Internal Revenue Service
Status of GAO Financial Audit and Related Financial Management Report Recommendations Gao ID: GAO-10-597 June 30, 2010In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS's efforts to address the weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) provide an overview of the financial management challenges still facing IRS, (2) provide the status of financial audit and financial management-related recommendations and the actions needed to address them, and (3) highlight the relationship between GAO's recommendations and internal control activities central to IRS's mission and goals.
IRS has made progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 10 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 250 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces significant financial management challenges in (1) resolving its remaining material weaknesses in internal control, (2) developing outcome-oriented performance metrics, and (3) correcting numerous other internal control issues, especially those relating to safeguarding tax receipts and taxpayer information. At the beginning of GAO's audit of IRS's fiscal year 2009 financial statements, 62 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2009 financial audit, IRS took actions that GAO considered sufficient to close 18 recommendations. At the same time, GAO identified additional internal control issues resulting in 41 new recommendations. In total, 85 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 85 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories: safeguarding of assets and security activities; proper recording and documenting of transactions; and effective management review and oversight. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning the functionality of IRS's automated systems, are complex and will require several more years to effectively address. GAO is not making any recommendations in this report. In commenting on a draft report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices.
GAO-10-597, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations
This is the accessible text file for GAO report number GAO-10-597
entitled 'Internal Revenue Service: Status of GAO Financial Audit and
Related Financial Management Report Recommendations' which was
released on June 30, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Commissioner of Internal Revenue:
United States Government Accountability Office:
GAO:
June 2010:
Internal Revenue Service:
Status of GAO Financial Audit and Related Financial Management Report
Recommendations:
GAO-10-597:
GAO Highlights:
Highlights of GAO-10-597, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
In its role as the nation‘s tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility to annually collect
trillions of dollars in taxes, process hundreds of millions of tax and
information returns, and enforce the nation‘s tax laws. Since its
first audit of IRS‘s financial statements in fiscal year 1992, GAO has
identified a number of weaknesses in IRS‘s financial management
operations. In related reports, GAO has recommended corrective actions
to address those weaknesses.
Each year, as part of the annual audit of IRS‘s financial statements,
GAO makes recommendations to address any new weaknesses identified and
follows up on the status of IRS‘s efforts to address the weaknesses
GAO identified in previous years‘ audits. The purpose of this report
is to (1) provide an overview of the financial management challenges
still facing IRS, (2) provide the status of financial audit and
financial management–related recommendations and the actions needed to
address them, and (3) highlight the relationship between GAO‘s
recommendations and internal control activities central to IRS‘s
mission and goals.
What GAO Found:
IRS has made progress in improving its internal controls and financial
management since its first financial statement audit in 1992, as
evidenced by 10 consecutive years of clean audit opinions on its
financial statements, the resolution of several material internal
control weaknesses, and actions resulting in the closure of over 250
financial management recommendations. This progress has been the
result of hard work throughout IRS and sustained commitment at the top
levels of the agency. However, IRS still faces significant financial
management challenges in (1) resolving its remaining material
weaknesses in internal control, (2) developing outcome-oriented
performance metrics, and (3) correcting numerous other internal
control issues, especially those relating to safeguarding tax receipts
and taxpayer information. At the beginning of GAO‘s audit of IRS‘s
fiscal year 2009 financial statements, 62 financial management–related
recommendations from prior audits remained open because IRS had not
fully addressed the issues that gave rise to them. During the fiscal
year 2009 financial audit, IRS took actions that GAO considered
sufficient to close 18 recommendations. At the same time, GAO
identified additional internal control issues resulting in 41 new
recommendations. In total, 85 recommendations remain open.
To assist IRS in evaluating and improving internal controls, GAO
categorized the 85 open recommendations by various internal control
activities, which, in turn, were grouped into three broad control
categories.
Table: Summary of Open Recommendations by Control Category:
Safeguarding of assets and security activities:
Open at the beginning of 2009: 20;
Closed during 2009 audit: 5;
New from 2009 audit: 4;
Total remaining open: 19.
Proper recording and documenting of transactions:
Open at the beginning of 2009: 24;
Closed during 2009 audit: 8;
New from 2009 audit: 23;
Total remaining open: 39.
Effective management review and oversight:
Open at the beginning of 2009: 18;
Closed during 2009 audit: 5;
New from 2009 audit: 14;
Total remaining open: 27.
Total:
Open at the beginning of 2009: 62;
Closed during 2009 audit: 18;
New from 2009 audit: 41;
Total remaining open: 85.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
The continued existence of internal control weaknesses that gave rise
to these recommendations represents a serious obstacle that IRS needs
to overcome. Effective implementation of GAO‘s recommendations can
greatly assist IRS in improving its internal controls and achieving
sound financial management and can help enable it to more effectively
carry out its tax administration responsibilities. Most can be
addressed in the short term (the next 2 years). However, a few
recommendations, particularly those concerning the functionality of IRS‘
s automated systems, are complex and will require several more years
to effectively address.
What GAO Recommends:
GAO is not making any recommendations in this report. In commenting on
a draft report, IRS stated that it is committed to implementing
appropriate improvements to maintain sound financial management
practices.
View [hyperlink, http://www.gao.gov/products/GAO-10-597] or key
components. For more information, contact Steven J. Sebastian at (202)
512-3406 or sebastians@gao.gov.
[End of section]
Contents:
Letter:
Background:
Scope and Methodology:
IRS Faces Significant Financial Management Challenges:
Status of Recommendations Based on the Fiscal Year 2009 Financial
Statement Audit:
Open Recommendations Grouped by Internal Control Activity:
Concluding Observations:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations from Internal Revenue
Service Financial Audits and Related Management Reports:
Appendix II: Open Recommendations Arranged by Material Weakness,
Compliance, or Other Control Issue:
Appendix III: Comments from the Internal Revenue Service:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Summary of Open Recommendations:
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
Table 3: Recommendations to Improve IRS's Segregation of Duties:
Table 4: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
Table 5: Recommendations to Improve IRS's Documentation of
Transactions and Internal Control:
Table 6: Recommendations to Improve IRS's Accurate and Timely
Recording of Transactions and Events:
Table 7: Recommendations to Improve IRS's Execution of Transactions
and Events:
Table 8: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
Table 9: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
Table 10: Recommendations to Improve IRS's Management of Human Capital:
Table 11: Recommendations to Improve Top-Level Reviews of Actual
Performance:
Table 12: Recommendations Not Previously Reported as Closed:
Table 13: Material Weakness: Controls over Unpaid Assessments:
Table 14: Compliance with Laws and Regulations: Timely Release of
Liens:
Table 15: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
Abbreviations:
ATFR: Automated Trust Fund Recovery:
CCTV: Closed Circuit Television:
CDDB: Custodial Detail Data Base:
CFO: Chief Financial Office:
CIMIS: Criminal Investigation Management Information System:
FASAB: Financial Accounting Standards Advisory Board:
FFMIA: Federal Financial Management Improvement Act of 1996:
FFMSR: Federal Financial Management System Requirements:
FISMA: Federal Information Security Management Act of 2002:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
IFS: Integrated Financial System:
IRACS: Interim Revenue and Accounting Control System:
IRM: Internal Revenue Manual:
IRS: Internal Revenue Service:
ITAMS: Information Technology Asset Management System:
LMSB: Large and Mid-sized Business:
NFC: National Finance Center:
OMB: Office of Management and Budget:
P&E: Property and Equipment:
RRACS: Redesign Revenue Accounting Control System:
SB/SE: Small Business/Self Employed:
SCC: Service Center Campus:
SGL: Standard General Ledger:
SP: Submission Processing:
TAC: Taxpayer Assistance Center:
TE/GE: Tax Exempt and Government Entities:
TFRP: Trust Fund Recovery Penalty:
Treasury: Department of the Treasury:
W&I: Wage and Investment:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 30, 2010:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Dear Mr. Shulman:
In its role as the nation's tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility to collect taxes, process
tax returns, and enforce the nation's tax laws. In fiscal year 2009,
IRS collected about $2.3 trillion in tax payments, processed hundreds
of millions of tax and information returns, and paid about $438
billion in refunds to taxpayers. Because of its role and overall
mission, IRS's activities affect virtually all of the nation's
citizens. It is therefore critical that the agency strive to maintain
sound internal control and financial management practices.
IRS has made much progress in improving its financial management since
it was first required to prepare a set of financial statements nearly
two decades ago. This progress is reflected in IRS's 10-year record of
obtaining a clean audit opinion on its financial statements and
correcting several material internal control weaknesses[Footnote 1]
and significant deficiencies[Footnote 2] in internal controls over the
years. At the same time, IRS continues to face significant financial
management challenges in achieving the overarching goals of federal
financial management--accountability and useful management
information. To enable more effective financial and operational
management, IRS needs to (1) address its remaining long-standing
material internal control weaknesses, (2) develop data and performance
metrics that will enhance its ability to manage for outcomes, and (3)
implement corrective actions to address other identified internal
control issues.
An agency's internal control serves as the first line of defense in
safeguarding its assets and in preventing and detecting errors and
fraud, as well as in helping to effectively manage its stewardship
over public resources.[Footnote 3] For many years, IRS has had
weaknesses in internal controls over fundamental elements of its
operations that leave it vulnerable to a greater risk of fraud, waste,
abuse, and mismanagement. Specifically, during our audit of IRS's
fiscal year 2009 financial statements,[Footnote 4] we found that IRS
continued to be challenged with two long-standing material weaknesses
in internal control that are at the heart of its operations--
weaknesses in internal controls over unpaid tax assessments[Footnote
5] and over information systems security. We also found that IRS faces
a significant management challenge in enhancing and using its
financial management capabilities to develop outcome-oriented
performance metrics[Footnote 6] critical to providing the foundation
upon which an agency can manage its operations for outcomes. Finally,
we found that IRS has other internal control issues that need
management attention, especially those that relate to safeguarding tax
receipts and taxpayer information.
To assist IRS in strengthening its internal controls and improving its
operations, we have made numerous recommendations as part of our prior
annual financial statement audits and other financial management-
related work at IRS. This report (1) provides an overview of financial
management challenges still facing IRS; (2) describes the status of
financial audit and financial management-related recommendations and
the actions needed to address them, as presented in appendix I; and
(3) discusses how the unresolved recommendations relate to control
activities central to IRS's mission and goals. To assist IRS in
addressing those control activities, appendix II provides summary
information regarding the primary internal control issue to which each
open recommendation is related. This report does not include our
recommendations related to information systems security even though
they also are the result of our annual financial audits and are
financial management-related; those recommendations are reported
separately because of the sensitive nature of many of the issues that
give rise to the recommendations.[Footnote 7] We are not making any
new recommendations in this report.
Our work was performed from December 2009 through May 2010 in
accordance with generally accepted government auditing standards. For
further details regarding our approach to this audit, see the Scope
and Methodology section.
Background:
Internal control is not one event, but a series of activities that
occur throughout an entity's operations and on an ongoing basis.
Internal control should be an integral part of each system that
management uses to regulate and guide its operations rather than as a
separate system within an agency. In this sense, internal control is
management control that is built into the entity as a part of its
infrastructure to help managers run the entity and achieve their goals
on an ongoing basis.
Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires
agencies to establish and maintain effective internal control. The
agency head must annually evaluate and report on the control and
financial systems that protect the integrity of its federal programs.
The requirements of FMFIA serve as an umbrella under which other
reviews, evaluations, and audits should be coordinated and considered
to support management's assertion about the effectiveness of internal
control over operations, financial reporting, and compliance with laws
and regulations.
Office of Management and Budget (OMB) Circular No. A-123, Management's
Responsibility for Internal Control, provides the implementing
guidance for FMFIA, and prescribes the specific requirements for
assessing and reporting on internal controls consistent with the
Standards for Internal Control in the Federal Government (internal
control standards) issued by the Comptroller General of the United
States.[Footnote 8] The circular defines management's responsibilities
related to internal control and the process for assessing internal
control effectiveness, and provides specific requirements for
conducting management's assessment of the effectiveness of internal
control over financial reporting. Specifically, the circular requires
management to annually provide assurances on internal control in its
performance and accountability report, and, for each of the 24 Chief
Financial Officers (CFO) Act[Footnote 9] agencies, to include a
separate assurance on internal control over financial reporting, along
with a report on identified material weaknesses and corrective
actions.[Footnote 10] The circular also emphasizes the need for
integrated and coordinated internal control assessments that
synchronize all internal control-related activities.
FMFIA requires GAO to issue standards for internal control in the
federal government. The internal control standards provide the overall
framework for establishing and maintaining effective internal control
and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.
As summarized in the internal control standards, internal control in
the government is defined by the following five elements, which also
provide the basis against which internal controls are to be evaluated:
* Control environment: Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management.
* Risk assessment: Internal control should provide for an assessment
of the risks the agency faces from both external and internal sources.
* Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives.
* Information and communication: Information should be recorded and
communicated to management and others within the entity who need it
and in a form and within a time frame that enables them to carry out
their internal control and other responsibilities.
* Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
A key objective in our annual audits of IRS's financial statements is
to obtain reasonable assurance that IRS maintained effective internal
control with respect to financial reporting. While we use all five
elements of internal control as a basis for evaluating the
effectiveness of IRS's internal controls, our ongoing evaluations and
tests have focused heavily on control activities, where we have
identified numerous internal control weaknesses and have provided
recommendations for corrective action. Control activities are the
policies, procedures, techniques, and mechanisms that enforce
management's directives. In other words, they are the activities
conducted in the everyday course of business that are intended to
accomplish a control objective, such as ensuring IRS employees
successfully complete background checks prior to being granted access
to taxpayer information and receipts. As such, control activities are
an integral part of an entity's planning, implementing, reviewing, and
accountability for stewardship of government resources and achievement
of effective results.
Scope and Methodology:
To accomplish our objectives, we evaluated the effectiveness of
corrective actions IRS implemented during fiscal year 2009 in response
to open recommendations as part of our fiscal years 2009 and 2008
financial audits. To determine the current status of the
recommendations, we (1) obtained IRS's reported status of each
recommendation and corrective action taken or planned as of April
2010, (2) compared IRS's reported status to our fiscal year 2009 audit
findings to identify any differences between IRS's and our conclusions
regarding the status of each recommendation, and (3) performed
additional follow-up work to assess IRS's actions taken to address the
open recommendations. For our recommendations to IRS regarding
information security, this report includes only summary data on the
number of those recommendations and their general nature. We have
reported the objectives and results of our information security work
separately to IRS because of the sensitive nature of many of the
issues identified for which we have made recommendations for
corrective action.[Footnote 11]
In order to determine how IRS's open recommendations, including the
latest ones in our June 2010 management report,[Footnote 12] fit
within the agency's management and internal control structure, we
compared the open recommendations and the issues that gave rise to
them to the (1) control activities listed in the internal control
standards, (2) list of major factors and examples outlined in our
Internal Control Management and Evaluation Tool,[Footnote 13] and (3)
criteria and objectives for federal financial management as discussed
in the CFO Act of 1990 and the Federal Accounting Standards Advisory
Board's (FASAB) Statement of Federal Financial Accounting Concepts No.
1, Objectives of Federal Financial Reporting.[Footnote 14] We also
considered whether IRS had addressed, in whole or in part, the
underlying control issues that gave rise to the recommendations; and
other legal requirements and implementing guidance, such as OMB
Circular No. A-123 and FMFIA.
Our work was performed from December 2009 through May 2010 in
accordance with generally accepted government auditing standards.
IRS Faces Significant Financial Management Challenges:
IRS continues to make progress in resolving its internal control
weaknesses and addressing outstanding recommendations, but it still
faces significant financial management challenges. Since we first
began auditing IRS's financial statements in fiscal year 1992, IRS has
taken a significant number of actions that enabled us to eliminate
several material weaknesses and significant deficiencies and to close
over 250 of our previously reported financial management-related
recommendations. This includes 18 recommendations we are closing with
this report based on actions IRS took through April 2010.
Nevertheless, IRS continues to face significant challenges in
improving the effectiveness of its financial and operational
management. Specifically, IRS continues to face management challenges
in (1) resolving its two remaining material weaknesses in internal
control, (2) developing performance measures and managing for
outcomes, and (3) addressing its remaining internal control issues,
particularly those dealing with safeguarding of taxpayer receipts and
information. Further, as in previous years' audits, our fiscal year
2009 audit continued to identify additional internal control issues,
resulting in 41 new recommendations for corrective action we discussed
in detail in our June 2010 management report to IRS.[Footnote 15] In
addition, as noted earlier, we also identified several issues related
to information security during our fiscal year 2009 audit that we
reported separately because of the sensitive nature of many of those
issues.[Footnote 16]
Challenges in Resolving Two Long-standing Material Internal Control
Weaknesses:
As we reported in our audit of IRS's fiscal year 2009 financial
statements,[Footnote 17] IRS's efforts to address its internal control
weaknesses resulted in our closure of a material weakness in internal
control over financial reporting and a significant deficiency in
internal control over tax revenue and refunds. However, as we also
reported in that audit, IRS continues to face significant challenges
in resolving its two remaining material weaknesses in internal control
concerning (1) unpaid tax assessments[Footnote 18] and (2) information
security.
IRS's continuing challenge in addressing its material weakness in
internal control over unpaid tax assessments results from its (1)
inability to use its core general ledger system for tax administration-
related transactions to support its reported balances for taxes
receivable and other unpaid assessments, (2) lack of a subsidiary
ledger for unpaid tax assessments that would allow it to produce
reliable, useful, and timely information with which to manage and
report externally on these key transactions, and (3) errors and delays
in recording taxpayer information, payments, and other activities.
