Internal Revenue Service
Status of GAO Financial Audit and Related Financial Management Report Recommendations Gao ID: GAO-09-514 June 25, 2009In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS's efforts to address the weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) provide the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations relate to control activities central to IRS's mission and goals.
IRS has made significant progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 9 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 200 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO's audit of IRS's fiscal year 2008 financial statements, 81 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2008 financial audit, IRS took actions that GAO considered sufficient to close 35. At the same time, GAO identified additional internal control issues resulting in 16 new recommendations. In total, 62 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 62 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning IRS's automated systems, are complex and will require several more years to effectively address.
GAO-09-514, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations
This is the accessible text file for GAO report number GAO-09-514
entitled 'Internal Revenue Service: Status of GAO Financial Audit and
Related Financial Management Report Recommendations' which was released
on June 25, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Commissioner of Internal Revenue:
United States Government Accountability Office:
GAO:
June 2009:
Internal Revenue Service:
Status of GAO Financial Audit and Related Financial Management Report
Recommendations:
GAO-09-514:
GAO Highlights:
Highlights of GAO-09-514, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
In its role as the nation‘s tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to annually collect trillions of
dollars in taxes, process hundreds of millions of tax and information
returns, and enforce the nation‘s tax laws. Since its first audit of
IRS‘s financial statements in fiscal year 1992, GAO has identified a
number of weaknesses in IRS‘s financial management operations. In
related reports, GAO has recommended corrective actions to address
those weaknesses.
Each year, as part of the annual audit of IRS‘s financial statements,
GAO makes recommendations to address any new weaknesses identified and
follows up on the status of IRS‘s efforts to address the weaknesses GAO
identified in previous years‘ audits. The purpose of this report is to
(1) provide the status of audit recommendations and actions needed to
fully address them and (2) demonstrate how the recommendations relate
to control activities central to IRS‘s mission and goals.
What GAO Found:
IRS has made significant progress in improving its internal controls
and financial management since its first financial statement audit in
1992, as evidenced by 9 consecutive years of clean audit opinions on
its financial statements, the resolution of several material internal
control weaknesses, and actions resulting in the closure of over 200
financial management recommendations. This progress has been the result
of hard work throughout IRS and sustained commitment at the top levels
of the agency. However, IRS still faces financial management
challenges. At the beginning of GAO‘s audit of IRS‘s fiscal year 2008
financial statements, 81 financial management-related recommendations
from prior audits remained open because IRS had not fully addressed the
issues that gave rise to them. During the fiscal year 2008 financial
audit, IRS took actions that GAO considered sufficient to close 35. At
the same time, GAO identified additional internal control issues
resulting in 16 new recommendations. In total, 62 recommendations
remain open.
To assist IRS in evaluating and improving internal controls, GAO
categorized the 62 open recommendations by various internal control
activities, which, in turn, were grouped into three broad control
categories.
Table: Summary of Open Recommendations by Control Category:
Safeguarding of assets and security activities:
Open at the beginning of 2008: 21;
Closed during 2008 audit: 7;
New from 2008 audit: 6;
Total remaining open: 20.
Proper recording and documenting of transactions:
Open at the beginning of 2008: 33;
Closed during 2008 audit: 13;
New from 2008 audit: 4;
Total remaining open: 24.
Effective management review and oversight:
Open at the beginning of 2008: 27;
Closed during 2008 audit: 15;
New from 2008 audit: 6;
Total remaining open: 18.
Total:
Open at the beginning of 2008: 81;
Closed during 2008 audit: 35;
New from 2008 audit: 16;
Total remaining open: 62.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
The continued existence of internal control weaknesses that gave rise
to these recommendations represents a serious obstacle that IRS needs
to overcome. Effective implementation of GAO‘s recommendations can
greatly assist IRS in improving its internal controls and achieving
sound financial management and can help enable it to more effectively
carry out its tax administration responsibilities. Most can be
addressed in the short term (the next 2 years). However, a few
recommendations, particularly those concerning IRS‘s automated systems,
are complex and will require several more years to effectively address.
What GAO Recommends:
GAO is not making any recommendations in this report. In commenting on
this draft report, IRS stated that it is committed to implementing
appropriate improvements to maintain sound financial management
practices.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/products/GAO-09-514]. For more
information, contact Steven J. Sebastian at (202)512-3406 or
sebastians@gao.gov.
[End of section]
Contents:
Letter:
Background:
Scope and Methodology:
IRS's Progress on Financial Management Recommendations:
Open Recommendations Grouped by Control Activity:
Open Recommendations Arranged by Related Material Weakness, Significant
Deficiency, Compliance Issue, or Other Control Issue:
Concluding Observations:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations from Internal Revenue Service
Financial Audits and Related Management Reports:
Appendix II: Open Recommendations Arranged by Control or Compliance
Issue:
Financial Reporting:
Unpaid Tax Assessments:
Information Security:
Tax Revenue and Refunds:
Release of Federal Tax Liens:
Other Control Issues:
Appendix III: Comments from the Internal Revenue Service:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Summary of Open Recommendations:
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
Table 3: Recommendations to Improve IRS's Segregation of Duties:
Table 4: Recommendation to Improve IRS's Controls over Information
Processing:
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control:
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording
of Transactions and Events:
Table 8: Recommendations to Improve IRS's Execution of Transaction and
Events:
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
Table 11: Recommendations to Improve IRS's Management of Human Capital:
Table 12: Material Weakness: Controls over Financial Reporting:
Table 13: Material Weakness: Controls over Unpaid Assessments:
Table 14: Significant Deficiency: Controls over Revenues and Issuing
Refunds:
Table 15: Compliance with Laws and Regulations: Timely Release of
Liens:
Table 16: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
Abbreviations:
CCTV: closed circuit television:
CDDB: Custodial Detail Data Base:
FFMIA: Federal Financial Management Improvement Act of 1996:
FISCAM: Federal Information System Controls Audit Manual:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
IDRS: Integrated Data Retrieval System:
IRACS: Interim Revenue and Accounting Control System:
IRM: Internal Revenue Manual:
IRS: Internal Revenue Service:
LMSB: Large and Mid-sized Business:
NFC: National Finance Center:
OMB: Office of Management and Budget:
P&E: property and equipment:
SCC: service center campus:
SETS: Security Entry and Tracking System:
TAC: taxpayer assistance center:
TE/GE: Tax Exempt and Government Entities:
TFRP: Trust Fund Recovery Penalty:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 25, 2009:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Dear Mr. Shulman:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2008, IRS
collected about $2.7 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $426 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities affect virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.
IRS has made much progress in improving its financial management since
it was first required to prepare a set of financial statements and have
them in fiscal year 1992. This progress was reflected in its ability to
obtain and maintain a clean audit opinion on its financial statements
each year beginning in fiscal year 2000, to correct several material
internal control weaknesses over the years, and to make many other
improvements in internal control. At the same time, more remains to be
done to address long-standing internal control issues that continue to
exist at the agency. IRS continues to have weak or ineffective internal
controls over fundamental elements of its operations that leave it
vulnerable to a greater risk of fraud, waste, abuse, and mismanagement.
This, in turn, has the potential to affect the lives of the nation's
taxpayers, as our audits over the years have demonstrated. For example,
IRS's continued failure to promptly release federal tax liens could
cause undue hardship and burden to taxpayers who are attempting to sell
property or apply for commercial credit.
An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.[Footnote 1] Unfortunately, IRS
continues to be challenged with several long-standing material
weaknesses in internal control that are at the heart of IRS's
operations.[Footnote 2] During our audit of IRS's fiscal year 2008
financial statements, we continued to find material weaknesses in
controls over:
* financial reporting,
* unpaid tax assessments, and:
* information systems security.
In addition to the material weaknesses, we continued to identify a
significant deficiency involving IRS's control over tax revenue and
refunds, which hampers IRS's ability to optimize the use of its
resources to collect unpaid taxes and minimize payments of improper
refunds. This significant deficiency was downgraded from a material
weakness in fiscal year 2008 because IRS took significant steps to
address the deficiencies comprising the material weakness, such as
enhancing its cost accounting capabilities and performance measures.
To assist IRS in strengthening its internal controls and improving its
operations, we have made numerous recommendations as part of our annual
financial statement audits and other financial management-related work
at IRS. This report is being provided to you to (1) provide the status
of financial audit and financial management-related recommendations and
the actions needed to address them and (2) demonstrate how the
recommendations relate to control activities central to IRS's mission
and goals. We are not making any recommendations in this report.
Our work was performed from December 2008 through May 2009 in
accordance with generally accepted government auditing standards. For
further details regarding our approach to this audit, see the Scope and
Methodology section.
Background:
Internal control is not one event, but a series of activities that
occur throughout an entity's operations and on an ongoing basis.
Internal control should be recognized as an integral part of each
system that management uses to regulate and guide its operations rather
than as a separate system within an agency. In this sense, internal
control is management control that is built into the entity as a part
of its infrastructure to help managers run the entity and achieve their
goals on an ongoing basis.
Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires
agencies to establish and maintain internal control. The agency head
must annually evaluate and report on the control and financial systems
that protect the integrity of federal programs. The requirements of
FMFIA serve as an umbrella under which other reviews, evaluations, and
audits should be coordinated and considered to support management's
assertion about the effectiveness of internal control over operations,
financial reporting, and compliance with laws and regulations.
Office of Management and Budget (OMB) Circular No. A-123, Management's
Responsibility for Internal Control, provides the implementing guidance
for FMFIA, and sets out the specific requirements for assessing and
reporting on internal controls consistent with the internal control
standards issued by the Comptroller General of the United States.
[Footnote 3] The circular defines management's responsibilities related
to internal control and the process for assessing internal control
effectiveness, and provides specific requirements for conducting
management's assessment of the effectiveness of internal control over
financial reporting. The circular requires management to annually
provide assurances on internal control in its performance and
accountability report, and for each of the 24 Chief Financial Officers
Act agencies to include a separate assurance on internal control over
financial reporting, along with a report on identified material
weaknesses and corrective actions.[Footnote 4] The circular also
emphasizes the need for integrated and coordinated internal control
assessments that synchronize all internal control-related activities.
FMFIA requires GAO to issue standards for internal control in the
federal government. The Standards for Internal Control in the Federal
Government (i.e., internal control standards) provides the overall
framework for establishing and maintaining effective internal control
and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.
As summarized in the internal control standards, internal control in
the government is defined by the following five elements, which also
provide the basis against which internal controls are to be evaluated:
* Control environment: Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management.
* Risk assessment: Internal control should provide for an assessment of
the risks the agency faces from both external and internal sources.
* Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives.
* Information and communications: Information should be recorded and
communicated to management and others within the entity who need it and
in a form and within a time frame that enables them to carry out their
internal control and other responsibilities.
* Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
A key objective in our annual audits of IRS's financial statements is
to obtain reasonable assurance that IRS maintained effective internal
controls with respect to financial reporting, including safeguarding of
assets, and compliance with laws and regulations. While we use all five
elements of internal control as a basis for evaluating the
effectiveness of IRS's internal controls, our ongoing evaluations and
tests have focused heavily on control activities to identify internal
control weaknesses and offer recommendations for corrective action.
Control activities are the policies, procedures, techniques, and
mechanisms that enforce management's directives. In other words, they
are the activities conducted in the everyday course of business that
are intended to accomplish a control objective, such as ensuring IRS
employees successfully complete background checks prior to being
granted access to taxpayer information and receipts. As such, control
activities are an integral part of an entity's planning, implementing,
reviewing, and accountability for stewardship of government resources
and achievement of effective results.
Scope and Methodology:
To accomplish our objectives, we evaluated the effectiveness of
corrective actions IRS implemented during fiscal year 2008 in response
to open recommendations as part of our fiscal years 2008 and 2007
financial audits. To determine the current status of the
recommendations, we (1) obtained IRS's reported status of each
recommendation and corrective action taken or planned as of April 2009,
(2) compared IRS's reported status to our fiscal year 2008 audit
findings to identify any differences between IRS's and our conclusions
regarding the status of each recommendation, and (3) performed
additional follow-up work regarding IRS's actions taken to address the
open recommendations.
In order to determine how these recommendations fit within IRS's
management and internal control structure, we compared the open
recommendations and the issues that gave rise to them, to the control
activities listed in the internal control standards and to the list of
major factors and examples outlined in our Internal Control Management
and Evaluation Tool.[Footnote 5] We also considered how the
recommendations and the underlying issues were categorized in our prior
reports; whether IRS had addressed, in whole or in part, the underlying
control issues that gave rise to the recommendations; and other legal
requirements and implementing guidance, such as OMB Circular No. A-123;
FMFIA; and the Federal Information System Controls Audit Manual
(FISCAM).[Footnote 6]
Our work was performed from December 2008 through May 2009 in
accordance with generally accepted government auditing standards.
Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2008 and 2007
financial statements.[Footnote 7]
We requested comments on a draft of this report from the Commissioner
of Internal Revenue or his designee on May 26, 2009. We received
comments from the Commissioner on June 11, 2009. We have reprinted
IRS's written comments in appendix III.
IRS's Progress on Financial Management Recommendations:
IRS continues to make progress addressing its significant financial
management challenges. Over the years since we first began auditing
IRS's financial statements in fiscal year 1992, IRS has taken actions
that enabled us to close over 200 of our financial management-related
recommendations. This includes 35 recommendations we are closing based
on actions IRS took during the period covered by our fiscal year 2008
financial audit. At the same time, however, our audits continue to
identify additional internal control issues, resulting in further
recommendations for corrective action, including 16 new financial
management-related recommendations resulting from our fiscal year 2008
financial audit. These internal control issues, and the resulting
recommendations, can be directly traced to the control activities in
the internal control standards. As such, it is essential that they be
fully addressed and resolved to strengthen IRS's overall financial
management to efficiently and effectively achieve its goals and
mission.
Status of Recommendations Based on the Fiscal Year 2008 Financial
Statement Audit:
In July 2008, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2007 and prior year
financial audits and other financial management-related work.[Footnote
8] In that report, we identified 81 audit recommendations that remained
open and thus required corrective action by IRS. A significant number
of these recommendations had been open for several years, either
because IRS had not taken corrective action or because the actions
taken had not yet effectively resolved the issues that gave rise to the
recommendations.
IRS continued to work to address many of the internal control issues to
which these open recommendations relate. In the course of performing
our fiscal year 2008 financial audit, we identified numerous actions
IRS took to address many of its internal control issues. On the basis
of IRS's actions, which we were able to substantiate through our audit,
we are able to close 35 of these prior years' recommendations. IRS
considers another 18 of the prior years' recommendations to be
effectively addressed. However, we still consider them to be open
either because we have not yet been able to verify the effectiveness of
IRS's actions or because, in our view, the actions taken did not fully
address the issue that gave rise to the recommendation.
Forty-six recommendations from prior years remain open, a significant
number of which have been outstanding for several years. During our
audit of IRS's fiscal year 2008 financial statements, we identified
additional issues that require corrective action. In a recent
management report to IRS,[Footnote 9] we discussed these issues, and
made 16 new recommendations to address them. Consequently, 62 financial
management-related recommendations need to be addressed. While most of
these can be addressed in the short term,[Footnote 10] a few,
particularly those concerning IRS's automated systems, are complex and
will require several more years to fully and effectively address. We
consider 52 recommendations to be short-term and 10 to be long-term.
In addition to the 62 open recommendations from our financial audits
and other financial management-related work, there are 74 open
recommendations stemming from our assessment of IRS's information
security controls over key financial systems, information, and
interconnected networks. Those 74 primarily relate to lack of an
agencywide information security program, which was a key reason for the
material weakness in IRS's information systems security controls over
its financial and tax processing systems. Unresolved, previously
reported recommendations and newly identified recommendations related
to information security increase the risk of unauthorized disclosure,
modification, or destruction of financial and sensitive taxpayer data.
Recommendations resulting from the information security issues
identified in our annual audits of IRS's financial statements are
reported separately because of the sensitive nature of these issues.
Appendix I presents a list of (1) the 81 recommendations based on our
financial statement audits and other financial management-related work
that we had not previously reported as closed, (2) IRS-reported
corrective actions taken or planned as of April 2009, and (3) our
analysis of whether the issues that gave rise to the recommendations
have been effectively addressed based primarily on the work performed
during our fiscal year 2008 financial statement audit. Appendix I
includes recommendations based on our fiscal year 2008 financial
statement audit. The appendix lists the recommendations by the date on
which the recommendation was made and by report number. Appendix II
presents the open recommendations arranged by related material
weakness, significant deficiency, compliance issue, or other control
issue as described in our opinion report on IRS's financial statements.
[Footnote 11]
Open Recommendations Grouped by Control Activity:
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to
them, to internal control activities that are central to IRS's tax
administration responsibilities provides insight regarding their
significance.
The internal control standards define 11 control activities grouped
into three broad categories as shown in table 1.[Footnote 12] The open
recommendations from our financial audits and financial management-
related work, and the underlying issues that gave rise to them, can be
traced to one of the control activities.
Table 1: Summary of Open Recommendations:
Control category/control activity: Safeguarding of assets and security
activities: Physical control over vulnerable assets;
Open at the beginning of 2008: 9;
Closed during 2008 audit: 4;
New from 2008 audit: 6;
Total remaining open: 11;
Percentage: 18.
Control category/control activity: Safeguarding of assets and security
activities: Segregation of duties;
Open at the beginning of 2008: 3;
Closed during 2008 audit: 0;
New from 2008 audit: 0;
Total remaining open: 3;
Percentage: 5.
Control category/control activity: Safeguarding of assets and security
activities: Controls over information processing;
Open at the beginning of 2008: 1;
Closed during 2008 audit: 0;
New from 2008 audit: 0;
Total remaining open: 1;
Percentage: 1.
Control category/control activity: Safeguarding of assets and security
activities: Access restrictions to and accountability for resources and
records;
Open at the beginning of 2008: 8;
Closed during 2008 audit: 3;
New from 2008 audit: 0;
Total remaining open: 5;
Percentage: 8.
Control category/control activity: Safeguarding of assets and security
activities: Subtotal;
Open at the beginning of 2008: 21;
Closed during 2008 audit: 7;
New from 2008 audit: 6;
Total remaining open: 20;
Percentage: 32.
Control category/control activity: Proper recording and documenting of
transactions: Appropriate documentation of transactions and internal
controls;
Open at the beginning of 2008: 12;
Closed during 2008 audit: 3;
New from 2008 audit: 0;
Total remaining open: 9;
Percentage: 15.
