of deceased taxpayers, and those that need to be
expedited because IRS is in jeopardy of paying interest for exceeding
the 45-day limit for processing a return.
[16] GAO-08-166.