These control deficiencies impede IRS's ability to properly manage and
routinely report certain information on unpaid tax assessments and
lead to increased taxpayer burden.
IRS's continuing challenge in addressing its material weakness in
internal control over information security is primarily due to IRS not
having fully implemented its information security program. As we
reported in our audit of IRS's fiscal year 2009 financial statements,
IRS has not (1) restricted users' ability to bypass application
controls, (2) removed separated employees' system access in a timely
manner, (3) followed required procedures to timely review employee
access to sensitive areas at data centers, (4) restricted system
access to only those who needed it, (5) instituted adequate separation
of duties for its procurement system, and (6) developed adequate
encryption controls over user login. IRS's deficiencies in internal
control over information security result in IRS's inability to rely on
the controls embedded in its automated financial management systems to
provide reasonable assurance that its (1) financial statements are
fairly stated in accordance with U.S. generally accepted accounting
principles, (2) financial information that management relies on to
support day-to-day decision making is current, complete, and accurate,
and (3) proprietary information processed by these automated systems
is appropriately safeguarded. These deficiencies also increase the
risk that unauthorized individuals could access, alter, or abuse
proprietary IRS programs and electronic data and taxpayer information
without detection.
We have made numerous recommendations to IRS over the years--including
new recommendations resulting from our fiscal year 2009 financial
audit--to address the issues constituting these two material internal
control weaknesses. Successfully implementing these recommendations
would assist IRS in fully resolving these weaknesses. To its credit,
IRS continues to work to address the issues underlying these two
material weaknesses.
Challenges in Developing and Implementing Performance Metrics to
Assist in Managing for Outcomes:
As we reported in our audit of IRS's fiscal year 2009 financial
statements,[Footnote 19] IRS continues to face significant challenges
in developing and instutionalizing the use of financial management
information to assist it in making operational decisions and in
measuring the effectiveness of its programs. IRS's management has not
developed the data or outcome-oriented performance measures that would
enhance its ability to manage for outcomes.[Footnote 20] For example,
it has not integrated the use of cost-based (and when appropriate,
revenue-based) performance metrics into its routine management and
decision-making processes or externally reported performance
metrics.[Footnote 21] Although IRS has developed projected return on
investment estimates for new enforcement (tax collection) initiatives
in its annual budget submissions, it has not developed similar outcome-
oriented performance metrics to determine whether funded initiatives
achieve their estimated goals. IRS has also not developed outcome-
oriented performance metrics for its existing enforcement programs.
These limitations inhibit IRS's ability to more fully assess and
monitor the relative merits of its existing programs, to evaluate new
initiatives, or to consider alternatives and adjust its strategies as
needed. Outcome-oriented performance metrics based on specific
enforcement programs' costs and revenues should improve IRS's ability
to (1) establish measurable outcome goals, (2) evaluate the relative
merits of various program options, and (3) highlight opportunities for
optimizing the allocation of resources. They can also help IRS more
credibly demonstrate to Congress and the public that it is spending
its appropriations wisely.
IRS's existing metrics focus on process-oriented workload measures of
program outputs[Footnote 22] rather than on measuring program
outcomes. For example, for its enforcement programs, IRS focuses on
measuring discrete activities within its overall tax collection
efforts, such as the percentage of various types of tax returns
examined, criminal investigations completed, and the number of tax
returns examined and closed. While such output measures can be useful
elements in assessing performance, they are not designed to measure
the contribution each of these activities makes to the collection of
unpaid taxes, nor do they compare the cost of collection activities to
the tax revenue generated. IRS's enforcement metrics do not include
revenue collected--a measure of outcome--compared to the cost of
collection that could show the net monetary benefits of the
enforcement programs. In addition, IRS's publicly available
performance metrics do not measure the cost of IRS's programs either
in the aggregate or per service or activity performed.[Footnote 23]
As we report in the "Status per IRS" section of appendix I in this
report, IRS has reported that it considers our recommendation to
develop outcome-oriented performance measures and related performance
goals for IRS's enforcement programs and activities to be closed.
[Footnote 24] We do not agree. Part of IRS's justification for closing
the recommendation is that IRS uses cost-benefit return on investment
analysis to evaluate future scenarios and to support funding requests
for new initiatives in its annual budget submissions. Such prospective
return on investment information is useful for budgetary decision
making, but our recommendation is for IRS to develop outcome data on
the actual results of its programs and activities. We have also
previously recommended that IRS (1) extend the use of return on
investment in future budget proposals to include major enforcement
programs and (2) develop return on investment data for its enforcement
programs using actual revenue and full cost data and compare actual
results to the projected return on investment data included in its
budget request.[Footnote 25] Our recommendations regarding development
of outcome-oriented performance metrics remain open because, as noted
above, IRS does not develop such data for either funded initiatives or
for ongoing enforcement programs and activities and it has not
deployed outcome-oriented performance measures.
IRS also reported that return on investment information is but one
tool that can be utilized to improve resource-allocation decision
making, and it is not prudent to rely exclusively on return on
investment as the sole determinant of resource allocation. As we have
reported previously,[Footnote 26] we acknowledge that IRS must
consider other factors besides maximizing revenue collection and least-
cost operations. The fairness of IRS's implementation of the tax code
and treatment of all taxpayers are important, and we are cognizant of
the many factors, such as coverage, that are important considerations
when making resource-allocation decisions. These factors, and the
decisions IRS makes about how to respond to them, have a significant
effect on taxpayers, as well as on tax collections. However, using
full cost and collection outcome-oriented performance metrics are also
important to make optimum use of its available resources and to be
able to credibly demonstrate it is doing so to Congress and the public.
For several years, IRS has been developing full cost data on its
programs and activities in response to a recommendation we made in
1999.[Footnote 27] However, as we have reported in the past,[Footnote
28] IRS's efforts have been slowed because IRS cannot produce full
cost information[Footnote 29] down to the program and activity levels
[Footnote 30] directly from its cost accounting system, the Integrated
Financial System (IFS).[Footnote 31] IRS has partially overcome this
difficulty by developing the ability to manually combine cost data
from IFS with personnel time-charge data from IRS's various workload
management systems and revenue data for enforcement programs to
develop full cost (and revenue) information for selected programs.
IRS's lack of outcome-oriented performance metrics is inconsistent
with federal financial management concepts as embodied in FASAB's
Statement of Federal Financial Accounting Concepts No. 1, Objectives
of Federal Financial Reporting.[Footnote 32] In its discussion of
financial reporting concepts, FASAB notes that federal financial data
should provide accountability and decision-useful information on the
costs of programs and the outputs and outcomes achieved, and it should
provide data for evaluating service efforts, costs, and
accomplishments.[Footnote 33]
The absence of outcome metrics is also inconsistent with the
objectives of the CFO Act of 1990. A key objective of the act was for
agencies to routinely develop and use appropriate financial management
information to evaluate program effectiveness, make fully informed
operational decisions, and ensure accountability. While obtaining a
clean audit opinion on its financial statements is important in
itself, it is not the end goal reflected in the act. The end goal is
modern financial management systems that provide reliable, timely, and
useful financial information to support day-to-day decision making and
oversight. Such systems and practices should also provide for the
systematic measurement of both outputs and outcomes.
Developing the data and performance metrics necessary for a more
outcome-oriented approach to managing operations requires active and
sustained senior management leadership. We acknowledge that without
the benefit of integrated financial management systems, IRS faces
significant challenges in developing outcome-oriented performance
metrics, including the data needed for such metrics. However,
undertaking such an effort agencywide will enhance IRS's ability to
effectively measure and compare the benefits of its programs to make
better informed resource-allocation decisions and to better support
its budget requests.
We have made several recommendations to IRS over the years to address
its financial management challenges in developing full cost data for
its programs and activities and for outcome-oriented performance
measures. Successfully addressing the remaining open recommendations
would enhance IRS's ability to effectively manage for outcomes.
Challenges in Resolving Other Internal Control Issues:
As discussed earlier, IRS has taken significant actions over the years
to resolve internal control weaknesses and this has enabled us to
close over 250 internal control-related recommendations. The closure
of such a high number of recommendations indicates that IRS has a
strong commitment to improving its internal control. However, IRS also
continues to face a challenge in addressing numerous other unresolved
internal control issues in several aspects of its operations that,
while neither individually nor collectively representing a material
weakness, nonetheless merit management attention to ensure they are
fully and effectively addressed. IRS now has a total of 70 open audit
recommendations resulting from internal control issues that we report
as "other control issues" in appendix II of this report. While most
were identified during our recent financial audits, some were
identified in our audits as far back as 1999 and 2001.
Over half of those 70 open recommendations address issues related to
the physical safeguarding of tax receipts and taxpayer information, a
critical aspect of IRS's responsibilities. IRS processes billions of
dollars annually in checks and currency and other valuable assets, and
it must physically safeguard and account for them to prevent theft,
fraud, and misuse. To do so, IRS has established physical security,
accountability, and accounting policies, processes, and procedures to
manage its activities involving the transportation and accounting for
tax receipts and for handling and storing taxpayer information.
Although IRS has made substantial improvements in safeguarding
taxpayer receipts and information since our financial audits first
began surfacing serious internal control issues in this area, the task
of ensuring ongoing control over such critical responsibilities for
IRS is a difficult one. Each year, we continue to identify control
issues related to IRS's safeguarding of taxpayer receipts and
information. For example, based on our fiscal year 2009 audit, we
identified new internal control issues and made 19 additional
recommendations that related either directly or indirectly to the
physical safeguarding of taxpayer receipts and information. The
internal control issues encompassed in our recommendations cover
critical physical security functions, such as:
* transporting taxpayer receipts and sensitive taxpayer information
among IRS facilities and lockbox banks[Footnote 34] and maintaining
physical security at IRS facilities to prevent loss, theft, or the
potential for fraud regarding tax receipts and taxpayer information;
* conducting inspections and audits of the design and operation of
IRS's physical security processes and controls designed to safeguard
tax receipts and taxpayer information;
* conducting appropriate background investigations and screening of
personnel, including contractors, with access to IRS facilities and
lockbox bank operations; and:
* ensuring the proper destruction of documents to prevent the
inappropriate release of sensitive taxpayer information.
Due to the volume of taxpayer receipts and sensitive taxpayer files
that IRS is responsible for safeguarding, and the implications for
IRS's mission if they are lost, stolen, or the subject of fraud or
misuse, it is critical that IRS successfully resolve the internal
control issues we have identified and work toward continually
improving its internal controls to prevent new issues from arising.
Status of Recommendations Based on the Fiscal Year 2009 Financial
Statement Audit:
In June 2009, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2008 and prior year
financial audits and other financial management-related work.[Footnote
35] In that report, we identified 62 audit recommendations that
remained open and thus required corrective action by IRS. A
significant number of these recommendations had been open for several
years, either because IRS had not taken corrective action or because
the actions taken had not yet effectively resolved the issues that
gave rise to the recommendations.
IRS continued to work to address many of the internal control issues
to which these open recommendations relate. In the course of
performing our fiscal year 2009 financial audit, we identified
numerous actions IRS took to address many of its internal control
issues. On the basis of IRS's actions, which we were able to
substantiate through our audit, we have closed 18 of these prior
years' recommendations. However, a total of 44 recommendations from
prior years remain open, a significant number of which have been
outstanding for several years. IRS considers another 21 of the prior
years' recommendations to be effectively addressed and therefore
closed. However, we consider them to remain open. For 14 of the 21, in
our view, IRS's actions did not fully address the issue that gave rise
to the recommendations. For the remaining seven, we have not yet been
able to verify the effectiveness of IRS's actions. (See app. I,
"Status per GAO," for our assessment of IRS's actions on each
recommendation).
During our audit of IRS's fiscal year 2009 financial statements, we
identified additional issues that require corrective action. In our
June 2010 management report to IRS,[Footnote 36] we discussed these
issues, and made 41 new recommendations to address them. Consequently,
a total of 85 financial management-related recommendations need to be
addressed--44 from prior years and 41 new ones from our fiscal year
2009 audit. We consider all of the new recommendations to be short-
term.[Footnote 37] We also consider the majority of the
recommendations outstanding from prior years to be short-term;
however, a few, particularly those concerning the functionality of
IRS's automated systems, are complex and will require several more
years to fully and effectively address.
In addition to the 85 open recommendations from our financial audits
and other financial management-related work, there are 88 additional
open recommendations stemming from our assessment of IRS's information
security controls over key financial systems, information, and
interconnected networks conducted as an integral part of our annual
financial audits. The issues that led to our previously reported and
our newly identified recommendations related to information security
increase the risk of unauthorized disclosure, modification, or
destruction of financial and sensitive taxpayer data. Collectively,
they constitute IRS's material weakness in internal control over
information security for its financial and tax processing systems. As
discussed earlier in this report, recommendations resulting from the
information security issues identified in our annual audits of IRS's
financial statements are reported separately because of the sensitive
nature of many of these issues.[Footnote 38]
Appendix I presents a combined listing of (1) the 62 non-information-
systems security-related recommendations based on our financial
statement audits and other financial management-related work that we
had not previously reported as closed and the 41 new recommendations
based on our fiscal year 2009 financial audit, (2) IRS-reported
corrective actions taken or planned as of April 2010, and (3) our
analysis of whether the issues that gave rise to the recommendations
have been effectively addressed, based primarily on the work performed
during our fiscal year 2009 financial statement audit. The appendix
lists the recommendations by the date on which the recommendation was
made and by report number. Appendix II presents the open
recommendations arranged by related material weakness and compliance
issue as described in our opinion report on IRS's financial
statements,[Footnote 39] as well as other control issues we have
identified and discussed in our annual management reports to IRS.
[Footnote 40]
Open Recommendations Grouped by Internal Control Activity:
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to
them, to internal control activities that are central to IRS's tax
administration responsibilities provides insight regarding their
significance.
Internal control standards consist of five elements--control
environment, risk assessment, control activities, information and
communication, and monitoring.[Footnote 41] For the control activities
element, the internal control standards explain that an agency's
system of internal control should provide for an assessment of the
risks the agency faces from both external and internal sources and
that internal control activities help ensure that management's
directives are carried out. The control activities should be effective
and efficient in accomplishing the agency's control objectives. The
control activities element defines 11 specific control activities,
which we have grouped into three categories, as shown in table 1. Each
of the unresolved recommendations from our financial audits and
financial management-related work, and the underlying issues that gave
rise to them, can be traced to 1 of the 11 specific control activities
as shown in table 1.
Table 1: Summary of Open Recommendations:
Safeguarding of assets and security activities:
Control activity: Physical control over vulnerable assets;
Open at the beginning of 2009: 11;
Closed during 2009 audit: 2;
New from 2009 audit: 2;
Total remaining open: 11;
Percentage: 13.
Control activity: Segregation of duties;
Open at the beginning of 2009: 3;
Closed during 2009 audit: 1;
New from 2009 audit: 1;
Total remaining open: 3;
Percentage: 3.
Control activity: Controls over information processing;
Open at the beginning of 2009: 1;
Closed during 2009 audit: 1;
New from 2009 audit: 0;
Total remaining open: 0;
Percentage: 0.
Control activity: Access restrictions to and accountability for
resources and records;
Open at the beginning of 2009: 5;
Closed during 2009 audit: 1;
New from 2009 audit: 1;
Total remaining open: 5;
Percentage: 6.
Safeguarding of assets and security activities: Subtotal;
Open at the beginning of 2009: 20;
Closed during 2009 audit: 5;
New from 2009 audit: 4;
Total remaining open: 19;
Percentage: 22.
Proper recording and documenting of transactions:
Control activity: Appropriate documentation of transactions and
internal controls;
Open at the beginning of 2009: 9;
Closed during 2009 audit: 1;
New from 2009 audit: 10;
Total remaining open: 18;
Percentage: 21.
Control activity: Accurate and timely recording of transactions and
events;
Open at the beginning of 2009: 12;
Closed during 2009 audit: 5;
New from 2009 audit: 13;
Total remaining open: 20;
Percentage: 24.
Control activity: Proper execution of transactions and events;
Open at the beginning of 2009: 3;
Closed during 2009 audit: 2;
New from 2009 audit: 0;
Total remaining open: 1;
Percentage: 1.
Proper recording and documenting of transactions: Subtotal;
Open at the beginning of 2009: 24;
Closed during 2009 audit: 8;
New from 2009 audit: 23;
Total remaining open: 39;
Percentage: 46.
Effective management review and oversight:
Control activity: Reviews by management at the functional or activity
level;
Open at the beginning of 2009: 13;
Closed during 2009 audit: 5;
New from 2009 audit: 7;
Total remaining open: 15;
Percentage: 18.
Control activity: Establishment and review of performance measures and
indicators;
Open at the beginning of 2009: 3;
Closed during 2009 audit: 0;
New from 2009 audit: 0;
Total remaining open: 3;
Percentage: 4.
Control activity: Management of human capital;
Open at the beginning of 2009: 2;
Closed during 2009 audit: 0;
New from 2009 audit: 6;
Total remaining open: 8;
Percentage: 9.
Control activity: Top-level reviews of actual performance;
Open at the beginning of 2009: 0;
Closed during 2009 audit: 0;
New from 2009 audit: 1;
Total remaining open: 1;
Percentage: 1.
Effective management review and oversight: Subtotal;
Open at the beginning of 2009: 18;
Closed during 2009 audit: 5;
New from 2009 audit: 14;
Total remaining open: 27;
Percentage: 32.
Control activity: Total;
Open at the beginning of 2009: 62;
Closed during 2009 audit: 18;
New from 2009 audit: 41;
Total remaining open: 85;
Percentage: 100.
Source: GAO analysis of the status of financial management
recommendations made to IRS.