Control category/control activity: Proper recording and documenting of
transactions: Accurate and timely recording of transactions and events;
Open at the beginning of 2008: 18;
Closed during 2008 audit: 9;
New from 2008 audit: 3;
Total remaining open: 12;
Percentage: 19.
Control category/control activity: Proper recording and documenting of
transactions: Proper execution of transactions and events;
Open at the beginning of 2008: 3;
Closed during 2008 audit: 1;
New from 2008 audit: 1;
Total remaining open: 3;
Percentage: 5.
Control category/control activity: Proper recording and documenting of
transactions: Subtotal;
Open at the beginning of 2008: 33;
Closed during 2008 audit: 13;
New from 2008 audit: 4;
Total remaining open: 24;
Percentage: 39.
Control category/control activity: Effective management review and
oversight: Reviews by management at the functional or activity level;
Open at the beginning of 2008: 19;
Closed during 2008 audit: 9;
New from 2008 audit: 3;
Total remaining open: 13;
Percentage: 21.
Control category/control activity: Effective management review and
oversight: Establishment and review of performance measures and
indicators;
Open at the beginning of 2008: 3;
Closed during 2008 audit: 3;
New from 2008 audit: 3;
Total remaining open: 3;
Percentage: 5.
Control category/control activity: Effective management review and
oversight: Management of human capital;
Open at the beginning of 2008: 5;
Closed during 2008 audit: 3;
New from 2008 audit: 0;
Total remaining open: 2;
Percentage: 3.
Control category/control activity: Effective management review and
oversight: Subtotal;
Open at the beginning of 2008: 27;
Closed during 2008 audit: 15;
New from 2008 audit: 6;
Total remaining open: 18;
Percentage: 29.
Control category/control activity: Total;
Open at the beginning of 2008: 81;
Closed during 2008 audit: 35;
New from 2008 audit: 16;
Total remaining open: 62;
Percentage: 100.
Source: GAO analysis of the status of financial management
recommendations made to IRS.
[End of table]
As table 1 indicates, 20 recommendations (32 percent) relate to issues
associated with IRS's lack of effective controls over safeguarding of
assets and security activities. Another 24 recommendations (39 percent)
relate to issues associated with IRS's inability to properly record and
document transactions. The remaining 18 open recommendations (29
percent) relate to issues associated with the lack of effective
management review and oversight.
On the following pages, we group the 62 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented
in the internal control standards and briefly identify some of the key
IRS operations that fall under that control activity. Although not
comprehensive, the descriptions are intended to help explain why
actions to strengthen these control activities are important for IRS to
efficiently and effectively carry out its overall mission. For each
recommendation, we also indicate whether it is a short-term or long-
term recommendation. For those characterized as short-term, we believe
that IRS has the capability to implement solutions within 2 years.
Safeguarding of Assets and Security Activities:
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of
the most important control activities at IRS is the safeguarding of
assets. Internal control in this important area should be designed to
provide reasonable assurance regarding prevention or prompt detection
of unauthorized acquisition, use, or disposition of an agency's assets.
We have grouped together the four control activities in the internal
control standards that relate to safeguarding of assets (including tax
receipts) and security activities (such as limiting access to only
authorized personnel): (1) physical control over vulnerable assets, (2)
segregation of duties, (3) controls over information processing, and
(4) access restrictions to and accountability for resources and
records.
Physical Control over Vulnerable Assets:
Internal control standard: An agency must establish physical control to
secure and safeguard vulnerable assets. Examples include security for
and limited access to assets such as cash, securities, inventories, and
equipment which might be vulnerable to risk of loss or unauthorized
use. Such assets should be periodically counted and compared to control
records.
IRS collects trillions of dollars in taxes each year, a significant
amount of which is collected in the form of checks and cash accompanied
by tax returns and related information. IRS collects taxes both at its
own facilities as well as at lockbox banks that operate under contract
with the Department of the Treasury's (Treasury) Financial Management
Service. IRS acts as custodian for (1) the tax payments it receives
until they are deposited in the General Fund of the U.S. Treasury and
(2) the tax returns and related information it receives until they are
either sent to the Federal Records Center or destroyed. IRS is also
charged with controlling many other assets, such as computers and other
equipment, but IRS's legal responsibility to safeguard tax returns and
the confidential information taxpayers provide on tax returns makes the
effectiveness of its internal controls with respect to physical
security essential.
While effective physical safeguards over receipts should exist
throughout the year, such safeguards are especially important during
the peak tax filing season. Each year during the weeks preceding and
shortly after April 15, an IRS service center campus (SCC) or lockbox
bank may receive and process daily over 100,000 pieces of mail
containing returns, receipts, or both. The dollar value of receipts
each SCC and lockbox bank processes increases to hundreds of millions
of dollars a day during the April 15 time frame.
The following 11 recommendations are designed to improve IRS's physical
controls over vulnerable assets. We consider all of them to be
correctable on a short-term basis. (See table 2.)
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
ID no.: 04-08;
Recommendations: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms. (short-term)
ID no.: 06-05;
Recommendations: Equip all Taxpayer Assistance Centers (TACs) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers such as locked doors marked with signs
barring entrance by unescorted customers. (short-term)
ID no.: 06-08;
Recommendations: Enforce the requirement that all security or other
responsible personnel at service center campuses (SCC) and lockbox
banks record all instances involving the activation of intrusion
alarms, regardless of the circumstances that may have caused the
activation. (short-term)
ID no.: 07-04;
Recommendations: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions. (short-term)
ID no.: 07-20;
Recommendations: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed and/or
shipped out. (short-term)
ID no.: 09-03;
Recommendations: Document in the Internal Revenue Manual (IRM) minimum
requirements for establishing criteria for time discrepancies or other
inconsistencies, which if noted as part of the required monitoring of
Form 10160, Receipt for Transport of IRS Deposit, would require off-
site surveillance of couriers. (short-term)
ID no.: 09-04;
Recommendations: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term)
ID no.: 09-06;
Recommendations: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each test
is conducted. (short-term)
ID no.: 09-07;
Recommendations: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date. (short-term)
ID no.: 09-08;
Recommendations: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term)
ID no.: 09-09;
Recommendations: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Segregation of Duties:
Internal control standard: Key duties and responsibilities need to be
divided or segregated among different people to reduce the risk of
error or fraud. This should include separating the responsibilities for
authorizing transactions, processing and recording them, reviewing the
transactions, and handling any related assets. No one individual should
control all key aspects of a transaction or event.
IRS employees process trillions of dollars of tax receipts each year,
of which hundreds of billions are received in the form of cash or
checks, and for processing hundreds of billions of dollars in refunds
to taxpayers.[Footnote 13] Consequently, it is critical that IRS
maintain appropriate separation of duties to allow for adequate
oversight of staff and protection of these vulnerable resources so that
no single individual would be in a position of causing an error or
irregularity, potentially converting the asset to personal use, and
then concealing it. For example, when an IRS field office or lockbox
bank receives taxpayer receipts and returns, it is responsible for
depositing the cash and checks in a depository institution and
forwarding the related information received to an SCC for further
processing. In order to adequately safeguard receipts from theft, the
person responsible for recording the information from the taxpayer
receipts on a voucher should be different from the individual who
prepares those receipts for transmittal to the SCC for further
processing. Also, for procurement of goods and services, the person who
places an order for goods and services should be different from the
person who receives the goods and services. Such separation of duties
will help to prevent the occurrence of fraud, theft of IRS assets, or
both.
Implementing the following three recommendations would help IRS improve
its separation of duties, which will in turn strengthen its controls
over tax receipts and refunds and procurement activities. All are short-
term in nature. (See table 3.)
Table 3: Recommendations to Improve IRS's Segregation of Duties:
ID no.: 02-16;
Recommendations: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments. (short-
term)
ID no.: 05-32;
Recommendations: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed units
of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term)
ID no.: 07-21;
Recommendations: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Controls over Information Processing:
Internal control standard: A variety of control activities are used in
information processing. Examples include edit checks of data entered,
accounting for transactions in numerical sequences, and comparing file
totals with control totals. There are two broad groupings of
information systems control--general control (for hardware such as
mainframe, network, end-user environments) and application control
(processing of data within the application software). General controls
include entitywide security program planning, management, and backup
recovery procedures and contingency and disaster planning. Application
controls are designed to help ensure completeness, accuracy,
authorization, and validity of all transactions during application
processing.
IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax
processing responsibilities, IRS relies extensively on interconnected
networks of computer systems to perform various functions, such as
collecting and storing taxpayer data, processing tax returns,
calculating interest and penalties, generating refunds, and providing
customer service.
As part of our annual audits of IRS's financial statements, we assess
the effectiveness of IRS's information security controls over key
financial systems, data, and interconnected networks at IRS's critical
data processing facilities that support the processing, storage, and
transmission of sensitive financial and taxpayer data.[Footnote 14]
From that effort over the years, we have identified information
security control weaknesses that impair IRS's ability to ensure the
confidentiality, integrity, and availability of its sensitive financial
and taxpayer data. As of January 2009, there were 74 open
recommendations from our information security work designed to improve
IRS's information security controls.[Footnote 15] As discussed
previously, recommendations resulting from our information security
work are reported separately and are not included in this report
primarily because of the sensitive nature of these issues.
However, the following short-term recommendation is related to systems
limitations and IRS's need to enhance its computer programs. (See table
4.)
Table 4: Recommendation to Improve IRS's Controls over Information
Processing:
ID no.: 02-18;
Recommendations: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Access Restrictions to and Accountability for Resources and Records:
Internal control standard: Access to resources and records should be
limited to authorized individuals, and accountability for their custody
and use should be assigned and maintained. Periodic comparison of
resources with the recorded accountability should be made to help
reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Because IRS deals with a large volume of cash and checks, it is
imperative that it maintain strong controls to appropriately restrict
access to those assets, the records that track those assets, and
sensitive taxpayer information. Although IRS has a number of both
physical and information systems controls in place, some of the issues
we have identified in our financial audits over the years pertain to
ensuring that those individuals who have direct access to these cash
and checks are appropriately vetted before being granted access to
taxpayer receipts and information and to ensuring that IRS maintains
effective access security control.
The following five short-term recommendations were intended to help IRS
improve its access restrictions to assets and records. (See table 5.)
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
ID no.: 08-12;
Recommendations: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term)
ID no.: 08-13;
Recommendations: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term)
ID no.: 08-15;
Recommendations: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term)
ID no.: 08-16;
Recommendations: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles. (short-term)
ID no.: 08-17;
Recommendations: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Recording and Documenting of Transactions:
IRS has a number of internal control issues that relate to recording
transactions, documenting events, and tracking the processing of
taxpayer receipts or information. We have grouped three control
activities together that relate to proper recording and documenting of
transactions: (1) appropriate documentation of transactions and
internal controls, (2) accurate and timely recording of transactions
and events, and (3) proper execution of transactions and events.
Appropriate Documentation of Transactions and Internal Control:
Internal control standard: Internal control and all transactions and
other significant events need to be clearly documented, and the
documentation should be readily available for examination. The
documentation should appear in management directives, administrative
policies, or operating manuals and may be in paper or electronic form.
All documentation and records should be properly managed and
maintained.
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract
to process taxpayer receipts for the federal government. Therefore, it
is important that IRS maintain effective controls to ensure that all
documents and records are properly and timely recorded, managed, and
maintained both at its facilities and at the lockbox banks. IRS must
adequately document and disseminate its procedures to ensure that they
are available for IRS employees. IRS must also document its management
reviews of controls, such as those regarding refunds and returned
checks, credit card purchases, and reviews of taxpayer assistance
centers (TAC). Finally, to ensure future availability of adequate
documentation, IRS must ensure that its systems, particularly those now
being developed and implemented, have appropriate capability to trace
transactions.
Resolving the following nine recommendations would assist IRS in
improving its documentation of transactions and internal control
procedures. Eight of these recommendations are short-term, and one is
long-term. (See table 6.)
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control:
ID no.: 05-39;
Recommendations: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term)
ID no.: 06-01;
Recommendations: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term)
ID no.: 06-02;
Recommendations: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term)
ID no.: 06-04;
Recommendations: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term)
ID no.: 06-07;
Recommendations: Document supervisory visits by offsite managers to
TACs not having a manager permanently on-site. This documentation
should be signed by the manager and should (1) record the time and date
of the visit, (2) identify the manager performing the visit, (3)
indicate the tasks performed during the visit, (4) note any problems
identified, and (5) describe corrective actions planned. (short-term)
ID no.: 07-15;
Recommendations: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the Internal Revenue Manual (IRM)
requirement to timely record bankruptcy discharge information onto
taxpayer accounts in the master file or to manually release the liens
in the Automated Lien System. (short-term)
ID no.: 08-01;
Recommendations: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA). (long-
term)
ID no.: 08-02;
Recommendations: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid assessment
estimation process. (short-term)
ID no.: 08-07;
Recommendations: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting the
results. This guidance should include a description of the key controls
that should be in place at outlying TACs, specify how often these key
controls should be reviewed, and specify how the results of each review
should be documented, including follow-up on issues identified in
previous TAC reviews. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Accurate and Timely Recording of Transactions and Events:
Internal control standard: Transactions should be promptly recorded to
maintain their relevance and value to management in controlling
operations and making decisions. This applies to the entire process or
life cycle of a transaction or event from the initiation and
authorization through its final classification in summary records. In
addition, control activities help to ensure that all transactions are
completely and accurately recorded.
IRS maintains taxpayer records for tens of millions of taxpayers in
addition to maintaining its own financial records. To carry out this
responsibility, IRS often has to rely on outdated computer systems or
manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, an effort that is long-term and
partly depends on future funding.
Implementation of the following 12 recommendations would strengthen
IRS's recordkeeping abilities. (See table 7.) Seven of these
recommendations are short-term, and 5 are long-term regarding
requirements for new systems for maintaining taxpayer records. Several
of the recommendations listed deal with financial reporting processes,
such as maintaining subsidiary records, recording budgetary
transactions, and tracking program costs. Some of the issues that gave
rise to several of our recommendations directly affect taxpayers, such
as those involving duplicate assessments, errors in calculating and
reporting manual interest, errors in calculating penalties, and
recovery of trust fund penalty assessments. Seven of these
recommendations have remained open at least 5 years and one over 10
years, reflecting the complex nature of the underlying systems issues
that must be resolved to fully address some of these issues.
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording
of Transactions and Events:
ID no.: 94-02;
Recommendations: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term)
ID no.: 99-01;
Recommendations: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received. (short-term)
ID no.: 99-03;
Recommendations: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term)
ID no.: 99-20;
Recommendations: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance. (long-term)
ID no.: 99-36;
Recommendations: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term)
ID no.: 01-17;
Recommendations: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term)
ID no.: 01-39;
Recommendations: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term)
ID no.: 06-22;
Recommendations: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term)
ID no.: 08-06;
Recommendations: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM. (long-term)
ID no.: 09-01;
Recommendations: Correct the Integrated Data Retrieval System (IDRS)
computer program for identifying individual taxpayers who have entered
into an installment agreement so that except in situations where the
taxpayer did not file the tax return timely, failure-to-pay penalty
assessments made after the date of the installment agreement are
calculated using the monthly one-quarter of one percent penalty rate on
all of the taxpayer's accounts covered by the installment agreement.
(short-term)
ID no.: 09-12;
Recommendations: Reiterate IRS's existing policy requiring that
transactions be recorded accurately to the undelivered orders
obligation accounts. (short-term)
ID no.: 09-13;
Recommendations: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Execution of Transactions and Events:
Internal control standard: Transactions and other significant events
should be authorized and executed only by persons acting within the
scope of their authority. This is the principal means of ensuring that
only valid transactions to exchange, transfer, use, or commit resources
and other events are initiated or entered into. Authorizations should
be clearly communicated to managers and employees.
Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.[Footnote 16] IRS
requires that all manual refunds be approved by designated officials.
However, weaknesses in controls for authorizing such refunds expose the
federal government to losses because of the issuance of improper
refunds. Likewise, the failure to ensure that employees obtain
appropriate authorizations to use purchase cards or initiate travel
similarly leave the government open to fraud, waste, or abuse. Dealing
with the following three short-term recommendations would improve IRS's
controls over its manual refund, travel, and purchase card
transactions. (See table 8.)
Table 8: Recommendations to Improve IRS's Execution of Transaction and
Events:
ID no.: 05-37;
Recommendations: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds. (short-
term)
ID no.: 08-24;
Recommendations: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term)
ID no.: 09-10;
Recommendations: Develop, document, and implement procedures to
regularly monitor the timeliness of purchase card approvals. This
should include establishing procedures and responsibility for
identifying and following up on instances of noncompliance with
required approval timeframes. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Effective Management Review and Oversight:
All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set
the objectives, put control activities in place, and monitor and
evaluate controls to ensure that they are followed. Without adequate
monitoring by managers, there is a risk that internal control
activities may not be carried out effectively and in a timely manner.
We have grouped three control activities related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of
performance measures and indicators, and (3) management of human
capital. Although we also include the control activity "top-level
reviews of actual performance" in this grouping, we do not have any
open recommendations to IRS related to this internal control activity.
Reviews by Management at the Functional or Activity Level:
Internal control standard: Managers need to compare actual performance
to planned or expected results throughout the organization and analyze
significant differences.
IRS employs over 100,000 full-time and seasonal employees. In addition,
as discussed earlier, Treasury's Financial Management Service contracts
with banks to process tens of thousands of individual receipts,
totaling hundreds of billions of dollars. Management oversight of
operations is important at any organization, but is imperative at IRS
given its mission.
Implementing the following 11 short-term and 2 long-term
recommendations would improve IRS's management oversight of courier
services, contractor facilities, penalty calculations, timely release
of liens, issuance of manual refunds, and use of appropriated funds.
(See table 9.) These recommendations were made because an internal
control activity either did not exist or the existing control was not
being adequately or consistently applied.