[End of table]
As table 1 indicates, 19 (22 percent) of the unresolved
recommendations relate to IRS's controls over safeguarding of assets
and security activities, 39 (46 percent) relate to issues associated
with IRS's ability to properly record and document transactions, and
27 (32 percent) relate to issues associated with IRS's management
review and oversight.[Footnote 42]
On the following pages, we group the 85 open recommendations under the
specific control activity to which the condition that gave rise to
them most appropriately fits. We define each control activity as
presented in the internal control standards and briefly identify some
of the key IRS operations that fall under that control activity.
Although not comprehensive, the descriptions are intended to help
explain why actions to strengthen these control activities are
important for IRS to efficiently and effectively carry out its overall
mission. Each control activity description includes a table of the
related open recommendations. The tables list the recommendations by
the year in which we made them (ID no.). For each recommendation, we
also indicate whether it is a short-term or long-term recommendation.
We characterized a recommendation as short-term when we believe that
IRS had the capability to implement solutions within 2 years of the
year in which we first reported them.
Safeguarding of Assets and Security Activities:
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of
the most important control activities at IRS is the safeguarding of
assets. Internal control in this important area should be designed to
provide reasonable assurance regarding prevention or prompt detection
of unauthorized acquisition, use, or disposition of an agency's
assets. IRS has outstanding recommendations in the following three
control activities in the internal control standards that relate to
safeguarding of assets (including buildings and equipment as well as
tax receipts) and security activities (such as limiting access to only
authorized personnel): (1) physical control over vulnerable assets;
(2) segregation of duties; and (3) access restrictions to, and
accountability for, resources and records.
Physical Control over Vulnerable Assets:
Internal control standard: An agency must establish physical control
to secure and safeguard vulnerable assets. Examples include security
for and limited access to assets such as cash, securities,
inventories, and equipment which might be vulnerable to risk of loss
or unauthorized use. Such assets should be periodically counted and
compared to control records.
Of the trillions of dollars in taxes that IRS collects each year,
hundreds of billions is collected in the form of checks and cash
accompanied by tax returns and related information.[Footnote 43] IRS
collects taxes both at its own facilities as well as at lockbox
banks.[Footnote 44] IRS acts as custodian for (1) the tax payments it
receives until they are deposited in the General Fund of the U.S.
Treasury and (2) the tax returns and related information it receives
until they are either sent to the Federal Records Center or destroyed.
IRS is also charged with controlling many other assets, such as
computers and other equipment, but it is IRS's legal responsibility to
safeguard tax returns and the confidential information taxpayers
provided on those returns that makes the effectiveness of IRS's
internal controls over physical security essential.
While effective physical safeguards over receipts should exist
throughout the year, such safeguards are especially important during
the peak tax filing season. Each year during the weeks preceding and
shortly after April 15, an IRS service center[Footnote 45] or lockbox
bank may receive and process daily over 100,000 pieces of mail
containing returns, receipts, or both. The dollar value of receipts
each service center and lockbox bank processes increases to hundreds
of millions of dollars a day during the April 15 time frame.
The following 11 open recommendations in table 2 are designed to
improve IRS's physical controls over vulnerable assets. They include
recommendations for IRS to improve controls over (1) physical security
at its Taxpayer Assistance Centers (TAC),[Footnote 46] (2) courier
activities, and (3) lockbox banks' handling of unprocessable
items.[Footnote 47] We consider all of these recommendations to be
correctable on a short-term basis.
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
ID no.: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers with adequate
physical security controls to deter and prevent unauthorized access to
restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term).
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
SCC's perimeter, such as adding or repositioning existing CCTV cameras
or removing obstructions. (short-term).
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed and/or
shipped out. (short-term).
ID no.: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term).
ID no.: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term).
ID no.: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term).
ID no.: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date. (short-term).
ID no.: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term).
ID no.: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station,
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term).
ID no.: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term).
ID no.: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses and lockbox banks to acknowledge and track
transmittals of unprocessable items with receipts. These procedures
should include monitoring discrepancies and instituting appropriate
corrective actions as needed. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Segregation of Duties:
Internal control standard: Key duties and responsibilities need to be
divided or segregated among different people to reduce the risk of
error or fraud. This should include separating the responsibilities
for authorizing transactions, processing and recording them, reviewing
the transactions, and handling any related assets. No one individual
should control all key aspects of a transaction or event.
As noted in the previous section, IRS employees process hundreds of
billions of dollars in tax receipts in the form of cash and checks.
Consequently, it is critical that IRS maintain appropriate separation
of duties to allow for adequate oversight of staff and protection of
these vulnerable resources so that no single individual would be in a
position of causing an error or irregularity, or potentially
converting the asset to personal use, and then concealing it. For
example, when an IRS field office receives taxpayer receipts and
returns, it is responsible for depositing the cash and checks in a
depository institution and forwarding the related taxpayer information
received, such as tax returns, to an IRS service center for further
processing. In order to adequately safeguard receipts from theft, the
person responsible for recording the information from the taxpayer
receipts on a voucher should be different from the individual who
prepares those receipts for transmittal to the service center for
further processing. Also, IRS employees must properly account for the
billions of dollars IRS spends each year on its operations.
Implementing the following three recommendations in table 3 would help
IRS improve its separation of duties, which will in turn strengthen
its controls over tax receipts, procurement activities, and financial
accounting processes. All are short-term in nature.
Table 3: Recommendations to Improve IRS's Segregation of Duties:
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments.
(short-term).
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term).
ID no.: 10-12;
Recommendation: Revise the IRM and cost allocation desk guide to
require appropriate segregation of duties within the cost allocation
process. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Access Restrictions to and Accountability for Resources and Records:
Internal control standard: Access to resources and records should be
limited to authorized individuals, and accountability for their
custody and use should be assigned and maintained. Periodic comparison
of resources with the recorded accountability should be made to help
reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Because IRS handles, and is responsible for maintaining accountability
over, a large volume of cash and checks, it is imperative that it
maintain strong controls to appropriately restrict access to those
assets, the records relied on to track those assets, and sensitive
taxpayer information. Although IRS has a number of both physical and
information systems controls in place, some of the issues we have
identified in our financial audits over the years pertain to ensuring
that (1) those individuals who have direct access to cash and checks
are appropriately vetted, such as through appropriate background
investigations, before being granted access to taxpayer receipts and
information and (2) IRS maintains effective access security control.
The following five short-term recommendations in table 4 were intended
to help IRS improve its access restrictions to assets and records.
Table 4: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records:
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term).
ID no.: 08-13;
Recommendation: Require including in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term).
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term).
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 by contacting the reference directly and
documenting the details of this contact. (short-term).
ID no.: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Recording and Documenting of Transactions:
IRS has a number of internal control issues that relate to recording
transactions, documenting events, and tracking the processing of
taxpayer receipts or information. IRS has outstanding recommendations
in the following three control activities that relate to proper
recording and documenting of transactions: (1) appropriate
documentation of transactions and internal controls, (2) accurate and
timely recording of transactions and events, and (3) proper execution
of transactions and events.
Appropriate Documentation of Transactions and Internal Control:
Internal control standard: Internal control and all transactions and
other significant events need to be clearly documented, and the
documentation should be readily available for examination. The
documentation should appear in management directives, administrative
policies, or operating manuals and may be in paper or electronic form.
All documentation and records should be properly managed and
maintained.
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under
contract to process taxpayer receipts for the federal government.
Therefore, it is important that IRS maintain effective controls to
ensure that all documents and records are properly and timely
recorded, managed, and maintained both at its facilities and at the
lockbox banks. In this regard, it is critical that IRS adequately
document and disseminate its procedures to ensure that they are
available for IRS employees. IRS must also document its management
reviews of controls, such as those regarding refunds and returned
checks, credit card purchases, and reviews of TAC operations. To
ensure future availability of adequate documentation, IRS must ensure
that (1) its systems, particularly those now being developed and
implemented, have appropriate capability to identify and trace
individual transactions and (2) all critical steps in its accounting
processes are adequately documented and controlled. Resolving the
following 18 recommendations in table 5 would assist IRS in improving
its documentation of transactions and related internal control
procedures. Seventeen of these recommendations are short-term, and one
is long-term.
Table 5: Recommendations to Improve IRS's Documentation of
Transactions and Internal Control:
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term).
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term).
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), and establish a system to track acknowledged copies of
document transmittals. (short-term).
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term).
ID no.: 06-07;
Recommendation: Document supervisory visits by off-site managers to
TACs not having a manager permanently on-site. This documentation
should be signed by the manager and should (1) record the time and
date of the visit, (2) identify the manager performing the visit, (3)
indicate the tasks performed during the visit, (4) note any problems
identified, and (5) describe corrective actions planned. (short-term).
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA). (long-
term).
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid
assessment estimation process. (short-term).
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting
the results. This guidance should include a description of the key
controls that should be in place at outlying TACs, specify how often
these key controls should be reviewed, and specify how the results of
each review should be documented, including follow-up on issues
identified in previous TAC reviews. (short-term).
ID no.: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
TFRP payments processed through the ATFR system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term).
ID no.: 10-09;
Recommendation: Revise the existing methodology for extracting the
preposted revenue component of the comparison to ensure that nontax
revenues and tax revenue transactions already posted to the master
files are properly excluded. (short-term).
ID no.: 10-10;
Recommendation: Update the desk procedures governing the comparison of
general ledger tax revenue receipts to the master file to ensure that
the procedures reflect the current process and controls. (short-term).
ID no.: 10-11;
Recommendation: Revise the cost allocation desk guide to better
document the cost allocation process. This should include ensuring
that all key processing steps are included and identifying the key
sources of input data and the controls necessary to help ensure their
reliability. (short-term).
ID no.: 10-15;
Recommendation: Revise the IRM to require CIO to promptly provide
service center campuses an acknowledgment of receipt for each Form
3210 transmittal related to a duplicate refund transcript sent to them
by a service center campus for review. (short-term).
ID no.: 10-16;
Recommendation: Revise the IRM to require service center campuses to
verify that an acknowledgment of receipt has been received from CIO
for 100 percent of the Form 3210 transmittals related to duplicate
refund transcripts they have forwarded to CIO for review. (short-term).
ID no.: 10-17;
Recommendation: Revise the IRM to require service center campuses to
resolve any instances in which an acknowledgment of receipt for a Form
3210 transmittal related to duplicate refund transcripts is not
received. (short-term).
ID no.: 10-21;
Recommendation: Review the audit management checklist for clarity and
revise the assessment questions as appropriate. (short-term).
ID no.: 10-26;
Recommendation: Review the TSRRD for clarity and revise review
questions as appropriate. (short-term).
ID no.: 10-35;
Recommendation: Reiterate IRS's policy for personnel to indicate in
WebRTS during receipt and acceptance that a payment is a final payment
to close out a contract or purchase order to help ensure any remaining
obligated funds are deobligated in a timely manner. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Accurate and Timely Recording of Transactions and Events:
Internal control standard: Transactions should be promptly recorded to
maintain their relevance and value to management in controlling
operations and making decisions. This applies to the entire process or
life cycle of a transaction or event from the initiation and
authorization through its final classification in summary records. In
addition, control activities help to ensure that all transactions are
completely and accurately recorded.
IRS maintains records for tens of millions of taxpayers in addition to
maintaining its own financial records. To carry out this
responsibility, IRS often has to rely on outdated computer systems or
manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, an effort that is long-term
and, in part, dependent on obtaining future funding.
Implementation of the following 20 recommendations in table 6 would
strengthen IRS's recordkeeping abilities. Sixteen of these
recommendations are short-term, and four are long-term regarding
requirements for new systems for maintaining taxpayer records. Several
of the recommendations listed deal with financial reporting processes,
such as maintaining subsidiary records, recording budgetary
transactions, and tracking program costs. Some of the issues that gave
rise to several of our recommendations directly affect taxpayers, such
as those involving duplicate assessments, errors in calculating and
reporting manual interest, errors in calculating penalties, and
collection of trust fund recovery penalty assessments. Three of these
recommendations have remained open for over 10 years, reflecting the
complex nature of the underlying systems issues that must be resolved
to fully address some of these control deficiencies.
Table 6: Recommendations to Improve IRS's Accurate and Timely
Recording of Transactions and Events:
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term).
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term).
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term).
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term).
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term).
ID no.: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term).
ID no.: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process. (short-term).
ID no.: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in CDDB resulted in
misclassifications of account balances which, in turn resulted in
material inaccuracies in the amounts of reported unpaid assessments.
(short-term).
ID no.: 10-02;
Recommendation: Research and implement programming changes to allow
CDDB to more accurately classify such accounts among the three
categories of unpaid tax assessments. (short-term).
ID no.: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that materially affect the
financial reporting of unpaid tax assessments. (short-term).
ID no.: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that materially affect the financial
reporting of unpaid tax assessments, implement control procedures to
routinely prevent, or to detect and correct, such errors. (short-term).
ID no.: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews so that specific factors causing the errors are
identified. (short-term).
ID no.: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of TFRP payment transactions identified
through the analyses of the quarterly review results. (short-term).
ID no.: 10-14;
Recommendation: Establish controls over the cycle run spreadsheet to
help minimize the risk of error or omission. At a minimum, this should
include assigning a unique, sortable identifier to each row in the
spreadsheet and implementing controls to promptly and accurately
record the status of processing steps in a manner that ensures each
cycle run is performed and is performed in the proper sequence. (short-
term).
ID no.: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term).
ID no.: 10-34;
Recommendation: Establish procedures requiring COs/COTRs to obtain and
retain written documentation from end users confirming receipt and
acceptability of purchased goods or services prior to entering
acknowledgment of receipt and acceptance in WebRTS. (short-term).
ID no.: 10-36;
Recommendation: Reevaluate and, as necessary, revise the aging
criteria for the Aging Unliquidated Obligation reviews so that
obligations are reviewed more frequently in order to detect and
deobligate excess obligations in a timely manner. (short-term).
ID no.: 10-38;
Recommendation: Develop controls to improve the linked obligation
transaction review process to detect and correct erroneous links
between unrelated upward and downward adjustments to prior-year
obligation transactions in a timely manner. (short-term).
ID no.: 10-39;
Recommendation: Establish a formal funds control process to set aside
amounts for tax law enforcement and related support activities, as
required by annual appropriations acts. (short-term).
ID no.: 10-41;
Recommendation: Based on the results of its periodic assessments, take
action to allocate the required amount of appropriations to tax law
enforcement and related support activities to comply with the set-
aside requirement. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Proper Execution of Transactions and Events:
Internal control standard: Transactions and other significant events
should be authorized and executed only by persons acting within the
scope of their authority. This is the principal means of ensuring that
only valid transactions to exchange, transfer, use, or commit
resources and other events are initiated or entered into.
Authorizations should be clearly communicated to managers and
employees.
Each year, IRS spends approximately $250 million annually to cover the
cost of its employees' travel. Failure to ensure that employees obtain
appropriate authorizations for their travel leaves the government open
to fraud, waste, or abuse. IRS actions to address the following short-
term recommendation in table 7 would improve IRS's controls over
travel costs.
Table 7: Recommendations to Improve IRS's Execution of Transactions
and Events:
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Effective Management Review and Oversight:
All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set
the objectives, put control activities in place, and monitor and
evaluate controls to ensure that they are followed. Without adequate
monitoring by managers, there is a risk that internal control
activities may not be carried out effectively and in a timely manner.
IRS has outstanding recommendations in the following four control
activities related to effective management review and oversight: (1)
reviews by management at the functional or activity level, (2)
establishment and review of performance measures and indicators, (3)
management of human capital, and (4) top-level reviews of actual
performance.
Reviews by Management at the Functional or Activity Level:
Internal control standard: Managers need to compare actual performance
to planned or expected results throughout the organization and analyze
significant differences.
IRS employs over 100,000 full-time and seasonal employees. In
addition, as discussed earlier, lockbox banks process tens of
thousands of individual receipts, totaling hundreds of billions of
dollars for IRS. Management oversight of operations is important at
any organization, but is imperative at IRS given its mission.
Implementing the following 14 short-term and 1 long-term
recommendations in table 8 would improve IRS's management oversight of
several areas of its operations, including monitoring of contractor
facilities, release of tax liens, issuance of manual refunds, and use
of appropriated funds. These recommendations were made because an
internal control activity either did not exist or the existing control
was not being adequately or consistently applied.
Table 8: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level:
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term).
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term).
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term).
ID no.: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information
security, expand FISMA procedures or perform additional procedures as
part of the A-123 reviews to augment FISMA work. (short-term).
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term).
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term).
ID no.: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide. (long-term).
ID no.: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help
employees distinguish between procurement actions that constitute new
obligations and those that merely adjust or liquidate prior
obligations that the IRS incurred during an expired appropriation's
original period of availability. (short-term).
ID no.: 10-06;
Recommendation: Formalize and implement the quarterly reviews of TFRP
payment transactions to monitor compliance with IRM requirements.
(short-term).
ID no.: 10-13;
Recommendation: Revise the IRM and cost allocation desk guide to
require timely, documented supervisory reviews at key process points
to help prevent and detect cost allocation processing errors. (short-
term).
ID no.: 10-22;
Recommendation: Issue written guidance to accompany the audit
management checklist that explains the relevance of the questions and
the methods that should be used to assess and test the related
controls. (short-term).
ID no.: 10-24;
Recommendation: Establish and document the minimum frequency for how
often the audit management checklist should be completed at each
service center campus and field office. (short-term).
ID no.: 10-25;
Recommendation: Establish policies requiring documented managerial
reviews of completed audit management checklists. These reviews should
document (1) the time and date of the review, (2) the name of the
manager performing the review, (3) the supporting documentation
reviewed, (4) any problems identified with the responses on the
checklists, and (5) corrective actions to be taken. (short-term).