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
ID no.: 99-22;
Recommendations: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls. (short-term)
ID no.: 01-06;
Recommendations: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term)
ID no.: 05-33;
Recommendations: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term)
ID no.: 05-38;
Recommendations: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term)
ID no.: 07-24;
Recommendations: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work. (short-term)
ID no.: 07-25;
Recommendations: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term)
ID no.: 07-27;
Recommendations: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. (short-term)
ID no.: 08-04;
Recommendations: To address the inconsistency in assigning the
effective date of an accuracy-related penalty, modify the Business
Master File computer program so that the date of the deficiency
assessment is used as the effective date of any associated accuracy-
related penalty. (long-term)
ID no.: 08-08;
Recommendations: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers. (short-term)
ID no.: 08-14;
Recommendations: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information; document the
results, including identification of any security issues; and verify
that the contractor has taken appropriate corrective actions on any
security issues observed. (short-term)
ID no.: 09-02;
Recommendations: Add specific requirements to the IRM to require that
manual refund units assign back up staff to perform manual refund
monitoring activities whenever a manual refund initiator is absent for
an extended period of time. (short-term)
ID no.: 09-05;
Recommendations: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide. (long-term)
ID no.: 09-11;
Recommendations: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help employees
distinguish between procurement actions that constitute new obligations
and those that merely adjust or liquidate prior obligations that the
IRS incurred during an expired appropriation's original period of
availability. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Establishment and Review of Performance Measures and Indicators:
Internal control standard: Activities need to be established to monitor
performance measures and indicators. These controls could call for
comparisons and assessments relating different sets of data to one
another so that analyses of the relationships can be made and
appropriate actions taken. Controls should also be aimed at validating
the propriety and integrity of both organizational and individual
performance measures and indicators.
IRS's operations include a vast array of activities encompassing
educating taxpayers, processing of taxpayer receipts and data,
disbursing hundreds of billions of dollars in refunds to millions of
taxpayers, maintaining extensive information on tens of millions of
taxpayers, and seeking collection from individuals and businesses that
fail to comply with the nation's tax laws. Within its compliance
function, IRS has numerous activities, including identifying businesses
and individuals that underreport income, collecting from taxpayers who
do not pay taxes, and collecting from those receiving refunds for which
they are not eligible. Although IRS has at its peak over 100,000
employees, it still faces resource constraints in attempting to fulfill
its duties. It is vitally important for IRS to have sound performance
measures to assist it in assessing its performance and targeting its
resources to maximize the government's return on investment.
However, in past audits we have reported that IRS did not capture costs
at the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a
result, IRS is unable to measure the costs and benefits of its various
collection and enforcement efforts to best target its available
resources.
The following short-term and two long-term recommendations are designed
to assist IRS in (1) evaluating its operations, (2) determining which
activities are the most beneficial, and (3) establishing a good system
for oversight. (See table 10.) These recommendations call for IRS to
measure, track, and evaluate the costs, benefits, or outcomes of its
operations--particularly with regard to identifying its most cost-
effective tax collection activities.
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
ID no.: 09-14;
Recommendations: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means; (2)
define the roles and responsibilities of the CFO and other business
units in the process; and (3) be focused on the goal of determining
what cost information would be useful and the most appropriate means of
developing and reporting it for both existing programs and new programs
as they are initiated. (short-term)
ID no.: 09-15;
Recommendations: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed and should include both personnel costs based
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial
accounting system. (long-term)
ID no.: 09-16;
Recommendations: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and activities
that include measures of the full cost of, and the revenue collected
from, those programs and activities (return on investment) to assist
IRS's managers in optimizing resource allocation decisions and
evaluating the effectiveness of their activities. (long-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Management of Human Capital:
Internal control standard: Effective management of an organization's
workforce--its human capital--is essential to achieving results and an
important part of internal control. Management should view human
capital as an asset rather than a cost. Only when the right personnel
for the job are on board and are provided the right training, tools,
structure, incentives, and responsibilities is operational success
possible. Management should ensure that skill needs are continually
assessed and that the organization is able to obtain a workforce that
has the required skills that match those necessary to achieve
organizational goals. Training should be aimed at developing and
retaining employee skill levels to meet changing organizational needs.
Qualified and continuous supervision should be provided to ensure that
internal control objectives are achieved. Performance evaluation and
feedback, supplemented by an effective reward system, should be
designed to help employees understand the connection between their
performance and the organization's success. As a part of its human
capital planning, management should also consider how best to retain
valuable employees, plan for their eventual succession, and ensure
continuity of needed skills and abilities.
IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens
of thousands of employees spread throughout the country, it is
imperative that management keeps its guidance up-to-date and its staff
properly trained.
Putting the following two short-term recommendations into effect would
assist IRS in its management of human capital. (See table 11.)
Table 11: Recommendations to Improve IRS's Management of Human Capital:
ID no.: 07-08;
Recommendations: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds. (short-
term)
ID no.: 08-03;
Recommendations: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a detailed
supervisory review be performed to ensure: (1) the statistical validity
of the sampling plans, (2) data entered into the sample selection
programs agree with the sampling plans, (3) data entered into the
statistical projection programs agree with IRS's sample review results,
(4) data on the spreadsheets used to compile the interim projections
and roll-forward results trace back to supporting statistical
projection results, and (5) the calculations on these spreadsheets are
mathematically correct. (short-term)
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Open Recommendations Arranged by Related Material Weakness, Significant
Deficiency, Compliance Issue, or Other Control Issue:
For several years, we have reported material weaknesses, significant
deficiencies, noncompliance with laws and regulations, and other
control issues in our annual financial statement audits and related
management reports.[Footnote 17] To assist IRS in addressing those
control issues, appendix II provides summary information regarding the
primary issue to which each open recommendation is related. To compile
this summary, we analyzed the nature of the open recommendations to
relate them to the material weaknesses, significant deficiency,
compliance issue, and other control issues not associated with a
material weakness or significant deficiency identified as part of our
financial statement audit.
Concluding Observations:
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to carry out its mission
more efficiently and more effectively while protecting taxpayers'
information.
Sound financial management and effective internal controls are
essential if IRS is to efficiently and effectively achieve its goals.
IRS has made substantial progress in improving its financial management
since its first financial audit, as evidenced by unqualified audit
opinions on its financial statements for the past 9 years, resolution
of several material internal control weaknesses and significant
deficiencies, and actions taken resulting in the closure of hundreds of
financial management recommendations. This progress has been the result
of hard work by many individuals throughout IRS and sustained
commitment of IRS leadership. Nonetheless, more needs to be done to
fully address the agency's continuing financial management challenges.
Further efforts are needed to address the internal control deficiencies
that continue to exist. Effective implementation of the recommendations
we have made and continue to make through our financial audits and
related work could greatly assist IRS in improving its internal
controls and achieving sound financial management. While we recognize
that some actions--primarily those related to modernizing automated
systems--will take a number of years to resolve, most of the open
recommendations can be addressed in the short term.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS expressed its appreciation
for our acknowledgment of the agency's progress in addressing its
financial management changes as evidenced by our closure of 35 open
financial management recommendations from prior GAO reports. IRS also
commented that it is committed to implementing appropriate improvements
to ensure that it maintains sound financial management practices. We
will review the effectiveness of further corrective actions IRS has
taken or will take to address all open recommendations as part of our
audit of IRS's fiscal year 2009 financial statements.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term
Growth, Senate Committee on Finance. We are also sending copies to the
Chairmen and Ranking Members of the House Committee on Appropriations;
House Committee on Ways and Means; the Chairman and Vice Chairman of
the Joint Committee on Taxation; the Secretary of the Treasury; the
Director of OMB; the Chairman of the IRS Oversight Board; and other
interested parties. The report is also available at no charge on the
GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staffs have any questions concerning this report, please
contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made major contributions
to this report are listed in appendix IV.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
[End of section]
Appendix I: Status of GAO Recommendations from Internal Revenue Service
Financial Audits and Related Management Reports:
This appendix presents a list of (1) the 81 recommendations that we had
not previously reported as closed, (2) Internal Revenue Service (IRS)
reported corrective actions taken or planned as of April 2009, and (3)
our analysis of whether the issues that gave rise to the
recommendations have been effectively addressed. It also includes
recommendations based on our fiscal year 2008 financial statement
audit. The appendix lists the recommendations by the date on which the
recommendation was made and by report number.
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions (short-term);
Source report: Financial Management: Important IRS Revenue Information
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993);
Status per IRS: Open. The Deputy Commissioner, Services and Enforcement
issued a memorandum in July 2008 emphasizing the need to use training
modules and on-site assistance from the Servicewide Interest Program to
ensure accurate calculations. Interest-related training was provided to
personnel by January 2009, and additional guidance will be issued to
Collection field personnel. SB/SE updated Internal Revenue Manual
provisions and made upgrades to the commercial software program
utilized to compute manual interest. SB/SE is developing a random
sampling process to be completed by October 2009 to measure the
accuracy of interest computations;
Status per GAO: Open. During our fiscal year 2006 audit, we tested a
statistical sample of manual interest transactions and estimated that
18 percent of IRS's manual interest population contains errors. We
concluded that IRS controls over this area was still ineffective. The
ineffectiveness of these controls contributes to errors in taxpayer
records, which is a major component of the material weakness in IRS's
management of unpaid assessments. While IRS has undertaken several
actions to strengthen controls over this area, such as updating
guidance and providing training related to manual interest
calculations, it has yet to develop a sampling methodology to monitor
the accuracy of its manual interest computation and assess the
effectiveness of its corrective actions. Consequently, we did not test
IRS controls in this area as part of our fiscal year 2008 audit, as
both we and IRS believed that the actions taken by IRS thus far would
not improve the accuracy of the manual interest calculations. We will
continue to monitor IRS's actions to address this recommendation during
future audits.
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Open. Small Business/Self-Employed (SB/SE) continues to
request programming changes to increase Automated Trust Fund Recovery
systemic processing to reduce the number of accounts requiring manual
intervention. IRS reviews Trust Fund Recovery Penalty (TFRP)
transactions to ensure accurate and timely recording, including
Performance Assurance System reviews by a daily random selection of
closed cases, management reviews of a random selection of both closed
and open casework, and Headquarters Operational Reviews. In addition to
the above reviews, Campus Compliance Services is exploring the
development and implementation of a statistically valid sampling plan
to monitor the accuracy and timeliness of the cross-referencing of
payments and credits to TFRP accounts. The frequency and process for
performing these internal reviews will be considered during
development;
Status per GAO: Open. IRS has made significant progress in this area
over the past several years. For example, IRS established procedures to
more clearly link each penalty assessment against a responsible
corporate officer to a specific tax period of the business account and
began phasing in the use of the Automated Trust Fund Recovery system
intended to properly cross-reference payments received. IRS also
enhanced the Automated Trust Fund Recovery system in fiscal year 2008
to begin automatically reducing the amounts owed on all related
accounts when a payment is received from one related party. However,
the system is currently unable to process all payments related to such
cases. Consequently, IRS must continue to manually reduce the account
balance on related accounts for some payments. Thus, the opportunity
for errors and omissions continues to exist. Our most recent test
indicates that IRS's controls in this area are still not effective in
ensuring that all TFRP payments are correctly credited to all related
parties in a timely manner. We will continue to monitor IRS's actions
to address this recommendation during future audits.
ID no.: 99-03;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Open. IRS is developing the Custodial Detailed Data
Base (CDDB), which it believes will ultimately address many of the
outstanding financial management recommendations. IRS implemented the
first phase of the CDDB during fiscal year 2006. In fiscal year 2008,
IRS enhanced CDDB to record unpaid assessments, including accrued
penalties and interest in the general ledger by the various financial
reporting categories. The Chief Financial Officer's (CFO) office
continues to ensure the accuracy of the TFRP cross-referencing using
weekly CDDB reports. The CFO provides SB/SE with identified errors so
SB/SE can correct the taxpayers account and CDDB can correctly classify
the transactions. CDDB is now classifying approximately 80 percent of
the TFRP inventory where TFRP assessments are appropriately tracked for
all taxpayers liable but counted only once for reporting purposes;
Status per GAO: Open. During fiscal year 2008, IRS enhanced CDDB to
begin regularly recording unpaid assessments, including accrued
penalties and interest, from its master files to its general ledger by
the various financial reporting categories (taxes receivable,
compliance assessments, and write-offs). These enhancements established
CDDB's capability to function as a subsidiary ledger for unpaid tax
debt. However, due to inherent limitations in CDDB programs for
classifying unpaid assessments into the correct financial reporting
categories and inaccuracies in taxpayer records, IRS is still unable to
use CDDB as its subsidiary ledger for external reporting of its unpaid
assessments, and must continue to use a labor-intensive, manual
compensating process to estimate the year-end balances of the various
categories of unpaid tax assessments to avoid material misstatements to
its financial statements. Specifically, IRS had to make over $28
billion in adjustments to the fiscal year-end 2008 gross taxes
receivable balance produced by CDDB as part of its manual estimation
process for financial reporting. Full operational capability of CDDB
depends on the successful implementation of future system releases
planned through 2009 and the ability of these releases to address
current limitations in accurately classifying all of IRS's unpaid
assessments. The lack of a fully functioning subsidiary ledger capable
of producing accurate, useful, and timely information with which to
manage and report externally is a major component of the material
weakness in IRS's management of unpaid assessments. We will continue to
monitor IRS's development of CDDB during our fiscal year 2009 and
future audits.
ID no.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting TFRP assessments. Once these factors have been
determined, IRS should develop procedures to reduce the impact of these
factors and to ensure timely posting to all applicable accounts and
proper offsetting of refunds against unpaid assessments before issuance
(long-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Open. SB/SE completed the Control Point Monitor (CPM)
pilot in May 2008 and prepared a CPM manual. The CPM serves as a
conduit from the Area Office to the Campus for assessment. The CPM
manual establishes specific timeframes in which the CPM must
process/complete required TFRP actions. Implementation of the manual is
currently being negotiated with the National Treasury Employees Union
to address impact and implementation issues resulting from the changes
to the CPM process. SB/SE has created a suite of managerial reports to
provide oversight of the TFRP process. SB/SE continues to submit Work
Requests and Information Technology Assets Management System tickets to
enhance the assessment process to provide greater efficiencies in the
processing and posting of TFRP assessments;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to identify long delays in processing and posting TFRP assessments.
Although IRS has developed a draft of the CPM manual to provide better
guidance for the timely processing of TFRP assessments, the manual is
currently undergoing internal reviews and awaiting final approval for
official use. We will continue to monitor IRS's actions to address this
recommendation during our fiscal year 2009 audit.
ID no.: 99-22;
Recommendation: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls (short-term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Closed. All IRS field offices continue to provide
training and to perform reviews to strengthen controls over
remittances. SB/SE conducts reviews with each territory manager.
Headquarters staff ensures Territory managers are enforcing the
requirement for group managers to randomly sample remittance packages
for review. Each area director receives a report with any findings and
recommendations for implementation. All Tax Exempt and Government
Entities (TE/GE) Division Directors continue to perform operational
reviews to ensure their subordinate groups are properly processing all
checks. TE/GE provides training and notices on these procedures. During
fiscal year 2008, all managers certified in their 2008 Annual Assurance
Review that vulnerable assets, such as cash, securities, and equipment,
are physically secured and access to them is controlled. TE/GE will
also implement by September 2009 requirements to verify that control
procedures are in place during operational reviews, and include
information on proper check handling procedures during training for new
hires and Revenue Agents. Large and Mid-sized Business (LMSB) has
incorporated instructions on the use of the U.S. Treasury Stamp in
training given to new hires as part of their on the job training and
periodically in group meetings. The use of the U.S. Treasury Stamp has
also been incorporated into the Internal Revenue Manual (IRM) and is
part of IRS's standard operating procedure used for processing
payments;
Status per GAO: Open. The objective of this recommendation was to
create a mechanism for IRS to monitor the status of pervasive
weaknesses in controls over taxpayer receipts and information that we
have found at IRS's field offices over the years. The purpose of this
monitoring is to facilitate the timely detection and effective
resolution of issues and to verify the effectiveness of new and
existing policies and procedures on an ongoing basis. During our fiscal
year 2008 audit, we identified instances at (1) four SB/SE units where
there was no segregation of duties between preparation of the payment
posting vouchers and subsequent preparation of the related document
transmittals and transmittal package; (2) four SB/SE units where a
document transmittal form was not prepared when transmitting multiple
Daily Report of Collection Activity forms to the Submission Processing
(SP) Center; (3) three SB/SE units where there was no system in place
to monitor acknowledged/unacknowledged transmittals to the submission
processing center; (4) five SB/SE units where there was no evidence of
managerial review of document transmittals; and (5) all 10 field
offices where there were no procedures in place to verify that names on
the duress alarm contact list were current and that appropriate first
responders were contacted in the event of an emergency. Had IRS
periodically reviewed the effectiveness of these controls in field
offices as we recommended, these issues might have been detected and
corrected. We will continue to assess IRS's actions during our fiscal
year 2009 audit.
ID no.: 99-25;
Recommendation: Ensure that additional staff are employed or existing
staff appropriately cross-trained to be able to perform the master file
extractions and other ad hoc procedures needed for IRS to continually
develop reliable balances for financial reporting purposes (short-
term);
Source report: Internal Revenue Service: Custodial Financial Management
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Closed. IRS augmented its Modernization & Information
Technology Services staff, and cross-trained employees to increase the
appropriate depth of experience to perform the master file extractions
and other ad hoc procedures for financial reporting purposes.
Modernization & Information Technology Services reduced the Assembler
Language Code programmer shortages and increased contractor support by
17 percent. IRS also continues to expand the use of CDDB during the
annual audit, and the addition of trained Modernization & Information
Technology Services and contractor staff ensures development of
reliable balances for financial reporting purposes on a continuing
basis;
Status per GAO: Closed. IRS hired additional staff in the Custodial
Accounting Branch, which has responsibility for the custodial financial
statements. Also, employees were cross-trained and current systems
expanded to better support the financial reporting of revenue, refunds,
and unpaid assessments. In addition, IRS reduced its shortage of
assembly language programmers by holding training classes for
employees.