ID no.: 10-28;
Recommendation: Establish policies that require territory managers or
a manager at least one level above the group manager to periodically
review the information entered into the TSRRD for accuracy and
completeness prior to the results being forwarded to Field Assistance
Office headquarters management. This review should be signed and
documented, and include (1) the time and date of the review, (2) the
name of the manager performing the review, (3) the task performed
during the review, (4) any problems or questions identified, and (5)
planned corrective actions. (short-term).
ID no.: 10-33;
Recommendation: Establish procedures requiring HCO LEADS or their
designee to periodically monitor each business unit's progress in
complying with mandatory briefing requirements. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Establishment and Review of Performance Measures and Indicators:
Internal control standard: Activities need to be established to
monitor performance measures and indicators. These controls could call
for comparisons and assessments relating different sets of data to one
another so that analyses of the relationships can be made and
appropriate actions taken. Controls should also be aimed at validating
the propriety and integrity of both organizational and individual
performance measures and indicators.
IRS's operations include a vast array of activities encompassing
educating taxpayers, processing of taxpayer receipts and data,
disbursing hundreds of billions of dollars in refunds to millions of
taxpayers, maintaining extensive information on tens of millions of
taxpayers, and seeking collection from individuals and businesses that
fail to comply with the nation's tax laws. Within its compliance
function, IRS has numerous activities, including identifying
businesses and individuals that underreport income, collecting from
taxpayers who do not pay taxes, and collecting from those receiving
refunds for which they are not entitled. Although IRS has at its peak
over 100,000 employees, it still faces resource constraints in
attempting to fulfill its duties. It is vitally important for IRS to
have sound performance measures to assist it in assessing its
performance and targeting its resources to maximize the government's
return on investment. However, in past audits we have reported that
IRS did not capture costs at the program or activity level to assist
in developing cost-based performance measures for its various programs
and activities. As a result, IRS is unable to measure the costs and
benefits of its various collection and enforcement efforts to best
target its available resources.
The following one short-term and two long-term recommendations in
table 9 are designed to assist IRS in (1) evaluating its operations,
(2) determining which activities are the most beneficial, and (3)
establishing a good system for oversight. These recommendations are
directed at improving IRS's ability to measure, track, and evaluate
the costs, benefits, or outcomes of its operations--particularly with
regard to identifying its most cost-effective tax collection
activities.
Table 9: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators:
ID no.: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means;
(2) define the roles and responsibilities of the CFO and other
business units in the process;
and (3) be focused on the goal of determining what cost information
would be useful and the most appropriate means of developing and
reporting it for both existing programs and new programs as they are
initiated. (short-term).
ID no.: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed and they should include both personnel costs
based on time spent on specific activities as well as all associated
nonpersonnel costs, and be drawn from or reconcilable to IRS's
financial accounting system. (long-term).
ID no.: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Management of Human Capital:
Internal control standard: Effective management of an organization's
workforce--its human capital--is essential to achieving results and an
important part of internal control. Management should view human
capital as an asset rather than a cost. Only when the right personnel
for the job are on board and are provided the right training, tools,
structure, incentives, and responsibilities is operational success
possible. Management should ensure that skill needs are continually
assessed and that the organization is able to obtain a workforce that
has the required skills that match those necessary to achieve
organizational goals. Training should be aimed at developing and
retaining employee skill levels to meet changing organizational needs.
Qualified and continuous supervision should be provided to ensure that
internal control objectives are achieved. Performance evaluation and
feedback, supplemented by an effective reward system, should be
designed to help employees understand the connection between their
performance and the organization's success. As a part of its human
capital planning, management should also consider how best to retain
valuable employees, plan for their eventual succession, and ensure
continuity of needed skills and abilities.
IRS's operations cover a wide range of technical activities requiring
specific expertise needed in tax-related matters; financial
management; and systems design, development, and maintenance. Because
IRS has tens of thousands of employees spread throughout the country,
it is imperative that management keep its guidance up-to-date and its
staff properly trained. Taking action to implement the following eight
short-term recommendations in table 10 would assist IRS in its
management of human capital.
Table 10: Recommendations to Improve IRS's Management of Human Capital:
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term).
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a
detailed supervisory review be performed to ensure (1) the statistical
validity of the sampling plans, (2) data entered into the sample
selection programs agree with the sampling plans, (3) data entered
into the statistical projection programs agree with IRS's sample
review results, (4) data on the spreadsheets used to compile the
interim projections and roll-forward results trace back to supporting
statistical projection results, and (5) the calculations on these
spreadsheets are mathematically correct. (short-term).
ID no.: 10-23;
Recommendation: Provide training to physical security analysts
responsible for completing the audit management checklist to help
ensure that checklist questions are answered appropriately and
accurately. (short-term).
ID no.: 10-27;
Recommendation: Provide training to TAC group managers to assist with
their understanding of the TSRRD review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term).
ID no.: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all USRs to complete (1) the required initial USR
training prior to assuming their responsibilities, and (2) annual
refresher training each year thereafter. (short-term).
ID no.: 10-31;
Recommendation: Update USR training manuals to ensure they reflect
current security policies and procedures. (short-term).
ID no.: 10-32;
Recommendation: Establish a process to periodically review and update
training materials as appropriate. (short-term).
ID no.: 10-37;
Recommendation: Provide technicians and supervisors who are
responsible for recording and reviewing obligation transactions with
training on the proper use of manually linked obligation transactions
to reinforce IRS's existing policy requiring that transactions be
recorded accurately to the upward and downward adjustments to prior
year obligation accounts. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Top-Level Reviews of Actual Performance:
Internal control standard: Management should track major agency
achievements and compare these to the plans, goals, and objectives
established under the Government Performance and Results Act.
IRS is responsible for developing and operating a system of internal
control to ensure that it spends the billions of dollars appropriated
to it each year for operations in accordance with the directions
dictated by Congress. Implementing the following short-term
recommendation in table 11 would improve IRS's management and
oversight of its performance against legal mandates and requirements.
Table 11: Recommendations to Improve Top-Level Reviews of Actual
Performance:
ID no: 10-40;
Recommendation: Establish a policy to periodically monitor throughout
the year the amount of different appropriations accounts attributed to
the set-aside to asses IRS's progress toward complying with the
requirement. (short-term).
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Concluding Observations:
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to carry out its mission
more efficiently and more effectively while protecting taxpayers'
information.
Sound financial management and effective internal controls are
essential if IRS is to efficiently and effectively achieve its goals.
IRS has made substantial progress in improving its financial
management and internal control since its first financial audit, as
evidenced by unqualified audit opinions on its financial statements
for the past 10 years; resolution of several material internal control
weaknesses, significant deficiencies, and other control issues; and
actions taken resulting in the closure of hundreds of financial
management recommendations. This progress has been the result of hard
work by many individuals throughout IRS and sustained commitment of
IRS leadership. Nonetheless, more needs to be done to fully address
the agency's continuing financial management challenges--resolving
material internal control weaknesses; developing outcome-oriented
performance metrics that can facilitate managing operations for
outcomes; and correcting numerous other internal control issues.
Effective implementation of the recommendations we have made and
continue to make through our financial audits and related work could
greatly assist IRS in improving its internal controls and achieving
sound financial management. While we recognize that some actions--
primarily those related to modernizing automated systems--will take a
number of years to resolve, most of the open recommendations can be
addressed in the short term.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS expressed it's
appreciation for our acknowledgment of the agency's progress in
addressing its financial management challenges as evidenced by our
closure of 18 open financial management recommendations from prior GAO
reports. IRS also commented that it is committed to implementing
appropriate improvement to ensure that it maintains sound financial
management practices. We will review the effectiveness of further
corrective actions IRS has taken or will take to address all open
recommendations as part of our audit of IRS's fiscal year 2010
financial statements.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term
Growth, Senate Committee on Finance. We are also sending copies to the
Chairmen and Ranking Members of the House Committee on Appropriations;
House Committee on Ways and Means; the Chairman and Vice Chairman of
the Joint Committee on Taxation; the Secretary of the Treasury; the
Director of OMB; the Chairman of the IRS Oversight Board; and other
interested parties. The report is also available at no charge on the
GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staffs have any questions concerning this report,
please contact me at (202) 512-3406 or sebastians@gao.gov. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. GAO staff who made major
contributions to this report are listed in appendix IV.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
[End of section]
Appendix I: Status of GAO Recommendations from Internal Revenue
Service Financial Audits and Related Management Reports:
This appendix presents a list of (1) the 62 recommendations that we
had not previously reported as closed, (2) Internal Revenue Service
(IRS) reported corrective actions taken or planned as of April 2010,
and (3) our analysis of whether the issues that gave rise to the
recommendations have been effectively addressed. It also includes 41
recommendations based on our fiscal year 2009 financial statement
audit. The appendix lists the recommendations by the year and
recommendation number (ID no.) and also identifies the report in which
the recommendation was made.
Table 12: Recommendations Not Previously Reported as Closed:
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Source report: Financial Management: Important IRS Revenue Information
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993);
Status per IRS: Open. Small Business/Self-Employed (SB/SE) provided
onsite training to functions that compute interest during fiscal year
2009. SB/SE upgraded the commercial software program used to compute
manual interest and in March 2009 issued guidance stressing the
importance of using the Decision Modeling Incorporated/Automated
Computational Tool software as the primary, authorized, manual
interest computation tool. SB/SE Research stratified all fiscal year
2009 manual interest transactions and reached an agreement on
tentative sampling populations and rates needed to build the
statistical sampling program. The sampling program is projected to be
operational by September 2010 and will allow SB/SE to establish
statistically valid accuracy rates, identify sources of significant
errors, and develop necessary corrective actions;
Status per GAO: Open. During our fiscal year 2006 audit, we tested a
statistical sample of manual interest transactions and estimated that
18 percent of IRS's manual interest calculations contain errors. We
concluded that IRS controls over this area were ineffective. The
ineffectiveness of these controls contributes to errors in taxpayer
records, which is a major component of the material weakness in IRS's
management of unpaid assessments. While IRS continues to take actions
to strengthen controls over this area, such as updating guidance and
providing training related to manual interest calculations, both we
and IRS believe that the actions taken thus far would not improve the
accuracy of the manual interest calculations. Consequently, we did not
test IRS controls in this area as part of our fiscal year 2007-2009
audits. We will continue to monitor IRS's actions to address this
recommendation during future audits.
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Open. SB/SE created a Quality Assurance Internal
Review process to validate the accuracy of cross-referencing of
payments and credits on assessed Trust Fund Recovery Penalty (TFRP)
accounts. SB/SE completed a detailed analysis of the quarterly review
process performed at the campuses and in October 2009 determined SB/SE
would perform both a Current Payment Sample review to identify current
cross-referencing errors and a Whole Case Review looking for all types
of TFRP errors. SB/SE developed written procedures and specific Data
Collection Instruments to document these reviews and met with the
Ogden and Brookhaven Campuses in November 2009 to discuss the new
review process and to perfect the DCIs and procedures. The Chief
Financial Officer (CFO) and SB/SE are reviewing an extract of a
statistically valid selection of TFRP cases for each type of review;
Status per GAO: Open. IRS has made significant progress in this area
over the past several years. For example, IRS established procedures
to more clearly link each penalty assessment against a responsible
corporate officer to a specific tax period of the business account.
IRS also reported completing implementation of all phases of the
Automated Trust Fund Recovery (ATFR) system in 2008. ATFR is intended
to properly cross-reference payments received and automatically reduce
the amounts owed on all related accounts when a payment is received
from one related party. However, the system is currently unable to
process all payments related to such cases. IRS officials reported
that as of March 2010, ATFR can only automatically reduce the amounts
owed on all related accounts for about 54 percent of TFRP payments
that it receives. The remaining TFRP payments continue to require some
form of manual processing to record the reduction to the liability in
related accounts. Thus, the opportunity for errors and omissions
continues to exist. Our most recent test in fiscal year 2009 indicates
that IRS's controls in this area are still not effective in ensuring
that all TFRP payments are accurately and timely credited to all
related parties when received. We will continue to monitor IRS's
actions to address this recommendation during our fiscal year 2010 and
future audits.
ID no.: 99-03;
Recommendation: Ensure that IRS's modernization blueprint includes
developing a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. This subsidiary ledger must also have the capability to
distinguish unpaid assessments by category in order to identify those
assessments that represent taxes receivable versus compliance
assessments and write-offs. In cases involving trust fund recovery
penalties, the subsidiary ledger should ensure that (1) the trust fund
recovery penalty assessment is appropriately tracked for all taxpayers
liable but counted only once for reporting purposes and (2) all
payments made are properly credited to the accounts of all individuals
assessed for the liability. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998);
Status per IRS: Closed. IRS implemented the Custodial Detailed Data
Base (CDDB). CDDB records unpaid assessments, including accrued
penalties and interest to the general ledger by the various financial
reporting categories (taxes receivable, compliance assessments, and
write-offs), establishing CDDB as the subsidiary ledger for unpaid
assessments. CDDB is classifying approximately 85 percent of the TFRP
inventory where TFRP assessments are appropriately tracked for all
taxpayers liable and counted only once for reporting purposes.
Enhancements to CDDB during fiscal year 2009 resulted in more accurate
classifications of unpaid assessments and continued to reduce the
amount of the annual audit adjustments. CDDB is fully operational and
will be used in conjunction with the Redesign Revenue Accounting
Control System (RRACS) in February 2010 to record the unpaid
assessment amounts using the United States Standard General Ledger
format;
Status per GAO: Closed. IRS has established CDDB to function as a
transaction-level subsidiary ledger for unpaid tax debt. However,
while CDDB has the capability to function as a subsidiary ledger for
unpaid tax debt, systemic limitations and errors in taxpayer accounts
prevent IRS from using CDDB as its subsidiary ledger to routinely and
reliably report its balance of unpaid tax assessments. IRS must
continue to use a labor-intensive, manual compensating process to
estimate the year-end balances of the various categories of unpaid tax
assessments to avoid materially misstating its financial statements.
Specifically, IRS had to make almost $8 billion in adjustments to the
fiscal year-end 2009 gross taxes receivable balance produced by CDDB
as part of its manual estimation process. While IRS has made
significant progress, full operational capability of CDDB depends on
additional refinements to CDDB programs that classify unpaid
assessments accounts into the various financial reporting categories,
as well as IRS's ability to improve controls over the recording of
information into taxpayer accounts. Additionally, we continue to find
deficiencies in IRS's processes for accurately and timely crediting
the accounts of all parties assessed for a TFRP when TFRP payments are
received by IRS. Nevertheless, in order to provide recommendations
more closely aligned with the current status of these control
weaknesses, we have closed this recommendation based on IRS's
progress. We have reported the remaining issues related to the
reliability of IRS's subsidiary ledger and trust fund recovery
penalties, along with new recommendations for corrective actions, in
our June 2010 management report. See GAO-10-565R and recommendations
10-03 and 10-04 in this report.
ID no.: 99-20;
Recommendation: Analyze and determine the factors causing delays in
processing and posting Trust Fund Recovery Penalty (TFRP) assessments.
Once these factors have been determined, IRS should develop procedures
to reduce the impact of these factors and to ensure timely posting to
all applicable accounts and proper offsetting of refunds against
unpaid assessments before issuance. (long-term);
Source report: Internal Revenue Service: Custodial Financial
Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Closed: IRS has completed the following actions to
close this recommendation. With respect to systemic enhancements, IRS
has implemented numerous ATFR enhancements to the Area Office
application and to the Integrated Data Retrieval System. Examples
include (1) implementation of ATFR programming, which automated the
calculation of the penalties and assessment process to ensure accuracy
and timeliness of assessments, (2) implementation of Area Office ATFR
application, including the Web version of the Control Point Monitoring
portion of the application, and (3) enhancements to increase system
usability and features to help ensure timely processing. Through an
end-to-end analysis of the TFRP process, IRS identified factors that
caused delays in processing and posting trust fund recovery
assessments. As a result, IRS established time frames for critical
milestones in the IRM and include (1) an initial maximum 120-day
period, starting when balance due accounts are assigned to a revenue
officer to decide whether to pursue the TFRP, (2) beginning with the
date the decision was made to pursue the TFRP, an additional maximum
120-day period for submission of the TFRP recommendation package to
the group manager, and (3) created an IRM requirement that establishes
specific processing time frames for processing cases through the CPM.
With respect to reports diagnostics and training, IRS has created
numerous management-level reports to monitor cases as they progress
through the various stages of determination, assessment and processing
of the TFRP. Additionally, an extensive training and workshop program
has been established to ensure all levels of management receive
comprehensive and timely training on the effective use of TFRP reports;
Status per GAO: Closed. Over the past several years, IRS determined
several factors causing delays and took a series of actions to improve
the timeliness of processing and posting TFRP assessments. IRS updated
the Internal Revenue Manual to establish specific time frames for
achieving critical milestones in processing TFRP assessments. These
milestones include a maximum number of days that IRS staffs are given
to (1) determine whether to pursue TFRP assessments against
responsible business officers, (2) submit a case file for managerial
approval of the recommended TFRP assessment, (3) review the case file,
and (4) post the assessment to the responsible business officer's tax
account. IRS has also established time frames for segments of the TFRP
assessment process not currently covered in its IRM, and is working to
finalize these criteria in the IRM. Additionally, IRS completed the
nationwide implementation of the Automated Trust Fund Recovery - Area
Office (ATFR-AO) application. According to IRS, ATFR-AO will
facilitate the timely and accurate processing of TFRP assessments by
automating the calculation of trust fund penalties. Furthermore, IRS
developed several reports to help managers monitor the progress of
TFRP assessment cases being processed.