ID no.: 99-29;
Recommendation: Develop the data to support meaningful cost information
categories and cost-based performance measures (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Status per IRS: Closed. IRS developed a cost accounting policy that
provides guidance on managerial cost concepts for the agency,
established an Office of Cost Accounting within the CFO, and completed
several cost pilot projects to demonstrate the viability of its full
cost methodology at the program level. Performance measures were
enhanced, and the return on investment for the Earned Income Tax Credit
program was completed with full cost information. As demonstrated by
the cost pilots, IRS has the capability to use the cost data within the
Integrated Financial System (IFS) and the associated workload and
production data from IFS and its business unit systems to calculate the
full costs of its products, services, and programs. The IFS contains 4
years of fully allocated cost data;
Status per GAO: Closed. IRS has taken several actions to address this
recommendation and improve its cost accounting capability. For example,
in fiscal year 2007, IRS developed and issued its first cost accounting
policy to provide guidance on the concepts and requirements for
managerial cost accounting within IRS. In addition, in fiscal year
2008, IRS (1) established an Office of Cost Accounting within its CFO,
(2) completed several cost pilots to demonstrate its capability to use
the cost data within IFS and the associated workload and production
data from its business unit systems to calculate the full costs of its
products, services, and programs, and (3) completed development of the
return on investment for the Earned Income Tax Credit program that
includes full cost information. However, IRS has not extended the cost
pilot methodology to develop full cost information on the full range of
IRS's programs. Nevertheless, in order to provide recommendations more
closely aligned with the current status, we have agreed with IRS to
close this recommendation based on IRS's progress to date and have
reported the remaining issues, along with related recommendations for
corrective action, in our June 2009 management report. See GAO-09-513R
and recommendations 09-14 and 09-15 in this report.
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Status per IRS: Open. IRS has established strong internal controls and
procedures to enhance its ability to account for property and equipment
in IFS. IRS is looking at enhancing its asset-tracking system to more
closely reconcile physical asset records to the financial records. This
would enable targeted reconciliations to occur;
Status per GAO: Open. Our fiscal year 2008 property and equipment
valuation testing revealed problems with the linking of the purchase of
assets recorded in the general ledger system to the P&E inventory
system, which indicates that IRS's detailed P&E records do not fully
reconcile to the financial records. We will continue to monitor IRS's
strategy in addressing these financial management systems issues.
ID no.: 01-04;
Recommendation: As an alternative to prematurely suspending active
collection efforts, and using the best available information, develop
reliable cost-benefit data relating to collection efforts for cases
with some collection potential. These cost-benefit data would include
the full cost associated with the increased collection activity (i.e.,
salaries, benefits, administrative support), as well as the expected
additional tax collections generated (Short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Closed. IRS is using a workload delivery model in the
development and monitoring of an Enterprise Collection Plan that aligns
performance measures across all collection organizations to match
results against the corporate measures. Results of the model are used
to project inventory receipt patterns by function and category of work,
allowing for improved management of corporate collection inventory and
resource allocation. New models were implemented in the Inventory
Delivery System on January 12, 2009. The use of a rules engine has also
been incorporated in the Inventory Delivery System to systemically make
changes to case routing based on modeling predictions and rules.
Collection Case Selection continues to provide ad hoc case assignments
for testing case routing. Cases are selected based on a set of criteria
and routed to different treatments to determine where like cases should
be routed in the future. The CFO also included return on investment
calculations for its collection initiatives in the 2007, 2008, and 2009
Budget Submissions;
Status per GAO: Closed. IRS has taken significant steps to address this
recommendation. IRS built sophisticated computer modeling and risk
assessment techniques with increased predictive power to improve IRS's
ability to route unpaid tax cases to the appropriate enforcement
resource. IRS estimated that those changes have resulted in several
billion dollars in additional tax collections. IRS has also established
governance councils for IRS's examination and collection activities.
Finally, IRS has completed several actions to improve its ability to
develop full cost information for its enforcement programs. Although
IRS's actions taken to date are important, they have not fully
addressed the objectives of our recommendation, such as completing the
development of full cost methodologies for IRS's programs and
activities. In order to provide recommendations more closely aligned
with the current status, we have agreed with IRS to close this
recommendation based on IRS's progress to date and have reported the
remaining issues, along with related recommendations for corrective
action, in our June 2009 management report. See GAO-09-513R and
recommendations 09-14, 09-15, and 09-16 in this report.
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS continues to address issues that cause late
lien releases through an internal Lien Release Action Plan and by
conducting reviews as a part of its A-123 controls assessment process.
Based on the annual sample of lien releases, the results of seven
errors (liens released in an untimely manner) in 59 observations, yield
a net most likely error of 12 percent, and (at greater than 95 percent
confidence level), an upper error limit that could be as high as 21
percent. IRS added corrective actions to address issues found during
the review. SB/SE is re-evaluating the fiscal years 2009 and 2010
overall lien release error rate goals and will submit changes to the
Lien Release Action Plan;
Status per GAO: Open. IRS has taken a number of actions over the past
several years to address this issue. However, during our fiscal year
2008 audit, we continued to find that IRS did not always release liens
in a timely manner. In IRS's own Office of Management and Budget (OMB)
A-123 testing of lien releases, it identified 7 instances out of 59
cases tested in which it did not release the applicable federal tax
lien within the statutory 30-day period. The time between the
satisfaction of the liability and release of the lien ranged from 33
days to more than 494 days. Based on these results, IRS estimated that
for about 12 percent of unpaid tax assessment cases that were resolved
in fiscal year 2008, in which it had filed a tax lien, it did not
release the lien within 30 days of the resolution of the case. IRS is
95 percent confident that the percentage of cases in which the lien was
not released within 30 days does not exceed 21 percent. IRS's
ineffective controls over this area results in its noncompliance with
Internal Revenue Code Section 6325 which requires IRS to release its
tax liens within 30 days of the date the related tax liability is fully
satisfied. We will continue to monitor IRS's actions to address this
recommendation in future audits.
ID no.: 01-12;
Recommendation: For (1) IRS's Automated Underreporter and Combined
Annual Wage Reporting programs, (2) screening and examination of Earned
Income Tax Credit claims, and (3) identifying and collecting previously
disbursed improper refunds, use the best available information to
develop reliable cost-benefit data to estimate the tax revenue
collected by, and the amount of improper refunds returned to, IRS for
each dollar spent pursuing these outstanding amounts. These data would
include (1) an estimate of the full cost incurred by IRS in performing
each of these efforts, including the salaries and benefits of all staff
involved, as well as any related nonpersonnel costs, such as supplies
and utilities, and (2) the actual amount (a) collected on tax amounts
assessed and (b) recovered on improper refunds disbursed (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Closed. IRS has taken steps to examine Earned Income
Tax Credit claims, and to address the collection of Automated
Underreporter and Combined Annual Wage Reporting as part of the
workload delivery model. IRS updated the Earned Income Tax Credit error
estimates and identified root causes of non-compliance. Additionally,
in fiscal year 2008, IRS calculated a full-cost return on investment
for Earned Income Tax Credit and completed an Automated Underreporter
cost accounting pilot using IFS cost data. This pilot calculated the
return on investment of Automated Underreporter case closures, which
represented those cases that were closed after a notice was sent to the
taxpayer. IRS established Exam and Collection governance bodies to
improve collection efforts and implemented a modeling tool to better
target collection efforts;
Status per GAO: Closed. IRS has taken significant steps to address this
recommendation, including those listed in the "status per IRS" column.
IRS's cost pilot projects completed in fiscal year 2008, demonstrated
IRS's ability to determine the full cost of its programs. Although
IRS's actions taken to date are important, they have not fully
addressed the objectives of our recommendation. For example, IRS's cost
pilot project methodology is time-consuming and requires intensive
manual intervention, and IRS has not completed the task of developing
methodologies for its programs and activities. In order to provide
recommendations more closely aligned with the current status, we have
agreed with IRS to close this recommendation based on IRS's progress to
date and have reported the remaining issues, along with related
recommendations for corrective action, in our June 2009 management
report. See GAO-09-513R and recommendations 09-14, 09-15, and 09-16 in
this report.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS will continue to pursue alternative
approaches to enhance its ability to account for leasehold
improvements;
Status per GAO: Open. We will continue to monitor IRS's development of
alternative approaches to enhance its ability to account for P&E
assets.
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities (long-term);
Source report: Management Letter: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-01-880R, July 30,
2001);
Status per IRS: Closed. The IRS is tracking and reporting the actual
costs associated with reimbursable agreements through various business
unit work load management tracking systems and IFS. The IRS
Reimbursable Operating Guidelines established the procedures and
processes for capturing direct and indirect costs associated with
reimbursable agreements;
Status per GAO: Open. IRS has improved its methodology for allocating
its costs of operations at the business unit level. However, further
actions are needed for it to accumulate and report actual costs
associated with specific reimbursable projects. We confirmed that IRS's
workload management tracking systems now capture details of time
worked; however, these systems do not capture the full costs associated
with specific reimbursable projects and do not interface with the
general ledger (IFS) to capture all costs. We also noted that the
fiscal year 2008 Reimbursable Operating Guidelines provide detail on
determining the costs that should be included in the cost projection
for a reimbursable agreement. However, the guidelines do not describe a
process for determining the total actual costs incurred at the end of
the agreement term, determining the difference between actuals and the
original cost estimate, and refunding or billing for the difference. We
will continue to monitor IRS's efforts to fully implement its cost
accounting system and, once it has been fully implemented, evaluate the
effectiveness of IRS's procedures for developing cost information for
its reimbursable agreements.
ID no.: 02-08;
Recommendation: Implement policies and procedures to require that all
employees itemize on their time cards the time spent on specific
projects. (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Status per IRS: Closed. Employees itemize how their time is spent on
specific projects/tasks in various workload management systems, and
this information is utilized in the development of cost information
which is used in resource allocation decisions;
Status per GAO: Closed. IRS has taken action to address our
recommendation. We confirmed that IRS currently uses 24 separate
functional tracking (workload management) systems for various
categories of employees to itemize and track their time charges.
Collectively, these systems now capture details of time worked by
project for all employees.
ID no.: 02-09;
Recommendation: Implement policies and procedures to allocate
nonpersonnel costs to programs and activities on a routine basis
throughout the year (long-term);
Source report: Internal Revenue Service: Progress Made, but Further
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19,
2001);
Status per IRS: Closed. IFS allocates nonpersonnel costs to programs
monthly and makes available cost data to managers, including the full
cost of operating business units, and details on the allocated costs
(i.e., building rent, depreciation, support costs, etc.). All business
units can run cost reports as needed;
Status per GAO: Closed. IRS has taken actions to address this
recommendation. We confirmed that IRS has improved its cost accounting
capabilities by developing and implementing a methodology for
allocating its costs of operations to its business units and to the
cost categories on the Statement of Net Cost on a monthly basis.
However, the cost categories on the Statement of Net Cost are at a
higher level than specific programs and activities. Although IRS has
developed full cost information on several IRS programs, IRS has not
developed such information on the full range of IRS programs. However,
in order to provide recommendations more closely aligned with the
current status, we have agreed with IRS to close this recommendation
based on IRS's progress to date and have reported the remaining issues,
along with related recommendations for corrective action, in our June
2009 management report. See GAO-09-513R and recommendations 09-14 and
09-15 in this report.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Closed. Wage and Investment (W&I) has taken a number of
actions to address this recommendation. Field Assistance emphasizes the
requirement for including a document transmittal form listing the Daily
Report of Collection Activity forms in transmittal packages, and
ensuring that they are reconciled and reviewed. Territory managers
review and discuss monthly reports with the group manager. Results of
the reviews are forwarded to the area director. Operational reviews at
all levels are conducted annually to ensure that field offices comply
with the requirement to prepare Form 3210, which lists all Forms 795
being shipped to the SP Center. W&I completed its annual Filing Season
Readiness Workshop for all taxpayer assistance center (TAC) managers,
which addressed remittance and data security. New managers will attend
the "Managing a TAC" course during fiscal year 2009, which provides
ongoing training on payment processing and managerial reviews.
Operational reviews completed for fiscal year 2008 revealed that the
TAC managers are validating employee profiles to ensure restricted
command codes were used according to guidelines;
Status per GAO: Open. While IRS has cited that it is taking a number of
actions to ensure existing receipt control policy requirements for
segregation of duties are followed, one of the main mechanisms it uses
to enforce this policy is training. IRS conducts an annual Filing
Season Readiness Workshop for TAC managers and provides training for
new TAC managers on collecting taxpayer receipts and conducting
managerial reviews. During our review of the handouts provided for the
annual readiness workshop we noted several sections that discussed
IRS's policies related to segregation of duties. In contrast, we found
that the "Managing a TAC" course for new TAC managers did not
specifically address those policies. From our discussions with IRS
officials, the Filing Season Readiness Workshop is conducted annually
during the first quarter of the fiscal year. Consequently, new TAC
managers assigned after the first quarter of the fiscal year will not
receive the same level of training regarding segregation of duties. In
addition, during our recent visits to selected TACs in March 2009, we
found instances where segregation of duties related to accepting and
recording walk-in payments were not implemented.
ID no.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors (short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Open. Agency-Wide Shared Services (AWSS) Personnel
Security has taken several short and long term measures to reduce the
instance of SETS errors. The short-term measures include (1) publishing
instructions on the Personnel Security intranet site for SETS users to
follow while reviewing bi-weekly SETS reports, (2) issuing bi-weekly
emails to all SETS users with the most current reports to be used in
identifying and reporting errors to NFC, and (3) compiling weekly
extracts of all enter-on-duty dates where there were no fingerprint
results or where the results were after the enter-on-duty date and
sending those to each employment office for updates and feedback. The
long-term measures included requesting revisions to SETS;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to identify technical limitations and weaknesses with the SETS
database. In addition, we found 248 instances where SETS was not
updated in a timely manner or correctly for new-hire employees
resulting in errors in the database. We will continue to assess IRS's
actions during our fiscal year 2009 audit.
ID no.: 04-08;
Recommendation: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004);
Status per IRS: Closed. IRS performs monthly unannounced testing of
guard response to alarms and test results are reviewed by the Security
Programs Office to enforce and ensure compliance. Test results on guard
response to alarms are consistently 98 percent or higher, indicating
substantial compliance with IRS guidelines. Test procedures were
formalized in IRM 10.2.14 Methods of Providing Protection, issued on
October 1, 2008. In addition, the Guard Program Specialists from the
Security Programs Office conduct unannounced alarm tests whenever they
visit a site to do a Quality Assurance check of security posture and
programs. Physical Security and Emergency Preparedness (PSEP) continues
to utilize the Audit Management Checklist as a repeatable process where
service center campuses (SCC) quarterly validate the performance and
documentation of monthly unannounced alarm testing;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at two of the three SCCs we visited in which security guards
did not respond to alarms within the time limit outlined in the IRM. In
addition, at another SCC we visited, we identified an instance in which
security guards did not fully investigate the source of an alarm. We
will continue to evaluate IRS's enforcement of these policies and
procedures during our fiscal year 2009 audit.
ID no.: 05-11;
Recommendation: Enforce adherence to existing instructions on
safeguarding taxpayer receipts and information, such as securing access
and candling procedures, at service center campuses selected for
significant reductions in their submission processing functions (short-
term);
Source report: Management Report: Review of Controls over Safeguarding
Taxpayer Receipts and Information at the Brookhaven Service Center
Campus (GAO-05-319R, Mar 10, 2005);
Status per IRS: Closed. W&I Accounts Management continues to enforce
the restricted area access through periodic training. Candling
procedures are reinforced through monthly internal control reviews of
the process. In January 2008, Accounts Management increased management
oversight of internal controls by implementing formal monthly internal
control reviews at the former Submission Processing rampdown sites. A
revised review template was developed to evaluate the quality of IRS's
internal control performance, identify potential deficiencies, and
allow corrective actions to be taken immediately. The monthly results
from each field director are forwarded to the Director, Accounts
Management, and GAO. AWSS provides training when notified by W&I that a
new monitor has been selected or when an existing monitor requires
refresher training. Each campus badge office provides training to the
restricted area door monitors as it pertains to the control, issuance,
and inventory of the non-photo badges that are assigned at each site;
Status per GAO: Closed. Accounts Management implemented a monthly
review to monitor internal controls over taxpayer receipts and
information at campuses selected for reductions in their submission
processing functions.
ID no.: 05-13;
Recommendation: Enforce its existing requirement that appropriate
background investigations be completed for contractors before they are
granted staff-like access to service centers (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. The Program, Planning, and Policy Office
finalized and issued IRM 10.2.5 Identification Card on September 30,
2008. Section 10.2.5.6.2(2)a specifies that red photo ID cards may be
issued to IRS contract employees who have a daily need on a continuing
basis to be on site at a facility over a period of time, and who have
been granted interim or final staff-like access to a facility/work area
with sensitive systems or information. Before a red photo ID card may
be issued, the contracting officer's technical representative must
provide the Physical Security Office with a copy of the Personnel
Security & Investigation background investigation letter approving
interim or final staff-like access. PSEP continues to utilize the Audit
Management Checklist as a repeatable process where SCCs quarterly
validate the filing of contractor background investigation
documentation;
Status per GAO: Closed. We verified that IRS finalized and issued IRM
10.2.5 and continues to utilize the Audit Management Checklist to
ensure that proper documentation is received and on file for
contractors before they are granted staff-like access to service
centers. During our fiscal year 2008 audit, we found no exceptions
relating to SCCs granting contractors staff-like access before
appropriate background investigations were completed.
ID no.: 05-14;
Recommendation: Require that background investigation results for
contractors (or evidence thereof) be on file where necessary, including
at contractor worksites and security offices responsible for
controlling access to sites containing taxpayer receipts and
information (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. The Program, Planning, and Policy Office
finalized and issued IRM 10.2.5 Identification Card on September 30,
2008. IRM 10.2.5.6.2(2)a specifies that the Form 5519, 13716-A or
similar identification request Form 13760, and the interim or final
background investigation letter must be retained and filed in the
identification media file for each contractor for the life of the
identification card. PSEP continues to utilize the Audit Management
Checklist as a repeatable process where SCCs quarterly validate the
filing of contractor background investigation documentation;
Status per GAO: Closed. We verified that IRS finalized and issued IRM
10.2.5 and continues to utilize the Audit Management Checklist to
ensure that proper documentation is received and on file for
contractors before they are granted staff-like access to service
centers. During our fiscal year 2008 audit, we found no exceptions.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed units
of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Open. IRS revised IRM 5.1.2.4, Daily Report of
Collection Activity-Form 795/795A, to establish segregation of duties
procedures with respect to the preparation of Payment Posting Vouchers,
Document Transmittal forms, and transmittal packages in the Collection
Field function;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at four SB/SE units we visited where duties involving the
preparation of payment posting vouchers, document transmittal forms,
and transmittal packages were not segregated. Employees informed us
that they were unaware of a related requirement in the IRM. We will
continue to assess IRS's actions during our fiscal year 2009 audit.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. W&I Field Assistance continues to take actions
to emphasize the requirement for including a document transmittal form
listing the Daily Report of Collection Activity forms in transmittal
packages. Operational reviews were conducted at all levels during
fiscal years 2007 and 2008 to ensure that field offices comply with the
requirement to prepare Form 3210, which lists all Forms 795 shipped to
the SP Center. Further, IRM 1.4.11-11 was revised on October 7, 2008,
to include the purpose, frequency, and documentation required for
managerial reviews, which includes a review of Form 3210s, and trends
and error reports. The outcome of the operational reviews revealed that
managers are complying with the IRM procedures outlined for document
transmittal;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at four SB/SE units where a document transmittal form was not
prepared when transmitting multiple Daily Report of Collection Activity
forms to the SP Center. We will continue to evaluate this issue during
our fiscal year 2009 audit.
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Closed. The IRS enforces documentation requirements
relating to authorizing officials charged with approving manual
refunds. IRS created a standard authorization memorandum in September
2008 for all offices to use. This will negate the disparity among the
campuses in creating local authorization forms. IRS issued its annual
solicitation memorandum for authorizing officials charged with
approving manual refunds in August 2008 and received the annual list of
authorized signatures by October 31, 2008, per IRM 3.17.79.3.5(4) (d).
SP completed a sample review as part of the Monthly Security Review
Checklist per IRM 3.17.79.3.5(3), and completed a 100 percent review of
the new annual list by December 31, 2008;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to find that the documentation requirements on memorandums, which are
submitted to the manual refund units listing officials authorized to
approve manual refunds, were not always complete. For example, some of
the memorandums did not contain the signatures of the Heads of Office
that delegated officials the authority to approve manual refunds while
others did not contain the authorizing official's campus or field
office organization information as required by the IRM. We verified
that IRS created a standard authorization memorandum in September 2008.
However, IRS implemented this corrective action and completed its
review of the new annual list subsequent to our fiscal year 2008 field
work. We will evaluate IRS's corrective actions during our fiscal year
2009 audit.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Open. IRS continued to enforce the requirements for
monitoring accounts and reviewing monitoring of accounts for manual
refunds in fiscal year 2008. SB/SE Campus Compliance Services covered
this topic in both Filing & Payment Compliance and Campus Reporting
Compliance Operations during fiscal year 2008 reviews to ensure
compliance with all IRM provisions for manual refunds. Submission
Processing conducted refresher training at all sites by September 30,
2008, in team meetings and annual continuing professional education
classroom training using IRM 21.4.4 and 3.17.79 as reference materials
to reinforce the monitoring requirements. As a result of recent
findings and quarterly review of the manual refund process in Accounts
Management, both the monitoring and supervisory review process are
being examined to identify means for improvement. Once the review is
complete, consideration will be given to implementing any
recommendations. Accounts Management continues its quarterly reviews of
the manual refund process;
Status per GAO: Open. During our fiscal year 2008 audit, we found
instances where the manual refund initiators did not monitor accounts
to prevent duplicate refunds and supervisors did not review the
monitoring of accounts. IRS's review of the monitoring and supervisory
review process for manual refunds has not been completed. We will
continue to evaluate IRS's corrective actions during our fiscal year
2009 audit.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring actions
and supervisory review for manual refunds (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-05-247R, Apr 27, 2005);
Status per IRS: Open. IRS continued to enforce the requirements for
documenting monitoring actions and supervisory review for manual
refunds in fiscal year 2008. SB/SE Campus Compliance Services covered
this topic in both Filing & Payment Compliance and Campus Reporting
Compliance Operations during their fiscal year 2008 campus reviews to
ensure all campuses continue to comply with all IRM provisions for
manual refunds. Submission Processing conducted refresher training at
all sites by September 30, 2008, in team meetings and annual continuing
professional education classroom training using IRM 21.4.4 and 3.17.79
as reference materials to reinforce the monitoring requirements. As a
result of recent findings and quarterly review of the manual refund
process in Accounts Management, both the monitoring and supervisory
review process are being examined to identify means for improvement.
Once the review is complete, consideration will be given to
implementing any recommendations. Accounts Management continues its
quarterly reviews of the manual refund process;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to find instances where the manual refund initiators did not document
their monitoring of accounts to prevent duplicate refunds. IRS's review
of the monitoring and supervisory review process for manual refunds has
not been completed. We will continue to evaluate IRS's corrective
actions during our fiscal year 2009 audit.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. Accounts Management has procedures in place for
the periodic supervisory review and documentation of the Form 3210
reconciliation process, which is designed to follow up on
unacknowledged forms. This process is designed to provide a timely
account of any discrepancy between the documents listed on the Form
3210 and those received. For the last 3 years, conference calls have
been conducted with each directorate to reinforce the correct
processing of Form 3210s. Recent actions to address the recommendation
include having "Form 3210 Processing" as an agenda item on the Refund
Inquiry Units' conference call. In addition, the quarterly Accounts
Management internal control Form 3210 review now requires that the
Refund Inquiry Unit be included in the review;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
an instance at one SCC where the Refund Inquiry Unit manager did not
perform or document periodic reviews of forms used to transmit returned
refund checks. We will continue to evaluate IRS's actions during our
fiscal year 2009 audit.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. IRS has procedures in place to ensure compliance
with tracking acknowledgement copies of document transmittals. W&I
Account Management continues to analyze the results of its quarterly
reviews. Field Assistance revised the IRM provisions during 2007 to
provide procedures for requiring TACs to follow up with SP Centers when
acknowledgments are not received within 10 days. Field Assistance
revised other IRM provisions to include more detail for processing Form
3210. The IRM provides guidance to maintain centralized files for
acknowledged Form 3210 for three years, and provides guidance for
handling unacknowledged Form 3210. Offices transmitting receipts have a
system to track acknowledged copies of document transmittals. All TE/GE
Division Directors continue to use the Quick Reference Guide for
Processing Checks, including a check sheet and flowchart developed for
the TE/GE Exam Managers to use when performing operational reviews to
ensure their subordinate groups are properly processing all checks.
TE/GE will also implement by September 2009 requirements for each
Examination Area Manager to verify tracking measures are in place in
all their groups. LMSB has completed all its planned actions with
regard to this recommendation and will continue to issue an annual
executive memorandum on Form 3210 procedures around July 2009;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at three SB/SE units and two TACs where there was no system
in place to monitor acknowledged/unacknowledged transmittals to the SP
Center. We will continue to assess IRS's actions during our fiscal year
2009 audit.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. IRS revised the IRM on October 1, 2008, to
include more detail for processing Form 3210. IRM 1.4.11.19.1 provides
guidance to maintain centralized files for acknowledged Form 3210 for 3
years. Operational Reviews revealed that managers are in compliance
with conducting and documenting the document transmittal review that
includes the reconciliation process of Forms 3210 and 795. All managers
were reminded to conduct these reviews at the Filing Season Readiness
Workshop completed by December 15, 2008. The Refund Inquiry Unit
continues to be included in the Accounts Management quarterly internal
control review of document transmittal procedures. The review checklist
includes the timely follow-up and documentation of Form 3210
acknowledgements as well as the required periodic managerial review.
For TE/GE, each front line Examination group manager will ensure they
complete reviews of document transmittals, and TE/GE is adding an
additional question to TE/GE's 2009 Annual Assurance Review to certify
all managers addressed this issue by June 2009;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at five SB/SE units and eight TACs where there was no
evidence of managerial review of document transmittals and one instance
at a SCC where the Refund Inquiry Unit manager did not perform or
document periodic reviews of forms used to transmit returned refund
checks. Moreover, the corrective actions cited by IRS were implemented
after our fiscal year 2008 fieldwork. We will continue to evaluate
IRS's corrective actions during our fiscal year 2009 audit.
ID no.: 06-05;
Recommendation: Equip all TACs with adequate physical security controls
to deter and prevent unauthorized access to restricted areas or office
space occupied by other IRS units, including those TACs that are not
scheduled to be reconfigured to the "new TAC" model in the near future.
This includes appropriately separating customer service waiting areas
from restricted areas in the near future by physical barriers, such as
locked doors marked with signs barring entrance by unescorted customers
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. IRS continues to work to improve security and
control access issues in the TACs. Of the 401 TAC locations, 183 have
been built to design standard, with another 14 scheduled for completion
by the end of January 2009. Forty-five projects have been approved to
implement the TAC model in 2009, with another 30 projects pending final
approval and funding. Forty-four projects are in development for
implementation from 2010 through 2014. IRS will work to address any
concerns with the space design/layout of TAC space and continue to roll
out the TAC Design Model in the remaining locations. While
implementation of the TAC Model Design is the ideal solution,
implementation of compensating controls such as theater ropes or other
barriers, signage and minor alterations/reconfigurations have been
incorporated in many TAC locations as an interim measure. Using a
variety of criteria including security, safety and health concerns, IRS
has identified priority locations for the implementation of the TAC
Design Model;
Status per GAO: Open. We will continue to evaluate IRS's actions during
our fiscal year 2009 audit.
ID no.: 06-07;
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently on-site. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. Field Assistance uses the TAC Security Remittance
Review Database, which requires managers to conduct and document their
reviews to ensure the protection of data and compliance with remittance
and security procedures. Field Assistance implemented the TAC Security
Remittance Review Database during the first quarter of fiscal year
2007. Since implementation, IRS has had numerous problems with the
system due to technological limitations. Some of the problems IRS
encountered include erroneously deleted information and an inability to
save and transmit reports. IRS has attempted to secure funding and
assistance to convert the database to a user-friendly Web version. The
system was converted to a Web-modified application effective the second
quarter of fiscal year 2009. This is only a temporary resolution until
funding is secured. While the database was being revised, the area
offices were still responsible for completing the reviews using Data
Collection Instruments for the first quarter. In addition, IRS also
tested the Web design prior to its implementation and has initiated a
review process to engage headquarters, areas and territory management
staff to identify and correct the database entries. The process will
include sampling and conducting operational reviews as assurance of the
database integrity. To enhance everyone's understanding of the process,
talking points will be developed for discussions between the territory
and group managers;
Status per GAO: Open. IRS continues to implement its new process for
providing oversight of TACs not having a manager permanently on-site
during our fiscal year 2008 audit. Because the process was not fully
functional, we were unable to test its implementation during our audit
fieldwork. We will continue to assess IRS's actions during our fiscal
year 2009 audit.
ID no.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms, regardless of the
circumstances that may have caused the activation (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. IRM 10.2.14 Methods of Providing Protection will
be revised by September 30, 2009, to state: "A record of all instances
involving the activation of any alarm regardless of the circumstances
that may have caused the activation, must be documented in a Daily
Activity Report/Event Log, or other log book and maintained for 2
years;"
Status per GAO: Open. During our review and evaluation, we found that
IRS's corrective actions relating to the recordation of all instances
involving alarm activations in the Daily Activity Report/Event Log, or
other log book, were not included in the final version of the IRM. We
will continue to assess IRS's corrective actions during our fiscal year
2009 audit.
ID no.: 06-15;
Recommendation: Revise the physical security procedures in the IRM to
require that all SCCs and any respective annex facilities processing
taxpayer receipts and/or information perform and document monthly tests
of the facility's intrusion detection alarms. At a minimum, these
procedures should (1) outline the type of test to be conducted, (2)
include criteria for assessing whether the controls used to respond to
the alarm were effective, and (3) require that a logbook be maintained
to document the test dates, results, and response information (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. IRS performs monthly unannounced testing of
guard response to alarms, and test results are reviewed by the Security
Programs Office to enforce and ensure compliance. According to IRS,
test results on guard response to alarms are consistently 98 percent or
higher, indicating substantial compliance with IRS guidelines. Test
procedures were formalized in IRM 10.2.14 Methods of Providing
Protection issued on October 1, 2008. PSEP continues to utilize the
Audit Management Checklist as a repeatable process, and SCCs validate
quarterly the performance and documentation of monthly unannounced
alarm testing;
Status per GAO: Closed. IRS revised IRM 10.2.14 to include requirements
to perform and document monthly tests of intrusion detection alarms,
including guard responses to alarms. Also, IRS's Audit Management
Checklist contains review steps for physical security analysts to
determine whether SCCs and respective annex facilities that process
taxpayer receipts and/or information perform and document monthly tests
of intrusion alarms.
ID no.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. This item remains closed since fiscal year
2006, with AWSS continuing to regularly follow up on disposal actions.
During fiscal year 2008, IRS implemented a new wizard tool that caused
a system glitch which prevented IRS from updating all disposals within
10 work days. Several IRS staff were aware of the glitch and were
working on the issue. As a result, the disposal action that should have
been updated in 10 days was actually updated in 15 work days;
Status per GAO: Open. In fiscal year 2006, IRS re-engineered the P&E
asset retirement and disposal process to generate exception reports
that enable management to regularly monitor the aging of transactions
during the disposal process. However, our testing in fiscal years 2007
and 2008 noted that disposals shown on the exception report were not
always being recorded in a timely manner. During our fiscal year 2009
audit, we will verify that the new software enhancement is operating as
intended.
ID no.: 07-01;
Recommendation: Enforce the existing policy requiring that all lockbox
banks encrypt backup media containing federal taxpayer information
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS revised the language in Lockbox Security
Guidelines (LSG) 2.17.8 (9) to mitigate the risk as outlined in the
Lockbox Electronic Bulletin issued on July 17, 2008. As of September 1,
2008, all lockbox sites use file encryption, and are in compliance with
the requirements as outlined in the Lockbox Electronic Bulletin;
Status per GAO: Closed. IRS revised its LSG to require lockbox banks to
encrypt backup media containing taxpayer information. IRS has included
this issue as one of the areas tested during its annual reviews of
information technology security at its lockbox banks. During our fiscal
year 2008 internal control testing, we did not identify any instances
where lockbox banks were not encrypting backup media containing federal
taxpayer information.
ID no.: 07-02;
Recommendation: Ensure that lockbox banks store backup media containing
federal taxpayer information at an off-site location as required by the
2006 LSG (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS revised the language in LSG 2.17.8 (9) to
mitigate the risk as outlined in the Lockbox Electronic Bulletin issued
on July 17, 2008. As of September 1, 2008, all lockbox sites store
backup media containing federal taxpayer information at an off-site
location and are in compliance with the requirements as outlined in the
Lockbox Electronic Bulletin;
Status per GAO: Closed. IRS revised its LSG to require lockbox banks to
store backup media containing taxpayer information at an off-site
location. IRS has included this issue as one of the areas tested during
its annual information technology security reviews at lockbox banks.
ID no.: 07-03;
Recommendation: Revise instructions for the annual reviews of lockbox
banks to encompass routine monitoring of backup media containing
personally identifiable information to ensure that this information is
(1) encrypted prior to transmission and (2) stored in an appropriate
off-site location (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS revised the Information Technology Data
Collection Instruments, which are used during the annual reviews of
lockbox banks, and the related instructions (1) to ensure that the
data/image transmissions sent through the Lockbox Electronic Network
are encrypted prior to transmission and (2) to validate that all backup
media containing personally identifiable information is stored and
protected as required in the Lockbox Electronic Bulletin;
Status per GAO: Closed. IRS revised its Information Technology Data
Collection Instrument to test whether lockbox banks are (1) encrypting
personally identifiable information prior to transmission and (2)
storing backup media containing personally identifiable information at
an appropriate off-site location.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. PSEP developed and implemented an action plan
requiring all SCCs to (1) perform and validate completion of an
assessment of their CCTV to ascertain if it provided an unobstructed
view of the exterior of the campus perimeter, and (2) identify problems
and planned corrective actions to mitigate the identified problems. All
SCCs validated completion of the CCTV assessment and a total of 16
problems were identified. Progress on corrective actions was monitored
and reported to PSEP management on a monthly basis. All corrective
actions were addressed: 14 were resolved by the installation of CCTV
cameras and/or removal of obstructions, and 2 were determined by
management to meet an acceptable level of risk. PSEP continues to
utilize the Audit Management Checklist as a repeatable process where
SCCs quarterly validate CCTV coverage of the campus fence line and
perimeter. The reported corrective actions were completed January 10,
2008. PSEP will continue to place emphasis on CCTV camera coverage, as
well as perform regularly scheduled risk assessments of IRS facilities;
Status per GAO: Open. On January 10, 2008, IRS completed an assessment
of its CCTVs in all SCCs to ascertain whether they provided an
unobstructed view of its campuses' exterior perimeter. However, IRS's
assessment did not account for the CCTV weaknesses that were reported
in the Fresno SCC's January 2007 risk assessment, which continued to
exist during our April 2009 visit. During our visit, we found that the
CCTVs did not provide an unobstructed view of the building exterior or
fence line, many of the CCTVs were not wired properly and could not be
used to their full potential. While these weaknesses were reported in
the January 2007 risk assessment, Fresno was one of the four SCCs that
did not report any specific weaknesses to the PSEP management that
requested the assessment of the CCTVs. In view of the weaknesses we
observed, it is unclear how the Fresno campus reached its conclusion
that no CCTV problems were reportable to the PSEP requestors performing
the assessment. We will continue to assess IRS's actions during our
fiscal year 2009 audit.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the manual
refund initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. All W&I functions, except Accounts Management,
conducted training during 2007 and 2008 for manual refund initiators to
ensure they fulfill their responsibilities to monitor manual refunds
and document their monitoring actions to prevent the issuance of
duplicate refunds. W&I Compliance completed its training for manual
refund initiators in the W&I campuses in April 2008. SP conducted
refresher training during fiscal years 2007 and 2008 (continuing
professional education) and will include again in the fiscal year 2009
continuing professional education. SP management reviews history sheets
annotated with taxpayer identification numbers, tax period, transaction
code, date, and initials of initiator. Accounts Management manual
refund training has been delayed due to the Economic Stimulus Package
workload. Accounts Management is re-examining manual refund monitoring
procedures and will reschedule the training in fiscal year 2009 once
the review is complete and any changes implemented;
Status per GAO: Open. During our fiscal year 2008 audit, we found
instances where the manual refund initiators did not receive training
on the most current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds. We will continue to
evaluate IRS's corrective actions during our fiscal year 2009 audit.