ID no.: 99-22;
Recommendation: Expand IRS's current review of campus deterrent
controls to include similar analyses of controls at IRS field offices
in areas such as courier security, safeguarding of receipts in locked
containers, requirements for fingerprinting employees, and
requirements for promptly overstamping checks made out to "IRS" with
"Internal Revenue Service" or "United States Treasury." Based on the
results, IRS should make appropriate changes to strengthen its
physical security controls. (short-term);
Source report: Internal Revenue Service: Custodial Financial
Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999);
Status per IRS: Closed. All IRS field offices continue to provide
training and perform reviews to strengthen controls over remittances.
On August 15, 2008, SB/SE updated guidance and instructions to
Collection Field function employees about overstamping checks made out
to "IRS" or "Internal Revenue Service" with "United States Treasury."
This includes Submission Processing (SP) sending a teller error advice
through the Revenue Officer group manager to address remittance
errors. Tax Exempt/Government Entity (TE/GE) covered remittance
processing procedures during the new hire workshops and included text
in the fiscal year 2009 Revenue Agent CPE. On August 20, 2009, Large
and Mid-sized Business (LMSB) issued their annual executive memorandum
to all IRS field offices on the use of Form 3210 procedures. On
November 30, 2009, LMSB incorporated information on Form 3210
procedures along with the proper procedure for overstamping of checks
made out to the "IRS" with "United States Treasury" in the "Processing
Advance Payments and Deposits" job aid module for new hires. TE/GE
Employee Plans Division will revise two sections of the IRM and add a
third section by May 31, 2010, to provide clear instructions on check
handling procedures, including the importance of overstamping checks
made out to IRS, and locking them in a secured area;
Status per GAO: Closed. IRS has taken several actions to address this
recommendation and improve its review of deterrent controls at its
field offices. During our fiscal year 2009 audit, we did not find any
instances of physical security control weaknesses over courier
security, safeguarding of receipts in locked containers, requirements
for fingerprinting employees, and requirements for promptly
overstamping checks made out to "IRS" with "Internal Revenue Service"
or "United States Treasury" at the field offices we visited.
Therefore, we are closing this recommendation. We will continue to
monitor IRS's implementation of its field office reviews during future
audits.
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999);
Status per IRS: Open. The IRS continues to strengthen internal
controls and procedures to enhance its ability to account for Property
and Equipment (P&E) in the Integrated Financial System (IFS).
Currently, IRS is reviewing options to develop a new asset tracking
system that will reconcile physical asset records to the financial
records. The new system is scheduled to be implemented during the
second quarter of 2011;
Status per GAO: Open. During our fiscal year 2009 audit, we continued
to find that IRS experienced problems with linking asset purchases
recorded in the general ledger system (IFS) to the P&E inventory
systems (Information Technology Asset Management System (ITAMS) and
Criminal Investigation Management Information System (CIMIS)), which
indicates that IRS's detailed P&E records do not yet fully reconcile
to the financial records. We will continue to monitor IRS's progress
in addressing these financial management system issues.
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS continues to address issues that cause late
lien releases through an internal Lien Action Plan and by conducting
reviews as part of its A-123 controls assessment process. Based on the
fiscal year 2009 A-123 results, SB/SE initiated a semiannual
independent review to identify areas of recurring errors, revise
procedural guidance, correct systemic problems with dead cycles, and
to work closely with stakeholders. SB/SE is reviewing a sample of lien
releases and will establish target goals and review and adjust the
Lien Action Plan based on these reviews throughout the year;
Status per GAO: Open. During our fiscal 2009 audit, we continued to
find that IRS did not always timely release liens. In IRS's own
testing of lien releases, it identified 8 instances out of 59 cases
tested in which it did not release the applicable federal tax lien
within the statutory 30-day period. The time between the satisfaction
of the liability and release of the lien ranged from 35 days to more
than 123 days. Based on these results, IRS estimated that for about 14
percent of unpaid tax assessment cases that were resolved in fiscal
year 2009 in which it had filed a tax lien, it did not release the
lien within 30 days of the resolution of the case. IRS's ineffective
controls over this area results in its noncompliance with Internal
Revenue Code Section 6325, which requires IRS to release tax liens
within 30 days of the date the related tax liability is fully
satisfied. We will continue to monitor IRS's actions to address this
recommendation during our fiscal year 2010 and future audits.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000);
Status per IRS: Open. IRS implemented a methodology to calculate
leasehold improvements disposal balances in time for the fiscal year
2009 financial statements. The IRS continues to assess existing system
capabilities and data sources to determine alternative approaches for
leasehold improvements;
Status per GAO: Open. During our fiscal year 2009 audit, we determined
that IRS had not established a subsidiary ledger for leasehold
improvements. However, IRS is pursuing alternative methodologies to
enhance its ability to account for leasehold improvements. We will
continue to monitor IRS's development of alternative methodologies to
enhance its ability to account for leasehold improvements in future
audits.
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Source report: Management Letter: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-01-880R, July 30,
2001);
Status per IRS: Open. IRS made significant improvements to its
methodologies for cost estimation and actual cost tracking. The IRS
published IRM 1.33.3, Reimbursable Operating Guidelines, on October 9,
2009, which provides guidance for determining the full costs of
estimated and actual costs for reimbursable agreements. IRS also
published IRM 1.32.3, Managerial Cost Accounting, on July 13, 2009.
The Office of Cost Accounting continues to work with the business
units to provide guidance on proper recording of data and the use of
the Integrated Financial System for reporting, data matching, and
analysis;
Status per GAO: Open. IRS has improved its methodology for allocating
its costs of operations at the business unit level. However, further
actions are needed for it to accumulate and report actual costs
associated with specific reimbursable projects. We confirmed during
our fiscal year 2009 audit that, for reimbursable projects that do not
require payments to be made in advance, IRS business units manually
track the actual costs for each project and bill the customer as costs
are incurred. However, for projects that require advance payments, IRS
does not have a process for determining the total actual costs
incurred at the end of the agreement term, determining the difference
between actuals and the advance payment amount, and refunding or
billing for the difference. We also noted that neither the
Reimbursable Operating Guidelines nor IRS's Managerial Cost Accounting
Policy describe a mechanism for tracking and reporting actual costs
associated with reimbursable activities. We will continue to monitor
IRS's efforts to implement this recommendation during our fiscal year
2010 audit.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments.
(short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Closed. Wage and Investment (W&I) continues to
emphasize the requirements of segregation of duties and annually
performs operational reviews at all levels to ensure field offices
comply with the requirements of segregation of duties. Follow-up
reviews preformed by Territory Managers during March 2009 revealed
that Taxpayer Assistance Centers (TAC) managers are following these
requirements. W&I holds an annual Filing Season Readiness Workshop to
address remittance and data security. New managers are trained using
the "Managing a TAC" course that provides training on payment
processing, managerial reviews, and segregation of duties between
employees accepting, recording, and transmitting payments. Field
Assistance delivered "Managing a TAC" classes in July 2009 and in
October 2009. Additional "Managing a TAC" training is ongoing. Field
Assistance Headquarters is conducting reviews on the remittance
process during the first two quarters of fiscal year 2010 to obtain
compliance;
Status per GAO: Open. During our fiscal year 2009 audit, we identified
instances at five TACs we visited where there was a lack of
segregation of duties between the employees preparing Forms 795, which
is used to record taxpayer payments (cash and non-cash), and mailing
those forms to SCCs without having the forms reconciled by other
employees or reviewed by managers. In addition, IRS asserts in its
response that new managers are trained using the "Managing a TAC"
course and that the course provides training on payment processing,
managerial reviews, and segregation of duties between employees
accepting, recording, and transmitting payments. However, from our
review of the "Managing a TAC" course material, we did not find where
the course material specifically addresses IRS's segregation of duties
policy as outlined in IRM 21.3.4.7.3.2, which establishes procedures
and protocols for segregation of duties but limits that activity only
to those TACs where staffing levels permit such activity. We will
continue to assess IRS's actions during our fiscal year 2010 audit.
ID no.: 02-18;
Recommendation: Work with the National Finance Center (NFC) to resolve
the technical limitations that exist within the Security Entry and
Tracking System (SETS) database and continue to periodically review
SETS data to detect and correct errors. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002);
Status per IRS: Closed. The Personnel Security (PS) office
successfully implemented all three short-term measures to reduce the
instances of Security Entry and Tracking System (SETS) errors. PS
continues to issue biweekly emails to all SETS users containing the
most current reports to be used in identifying and reporting errors to
the National Finance Center (NFC) and to compile weekly extracts of
all enter-on-duty dates where there were no fingerprints results or
where the results were after the enter-on-duty date. SETS users then
send these reports to each Employment Office for updates and feedback.
PS addressed the long-term measures to include writing Standard
Operating Procedures and vetting with the Human Capital Office's
employment offices, along with forming a working group to develop a
collaborative report;
Status per GAO: Closed. During our fiscal year 2009 audit, we found
that IRS implemented compensating controls to address the weaknesses
associated with this recommendation. Specifically, IRS implemented
biweekly reminders and reviews of SETS data and began utilizing the
comment field in the SETS database to annotate important dates and
other key information that SETS is unable to track and update due to
its technical limitations.
ID no.: 04-08;
Recommendation: Enforce policies and procedures to ensure that service
center campus security guards respond to alarms. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26,
2004);
Status per IRS: Closed: IRS enforces monthly unannounced monitoring of
guard response to alarms. The Physical Security and Emergency
Preparedness (PSEP) Risk Management (RM) office conducted an Alarm
Monitoring Workshop on April 28, 2009, that included this topic. RM
sends a calendar/reminder to alarm program coordinators each Friday
before the monthly report is due, and continues to oversee and ensure
compliance of alarm testing and results via internal reporting tools.
A communication was distributed to PSEP Operational Readiness to
reiterate policy on guard response to alarms on February 2, 2010;
Status per GAO: Closed. IRS continually enforces its policies and
procedures to ensure that SCC security guards respond to alarms. Each
month, IRS sends reminders to alarm program coordinators to ensure
that alarms are tested and guards' responses are evaluated in each
test. Alarm program coordinators are required to summarize the test
results and report them monthly to PSEP management.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
(SB/SE) units of field offices with respect to preparation of Payment
Posting Vouchers, Document Transmittal forms, and transmittal
packages. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005);
Status per IRS: Open. SB/SE will revise IRM 5.1.2.4 by June 30, 2010,
to add additional clarification to the policies and procedures related
to Collection Field function payment posting vouchers, document
transmittal forms, and transmittal packages to ensure an appropriate
level of separation of duties;
Status per GAO: Open. IRS did not revise its IRM during fiscal year
2009 to address the additional clarifications for ensuring appropriate
separation of duties. We will continue to assess IRS's actions during
our fiscal year 2010 audit.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005);
Status per IRS: Closed. SB/SE revised IRM 5.1.2.4.4 on August 15,
2008, to document the field office requirements for preparing Form
3210, Document Transmittal, when more than one remittance package
(sealed envelope containing Form 795/795A and remittances) is being
sent to SP. Also, SB/SE revised IRM 1.4.50.2.1.9(11) on May 12, 2009,
outlining procedures for group managers to review remittance package
transmittals to SP. Fiscal year 2009 reviews of area operations
included addressing group remittance processing controls;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issue that gave rise to our
recommendation. During our fiscal year 2009 audit, we identified one
SB/SE unit that was not following the requirement to use a Form 3210
while transmitting multiple Forms 795 to the SCC for further
processing. We will continue to evaluate this issue during our fiscal
year 2010 audit.
ID no.: 05-37;
Recommendation: Enforce documentation requirements relating to
authorizing officials charged with approving manual refunds. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005);
Status per IRS: Closed. IRS continues to enforce documentation
requirements relating to authorizing officials charged with approving
manual refunds. IRS created a standard authorization Form 14031 in
September 2008 for all offices to use, and as a result, monthly and
annual security review reports show considerable decline in memorandum
defects. IRS continues to issue its annual solicitation memorandum to
authorizing officials charged with approving manual refunds. The IRS
finalized the annual list of authorized signatures as required by IRM
3.17.79.3.5 (4) (d) on October 31, 2009. SP Headquarters completes a
sample review as part of the Monthly Security Review Checklist per IRM
3.17.79.3.5 (3), ensuring compliance to documentation requirements--
including the signatures of Heads of Office that delegated officials
the authority to approve manual refunds and the authorizing official's
campus or field office organization information. Any defects
identified are shared with management for correction;
Status per GAO: Closed. IRS has taken significant steps to address
this recommendation. During our fiscal year 2009 audit, we found that
the documentation requirements on memorandums providing the list of
officials authorized to approve manual refunds were completed
satisfactorily. In August 2009, IRS issued a memorandum entitled
"Annual Solicitation for Authorized Refunds" which provides the
information to enforce documentation requirements. GAO verified that
the memorandum contained the required information. Additionally, GAO
reviewed a copy of the standardized memorandum listings in Form 14031
to verify whether those charged with approving manual refunds are
properly documented. No exceptions were noted.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005);
Status per IRS: Open. IRS increased its oversight to enforce the
requirements to monitor accounts related to manual refunds. This
included updating IRM requirements and controls to consolidate and
simplify the process related to manual refund monitoring, providing
refresher training for manual refund initiators, and implementing
internal control and operational reviews to ensure managers and
employees are adhering to the prescribed IRM procedures. Any defects
identified through these reviews are shared with management for
correction. Additionally, the IRS utilizes the Taxpayer Advocate
Service (TAS) Managers Forum to advise all TAS employees of the
requirement to have a backup manual refund monitor when the Case
Advocate is out of the office and to educate managers on the
requirement to monitor all manual refunds entered by their employees;
Status per GAO: Open. During our fiscal year 2009 audit, we continued
to find instances where manual refund initiators did not monitor
accounts for manual refunds and supervisors did not verify that manual
refund initiators were following proper procedures for monitoring
manual refunds. We will continue to evaluate IRS's actions during our
fiscal year 2010 audit.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr, 27, 2005);
Status per IRS: Open. IRS increased its oversight to enforce the
requirements to monitor accounts related to manual refunds. On October
1, 2009, SB/SE Campus Compliance Services updated IRM 21.7.8.4.5.3 (9)
(d) to address manual refund monitoring requirements. Accounts
Management (AM) revised IRM 21.4.4 to require centralized controls for
monitoring and reviewing manual refunds at the team level. AM and
Submission Processing (SP) sites completed the manual refund refresher
training for their manual refund initiators and managers by October
15, 2009. Manual refund issues continue to be part of the site's
quarterly internal control review for AM, and as part of the Monthly
Security Review Checklist for SP. Any defects identified are shared
with management for correction. IRS also reminds its employees and
managers of the monitoring requirement during team meetings, annual
continuing professional education, and annual operational reviews. The
Manager's Forum instructs managers on the requirement to monitor all
manual refunds entered by their employees. In March 2009, the
Executive Director of Case Advocacy (EDCA) sent to all Area offices a
notice of "verification of action taken" that requires each office to
verify all IRM requirements are followed concerning the issuance and
monitoring of manual refunds. In the last year, the EDCA Office
performed a physical review of TAS cases and evidence that Case
Advocates and Managers monitored manual refunds in the 30 TAS offices
reviewed. In TAS, the EDCA office, in addition to physical reviews
performed, reminds management to discuss the manual refund monitoring
requirements in all group meetings by referring Case Advocates to the
IRM reference, 21.4.4.5.1, Monitoring Manual Refunds;
Status per GAO: Open. Although IRS's response does not directly
address requirements for documenting monitoring actions, we verified
that IRS has updated its IRM to include guidance on the requirements
to document monitoring actions for manual refunds. However, during our
fiscal year 2009 audit, we continued to find instances where manual
refund initiators did not document their monitoring actions or the
unit supervisor did not document his/her review of monitoring actions,
or both. The additional corrective actions cited by IRS were
subsequent to our fieldwork. We will evaluate the effectiveness of
IRS's corrective actions during our fiscal year 2010 audit.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. Accounts Management (AM) has procedures in
place for the periodic supervisory review and documentation of the
Form 3210 reconciliation process to follow up on unacknowledged forms.
This process provides a timely account of any discrepancy between the
documents listed on the Form 3210 and those received. Beginning in
fiscal year 2009, AM required a quarterly, independent review of each
Refund Inquiry Unit to ensure compliance with this requirement. AM
Headquarters conducts this review;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issue that gave rise to our
recommendation. Since initially issuing this recommendation in May
2006, we continued to identify instances where Refund Inquiry Unit
managers or supervisors were not performing or documenting periodic
reviews of forms used to transmit returned refund checks. In many
cases, the employees were not aware of the requirement for documenting
their reviews. In addition, while IRS states that procedures are in
place requiring the periodic review of these forms, we were unable to
locate or identify these procedures in the IRM. We will continue to
evaluate IRS's actions during our fiscal year 2010 audit.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. IRS has procedures in place to ensure compliance
with tracking acknowledgment of document transmittals. To ensure
compliance, LMSB issued a memorandum reiterating Form 3210 procedures
which provided specific IRM guidance related to the preparation,
tracking, and monitoring of Form 3210s and incorporated such
procedures in a job aid module for new hires. All TE/GE Exam Managers
use the Quick Reference Guide for processing checks and Area Managers
verify tracking measures are in place during operational reviews.