ID no.: 07-09;
Recommendation: Enhance its computer program to check for outstanding
tax liabilities associated with both the primary and secondary Social
Security numbers shown on a joint tax return and apply credits to those
balances before issuing any refund (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. On January 20, 2008, SB/SE implemented the
programming to check for outstanding liabilities associated with both
the primary and secondary Social Security numbers on a joint tax return
for offsetting to any outstanding TFRP liability before issuance of a
refund;
Status per GAO: Closed. We verified that IRS implemented the
programming change to check for outstanding liabilities associated with
both the primary and secondary Social Security numbers on a joint tax
return for offsetting to any outstanding TFRP liability before issuance
of a refund. We reviewed the accounts of a number of taxpayers who (1)
were assessed a TFRP, (2) filed a joint personal income tax return with
a spouse, (3) listed her or his Social Security number as the second
one on the tax return, and (4) had credits on the personal income tax
account. In each of these cases, we verified that IRS's computer
program identified the outstanding TFRP and applied the credits to the
TFRP balance before sending any refund to the taxpayer. Additionally,
according to IRS, their analysis identified over $10 million of refund
offsets that have occurred from January 2008 to March 2009 as a result
of this corrective action.
ID no.: 07-11;
Recommendation: Correct the penalty calculation programs in the master
file so that penalties are calculated in accordance with the applicable
Internal Revenue Code and implementing IRM guidance (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. SB/SE implemented a system change in January
2007 to correct the failure-to-pay (FTP) penalty calculation program.
In June 2008, SB/SE conducted a review of the programming change and
determined the program is correctly charging the reduced rate on
subsequent assessments. There was a small subpopulation of accounts
that the system change did not correct. IRS worked on an additional
system change to correct penalty calculation programming affecting the
remainder of the cases and completed its corrective action in August
2008;
Status per GAO: Closed. We verified that IRS's system corrected the FTP
penalty calculation program. We reviewed the accounts of a number of
taxpayers for whom: (1) IRS increased the FTP penalty rate assessed
against the taxpayer for failing to pay taxes owed from 0.5 percent to
1 percent when the taxpayer failed to pay following repeated
notification of the taxes due, (2) the taxpayer subsequently paid off
the balance for the specific tax period, and (3) following its system
change, IRS assessed the taxpayer additional taxes owed for the same
tax period and a related FTP penalty. In each of these cases, we
verified that the FTP penalties were calculated in accordance with the
applicable IRM guidance.
ID no.: 07-12;
Recommendation: Research each of the taxpayer accounts that may have
been affected by the penalty programming errors to determine whether
they contain overassessed penalties and correct the accounts as needed
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS implemented in January 2007 and August 2008
the change to the FTP penalty calculation program and also recalculated
the FTP amount using the correct rate on all open taxpayer accounts
with this penalty;
Status per GAO: Closed. We verified that IRS's system change resulted
in FTP penalties being calculated in accordance with the applicable IRM
guidance on open taxpayer accounts. We reviewed the accounts of a
number of taxpayers from IRS's unpaid assessment inventory for whom:
(1) IRS had increased the FTP penalty rate assessed against the
taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent
when the taxpayer failed to pay following repeated notification of the
taxes due, (2) the taxpayer subsequently paid off the balance for the
specific tax period, and (3) IRS assessed the taxpayer additional taxes
owed for the same tax period, with related FTP penalties. In each of
these cases, we verified that the total recorded FTP penalty
assessments on the account were in accordance with the applicable IRM
guidance.
ID no.: 07-13;
Recommendation: Establish procedures and specify in the IRM that at the
time of receipt, employees recording taxpayer payments should (1)
determine if the payment is more than sufficient to cover the tax
liability of the tax period specified on the payment or earliest
outstanding tax period, (2) perform additional research to resolve any
outstanding issues on the account, (3) determine whether the taxpayer
has outstanding balances in other tax periods, and (4) apply available
credits to satisfy the outstanding balances in other tax periods (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008
with revisions to 5.1.2.5.3.1(1) through (7) directing employees to
make the specific determinations and to take the specific actions
contained in this recommendation;
Status per GAO: Closed. IRS revised its IRM in September 2008 to
include instructions specifically addressing this recommendation. The
IRM now instructs IRS employees to (1) determine if the payment is
sufficient to cover the tax liability of the tax period specified on
the payment, (2) perform additional research and resolve any
outstanding issues on the account, including determining if there are
any freeze codes that will delay credit posting, (3) determine whether
the taxpayer has outstanding balances in other tax periods, and (4)
apply available credits to satisfy the outstanding balances in other
tax periods.
ID no.: 07-14;
Recommendation: Establish procedures and specify in the IRM that
employees review taxpayer accounts with freeze codes that contain
credits weekly to (1) research and resolve any outstanding issues on
the account, (2) determine whether the taxpayer has outstanding
balances in other tax periods, and (3) apply available credits to
satisfy the outstanding balances in other tax periods (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008
with revisions to 5.1.2.5.3.1(1) through (7) directing employees to
make the specific determinations and to take the specific actions
contained in this recommendation;
Status per GAO: Closed. IRS revised its IRM in September 2008 to
include instructions specifically addressing this recommendation. The
IRM now instructs IRS employees to (1) determine if the payment is
sufficient to cover the tax liability of the tax period specified on
the payment, (2) perform additional research and resolve any
outstanding issues on the account, including determining if there are
any freeze codes that will delay credit posting, (3) determine whether
the taxpayer has outstanding balances in other tax periods, and (4)
apply available credits to satisfy the outstanding balances in other
tax periods.
ID no.: 07-15;
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in the Automated Lien System
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. SB/SE has requested Counsel guidance related to
lien releases after discharge to determine if a memorandum is needed.
SB/SE will issue a memorandum to employees by May 2009, if necessary;
Status per GAO: Open. As part of its own fiscal year 2008 OMB A-123
testing of lien releases, IRS tested a statistical sample of taxpayer
accounts requiring a lien release during 2008. In its testing, IRS
again identified a case in which it did not release the applicable
federal tax lien within the statutory 30-day period because it did not
update the taxpayer's account in a timely manner to reflect that the
taxpayer had been discharged of the taxes in a bankruptcy court. The
untimely recording of bankruptcy discharges results in the untimely
release of tax liens and is directly related to IRS's noncompliance
with Internal Revenue Code Section 6325 which requires IRS to release
its tax liens within 30 days of the date the related tax liability is
fully satisfied. We will continue to review IRS's corrective actions to
address this recommendation during our fiscal year 2009 audit.
ID no.: 07-17;
Recommendation: Monitor installment agreement user fee activity on a
regular basis (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. W&I Compliance continues to use the Installment
Agreement Account Listings (IAAL) report to monitor user fee activity.
In January 2008, IRS implemented enhancements to the report and
increased the frequency of the sweep process from quarterly to weekly;
Status per GAO: Closed. IRS runs edit checks to test the validity of
recorded installment agreements, including the user fees, which results
in the identification of potential errors that are then listed on the
IAAL. We verified that IRS improved its IAAL report process by grouping
items that appear on the IAAL into tiers based on priority and
establishing time frames by tier for investigating and resolving these
potential errors. In addition, we confirmed that IRS now performs
managerial reviews on IAAL cases processed by its collection
operations. IRS also increased the frequency of its computer sweep
recovery process, which is intended to identify unrecorded user fees,
from a few times a year to once a week, thus increasing the timeliness
and accuracy of recorded individual taxpayer user fees.
ID no.: 07-18;
Recommendation: Adjust errors in recorded installment agreement user
fees as necessary to correctly reflect the user fees IRS earned and
collected from taxpayers (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. W&I Compliance uses a weekly sweep process to
reconcile installment agreement payments and adjusts those with
discrepancies or errors to ensure that fees are accurately posted to
the user fee account;
Status per GAO: Closed. W&I Compliance's weekly sweep process is
designed to identify and correct for unrecorded user fees collected
with the initial installment agreement payment. We verified that IRS's
improvements to its installment agreement user fees monitoring process
will help ensure that errors in recorded installment agreement user
fees are identified and corrected in a more timely manner.
Additionally, we did not identify any instances of errors in recorded
installment agreement user fees during our fiscal year 2008 audit.
ID no.: 07-19;
Recommendation: Establish sufficient review procedures to help ensure
that adjustments to installment agreement user fees collected from
taxpayers are accurately and timely recorded (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. W&I Compliance uses the Installment Agreement
Account Listings report to identify accounts with user fee errors,
underpayments, and overpayments that require adjustments. W&I
consolidated the report listing at one location to provide improved
oversight of the process. Both W&I and SB/SE program analysts,
managers, operations management, and headquarters staff conduct reviews
of the report listing. In January 2008, IRS implemented enhancements to
the report and increased the frequency of the sweep process used to
correct accounts from quarterly to weekly. IRS also updated IRM 5.19.1
in January 2008 to include requirements for case analysis and
documentation;
Status per GAO: Closed. We verified that IRS conducts managerial and
operational reviews on its W&I Compliance Service Collection
Operations, the division responsible for making the appropriate
adjustments for errors in recorded installment agreement user fees.
Additionally, we did not identify any errors in recorded installment
agreement user fees tested during our fiscal year 2008 audit.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage space
to properly secure and safeguard property and equipment inventory,
including in-stock inventories, assets from incoming shipments, and
assets that are in the process of being excessed and/or shipped out
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Open. The IRS plans to implement the following
procedures to ensure that sufficient secured space is maintained for
Automated Data Processing (ADP) and Non-ADP assets: Requesters needing
space are to initiate an Employee Resource Center ticket requesting
"Property Consultation" services, which initiates Real Estate and
Facilities Management (REFM) activity to work with the requester on
obtaining the needed secured storage space. When Modernization &
Information Technology Services property managers need secure storage,
narrative associated with the Employee Resource Center work ticket must
state: "Need to consult with local REFM staff on providing a secure
storage alternative for ADP equipment." This procedure is to be used
for asset distribution staging or when assets are to be excessed. This
policy is effective March 30, 2009;
Status per GAO: Open. IRS completed its corrective action plan after
the end of our fiscal year 2008 audit. We will review IRS's corrective
actions during our fiscal year 2009 audit.
ID no.: 07-21;
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. AWSS Procurement issued policy Change Notice 07-
08, which contains a revision to Policy and Procedure Memorandum 46.5,
Receipt, Quality Assurance and Acceptance. The revision limits
situations in which contracting officers may perform receipt and
acceptance. In addition to the Policy and Procedure Memorandum 46.5,
the IRS Acquisition Procedure Subpart 1003.90--Separation of Duties and
Management Controls--requires separation of duties for requisition
approval, certification of funds, contract award, and receipt and
acceptance. Procurement runs Web Request Tracking System reports to
review the instances where contracting officers performed receipt and
acceptance to ensure that the receipt and acceptance falls within
exceptions/procedures outlined in the Policy and Procedure Memorandum
46.5;
Status per GAO: Open. During our fiscal year 2008 audit, we noted that
IRS revised its policy to reflect the situations under which
contracting officers may perform receipt and acceptance functions. In
addition, the IRS Acquisition procedures require that no employee shall
perform more than one of the following four functions: (1) requisition
approval for supplies and/or services, (2) certify the availability of
funds, (3) conduct the procurement and execute the contractual
document, and (4) receive the supplies or services. However, during our
fiscal year 2008 audit testing, we continued to find instances where
individuals were performing incompatible functions. We will continue to
review actions taken by IRS during our fiscal year 2009 audit.
ID no.: 07-22;
Recommendation: Document the results of internal control tests
conducted in a manner sufficiently clear and complete to explain how
control procedures were tested, what results were achieved, and how
conclusions were derived from those results, without reliance on
supplementary oral explanation (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. IRS revised its A-123 guidance to include
templates and procedures for compiling, referencing, and reviewing
audit working papers to ensure that the results of internal control
tests are clear and complete to explain how control procedures were
tested, what results were achieved, and how conclusions were derived
from those results. During the fiscal year 2008 cycle, the Office of
Corporate Planning and Internal Control assigned test team leaders and
independent Office of Corporate Planning and Internal Control reviewers
to examine workpapers to ensure the test team sufficiently documented
their work to support their conclusions. The A-123 guidance requires
that each set of work papers include a summary of findings statement
setting out the conclusion reached after performing the transaction
testing;
Status per GAO: Closed. During our fiscal year 2008 IRS financial
audit, we verified that IRS revised its A-123 guidance to include
templates that clearly outline how to document and explain what control
tests were performed, the scope of control tests, and the results of
internal control tests performed. IRS's A-123 guidance also requires
that each set of workpapers include a summary of findings statement
that clearly concludes on results of test procedures performed by
staff. We verified that IRS's workpapers documenting A-123 testing
substantially conformed to the A-123 guidance.
ID no.: 07-23;
Recommendation: Clearly document how IRS considered existing reviews
and audits in determining the nature, scope, and timing of procedures
it planned to conduct under its OMB Circular No. A-123 process (short-
term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. During the development of fiscal year 2008 A-
123 internal control test plans, IRS analyzed and documented open
recommendations related to the internal control process/transaction
being tested. IRS considered the open recommendation findings while
developing the process/transaction test plan. IRS will continue to
incorporate the open recommendation findings while planning A-123
testing;
Status per GAO: Closed. During fiscal year 2008, we verified that IRS
included a requirement in its A-123 guidance to determine the adequacy
and value of management actions taken in response to audits performed
by GAO and the Treasury Inspector General for Tax Administration
relating to financial reporting. We also verified that IRS review staff
followed the A-123 guidance in performing internal control reviews.
ID no.: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS will continue to work with Treasury and
Modernization & Information Technology Services to fully implement A-
123 requirements for evaluating controls over information technology
relating to financial statement reporting. IRS will identify areas
where the work conducted under FISMA does not meet A-123 requirements
and consider information security findings and recommendations to
ensure testing procedures meet A-123 requirements;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing this recommendation.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS revised a limited set of fiscal year 2008
test plans to pilot the requirement to include an analysis of the
design for each transaction control set tested. This project is planned
for completion during the fiscal year 2009 A-123 cycle;
Status per GAO: Open. We verified that IRS revised a limited number of
A-123 test plans to include an analysis of the design of internal
controls tested. During our fiscal year 2009 audit, we will continue to
review the remaining test plans as IRS revises them.
ID no.: 07-26;
Recommendation: Work with Treasury to identify laws and regulations
that are significant to financial reporting, test controls over
compliance with those laws and regulations, and evaluate and report on
the results of such control reviews (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. In fiscal year 2007, IRS established an
internal crosswalk between A-123 tests and laws and regulations
significant to financial reporting. In fiscal year 2008, IRS updated
the crosswalk to a listing of laws and regulations which were expanded
to include all specific public laws and took the additional step of
incorporating GAO audit methodology into the linkage;
Status per GAO: Closed. We obtained and reviewed IRS's laws and
regulations crosswalk and verified that IRS had identified and planned
appropriate procedures to test controls over laws and regulations
considered significant to financial reporting.
ID no.: 07-27;
Recommendation: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Open. IRS is considering alternative procedures for
testing transactions to provide assurance for the last 3 months of the
fiscal year. Although implementation of such procedures is not
necessary until elimination of the outstanding material weaknesses, IRS
intends to propose follow-up procedures before the end of the fiscal
year;
Status per GAO: Open. We will follow up during future audits to assess
IRS's progress in implementing this recommendation.
ID no.: 07-28;
Recommendation: Provide A-123 review staff appropriate training, such
as that available for financial auditors, to enhance their skills in
workpaper documentation, identification and testing of internal
controls, and evaluation and documentation of results (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. Members of the IRS A-123 workgroup completed
the United States Department of Agriculture Graduate School course,
Audit Evidence and Working Papers, covering methods for collecting and
documenting types of evidence needed to support audit reports and to
meet professional standards, during the fall of 2007. IRS used concepts
from this course and best practices from previous cycles to improve the
curriculum over previous years for the annual IRS A-123 Training
Workshop to improve proficiency in documentation and analysis in the
transactional testing. The training also covers the process to be
followed when reviewing or performing tests of internal controls,
developing a determination as to whether or not the controls are
functioning properly, and evaluating the materiality of errors. The
Office of Corporate Planning and Internal Control is currently
developing an IRM provision for reference to reinforce the A-123
guidance provided during the training;
Status per GAO: Closed. We verified that IRS developed an appropriate
annual training workshop designed to ensure that their A-123 review
staff enhance their skills in workpaper documentation, identification
and testing of internal controls, and evaluation and documentation of
test results.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA) (long-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. IRS instituted the use of trace identification
numbers for revenue and refund transactions in fiscal year 2008 to
provide traceability from the general ledger for tax transactions back
to source documentation and throughout IRS financial management
systems. IRS is currently developing additional internal controls for
tax revenue transactions processed outside of the Electronic Federal
Tax Payment System, and for transactions recorded into IRACS requiring
manual transcription. IRS is working to revise each appropriate IRM
provision and requested programming to implement system controls in
payment systems to prevent, detect, and correct such transcription and
input errors by fiscal year 2010. IRS is also developing the Redesign
Revenue Accounting Control System, an enhancement of IRACS that will
incorporate the United States Standard General Ledger. IRS plans to
implement Redesign Revenue Accounting Control System in January 2010;
Status per GAO: Open. During our future audits, we will continue to
evaluate IRS's progress in achieving transaction traceability for tax
revenues processed outside of the Electronic Funds Transaction Payment
System and taxes receivable transactions.
ID no.: 08-02; Recommendation: Document and implement the specific
procedures to be performed by the IRS statistician in each step of the
unpaid assessment estimation process (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. Revenue Financial Management documented the
procedures the statistician performs in each step of the unpaid
assessments estimation process by June 2008. Revenue Financial
Management is enhancing each of these procedures to include additional
steps based on the fiscal year 2008 audit. Revenue Financial Management
will provide the new procedures by May 2009;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to find errors in IRS's unpaid assessment estimates that were not
detected by IRS's internal reviews. IRS corrected these errors after we
brought them to its attention. However, until IRS fully documents the
specific procedures performed by its statistician in each step of the
unpaid assessment estimation process and the specific procedures for
reviewers to follow in their reviews, IRS faces increased risk that
errors in this process will not be prevented or detected and corrected.
We will continue to review IRS's corrective actions to address this
recommendation during our fiscal year 2009 audit.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures for
reviewers to follow in their review of unpaid assessments statistical
estimates. Specifically, IRS should require that a detailed supervisory
review be performed to ensure (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data on
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. In June 2008, Revenue Financial Management
documented the procedures reviewers should follow during their review
of the statistical estimates. Revenue Financial Management is adding
additional levels of review and oversight for fiscal year 2009 and is
finalizing a Memorandum of Understanding with the Office of Program
Evaluation and Risk Analysis to perform an independent review;
Status per GAO: Open. During our fiscal year 2008 audit, we continued
to find errors in IRS's unpaid assessment estimates that were not
detected by IRS's internal reviews. IRS corrected these errors after we
brought them to its attention. However, until IRS fully documents the
specific procedures performed by its statistician in each step of the
unpaid assessment estimation process and the specific procedures for
reviewers to follow in their reviews, IRS faces increased risk that
errors in this process will not be prevented or detected and corrected.
We will continue to review IRS's corrective actions to address this
recommendation during our fiscal year 2009 audit.
ID no.: 08-04;
Recommendation: To address the inconsistency in assigning the effective
date of an accuracy-related penalty, modify the Business Master File
computer program so that the date of the deficiency assessment is used
as the effective date of any associated accuracy-related penalty (long-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. In January 2009, IRS implemented programming
changes to the Business Master File computer program where accuracy-
related penalties assessed subsequent to the programming change will
carry the same date as the related deficiency assessment;
Status per GAO: Open. IRS completed its corrective action after the end
of our fiscal year 2008 audit. We will review IRS's corrective action
to address this recommendation during our fiscal year 2009 audit.
ID no.: 08-05;
Recommendation: Complete and document the review of existing programs
in the master files that affect penalty calculations to identify any
instances in which programs are not functioning in accordance with the
intent of the IRM (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. IRS assembled a team of interest and penalty
subject matter experts to perform a review of master file programming
of penalty and interest computations. The review included a general
random sample of open modules as well as a sample of modules impacted
by recent implementation of programming changes. SB/SE performed the
review the week of May 19, 2008. SB/SE will continue to perform these
reviews periodically and implement any necessary changes to programming
as a result;
Status per GAO: Closed. We confirmed that IRS completed its review of
existing master file computer programs that affect penalty calculations
and documented a listing of instances in which programs are not
functioning in accordance with the intent of the IRM.
ID no.: 08-06;
Recommendation: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM (long-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. IRS formed a cross-functional working group to
address penalty and interest programming issues in August 2007. This
group meets biweekly and continues to identify and assess penalty and
interest issues. When issues that need correction are identified,
programming changes are requested and IRS performs subsequent testing
to ensure that the programming change resolved the issue. Resolutions
of these identified issues are in various stages. Other issues are
being discussed with Modernization & Information Technology Services to
determine the most effective way to implement programming changes, and
on certain cases an impact analysis determined correction is not cost
effective at this time. Solutions to identified systemic differences
between IRS systems that cannot be fixed under the current processing
system are being addressed by modernization efforts;
Status per GAO: Open. Although IRS completed its review of master file
computer programs that affect penalty calculations and has planned a
series of corrective actions, it has not yet completed all of the
required programming corrections. We will continue to review IRS's
corrective actions to address this recommendation during our fiscal
year 2009 and future audits.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting the
results. This guidance should include a description of the key controls
that should be in place at outlying TACs, specify how often these key
controls should be reviewed, and specify how the results of each review
should be documented, including follow-up on issues identified in
previous TAC reviews (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. Managers follow IRM 1.4.11 as comprehensive
guidance for conducting reviews at all TACs. TAC managers use the one-
day receipt per TAC per quarter process to ensure at least once per
quarter, the manager performs a one day review of all payment receipts
as well as the documents associated with the receipts for all employees
with payment receipts on the date chosen for review. Area directors are
responsible for the oversight of all TAC activities including outlying
post of duties. IRM 1.4.11.6.2 outlines the scheduled routine visit
requirement for each TAC and Exhibit 1.4.11-11 gives a description of
all required reviews for each TAC, including the frequency. Validation
of completion is documented through operational reviews. The results of
the operational reviews indicate a summary of findings, which included
a corrective action report, completed annually;
Status per GAO: Open. IRM 1.4.11 provides guidance for managerial
reviews and frequency of these reviews at outlying TACs. Also, the IRM
outlines the TAC Security Remittance Review Database process and
requires managers to input the results of their reviews into the
database. However, the database was not fully implemented in fiscal
year 2008. As a result, we were unable to fully test its implementation
during our audit fieldwork. We will review IRS's corrective actions
during our fiscal year 2009 audit.
ID no.: 08-08;
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC managers
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. The Director of Field Assistance issued a
quarterly reminder to managers to conduct required reviews on September
30, 2008. Field Assistance continues to review the monthly reports
received from field offices, including the status of corrective actions
noted during operational reviews, to ensure completion of needed
improvements;
Status per GAO: Open. We will review IRS's corrective actions during
our fiscal year 2009 audit.
ID no.: 08-09;
Recommendation: Establish a mechanism to monitor compliance with
existing requirement that TAC employees responsible for accepting
taxpayer payments in cash have their computer system access
appropriately restricted to limit their ability to adjust taxpayer
accounts (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. IRM 1.4.11.19.4.1.1 was revised in April 2008
to mandate the use of the "restrict" command code in all cases. Group
managers will continue to be reminded of the existing requirements to
restrict command codes as part of the Form 809 Annual Reconciliation
Review. During this review, group managers use a check sheet as shown
in IRM 3.8.45.29.15, which includes this validity check. The result of
the review is sent to territory managers and Submission Processing.
Furthermore, restricted IDRS command codes are addressed in ongoing
operational reviews. IRM 1.4.11.19.4 guidance is provided to restrict
the 809 book holders profile when ordering the initial 809 receipt
book. IRM 1.4.11.19.4.1.1 establishes the requirement for group
managers to use restrict command codes from an 809 book holders
profile. IRM 1.4.11-15 TAC Payment Processing Checklist is completed as
part of the payment processing review conducted quarterly, which
includes a question addressing restrict command codes. Finally, IRM
1.4.11.19.4.1.1.1 covers the annual reconciliation of official
receipts, which managers can use as an annual monitoring process in
addition to operational reviews;
Status per GAO: Closed. IRS mandated the use of the restrict command
codes to TAC employees accepting cash payments to limit their IDRS
access rights and ability to adjust taxpayer accounts. These procedures
are monitored during operational reviews conducted by area and
territory managers, at which time group managers are reminded of the
existing requirements to restrict command codes.
ID no.: 08-10;
Recommendation: Establish procedures requiring periodic verification
that all individuals designated as first responders to TAC duress
alarms are appropriately qualified and geographically located to
respond to the potentially dangerous situations in an effective and
timely manner (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. Guidance concerning armed first responders to
TAC duress alarms was reissued via email to area directors for
distribution on August 19, 2008, and subsequently finalized in IRM
10.2.14, Methods of Providing Protection, issued October 1, 2008. The
IRM specifies, "An armed 'First Responder' (guard police) must be
listed as the first responder, as the shortest possible response time
is critical with priority notification. The alarm notification priority
protocols are: (1) First Priority: on-site guards are notified; (2)
Second Priority, Federal Protective Service is notified, and (3) Third
Priority, local police who will be notified last." The TAC Scheduled
Duress Alarm Test Report was revised to include a section to indicate
the date the notification list for first responders was last updated.
The reports are rolled up from the Areas/Territories to the Security
Programs office quarterly. The revised report was instituted via e-mail
on July 24, 2008. PSEP continues to utilize the Audit Management
Checklist as a repeatable process where Territory offices validate that
proper first responders are listed for notification;
Status per GAO: Closed. IRS established procedures in the IRM requiring
quarterly verification that individuals designated as first responders
to TAC duress alarms are appropriately qualified and geographically
located to respond to the potentially dangerous situations in an
effective and timely manner.
ID no.: 08-11;
Recommendation: Modify the IRM to specify qualifications and
geographical proximity requirements for individuals designated as first
responders to duress alarms at IRS facilities, and to require that the
responsibilities and qualifications of all designated first responders
be periodically reviewed to verify that over time, they continue to be
qualified and appropriately located, and to make any necessary
adjustments (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. IRS finalized and issued IRM 10.2.14, Methods
of Providing Protection on October 1, 2008. IRM 10.2.14.9.2(7)a
specifies: "An armed 'First Responder' (guard police) must be listed as
the first responder, as the shortest possible response time is critical
with priority notification. The alarm notification priority protocols
are: (1) First Priority: on-site guards are notified; (2) Second
Priority, Federal Protective Service is notified, and (3) Third
Priority, local police who will be notified last." The TAC Scheduled
Duress Alarm Test Report was revised to include a section to indicate
the date the notification list for first responders was last updated.
The reports are rolled up from the Areas/Territories to the Security
Programs office quarterly. The revised report form was instituted via e-
mail on July 24, 2008. PSEP continues to utilize the Audit Management
Checklist as a repeatable process where Territory offices validate that
proper first responders are listed for notification;
Status per GAO: Closed. IRS revised the IRM to specify the
qualifications and geographical proximity requirements for individuals
designated as first responders and included a provision for PSEP to
conduct quarterly reviews of this issue.
ID no.: 08-12; Recommendation: Establish procedures to require
documentation demonstrating that favorable background checks have been
completed for all contractors prior to allowing them access to TAC and
other field offices (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. AWSS has been working with the General Services
Administration (GSA) since March 2008 to implement a process for
procuring services from GSA to perform contractor background
investigations. AWSS prepared and submitted a draft interagency
agreement to GSA for consideration in June 2008. IRS received and
reviewed the GSA comments, and is finalizing the interagency agreement
for pricing and services. GSA has submitted a draft three-phase
schedule for completion of the background investigations that would
complete enter-on-duty determinations for all facilities by November
2009. Implementation is contingent upon GSA successfully completing its
actions;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
instances at three TACs where IRS did not have documentary evidence
demonstrating the completion of favorable background investigations for
contractors performing janitorial services during non-operating hours.
We will review IRS's corrective actions during our fiscal year 2009
audit.
ID no.: 08-13;
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. IRS developed a Performance Work Statement for a
National Document Destruction Contract. IRS expects full contract
implementation by October 1, 2009. Implementing a national contract
will standardize these requirements and ensure consistency. In the
interim, the current contracts require a review of contractor
performance through site visits and to ensure that contractors comply
with all security requirements for employee clearance prior to
performing the work. AWSS distributed a message to the Real Estate and
Facilities Management Territory Managers and Logistics Chiefs on
January 23, 2009, reinforcing the requirement to review their existing
shred contracts to ensure they comply with the security requirements
stated in their respective contracts;
Status per GAO: Open. As stated in IRS's response, the Performance Work
Statement for a National Document Destruction Contract will not be
fully implemented until the first quarter of fiscal year 2010. We will
review IRS's corrective actions during future audits.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information; document the
results, including identification of any security issues; and verify
that the contractor has taken appropriate corrective actions on any
security issues observed (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. IRS developed a Performance Work Statement for a
National Document Destruction Contract. IRS expects full contract
implementation by October 1, 2009. Implementing a national contract
will standardize these requirements and ensure consistency. In the
interim, the current contracts require a review of contractor
performance through site visits and to ensure that contractors comply
with all security requirements for employee clearance prior to
performing the work. IRS distributed a message on January 23, 2009,
reinforcing the requirement to review their existing shred contracts to
ensure they comply with the security requirements stated in their
respective contracts;
Status per GAO: Open. As stated in IRS's response, the Performance Work
Statement for a National Document Destruction Contract will not be
fully implemented until the first quarter of fiscal year 2010. We will
review IRS's corrective actions during future audits.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and reviewing
documentation of completed background investigations for all shredding
contractors before granting them access to taxpayer or other sensitive
IRS information (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Open. IRS developed a Performance Work Statement for a
National Document Destruction Contract. IRS expects full contract
implementation by October 1, 2009. Implementing a national contract
will standardize these requirements and ensure consistency. In the
interim, the current contracts require a review of contractor
performance through site visits, in order to ensure that contractors
comply with all security requirements for employee clearance prior to
performing the work. IRS distributed a message on January 23, 2009,
reinforcing the requirement to review their existing shredding
contracts to ensure they comply with the security requirements stated
in their respective contracts;
Status per GAO: Open. As stated in IRS's response, the Performance Work
Statement for a National Document Destruction Contract will not be
fully implemented until the first quarter of fiscal year 2010. In
addition, during our fiscal year 2008 audit, we identified an instance
at one of three SCCs we visited where shredding service contractor
employees did not go through background investigations before they were
granted access to taxpayer or other sensitive information. We will
review IRS's corrective actions during future audits.
ID no.: 08-16;
Recommendation: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. The Human Capital Office issued a notice in
September 2007 to each Employment Branch Chief to reinforce this
policy; and the office also sends periodic reminders to the Employment
Offices during monthly calls with the employment staffs. The Human
Capital Office also issued Alert 731-2 on September 29, 2008, to all
Employment Offices clarifying the guidance provided in Policy No. 15.
In October 2008, Policy and Programs received written confirmation from
every Employment Office that Policy No. 15 was being followed and that
the correct Form 13094 was being used;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
four juveniles hired in fiscal year 2008 who were not provided a
revised Form 13094. We will review IRS's corrective actions during our
fiscal year 2009 audit.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. The Human Capital Office revised Form 13094 in
December 2007 and provided the form and accompanying instructions to
the employment staff in January 2008. The Human Capital Office also
issued Alert 731-2 on September 29, 2008, to all Employment Offices
clarifying the guidance provided in Policy No. 15. In October 2008,
Policy and Programs received written confirmation from every Employment
Office that Policy No. 15 was being followed and that the correct Form
13094 was being used;
Status per GAO: Open. During our fiscal year 2008 audit, we identified
five instances where the IRS employment office staff did not verify the
information on Form 13094 by contacting the reference directly and
documenting the details of that contact. We will review IRS's
corrective actions during our fiscal year 2009 audit.
ID no.: 08-18;
Recommendation: Issue a memorandum to Receipt Control Operations Unit
staff reiterating existing requirements for (1) supervisory reviews of
the processing of TE/GE user fee deposits and (2) key documentation to
be signed and dated by the supervisor as evidence of that review (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. W&I Submission Processing issued a memorandum
in April 2008 to the operations manager of Receipt and Control,
reiterating the requirement to follow procedures in IRM 3.45.1 to
conduct supervisory reviews of the deposit encoding tapes and the
recapitulation of remittances, deposit tickets, and to sign or initial
the documents as evidence that the reviews were completed. Receipt and
Control is also following IRM 3.45.1 to conduct and document
supervisory reviews of the TE/GE deposits;
Status per GAO: Closed. We verified that IRS issued a memorandum to its
operations manager of Receipt and Control to reinforce procedures in
its IRM requiring signed supervisory review of TE/GE user fee deposits.
Additionally, during our fiscal year 2008 audit, we did not identify
any instances where IRS did not document supervisory review of the
TE/GE user fee deposits tested.
ID no.: 08-19;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials and purchase cardholders sign and date monthly account
statements attesting to their review and completion of the required
reconciliation process (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. The electronic Purchase Card Module eliminated
the paper statement of accounts being mailed to purchase cardholders
using the Purchase Card Module. The purchase cardholder and approving
official electronically reconcile and approve the transactions, which
is evidence of their signature approving the transactions. The system
maintains history on the user login name and date of the action;
Status per GAO: Closed. We confirmed that IRS modified its existing
guidelines and fully implemented the Purchase Card Module. During our
fiscal year 2008 audit, we noted that the purchase card approving
official's signature attesting to the review and reconciliation of the
monthly statement is now captured electronically by the Purchase Card
Module. However, we also noted that the purchase card approving
officials were not always electronically reconciling and approving
transactions within the required timeframes documented in IRS's
existing guidelines. Timely reconciliation and approval of transactions
is necessary to help ensure that purchase card transactions are valid
and appropriate. Thus, we are closing this recommendation and opening a
new recommendation to address this additional issue in our June 2009
management report. See GAO-09-513R and recommendation 09-10 in this
report.
ID no.: 08-20;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders obtain
funding approval or verify that funds are available for the intended
purpose prior to making a purchase (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. IRS provides purchase cardholders with funding
approval requirements during initial and refresher training. The
guidelines outlining funding requirements are also available online in
the Purchase Card Guide and on the program specific Web site. As IRS
converted purchase cardholders to the Purchase Card Module, it
highlighted this requirement in the transition guidelines;
Status per GAO: Closed. We confirmed that IRS modified its existing
guidelines and fully implemented the Purchase Card Module. During our
fiscal year 2008 audit, we noted that purchase cardholders obtained
funding approval electronically through the Purchase Card Module prior
to making a purchase. The Purchase Card Module directly interfaces with
the funding requisition function of IRS's Web-based Requisition
Tracking System to verify funds availability.
ID no.: 08-21;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase card approving
officials update and maintain appropriate supporting documentation
(short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. Citibank reports previously received by
purchase card approving officials were eliminated with implementation
of the Purchase Card Module. All documentation for purchase card
activity is maintained electronically in the Purchase Card Module with
the exception of packing slips/receipts, which are maintained by the
cardholder. The documentation is available for review by the approving
official, but approving officials are not required to maintain copies
of documentation already maintained by the cardholder;
Status per GAO: Closed. Even though IRS did not modify its existing
guidelines to require the purchase card approving official to maintain
copies of the purchase cardholder's supporting documentation, we
confirmed that IRS now has compensating internal control procedures in
place to close this recommendation. IRS's existing guidelines require
the purchase cardholder to maintain the supporting documentation and
for approving officials to ensure that the cardholders have all
required documentation. During our fiscal year 2008 audit, we noted
that the purchase cardholders maintained appropriate supporting
documentation.
ID no.: 08-22;
Recommendation: Modify existing guidelines to provide for detailed
internal control procedures requiring that purchase cardholders and
purchase card approving officials retain copies of all supporting
documents for a reasonable period of time, such as 3 years (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. The requirement to maintain supporting
documentation for all purchase card activity for 3 years is outlined in
current guidance and training material provided to cardholders. The
documentation is available for review by the approving official, but is
maintained by the cardholder;
Status per GAO: Closed. Even though IRS did not modify its existing
guidelines, we confirmed that the current guidelines require
cardholders to maintain supporting documentation for 3 years. IRS's
existing guidelines require the purchase cardholder to maintain the
supporting documentation and for approving officials to ensure that the
cardholders have all required documentation. During our fiscal year
2008 audit, we noted that the purchase cardholders maintained
appropriate supporting documentation.