Additionally, TE/GE's Exempt Organization Exam Division will revise
specific IRM sections dealing with remittance processing. W&I also has
a system in place to monitor the use of Form 3210s when mailing
documents to SP Centers and reiterate this requirement while
conducting workshops and annual training. Further, W&I monitors
compliance through operational reviews, which have provided evidence
that sustained improvement has been achieved in compliance with
tracking acknowledgment copies of Form 3210 document transmittals;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issues that gave rise to this
recommendation. During our fiscal year 2009 audit, we identified
instances at two TACs where there was no system in place to monitor
acknowledged/unacknowledged transmittals to the SCC. We will continue
to assess IRS's actions during our fiscal year 2010 audit.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. TE/GE added a question to its 2009 Annual
Assurance Review to ensure managers document their reviews of document
transmittals verifying that taxpayer remittances mailed between IRS
locations are tracked according to guidelines. TE/GE will include this
question in all future Annual Assurance Reviews. Also, TE/GE managers
are required to review procedures and the Director of Exempt
Organization (EO) Exam sent an e-mail to all EO Exam Managers
reiterating Form 3210, Document Transmittal, procedures and to discuss
Form 3210 procedures with their employees. W&I has a system in place
to monitor the use of Form 3210 when mailing documents to SP Centers.
W&I reinforces this requirement while conducting its Filing Season
Readiness Workshop. Further, W&I monitors compliance during reviews
conducted by territory managers and operational reviews conducted by
headquarters personnel. AM operational reviews have provided evidence
that sustained improvement has been achieved in compliance with
tracking acknowledgment copies of Form 3210 document transmittals.
LMSB emphasizes in managerial workshops that document transmittals
between IRS locations are likely to be reviewed by Territory Managers.
LMSB also incorporated the review of Form 3210 procedures into their
Territory Manager's operational review, such as the Communications,
Technology, and Media Industry operation review discussion check
sheet. In August 2009, LMSB issued an annual executive memorandum to
its employees on Form 3210 procedures, including the IRM requirement
for LMSB managers and employees for the preparation, tracking, and
monitoring of the form. In November 2009, LMSB incorporated
information on Form 3210 procedures in the "Processing Advance
Payments and Deposits" job aid module for new hires.";
Status per GAO: Open. We reviewed IRS's policies for ensuring that
hard-copy taxpayer receipts and information mailed between IRS
locations are tracked according to guidelines. However, we did not
find specific instructions stating how and where W&I Field Assistance
managers or supervisors should document their review of the document
transmittals to ensure that taxpayer receipts and/or taxpayer
information mailed between IRS locations are tracked according to
guidelines. During our fiscal year 2009 audit, we identified instances
at seven TACs where there was no evidence of managerial review of
document transmittals. We will continue to evaluate IRS's corrective
actions.
ID no.: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers with adequate
physical security controls to deter and prevent unauthorized access to
restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. The IRS continues to identify priority locations
for TAC Model build outs through proactively evaluating TAC sites and
from customer feedback. IRS criteria for priority status include sites
with security, safety, and environmental health concerns. Of the 401
TAC locations, 224 have the model TAC design and 12 were completed by
the end of 2009 with another 63 scheduled for completion by the end of
2010. IRS's Physical Security and Emergency Preparedness (PSEP)
established quarterly meetings to track the redesign and physical
security issues of the TACs. Until all remaining sites can be
upgraded, all sites will follow the strictest security guidelines as
established by PSEP. IRS continues to focus on security concerns
through the use of the following solutions: theater rope or other
barriers, signage, minor alterations, and reconfigurations with
consultations from PSEP;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2010 audit.
ID no.: 06-07;
Recommendation: Document supervisory visits by off-site managers to
TACs not having a manager permanently on-site. This documentation
should be signed by the manager and should (1) record the time and
date of the visit, (2) identify the manager performing the visit, (3)
indicate the tasks performed during the visit, (4) note any problems
identified, and (5) describe corrective actions planned. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Open. W&I Field Assistance continues to use the TAC
Security Remittance Review Database to document supervisory reviews.
Managers are required to conduct and document their reviews to ensure
the protection of data and compliance with remittance and security
procedures. W&I Field Assistance is currently testing the Web design
and initiated a review process to engage headquarters, area, and
territory managers to identify and correct database entries. W&I Field
Assistance is validating the effectiveness of the corrective actions
taken;
Status per GAO: Open. During our fiscal year 2009 audit, we identified
instances at four TACs where group managers did not properly use the
TAC Security Remittance Review Database to document supervisory
reviews conducted during visits to outlying TACs. We will continue to
assess IRS's actions during our fiscal year 2010 audit.
ID no.: 06-08;
Recommendation: Enforce the requirement that all security or other
responsible personnel at service center campuses (SCC) and lockbox
banks record all instances involving the activation of intrusion
alarms, regardless of the circumstances that may have caused the
activation. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. On September 23, 2009, IRS revised the IRM
requiring campuses to record all instances involving the activation of
any alarm, regardless of what may have caused the activation, and the
instances must be recorded in a Daily Activity Report/Event Log or
other log book and maintained for a period of two years. On January 1,
2008, IRS revised L.S.G.2.3.3.15 Intrusion Detection System (IDS)
stating, "A record of all instances involving the activation of
intrusion alarms, regardless of the circumstances that may have caused
the activation, must be maintained in the Daily Activity Report (DAR)
or other incident logbook." On April 27, 2009, Business Support
Management met with the guard staff to address IDS requirements and
emphasized the requirement for the full completion of the Daily
Activity Report as detailed in the Lockbox Security Guidelines (LSG),
Standard Operating Procedures (SOP), and Post Orders. In addition, the
Business Support team will monitor the full completion of the DAR, on
a daily basis, and provide feedback to the guards, as necessary.
Repeated offenses will ultimately result in the dismissal of the guard
from the Lockbox Project;
Status per GAO: Closed. During our fiscal year 2009 audit, we verified
that IRS revised IRM 10.2.14 and LSG 2.3.3.15 to require all instances
involving the activation of intrusion alarms to be recorded at SCCs
and lockbox banks. In addition, Business Support staff met with the
guards to address Intrusion Detection System requirements and
instituted controls to monitor full completion of the DAR at lockbox
banks. In addition, we did not identify any instances where the
activation of intrusion alarms were not recorded.
ID no.: 06-22;
Recommendation: Direct Facilities Management Branch managers to
research and resolve the aging reports. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006);
Status per IRS: Closed. During fiscal year 2008, IRS corrected the
Information Technology Asset Management System-Asset Center, which is
used to record and manage P&E's disposal wizard, allowing all disposal
actions to be timely updated in the Web-based aging report to ensure
timely completion of the disposal process;
Status per GAO: Closed. During our fiscal year 2009 audit, we verified
that IRS staff routinely researched and resolved the aging reports,
thereby promptly recording disposals of property and equipment in its
inventory records. Additionally, our testing did not identify any
situations where IRS did not timely update disposal transactions.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
SCC's perimeter, such as adding or repositioning existing CCTV cameras
or removing obstructions. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS continues to utilize the Audit Management
Checklist as a repeatable process where service center campuses
quarterly validate their closed circuit television (CCTV) to determine
if it provides an unobstructed view of the exterior of the campus
perimeter and to identify problems and planned corrective actions to
mitigate any identified problems. Physical Security and Emergency
Preparedness (PSEP) continues to place emphasis on CCTV camera
coverage, and the PSEP Risk Management office will distribute a
communication to PSEP, Operational Readiness, to reiterate the policy
on CCTV camera coverage;
Status per GAO: Open. On January 10, 2008, IRS completed an assessment
of its CCTVs in all SCCs to ascertain whether they provided an
unobstructed view of its campuses' exterior perimeter. We found that
this assessment did not account for the multiple long-standing CCTV
weaknesses, which continued to exist at one SCC during our April 2009
visit. As a result, it is unclear whether additional CCTV weaknesses
at other SCCs went unreported in this risk assessment. Further, while
IRS cites the Audit Management Checklist as a tool to (1) assess the
physical security controls at SCCs and field offices and (2) identify
associated weaknesses and planned corrective actions, we found that
the officials responsible for completing the checklist did not always
answer the questions in the checklist accurately. We will continue to
assess IRS's actions during our fiscal year 2010 audit.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. All initiators and their managers completed
manual refund procedures refresher training by October 15, 2009. In
addition, Accounts Management revised manual refund monitoring
procedures in IRM 21.4.4, emphasizing the new requirements for
centralized monitoring at the team level and documenting the
monitoring actions;
Status per GAO: Open. During our fiscal year 2009 audit, we continued
to find instances where the manual refund initiators did not receive
training to ensure that they are able to fulfill their
responsibilities for processing manual refunds which include
monitoring and documenting actions to prevent the issuance of
duplicate refunds. The IRS refresher training referred to by IRS was
subsequent to our field work. We will follow up during our fiscal year
2010 audit to test its effectiveness.
ID no.: 07-15;
Recommendation: Issue a memorandum to employees in the Centralized
Insolvency Office reiterating the Internal Revenue Manual (IRM)
requirement to timely record bankruptcy discharge information onto
taxpayer accounts in the master file or to manually release the liens
in the Automated Lien System. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. SB/SE issued a memorandum on December 16,
2009, to its managers providing interim guidance on policies and
procedures for monitoring the timely determination of release of
Notices of Federal Tax Lien for cases receiving a discharge through
bankruptcy. These procedures will be incorporated into IRM 5.9.17 and
IRM 1.4.51 by August 30, 2010;
Status per GAO: Closed. IRS issued a memorandum providing additional
guidance for monitoring cases involving bankruptcy discharge to help
ensure the timely release of federal tax liens. However, in its own
fiscal year 2009 lien release testing, IRS identified one case
involving bankruptcy, where it did not release the lien within 30
days. We will continue to monitor IRS's implementation of policies and
procedures in this area during our fiscal year 2010 audit.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed and/or
shipped out. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. IRS implemented procedures on March 3, 2009,
which state, in part, "an Employee Resource Center (ERC) work ticket
call type has been established to specifically identify when secured
storage space is needed. Requesters will initiate the ERC ticket
process by requesting "Property Consultation" services, which
initiates Real Estate and Facilities Management (REFM) activity to
work with the requester on obtaining whatever secured storage space is
needed";
Status per GAO: Open. While IRS had established procedures to ensure
that sufficient secured space was available for all property and
equipment not currently in use, we found that IRS did not ensure that
the space was maintained properly. During our fiscal year 2009
physical inventory testing, IRS was unable to locate a laptop
computer. According to IRS officials, the laptop computer had been
stolen. Although the IRS officials informed us that the storage room
that housed the computer is normally locked, we found during our
physical inventory testing that the storage room was unlocked. We will
assess the effectiveness of IRS's procedures to properly secure and
safeguard property and equipment not in use during our fiscal year
2010 audit.
ID no.: 07-21;
Recommendation: Develop and implement procedures to require that
separate individuals place orders with vendors and perform receipt and
acceptance functions when the orders are delivered. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007);
Status per IRS: Closed. The Office of Procurement Policy will issue a
Policy Update reminder to all of its employees regarding the receipt
and acceptance criteria and limitations on contracting officers
outlined in policy documents. This immediate notification will serve
as a reminder and bring attention to this concern. In addition, Agency
Wide Shared Services (AWSS) will follow up with an audit to ensure
compliance with policy and procedures;
Status per GAO: Closed. During our fiscal year 2008 audit, we reviewed
IRS's revised policy and procedure memorandum pertaining to the
separation of duties, but during our fiscal year 2008 testing, we
found that individuals were performing incompatible functions. During
our fiscal year 2009 audit, we did not identify any issues regarding
separation of duties.
ID no.: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information
security, expand FISMA procedures or perform additional procedures as
part of the A-123 reviews to augment FISMA work. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB)
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. On June 30, 2009, the IRS implemented a review
process for evaluating controls over information technology relating
to financial statement reporting. The review focused on the systems
that affect recording of financial transactions and included assessing
the annual Federal Information Security Management Act (FISMA)
evaluations of the CFO-oriented financial systems. In addition, the
Associate Chief Financial Officer (ACFO) obtained copies of the Chief
Information Officer's (CIO) annual FISMA report evaluating the IRS
servicewide information technology security program and found that it
met A-123 requirements. The annual Treasury Inspector General for Tax
Administration (TIGTA) report evaluating the IRS compliance with FISMA
requirements was also reviewed to identify any A-123 FISMA issues;
Status per GAO: Open. IRS implemented the review process for
evaluating controls over information systems related to financial
reporting subsequent to the conclusion of its a-123 testing for fiscal
year 2009. We will follow up during our fiscal year 2010 audit to
assess the effectiveness of this process.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB)
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. On June 30, 2009, IRS implemented a "Fiscal
Year 2009 Control Design" template that annotates which design
activity was completed for each transaction. IRS enhanced its testing
to include procedures for design control activities published in SOPs,
IRM references, and business process documentation. The A-123 office,
along with the process owner, evaluates procedures to identify the key
internal controls and to determine whether the control fully addresses
multiple risks;
Status per GAO: Open. During our fiscal year 2009 audit, we continued
to find that IRS did not include appropriate consideration of design
of internal controls into their test plans. We reviewed IRS's internal
control test results and found that for about half of the transactions
tested, IRS did not consider the design of internal controls in their
respective test plans. IRS's actions to address this recommendation
were implemented subsequent to the conclusion of its A-123 testing for
fiscal year 2009. We will evaluate the effectiveness of these actions
during our fiscal year 2010 audit.
ID no.: 07-27;
Recommendation: Begin devising appropriate A-123 follow-up procedures
for the last 3 months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB)
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007);
Status per IRS: Closed. In fiscal year 2009, IRS performed tests in
the 4th quarter to provide sufficient evidence of continued operating
effectiveness. Testing focused on significant nonroutine transactions,
accounts, and processes with high subjectivity or judgment, period end
reporting, and other high-risk transactions, as deemed appropriate.
The IRS developed its 4th quarter testing by evaluating (1) results of
controls tested prior to the year end, (2) evidence obtained, (3)
length of time since initial A-123 test, and (4) possibility of
significant changes. Testing procedures consisted of one or more of
the following: (1) inquiries/questionnaires; (2) additional walk
throughs; (3) scanning reconciliations used in the process; (4)
selection of more significant controls to independently test; and, (5)
review of annotated copies of reports and follow up communications.
Testing was also conducted for some controls over processes that
normally operate only after the year end closing;
Status per GAO: Closed. During our fiscal year 2009 audit, we verified
that IRS devised appropriate procedures for the last 3 months of the
fiscal year. We obtained and reviewed IRS's testing plans and
supporting audit documentation and determined the procedures to be
appropriate.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA). (long-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. IRS established traceability for 98 percent of
tax revenue collections using the Trace ID stored in IRACS, CDDB, the
Integrated Submission and Remittance Processing (ISRP) system,
Lockbox, and Electronic Federal Tax Payment System (EFTPS) during the
fiscal year 2009 audit. IRS reviewed and corrected twenty-four IRMs
pertaining to recording the Trace ID in summary deposits and revenue
detail transactions. IRS issued a Hot Topic to the campuses, and is
currently updating IRM 3.17.63 to include a new Trace ID
reconciliation process to resolve any traceability discrepancies.
During fiscal year 2009, IRS completed all remaining programs that
validate the Trace ID in the deposit systems and implemented the
programs into production in January 2010. During fiscal year 2009, IRS
completed all remaining RRACS development and testing to implement
RRACS into production, making RRACS the system of record replacing
IRACS beginning in February 2010;
Status per GAO: Open. During our fiscal year 2009 audit, we verified
that IRS substantially completed the capability to trace its revenue
and refund transactions from its general ledger to supporting
documentary detail, thus providing transaction traceability for its
refund disbursements and more than 98 percent of its recorded tax
revenue collections. However, as of the end of our fieldwork, IRS had
not demonstrated transaction traceability for unpaid tax assessments,
including taxes receivable, which constituted over 80 percent of its
assets as of September 30, 2009. During our audit of IRS fiscal year
2010 financial statements, we will follow up to assess IRS progress in
providing transaction traceability for unpaid tax assessments,
including taxes receivable.
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid
assessment estimation process. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. Revenue Financial Management added a check sheet
in May 2009 to ensure the statistician performed each of the steps in
the estimation process outlined in the June 2008 procedures and is
adding additional steps to the procedures based on the fiscal year
2009 review;
Status per GAO: Open. IRS is still in the process of documenting the
specific procedures performed by the IRS statistician in each step of
the unpaid assessment estimation process. During our fiscal year 2009
audit, we again found an error in IRS's unpaid assessment estimates.
Until IRS fully documents the specific procedures performed by its
statistician in each step of the unpaid assessment estimation process,
IRS faces increased risk that an error or omission could be made. We
will continue to review IRS's corrective actions to address this
recommendation during our fiscal year 2010 and future audits.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a
detailed supervisory review be performed to ensure (1) the statistical
validity of the sampling plans, (2) data entered into the sample
selection programs agree with the sampling plans, (3) data entered
into the statistical projection programs agree with IRS's sample
review results, (4) data on the spreadsheets used to compile the
interim projections and roll-forward results trace back to supporting
statistical projection results, and (5) the calculations on these
spreadsheets are mathematically correct. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. Revenue Financial Management (RFM) is developing
procedures for reviewers during review of the unpaid assessments
estimation process to ensure (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data
on the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct. The procedures will be in place by May 2010;
Status per GAO: Open. During our fiscal year 2009 audit, we again
found an error in IRS's unpaid assessment estimates that was not
detected by IRS's internal reviews. IRS corrected this error after we
brought it to IRS's attention. However, until IRS fully documents the
specific detailed procedures for reviewers to follow in its review of
unpaid assessments statistical estimates, IRS faces increased risk
that errors in this process will not be prevented or detected and
corrected. We will continue to review IRS's corrective actions to
address this recommendation during our fiscal year 2010 audit.