ID no.: 08-23;
Recommendation: Issue a memorandum addressed to all personnel
responsible for updating inventory records that reiterates IRS's
existing policy requiring that new assets be inputted into the
inventory system within 10 days of receipt (short-term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. Modernization & Information Technology Services
issued a memorandum dated September 5, 2008, and Directive (Asset
Management Policy Directive AM 034) dated August 18, 2008, to all
organizations reiterating the IRS policy that new assets must be
inputted into the inventory system within 10 days of receipt;
Status per GAO: Closed. During our fiscal year 2008 audit, IRS's
Associate Chief Information Officer for End User Equipment Services, in
response to our recommendations, issued a memorandum to all personnel
responsible for updating inventory. The memorandum reiterated IRS's
existing policy requiring that new assets be inputted into the
inventory system within 10 days of receipt.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel (short-
term);
Source report: Management Report: Improvements Needed in IRS's Internal
Controls (GAO-08-368R, June 2008);
Status per IRS: Closed. AWSS issued communications to all employees
reiterating the policy requiring all employees to obtain approval of
travel authorizations before the initiation of travel through periodic
notices on the IRS intranet with links to Travel Times. In Travel
Times, IRS has issued: Travel Authorization Reminders (October 2007 and
February 2008) and Travel Authorization Reminder News from the business
units (December 2007, February 2008, and May 2008). Furthermore, IRS is
continuing to implement GovTrip and as of January 1, 2009, has 25,775
GovTrip users. All users must file a travel authorization before travel
begins, and GovTrip will not allow a voucher to be created without a
signed/approved authorization;
Status per GAO: Open. We confirmed that IRS issued communications to
staff reiterating the policy that all employees receive travel
authorization before commencing travel, and that IRS continues to
implement its GovTrip system with full implementation expected by
approximately July 2009. However, during our fiscal year 2008 audit, we
continued to identify instances where IRS staff did not obtain approval
of travel authorizations in advance of travel. We will continue to
review actions being taken by IRS to address this recommendation during
our fiscal year 2009 audit.
ID no.: 09-01;
Recommendation: Correct the Integrated Data Retrieval System (IDRS)
computer program for identifying individual taxpayers who have entered
into an installment agreement so that except in situations where the
taxpayer did not file the tax return timely, failure-to-pay penalty
assessments made after the date of the installment agreement are
calculated using the monthly one-quarter of one percent penalty rate on
all of the taxpayer's accounts covered by the installment agreement
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-02;
Recommendation: Add specific requirements to the IRM to require that
manual refund units assign back up staff to perform manual refund
monitoring activities whenever a manual refund initiator is absent for
an extended period of time (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-04;
Recommendation: Document in the IRM minimum requirements for conducting
off-site surveillance of couriers entrusted with taxpayer receipts and
information (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-06; Recommendation: Establish procedures to ensure that an
inventory of all duress alarms is documented for each location and is
readily available to individuals conducting duress alarm tests before
each test is conducted (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-10;
Recommendation: Develop, document, and implement procedures to
regularly monitor the timeliness of purchase card approvals. This
should include establishing procedures and responsibility for
identifying and following up on instances of non-compliance with
required approval timeframes (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help employees
distinguish between procurement actions that constitute new obligations
and those that merely adjust or liquidate prior obligations that the
IRS incurred during an expired appropriation's original period of
availability (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-12;
Recommendation: Reiterate IRS's existing policy requiring that
transactions be recorded accurately to the undelivered orders
obligation accounts (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means; (2)
define the roles and responsibilities of the CFO and other business
units in the process; and (3) be focused on the goal of determining
what cost information would be useful and the most appropriate means of
developing and reporting it for both existing programs and new programs
as they are initiated (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed and should include both personnel costs based
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial
accounting system (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and activities
that include measures of the full cost of, and the revenue collected
from, those programs and activities (return on investment) to assist
IRS's managers in optimizing resource allocation decisions and
evaluating the effectiveness of their activities (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
2009);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open: This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
Source: IRS updates detailing actions to address GAO's recommendations
and GAO's analysis of IRS's actions.
[End of table]
[End of section]
Appendix II: Open Recommendations Arranged by Control or Compliance
Issue:
Financial Reporting:
The Internal Revenue Service (IRS) does not have financial management
systems adequate to enable it to accurately generate and report, in a
timely manner, the information needed to both prepare financial
statements and manage operations on an ongoing basis. To overcome these
systemic deficiencies with respect to preparation of its annual
financial statements, IRS was compelled to employ compensating
procedures. Specifically, IRS (1) did not have an adequate general
ledger system for tax-related transactions, and (2) was unable to
readily determine the costs of its activities and programs and did not
have cost-based performance information to assist in making or
justifying resource allocation decisions. As a result, IRS does not
have data to assist in managing operations on a day-to-day basis and to
provide an informed basis for making or justifying resource allocation
decisions.
Table 12: Material Weakness: Controls over Financial Reporting:
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA) (long-
term);
Control activity: Appropriate documentation of transactions and
internal controls.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Unpaid Tax Assessments:
IRS has serious internal control issues that affected its management of
unpaid tax assessments. Specifically, IRS (1) lacked a subsidiary
ledger for unpaid tax assessments that would allow it to produce
accurate, useful, and timely information with which to manage and
report externally, and (2) experienced errors and delays in recording
taxpayer information, payments, and other activities.
Table 13: Material Weakness: Controls over Unpaid Assessments:
ID No.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID No.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all accounts
related to a single assessment are appropriately credited for payments
received (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID No.: 99-03;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID No.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against unpaid
assessments before issuance (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID No.: 09-01;
Recommendation: Correct the Integrated Data Retrieval System (IDRS)
computer program for identifying individual taxpayers who have entered
into an installment agreement so that except in situations where the
taxpayer did not file the tax return timely, failure-to-pay penalty
assessments made after the date of the installment agreement are
calculated using the monthly one-quarter of one percent penalty rate on
all of the taxpayer's accounts covered by the installment agreement
(short-term);
Control activity: Accurate and timely recording of transactions and
events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Information Security:
Significant information security weaknesses continue to jeopardize the
confidentiality, availability, and integrity of information processed
by IRS's key systems, increasing the risk of material misstatement for
financial reporting. For example, sensitive information, such as user
identification and passwords for mission-critical applications,
continued to be readily available to any user on IRS's internal
network. These IDs and passwords could be used by a malicious user to
compromise data flowing to and from IFS. Other continuing weaknesses
included the existence of passwords that were not complex enough to
avoid being guessed or cracked. In addition, although IRS had improved
its application of vendor-supplied system patches that protect against
known vulnerabilities, it still had not patched systems in a timely
manner. The agency's procurement system, which processed approximately
$1.8 billion of obligations in fiscal year 2008, also remained at risk
because previously reported weaknesses had not been corrected. These
weaknesses included (1) not restricting user's ability to bypass
application controls, (2) continuing to use unencrypted protocols, and
(3) not removing separated employees' access in a timely manner. These
outstanding weaknesses increase the risk that data processed by the
agency's financial management systems are not reliable.
Material Weakness: Controls over Information Systems Security:
Although IRS has made some progress in addressing previous weaknesses
we identified in its information systems security controls and physical
security controls, these and new weaknesses in information systems
security continue to impair IRS's ability to ensure the
confidentiality, integrity, and availability of financial and tax-
processing systems. As of January 2009, there were 74 open
recommendations from our information systems security work designed to
help IRS improve its information systems security controls. Those
recommendations are reported separately and are not included in this
report primarily because of the sensitive nature of some of the issues.
Tax Revenue and Refunds:
Weaknesses in control over tax revenue and refunds continue to hamper
IRS's ability to optimize the use of its limited resources to collect
unpaid taxes and minimize payment of improper refunds. Specifically,
IRS has not (1) developed performance metrics and goals on the cost of,
and the revenue collected from, IRS's various enforcement programs and
activities, with the exception of the Earned Income Tax Credit program;
or (2) fully established and implemented the financial management
structure and processes to provide IRS key financial management data on
costs and enforcement tax revenue. These deficiencies inhibit IRS's
ability to appropriately assess and routinely monitor the relative
merits of its various enforcement initiatives and adjust its strategies
as needed. This, in turn, can significantly affect both the level of
enforcement tax revenue collected and improper refunds disbursed.
Table 14: Significant Deficiency: Controls over Revenues and Issuing
Refunds:
ID no.: 09-02;
Recommendation: Add specific requirements to the Internal Revenue
Manual (IRM) to require that manual refund units assign back up staff
to perform manual refund monitoring activities whenever a manual refund
initiator is absent for an extended period of time (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means; (2)
define the roles and responsibilities of the CFO and other business
units in the process; and (3) be focused on the goal of determining
what cost information would be useful and the most appropriate means of
developing and reporting it for both existing programs and new programs
as they are initiated (short-term);
Control activity: Establishment and review of performance measures and
indicators.
ID no.: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed and should include both personnel costs based
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial
accounting system (long-term);
Control activity: Establishment and review of performance measures and
indicators.
ID no.: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and activities
that include measures of the full cost of, and the revenue collected
from, those programs and activities (return on investment) to assist
IRS's managers in optimizing resource allocation decisions and
evaluating the effectiveness of their activities (long-term);
Control activity: Establishment and review of performance measures and
indicators.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Release of Federal Tax Liens:
IRS did not always release the applicable federal tax lien within 30
days of the tax liability being either paid off or abated, as required
by the Internal Revenue Code (section 6325). The Internal Revenue Code
grants IRS the power to file a lien against the property of any
taxpayer who neglects or refuses to pay all assessed federal taxes. The
lien serves to protect the interest of the federal government and as a
public notice to current and potential creditors of the government's
interest in the taxpayer's property.
Table 15: Compliance with Laws and Regulations: Timely Release of
Liens:
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 07-15;
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the IRM requirement to timely record
bankruptcy discharge information onto taxpayer accounts in the master
file or to manually release the liens in the Automated Lien System
(short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Other Control Issues:
The recommendations listed below pertain to issues that do not rise
individually or in the aggregate to the level of a significant
deficiency or a material weakness. However, these issues do represent
weaknesses in various aspects of IRS's control environment that should
be addressed.
Table 16: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
ID no.: 99-22;
Recommendation: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and requirements
for promptly overstamping checks made out to "IRS" with "Internal
Revenue Service" or "United States Treasury." Based on the results, IRS
should make appropriate changes to strengthen its physical security
controls (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments (short-
term);
Control activity: Segregation of duties.
ID no.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors (short-term);
Control activity: Controls over Information processing.
ID no.: 04-08;
Recommendation: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed units
of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages (short-
term);
Control activity: Segregation of duties.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds (short-
term);
Control activity: Proper execution of transactions and events.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring actions
and supervisory review for manual refunds (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including service center campuses (SCC), taxpayer
assistance centers (TAC), and units within Large and Mid-sized Business
(LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a
system to track acknowledged copies of document transmittals (short-
term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-05;
Recommendation: Equip all TACs with adequate physical security controls
to deter and prevent unauthorized access to restricted areas or office
space occupied by other IRS units, including those TACs that are not
scheduled to be reconfigured to the "new TAC" model in the near future.
This includes appropriately separating customer service waiting areas
from restricted areas in the near future by physical barriers such as
locked doors marked with signs barring entrance by unescorted customers
(short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 06-07;
Recommendation: Document supervisory visits by offsite managers to TACs
not having a manager permanently on site. This documentation should be
signed by the manager and should (1) record the time and date of the
visit, (2) identify the manager performing the visit, (3) indicate the
tasks performed during the visit, (4) note any problems identified, and
(5) describe corrective actions planned (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at SCCs and lockbox banks record all instances
involving the activation of intrusion alarms, regardless of the
circumstances that may have caused the activation (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the SCC's
perimeter, such as adding or repositioning existing CCTV cameras or
removing obstructions (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the manual
refund initiators in their units with training on the most current
requirements to help ensure that they fulfill their responsibilities to
monitor manual refunds and document their monitoring actions to prevent
the issuance of duplicate refunds (short-term);
Control activity: Management of human capital.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage space
to properly secure and safeguard property and equipment inventory,
including in-stock inventories, assets from incoming shipments, and
assets that are in the process of being excessed and/or shipped out
(short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 07-21;
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered (short-term);
Control activity: Segregation of duties.
ID no.: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of Office of Management and Budget (OMB) Circular No.
A-123 and, considering the findings and recommendations of our work on
IRS's information security, expand FISMA procedures or perform
additional procedures as part of the A-123 reviews to augment FISMA
work (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 07-27;
Recommendation: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid assessment
estimation process (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures for
reviewers to follow in their review of unpaid assessments statistical
estimates. Specifically, IRS should require that a detailed supervisory
review be performed to ensure (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data on
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct (short-term);
Control activity: Management of human capital.
ID no.: 08-04;
Recommendation: To address the inconsistency in assigning the effective
date of an accuracy-related penalty, modify the Business Master File
computer program so that the date of the deficiency assessment is used
as the effective date of any associated accuracy-related penalty (long-
term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 08-06;
Recommendation: In instances where computer programs are not
functioning in accordance with the intent of the IRM, take appropriate
action to correct the programs so that they function in accordance with
the IRM (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting the
results. This guidance should include a description of the key controls
that should be in place at outlying TACs, specify how often these key
controls should be reviewed, and specify how the results of each review
should be documented, including follow-up on issues identified in
previous TAC reviews (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-08;
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC managers
(short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices (short-term);
Control activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-13;
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements (short-term);
Control activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information; document the
results, including identification of any security issues; and verify
that the contractor has taken appropriate corrective actions on any
security issues observed (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and reviewing
documentation of completed background investigations for all shredding
contractors before granting them access to taxpayer or other sensitive
IRS information (short-term);
Control activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-16;
Recommendation: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles (short-term);
Control activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact (short-term);
Control activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel (short-
term);
Control activity: Proper execution of transactions and events.
ID no.: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-04;
Recommendation: Document in the IRM minimum requirements for conducting
off-site surveillance of couriers entrusted with taxpayer receipts and
information (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide (long-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 09-06;
Recommendation: Establish procedures to ensure that an inventory of all
duress alarms is documented for each location and is readily available
to individuals conducting duress alarm tests before each test is
conducted (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts (short-term);
Control activity: Physical control over vulnerable assets.
ID no.: 09-10;
Recommendation: Develop, document, and implement procedures to
regularly monitor the timeliness of purchase card approvals. This
should include establishing procedures and responsibility for
identifying and following up on instances of noncompliance with
required approval timeframes (short-term);
Control activity: Proper execution of transactions and events.
ID no.: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help employees
distinguish between procurement actions that constitute new obligations
and those that merely adjust or liquidate prior obligations that the
IRS incurred during an expired appropriation's original period of
availability (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 09-12;
Recommendation: Reiterate IRS's existing policy requiring that
transactions be recorded accurately to the undelivered orders
obligation accounts (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process (short-term);
Control activity: Accurate and timely recording of transactions and
events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
[End of section]
Appendix III: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Commissioner:
Washington, D.C. 20224:
June 11, 2009:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled, IRS: Status of GAO Financial Audit and Related
Financial Management Report Recommendations (GAO-09-514).
As GAO noted in the report, IRS continues to make significant progress
in improving our internal controls and financial management as
evidenced by nine consecutive years of clean audit opinions on our
financial statements. We are pleased that you acknowledged our progress
in addressing our financial management challenges and agreed to close
35 prior year financial management recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions, please contact Alison Doone, Chief Financial
Officer, at (202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, the following individuals made
major contributions to this report: William J. Cordrey, Assistant
Director; Ray Bush; Stephanie Chen; Nina Crocker; Oliver Culley;
Charles Ego; Doreen Eng; Charles Fox; Valerie Freeman; Ted Hu; Richard
Larsen; Delores Lee; Gail Luna; Julie Phillips; John Sawyer;
Christopher Spain; Cynthia Teddleton; Lien To; LaDonna Towler; and Gary
Wiggins.
[End of section]
Footnotes:
[1] Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with
applicable laws and regulations. See 31 U.S.C. § 3512(c), (d), commonly
known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA);
see [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1],
Standards for Internal Control in the Federal Government, at 4-5
(November 1999). The actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for results-
oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and
to take corresponding corrective actions.
[2] A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected. A significant deficiency is a control
deficiency, or combination of deficiencies, that adversely affects the
entity's ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood
that a misstatement of the entity's financial statements that is more
than inconsequential will not be prevented or detected. A control
deficiency exists when the design or operation of a control does not
allow management or employees, in the course of performing their
assigned functions, to prevent or detect misstatements on a timely
basis.
[3] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[4] The circular requires agencies and individual federal managers to
take systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
control through management assurance statements.
[5] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G]
(Washington, D.C.: August 2001).
[6] GAO, Federal Information System Controls Audit Manual (FISCAM),
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.:
February 2009). FISCAM contains guidance for reviewing information
system controls that affect the security of computerized data.
[7] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119]
(Washington, D.C.: Nov. 10, 2008).
[8] GAO, Internal Revenue Service: Status of Financial Audit and
Related Financial Management Report Recommendations, [hyperlink,
http://www.gao.gov/products/GAO-08-693] (Washington, D.C.: July 2,
2008).
[9] GAO, Management Report: Improvements Are Needed to Enhance IRS's
Internal Controls and Operating Effectiveness, [hyperlink,
http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24,
2009).
[10] We define short-term recommendations as those that we believe
could be addressed within 2 years at the time we made the
recommendation. We define long-term recommendations as those we
expected to require 2 years or more to implement at the time we made
the recommendation.
[11] [hyperlink, http://www.gao.gov/products/GAO-09-119].
[12] Table 1 does not include the 11th control activity, "top-level
reviews of actual performance," because we do not have any
recommendations related to this internal control activity.
[13] The vast majority of federal tax payments are made for both
businesses and individuals via the Electronic Federal Tax Payment
System.
[14] Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access
to data is appropriately restricted, only authorized changes to
computer programs are made, physical access to sensitive computing
resources and facilities is protected, computer security duties are
segregated, and backup and recovery plans are adequate to ensure the
continuity of essential operations.
[15] GAO, Information Security: Continued Efforts Needed to Address
Significant Weaknesses at IRS, [hyperlink,
http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9,
2009).
[16] Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers
for immediate payment due to hardship or emergency, those to
beneficiaries of deceased taxpayers, and those that need to be
expedited because IRS is in jeopardy of paying interest for exceeding
the 45-day limit for processing a return.
[17] [hyperlink, http://www.gao.gov/products/GAO-09-119].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