ID no.: 08-04;
Recommendation: To address the inconsistency in assigning the
effective date of an accuracy-related penalty, modify the Business
Master (BMF) File computer program so that the date of the deficiency
assessment is used as the effective date of any associated accuracy-
related penalty. (long-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. In January 2009 IRS implemented programming
changes to its BMF so that accuracy-related penalties assessed
subsequent to the programming change will carry the same date as the
related deficiency assessment;
Status per GAO: Closed. IRS changed the computer program for
calculating accuracy-related penalties in its BMF to assign the
effective date of the accuracy penalty to match the date of the
related deficiency assessment. The change makes the assessment of
accuracy related penalties in its BMF consistent with how IRS
calculates accuracy-related penalties in its Individual Master File.
We reviewed IRS's documentation showing the implementation of the
programming change as well as the results of its internal tests
verifying that the programming change functioned as intended.
ID no.: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. The cross-functional working group to address
penalty and interest programming issues continue to identify and
assess penalty and interest issues. Solutions to identify systemic
differences between IRS systems that cannot be fixed under the current
processing system have been shared and discussed with Modernization &
Information Technology Services to determine the most effective way to
implement programming changes and in certain cases an impact analysis
determined correction is not cost effective at this time;
Status per GAO: Open. Although IRS completed corrective actions on
some of the programming issues it identified in 2008, and determined
that others were not cost effective to correct, it has not yet
completed the required programming corrections on all of the issues it
planned to correct. We will continue to review IRS's progress on
implementing the programming corrections during our fiscal year 2010
and future audits.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting
the results. This guidance should include a description of the key
controls that should be in place at outlying TACs, specify how often
these key controls should be reviewed, and specify how the results of
each review should be documented, including follow-up on issues
identified in previous TAC reviews. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. W&I Field Assistance continues to use the TAC
Security Remittance Review Database (TSRRD) to document supervisory
reviews. Managers are required to conduct and document their reviews
to ensure the protection of data and compliance with remittance and
security procedures. W&I Field Assistance is validating the
effectiveness of the corrective actions taken by trending subsequent
findings to the baseline of prior findings;
Status per GAO: Open. IRS outlined the reviews that TAC managers are
required to conduct in its IRM. W&I Field Assistance informed us that
all of the reviews assessing controls over taxpayer receipts and
information are documented in the TSRRD. However, during our fiscal
year 2009 audit, we found that the TSRRD was not used throughout the
entire fiscal year and as a result we were unable to determine whether
the required TAC manager reviews were performed and documented. Also,
we identified instances at five TACs where the responses entered into
the TSRRD by the TAC group manager were not always accurate, and
instances at four TACs where the group manager was not performing the
required payment processing reviews. In addition, we found that there
was no guidance requiring managerial or supervisory reviews of the
information entered in the TSRRD. The lack of managerial oversight
increases the risk that the reviews conducted at these outlying TACs
may not be useful in assessing key controls and identifying potential
weaknesses. We will continue to evaluate IRS's corrective actions
during our fiscal year 2010 audit.
ID no.: 08-08;
Recommendation: Establish a process to periodically update and
communicate the specific required reviews for all off-site TAC
managers. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. The Director of Field Assistance issued
managers a quarterly reminder to conduct required reviews again during
fiscal year 2009. W&I reviews and monitors the status of corrective
actions noted during operational reviews;
Status per GAO: Closed. IRS established a process to periodically
update and communicate the specific required reviews for all off-site
TAC managers through quarterly reminders and reviewing and monitoring
the status of corrective actions noted during operational reviews. In
addition, IRS outlined the reviews that TAC managers are required to
conduct in its IRM. According to our discussions with Field Assistance
officials, any additional or revised reviews would be communicated
through the normal IRM update process.
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. AWSS continues to work with the General Services
Administration (GSA) to complete janitorial background investigations.
GSA has only provided certification that a small number of Level IV
and Level III background investigations were completed. IRS requests a
Background Investigation (BI) on all contractors at IRS facilities.
Although IRS has been working with GSA since March 2008, GSA has not
delivered on this entire initiative. As an interim measure, IRS has
asked GSA to convert all IRS leases to daytime janitorial cleaning;
Status per GAO: Open. To date, background investigations have not been
completed for all contractors with access to TAC and other field
offices. Since many of these contracts are administered by GSA, IRS
has no direct authority over how these contracts should be managed or
what provisions should be included in these contracts. As a result,
IRS's AWSS continues to work with GSA to complete the investigations
for janitorial contractors and has asked GSA in the interim to convert
all IRS leases to daytime janitorial cleaning. However, during our
fiscal year 2009 audit, we identified instances at three TACs where
IRS did not have documentary evidence demonstrating the completion of
favorable background investigations for contractors performing
janitorial services during nonoperating hours. We will assess the
effectiveness of IRS's implementation and oversight of these
procedures during our fiscal year 2010 audit.
ID no.: 08-13;
Recommendation: Require including in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. IRS implemented a National Document Destruction
Contract with the National Institute for the Severely Handicapped
(NISH) at 482 of the 668 sites requiring shredding as of October 1,
2009. The current contract requires a review of contractor performance
through site visits and to ensure that contractors comply with all
security requirements for employee clearance prior to performing the
work. The remaining sites did not migrate to the NISH contract, as
NISH is not able to service several of these remote areas. However,
all of the remaining sites' contractors that have local shred
contracts with the IRS have agreed to operate under the same strict
guidelines established in the NISH contract and are now operating
accordingly. As NISH expands its coverage in the future, some of these
small outlying locations may fall under the NISH contract, but all
sites are now following the strict guidelines;
Status per GAO: Open. IRS has taken steps, subsequent to our fiscal
year 2009 fieldwork, to consolidate its offsite shredding services to
one provider. However, this effort covers only about 72 percent of its
sites requiring shredding services. IRS has not provided support to
show that the provisions in our recommendation are included in the
remaining shredding contracts. We will continue to evaluate IRS's
corrective actions during future audits.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. IRS implemented a National Document Destruction
Contract with the National Institute for the Severely Handicapped
(NISH) at 482 of the 668 sites requiring shredding as of October 1,
2009. The current contract requires a review of contractor performance
through site visits and to ensure that contractors comply with all
security requirements for employee clearance prior to performing the
work. The remaining sites did not migrate to the NISH contract, as
NISH is not able to service several of these remote areas. However,
all of the remaining sites' contractors that have local shred
contracts with the IRS have agreed to operate under the same strict
guidelines established in the NISH contract and are now operating
accordingly. As NISH expands its coverage in the future, some of these
small outlying locations may fall under the NISH contract, but all
sites are now following the strict guidelines;
Status per GAO: Open. IRS identifies its current efforts and progress
of implementing a National Document Destruction Contract with NISH
that would include provisions for conducting site visits and asserts
that all sites are following these guidelines. However, these actions
occurred subsequent to our fiscal year 2009 fieldwork. In addition,
IRS has not revised the IRM to require that IRS perform and document
periodic unannounced inspections of off-site shredding contractor
facilities to ensure that contractors continue to appropriately
safeguard sensitive IRS information on an ongoing basis. We will
continue to evaluate IRS's corrective actions during future audits.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Open. IRS implemented a National Document Destruction
Contract with the National Institute for the Severely Handicapped
(NISH) at 482 of the 668 sites requiring shredding as of October 1,
2009. The current contract requires a review of contractor performance
through site visits and to ensure that contractors comply with all
security requirements for employee clearance prior to performing the
work. The remaining sites did not migrate to the NISH contract, as
NISH is not able to service several of these remote areas. However,
all of the remaining sites' contractors that have local shred
contracts with the IRS have agreed to operate under the same strict
guidelines established in the NISH contract and are now operating
accordingly. As NISH expands its coverage in the future, some of these
small outlying locations may fall under the NISH contract, but all
sites are now following the strict guidelines;
Status per GAO: Open. IRS identifies its current efforts and progress
in implementing a National Document Destruction Contract with NISH
that would include provisions for requiring that contractors comply
with all security requirements for employee clearance prior to
performing the work. However, these actions occurred subsequent to our
fiscal year 2009 fieldwork. We will review IRS's procedures for
evaluating completed background investigation records to ensure that
only contractor employees who receive favorable background
investigation results are allowed access to taxpayer receipts or other
sensitive information during future audits.
ID no.: 08-16;
Recommendation: Reinforce existing policies requiring the use of the
revised Form 13094 when hiring juveniles. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. HCO continues to send monthly reminders to the
Employment Offices reinforcing Policy No. 15 - Suitability Standards
for Hiring Juveniles by the IRS. A notice was issued in July 2007 to
emphasize the policy. Further, the HCO issued Alert 731-2 in September
2008, to all Employment Offices to clarify the guidance in Policy No.
15. HCO has taken steps to monitor the Employment Offices via monthly
employment teleconference meetings to eliminate any further issues;
Status per GAO: Closed. We verified that IRS continues to send monthly
reminders to its Employment Offices. Also, we verified the Human
Capital Office issued an alert to clarify guidance in its suitability
standards for hiring juveniles, and conducted an oversight review of
the Juvenile Employment Program in September 2009. We believe that
these actions met the intent of our recommendation by enforcing the
requirement to receive and make direct contact with character
references when hiring juveniles.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 (Recommendation for Juvenile Employment)
by contacting the reference directly and documenting the details of
this contact. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. The HCO issued Alert 731-2 in September 2008
to all Employment Offices to clarify the guidance in Policy No. 15.
The Policy and Programs office conducted an oversight review of the
Juvenile Employment Program in September 2009 and no exceptions in the
policy were found regarding contacting the references listed on the
Form 13094 and documenting the details;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issues that gave rise to our
recommendation. During our fiscal year 2009 audit, we identified three
instances in which IRS employment office staff did not obtain and
verify a valid character reference, as required on Form 13094. We will
review IRS's corrective actions during our fiscal year 2010 audit.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008);
Status per IRS: Closed. IRS implemented GovTrip requiring all
travelers to use the new system. Travelers are required to create an
authorization before travel begins, and GovTrip will not allow a
voucher to be created without a signed/approved authorization. AWSS
continues to issue communications to all employees reiterating the
policy requiring all employees to obtain approval of travel
authorizations before the initiation of travel through periodic
notices on the IRS intranet. AWSS will continue to monitor compliance
with this requirement;
Status per GAO: Open. We confirmed that IRS implemented its GovTrip
system, and that GovTrip does not allow a voucher to be created
without an approved authorization entered into the system. However,
GovTrip allows an authorization to be created after the date of travel
and thus, cannot ensure that travel is authorized before it begins.
Also, IRS could not provide an example of AWSS communications that
mentioned the requirement to obtain approval of a travel authorization
prior to the initiation of travel. In addition, during our fiscal year
2009 audit, we found an instance where IRS staff did not obtain
approval of travel authorizations in advance of travel. We will
continue to review IRS's progress in implementing this recommendation.
ID no.: 09-01;
Recommendation: Correct the Integrated Data Retrieval System (IDRS)
computer program for identifying individual taxpayers who have entered
into an installment agreement so that except in situations where the
taxpayer did not file the tax return timely, failure to pay penalty
assessments made after the date of the installment agreement are
calculated using the monthly one-quarter of one percent penalty rate
on all of the taxpayer's accounts covered by the installment
agreement. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS implemented additional programming changes
in January 2009 to ensure that failure to pay penalties are calculated
at a reduced rate for all eligible taxpayers who have entered into an
installment agreement. IRS's CFO tested the programming changes
through August of 2009 to ensure that the programming is operating as
intended;
Status per GAO: Closed. We reviewed a nonrepresentative selection of
accounts of eligible taxpayers that had entered into installment
agreements with IRS and verified that IRS's master file was
calculating the failure to pay penalty at the reduced monthly rate of
one-quarter of one percent on all of the selected accounts.
ID no.: 09-02;
Recommendation: Add specific requirements to the IRM to require that
manual refund units assign back up staff to perform manual refund
monitoring activities whenever a manual refund initiator is absent for
an extended period of time. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. (W&I) Accounts Management revised IRM
21.4.4.5.1 (1) on October 2, 2009, with the following: "It is
management's responsibility to ensure accounts are monitored each week;
however, the actual monitoring can be delegated. When an employee who
performs monitoring actions is out on leave, management must reassign
the monitoring to a backup";
Status per GAO: Closed. During our fiscal year 2009 audit, we verified
that IRS revised its guidelines by adding a note within the IRM
stating that it is management's responsibility to ensure accounts are
monitored each week.
ID no.: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Open. On May 15, 2009, IRS updated IRM 3.8.45
clarifying the instructions when there are time discrepancies on
acknowledged Forms 10160. IRM 3.8.45.1.9.3.1 directs the campuses to
enact the courier contingency plan if the time stamps on Form 10160
are outside of the time allowed in the courier contract without a
reasonable explanation. Each campus has a contingency plan for
delivering the deposit to the bank if the courier does not meet the
requirements outlined in IRM 3.8.45.1.9.1. IRM 3.8.45.1.9.5 directs
the Receipt & Control Operations Manager to enact the courier
contingency plan and contact headquarters (HQ) if the time stamps on
Form 10160 are outside of the time allowed in the courier contract
without a reasonable explanation. IRM 3.8.45.1.9.7 directs HQ to
contact the courier company management when notified by the Campus
Receipt and Control Operations Manager of unacceptable time
discrepancies on Form 10160. HQ management will make the decision to
continue with the courier contract or adopt the campus courier
contingency plan;
Status per GAO: Open. The objective of this recommendation was for IRS
to develop a mechanism to aid in identifying when courier drivers who
transport deposits failed to comply with IRS's guidance to transport
the deposits directly to their destination with no unauthorized stops.
From our review of the IRM, IRS continues to lack guidance in
establishing a methodology for developing minimum requirements for
setting allowable times for courier deposits that, when exceeded,
would identify potential unauthorized stops during transit. For
example, during our fiscal year 2009 audit, we continued to find
instances at one SCC where the deposit courier's average travel time
was 90 minutes;
however, the threshold established before anyone would question the
deposit time or initiate the courier contingency plan was 135 minutes.
Thus, IRS officials are only required to make inquiries if the courier
exceeded the delivery time by 45 minutes. This time frame does not
meet the objective of identifying potential instances when deposit
couriers have made unauthorized stops during their delivery. We will
review IRS's corrective actions during our fiscal year 2010 audit.
ID no.: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. SP performs courier surveillance during the
unannounced security reviews completed at each campus. IRM 3.8.45.1.5
instructs the campus Receipt & Control Operation manager to contact
headquarters (HQ) if there is a time discrepancy on Form 10160 that
does not have a reasonable explanation. HQ Management will perform
courier surveillance if needed and make the decision to continue with
the courier contract or adopt the campus contingency plan;
Status per GAO: Open. The objective of this recommendation was to
include minimum requirements in the IRM for conducting off-site
surveillance of couriers entrusted with taxpayer receipts and
information. In March 2010, IRS informed us that a surveillance of all
couriers at SCCs will be conducted during fiscal year 2010. However,
the IRM referred to in IRS's response does not include this
requirement or any other requirements outlining when surveillance of
couriers are conducted. We will continue to evaluate this issue during
our fiscal year 2010 audit.
ID no.: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Open. W&I Field Assistance and Accounts Management
Services are creating an electronic Form 795 that will automate the
existing manual remittance reporting process. W&I has reached the
first milestone in building the "Collection Activity Report." This
report will have capabilities of tracking cash and noncash remittances
by geographical regions. The national roll-up report will identify the
type and total amount of payments received at the territory level.
Efforts are being made to further develop the report to the TAC level.
Anticipated completion of the recommendation is October 2012;
Status per GAO: Open. IRS continues its ongoing efforts to establish a
mechanism to track and report TAC receipt. According to IRS, full
implementation is not expected until October 2012. We will evaluate
IRS's corrective actions during future audits.
ID no.: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14,
Methods of Providing Protection, on September 23, 2009, requiring that
the documentation of all duress alarms for each location be readily
available to individuals conducting duress alarm tests before each
test is conducted;
Status per GAO: Open. IRS revised the IRM as noted and established a
policy requiring a readily available inventory of all duress alarms
for individuals conducting the alarm tests. However, while IRS has
provided a broad policy statement, it did not provide detailed
procedures on how the policy should be implemented. During our fiscal
year 2009 financial audit, we identified instances at all nine field
offices we visited where an inventory of all duress alarms was not
provided to the test conductor prior to conducting the quarterly
duress alarm tests. We will continue to evaluate this issue during our
fiscal year 2010 audit.
ID no.: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14,
Methods of Providing Protection, on September 23, 2009, requiring
Territory Managers to conduct a quarterly inventory validation of all
duress alarms;
Status per GAO: Open. IRS revised the IRM as noted and established a
policy requiring that the inventory of all duress alarms be
periodically updated for individuals conducting the alarm tests.
However, while IRS has provided a broad policy statement, it did not
provide detailed procedures on how the policy should be implemented.
During our fiscal year 2009 audit, we identified instances at all nine
field offices we visited where an updated inventory of all duress
alarms was not provided to the test conductor prior to conducting the
quarterly duress alarm tests. We will continue to evaluate this issue
during our fiscal year 2010 audit.
ID no.: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(2), Methods of
Providing Protection, on September 23, 2009, requiring IRS officials
who conduct the test to (1) document the test results for each duress
alarm listed in the inventory including date, findings, and planned
corrective action and (2) track the findings until they are properly
resolved;
Status per GAO: Open. During our fiscal year 2009 audit, we verified
that IRS revised duress alarm testing policies in the IRM to require
that officials (1) document the test results for each duress alarm
listed in the inventory, including date, findings, and planned
corrective actions and (2) track the findings until they are properly
resolved. However, we determined that IRS has not developed specific
instructions outlining the necessary steps for properly completing
duress alarm tests at its facilities. For example, a waiting period
may be necessary between activations of duress alarms at some IRS
locations to ensure that the central monitoring station receives each
signal. We will continue to evaluate this issue during our fiscal year
2010 audit.
ID no.: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station,
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(8), Methods of
Providing Protection, on September 23, 2009, requiring a quarterly
validation of the central monitoring station's Emergency Signal
History Report at each IRS facility under the PSEP Territory Office
jurisdiction where alarms are present. The prospective PSEP
representative ensures that appropriate corrective actions are planned
for all deficiencies or incidents requiring actions reported by the
central monitoring station per IRM 10.2.14.9.1(11). The IRM requires a
monthly validation of the "Emergency/Alarm Contact List" for each IRS
facility under PSEP Territory Office jurisdiction where alarms are
present, ensuring contact information is current, accurate, and
includes appropriate contacts;
Status per GAO: Open. IRS revised the IRM as noted and established
policies requiring periodic documented review of the Emergency Signal
History Report and emergency contact list. However, while IRS has
provided broad policy statements, it did not provide detailed
procedures on how the policies should be implemented. During our
fiscal year 2009 financial audit, we identified instances at all nine
field offices we visited where there was no routine documented review
of the Emergency Signal History Report or emergency contact list
provided to the central monitoring station and an instance at one TAC
in which an appropriately qualified individual was not listed as the
designated first responder on the duress alarm contact list. We will
continue to evaluate this issue during our fiscal year 2010 audit.
ID no.: 09-10;
Recommendation: Develop, document, and implement procedures to
regularly monitor the timeliness of purchase card approvals. This
should include establishing procedures and responsibility for
identifying and following up on instances of noncompliance with
required approval time frames. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. AWSS modified the Purchase Card Handbook (IRM
1.32.6) to meet this requirement, which is expected to be published at
the end of January 2010. AWSS Credit Card Services Branch continues to
monitor compliance with purchase card requirements through monthly
reviews;
Status per GAO: Closed. We confirmed that IRS developed, documented,
and implemented procedures to regularly monitor the timeliness of
purchase card approvals. Also, we verified that IRS's AWSS Credit Card
Services Branch conducts monthly reviews of both Web-based and manual
purchase card transactions to identify and follow up on instances of
noncompliance with required approval time frames.
ID no.: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help
employees distinguish between procurement actions that constitute new
obligations and those that merely adjust or liquidate prior
obligations that the IRS incurred during an expired appropriation's
original period of availability. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Open. The CFO published IRM 1.35.15, Annual Close
Guidelines, establishing year end procedures for expired and closing
appropriations. Corporate Budget will revise IRM 1.33.4, Financial
Operating Guidelines, clarifying existing procedures regarding the use
of expired appropriations, and the Agency-Wide Shared Services will
update IRM 1.32.6, Purchase Card Handbook, by March 2010, providing
guidance and procedures to preclude the use of expired appropriations
when using a purchase card;
Status per GAO: Open. We reviewed IRM 1.35.15, which was issued
September 8, 2009, and noted that it provides policies and procedures
for expired appropriations, including situations when it is
appropriate to use expired appropriations, procedures for closing
transactions with canceled appropriations, and policies for paying
invoices after a fiscal year appropriation is canceled. We also
reviewed the revised version of IRM 1.33.4, which was updated on April
16, 2010. It clarified procedures regarding the use of expired
appropriations and used examples to further illustrate the policies
and procedures. However, as IRS acknowledged in its response, one
additional IRM section must be revised and updated to satisfy the
intent of the recommendation. IRS expects this action to be completed
in fiscal year 2010. We will continue to evaluate IRS's actions during
our fiscal year 2010 audit.
ID no.: 09-12;
Recommendation: Reiterate IRS's existing policy requiring that
transactions be recorded accurately to the undelivered orders
obligation accounts. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. The CFO issued the Annual Close and Fiscal
Year 2009 Year end Memorandum on June 4, 2009. The memorandum states,
"The need for timely review of open commitments and obligation
continues to be essential Guidelines for the Review of Aging
Unliquidated Commitments (AUC) and the Aging Unliquidated Obligations
(AUO) Reports." The document provides supporting guidance for
reviewing and ensuring the validity of AUO, liquidating unneeded
balances for commitments and obligations, and defining
responsibilities. In addition, the CFO published IRM 1.35.15, Annual
Close Guidelines on September 8, 2009. During the AUC/AUO review
process, the CFO also reiterates the importance of maintaining
accurate obligation and commitment balances to Procurement and the
business units;
Status per GAO: Closed. We obtained the June 4, 2009 memo, noting that
IRS emphasized the importance of reviewing AUCs and AUOs. Furthermore,
IRM 1.35.15.11.2 was issued September 8, 2009, and reemphasizes the
importance of monitoring and modifying obligations so that they are
accurate. However, we noted during the fiscal year 2009 financial
statement audit that the AUO reviews did not always identify and
deobligate obligations that were no longer valid. We found that some
unneeded obligations were not reviewed and deobligated in a timely
manner because they did not meet the age criteria to be reviewed under
the AUO program. In these cases, the age criteria for review would
allow obligations with up to 300 days of inactivity to be exempt from
review. This situation could lead to the inaccurate reporting of
obligations at the fiscal year end. Thus, while we are closing this
recommendation given that IRS's actions were responsive to it, we have
reported the related issues noted above, along with related
recommendations for corrective action, in our June 2010 management
report (GAO-10-565R) and recommendations 10-35 and 10-36 in this
report.
ID no.: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. The CFO initiated weekly reviews of receipt
and acceptance transactions to more timely identify and correct errors;
Status per GAO: Open. We obtained information about the Aging
Unliquidated Accruals (AUA) process which is designed to review IRS
receipt and acceptance transactions in order to more timely identify
and correct errors. We confirmed that IRS was conducting the AUA
reviews;
however, during our fiscal year 2009 audit work we continued to find
errors in Receipt and Acceptance transactions that had been identified
through the AUA process but had not been corrected in a timely manner.
These transactions had been identified by the AUA process from 2
months to over 3 years before they were corrected. We will review
IRS's corrective actions during our fiscal year 2010 audit.
ID no.: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means;
(2) define the roles and responsibilities of the CFO and other
business units in the process;
and (3) be focused on the goal of determining what cost information
would be useful and the most appropriate means of developing and
reporting it for both existing programs and new programs as they are
initiated. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS established a Cost Users Group and
developed a regular meeting schedule. The purpose of the group is to
identify programs, underlying activities, and outputs and services for
which cost information would be beneficial. The group formalized the
cost accounting process for each business unit, defines the roles and
responsibilities of the CFO and business units, and determines what
cost information would be useful and the means of developing and
reporting this information for existing programs and new programs as
they are initiated. They share cost accounting information, leverage
best practices between the business units, and achieve standardization
and consistency. Work is formalized and documented through agenda
items and minutes. The ACFO for Internal Financial Management also
documented and formalized the cost accounting policy and process,
including the roles and responsibilities of the CFO, business units,
and Cost Users Group in the new IRM 1.32.3, Managerial Cost Accounting
which was published on July 13, 2009;
Status per GAO: Open. As IRS notes, the IRM section that formalized
IRS's Managerial Cost Accounting Policy established the Cost Users
Group to share cost accounting information and to identify programs
for which cost information would be beneficial, and the IRM section
defined the roles and responsibilities of the CFO and IRS's business
units in the process. However, IRS has not formally designated in
writing the membership of the Cost Users Group. The group's meetings,
as reported in its minutes, have not included discussions of which IRS
programs and activities would benefit from full cost information. The
minutes do not indicate that the group has developed a formal process
whereby the group's determinations are communicated to upper
management and adopted formally by IRS. We will continue to review
IRS's progress in addressing this recommendation during our fiscal
year 2010 audit.
ID no.: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed, and they should include both personnel costs
based on time spent on specific activities as well as all associated
non-personnel costs and be drawn from or reconcilable to IRS's
financial accounting system. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. IRS continues to develop cost-benefit analysis
as requested by the business units to enhance program evaluation and
decision making;
Status per GAO: Open. As IRS noted, it continues to develop full cost-
benefit data for its programs and activities. However, the ad hoc
process of reacting to the request from business units has not
resulted in full cost and benefit data on a comprehensive set of
programs and activities for which IRS regularly updates and makes
readily accessible to program managers. We will continue to review
IRS's progress in addressing this recommendation during our fiscal
year 2010 audit.
ID no.: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009);
Status per IRS: Closed. The IRS improved the analytical tools it uses
to inform its resource decisions for major enforcement programs. The
IRS already uses cost-benefit analysis, return on investment,
evaluation of possible future scenarios, and enterprise risk
management techniques for a wide range of resource-allocations
decisions, such as service and enforcement initiatives included in the
President's Budget. It is important to understand that return on
investment is but one tool that can be utilized to improve resource-
allocation decision making. Currently, the IRS uses a broader set of
tools, such as cost/benefit analysis that incorporates a wide range of
tangible and intangible costs and benefits (such as equitable coverage
rates for different groups of taxpayers, enhancing respect for the
law, and ensuring that disadvantaged populations of taxpayers receive
adequate levels of service). It is not prudent to rely exclusively on
return on investment as the sole determinant of resource allocation;
Status per GAO: Open. Although IRS began using projected cost-benefit
analyses and projections as part of its support for future enforcement
initiatives in its annual budget submissions, it has not developed
outcome-oriented performance measures and related goals to measure the
effectiveness of its existing programs. We recognize that IRS must
take into consideration coverage and equitable taxpayer treatment when
making decisions, and we have not advocated that IRS use cost/benefit
analysis as the sole measure of effectiveness. However, measuring the
cost-benefit--return on investment--of IRS's enforcement programs and
activities is an important element in measuring their effectiveness.
During fiscal year 2009, IRS developed data for some of its
enforcement programs that could be, but has not been, used to develop
performance metrics and related goals. We will continue to review and
monitor IRS's progress in addressing this recommendation during our
fiscal year 2010 audit.
ID no.: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in CDDB resulted in
misclassifications of account balances which, in turn, resulted in
material inaccuracies in the amounts of reported unpaid assessments.
(short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-02;
Recommendation: Research and implement programming changes to allow
CDDB to more accurately classify such accounts among the three
categories of unpaid tax assessments. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that affect the financial
reporting of unpaid tax assessments. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that affect the financial reporting of
unpaid tax assessments, implement control procedures to routinely
prevent, or to detect and correct, such errors. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
TFRP payments processed through the ATFR system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-06;
Recommendation: Formalize and implement the quarterly reviews of TFRP
payment transactions to monitor compliance with IRM requirements.
(short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews so that specific factors causing the errors are
identified. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of TFRP payment transactions identified
through the analyses of the quarterly review results. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-09;
Recommendation: Revise the existing methodology for extracting the pre-
posted revenue component of the comparison to ensure that nontax
revenues and tax revenue transactions already posted to the master
files are properly excluded. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-10;
Recommendation: Update the desk procedures governing the comparison of
general ledger tax revenue receipts to the master file to ensure that
the procedures reflect the current process and controls. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-11;
Recommendation: Revise the cost allocation desk guide to better
document the cost allocation process. This should include ensuring
that all key processing steps are included and identifying the key
sources of input data and the controls necessary to help ensure their
reliability. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-12;
Recommendation: Revise the IRM and cost allocation desk guide to
require appropriate segregation of duties within the cost allocation
process. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, July 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-13;
Recommendation: Revise the IRM and cost allocation desk guide to
require timely, documented supervisory reviews at key process points
to help prevent and detect cost allocation processing errors. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-14;
Recommendation: Establish controls over the cycle run spreadsheet to
help minimize the risk of error or omission. At a minimum, this should
include assigning a unique, sortable identifier to each row in the
spreadsheet and implementing controls to promptly and accurately
record the status of processing steps in a manner that ensures each
cycle run is performed and is performed in the proper sequence. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-15;
Recommendation: Revise the IRM to require CIO to promptly provide
service center campuses an acknowledgment of receipt for each Form
3210 transmittal related to a duplicate refund transcript sent to them
by a service center campus for review. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-16;
Recommendation: Revise the IRM to require service center campuses to
verify that an acknowledgment of receipt has been received from CIO
for 100 percent of the Form 3210 transmittals related to duplicate
refund transcripts they have forwarded to CIO for review. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-17;
Recommendation: Revise the IRM to require service center campuses to
resolve any instances in which an acknowledgment of receipt for a Form
3210 transmittal related to duplicate refund transcripts is not
received. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses and lockbox banks to acknowledge and track
transmittals of unprocessable items with receipts. These procedures
should include monitoring discrepancies and instituting appropriate
corrective actions as needed. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-21;
Recommendation: Review the audit management checklist for clarity and
revise the assessment questions as appropriate. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June, 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-22;
Recommendation: Issue written guidance to accompany the audit
management checklist that explains the relevance of the questions and
the methods that should be used to assess and test the related
controls. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-23;
Recommendation: Provide training to physical security analysts
responsible for completing the audit management checklist to help
ensure that checklist questions are answered appropriately and
accurately. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-24;
Recommendation: Establish and document the minimum frequency for how
often the audit management checklist should be completed at each
service center campus and field office. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-25;
Recommendation: Establish policies requiring documented managerial
reviews of completed audit management checklists. These reviews should
document (1) the time and date of the review, (2) the name of the
manager performing the review, (3) the supporting documentation
reviewed, (4) any problems identified with the responses on the
checklists, and (5) corrective actions to be taken. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-26;
Recommendation: Review the TAC Security and Remittance Review Database
(TSRRD) for clarity and revise review questions as appropriate. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-27;
Recommendation: Provide training to TAC group managers to assist with
their understanding of the TSRRD review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-28;
Recommendation: Establish policies that require territory managers or
a manager at least one level above the group manager to periodically
review the information entered into the TSRRD for accuracy and
completeness prior to the results being forwarded to Field Assistance
Office headquarters management. This review should be signed and
documented, and include (1) the time and date of the review, (2) the
name of the manager performing the review, (3) the task performed
during the review, (4) any problems or questions identified, and (5)
planned corrective actions. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all SCC Unit Security Representatives (USR) to
complete (1) the required initial USR training prior to assuming their
responsibilities, and (2) annual refresher training each year
thereafter. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-31;
Recommendation: Update USR training manuals to ensure they reflect
current security policies and procedures. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-32;
Recommendation: Establish a process to periodically review and update
USR training materials as appropriate. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-33;
Recommendation: Establish procedures requiring HCO LEADS or their
designees to periodically monitor each business unit's progress in
complying with mandatory briefing requirements. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-34;
Recommendation: Establish procedures requiring COs/COTRs to obtain and
retain written documentation from end users confirming receipt and
acceptability of purchased goods or services prior to entering
acknowledgment of receipt and acceptance in WebRTS. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-35;
Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS
during final receipt and acceptance that the payment is a final
payment to close out a contract or purchase order to help ensure any
remaining obligated funds are deobligated in a timely manner. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-36;
Recommendation: Reevaluate and, as necessary, revise the aging
criteria for the Aging Unliquidated Obligation reviews so that
unliquidated obligations are reviewed sooner in order to detect and
deobligate excess obligations in a timely manner. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-37;
Recommendation: Provide technicians and supervisors who are
responsible for recording and reviewing obligation transactions with
training on the proper use of manually linked obligation transactions
to reinforce IRS's existing policy requiring that transactions be
recorded accurately to the upward and downward adjustments to prior-
year obligation accounts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-38;
Recommendation: Develop controls to improve the linked obligation
transaction review process to detect and correct erroneous links
between unrelated upward and downward adjustments to prior-year
obligation transactions in a timely manner. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-39;
Recommendation: Establish a formal funds control process to set aside
amounts for tax law enforcement and related support activities, as
required by annual appropriations acts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-40;
Recommendation: Establish a policy to periodically monitor throughout
the year the amount of different appropriations accounts attributed to
the set-aside to asses IRS's progress toward complying with the
requirement. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
ID no.: 10-41;
Recommendation: Based on the results of its periodic assessments, take
action to allocate the required amount of appropriations to tax law
enforcement and related support activities to comply with the set-
aside requirement. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010);
Status per IRS: Because this is a recent recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during future audits.
Source: GAO and IRS.
[End of table]
[End of section]
Appendix II: Open Recommendations Arranged by Material Weakness,
Compliance, or Other Control Issue:
For several years, we have reported material weaknesses, significant
deficiencies, noncompliance with laws and regulations, and other
control issues in our annual financial statement audits and related
management reports.[Footnote 48] Appendix II provides summary
information regarding the primary issue to which each open
recommendation is most closely related. To compile this summary, we
analyzed the nature of the open recommendations to relate them to the
material weaknesses, compliance issue, and other control issues not
associated with a material weakness identified as part of our
financial statement audit.
Unpaid Tax Assessments:
The Internal Revenue Service (IRS) has serious internal control issues
that affected its management of unpaid tax assessments. Specifically,
IRS (1) reported balances for taxes receivable and other unpaid
assessments that were not supported by its core general ledger system
for tax administration, (2) lacked a subsidiary ledger for unpaid tax
assessments that would allow it to produce accurate, useful, and
timely information with which to manage and report externally, and (3)
experienced errors and delays in recording taxpayer information,
payments, and other activities.
Table 13: Material Weakness: Controls over Unpaid Assessments:
ID no.: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (SGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA). (long-
term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid
assessment estimation process. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-03;
Recommendation: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a
detailed supervisory review be performed to ensure (1) the statistical
validity of the sampling plans, (2) data entered into the sample
selection programs agree with the sampling plans, (3) data entered
into the statistical projection programs agree with IRS's sample
review results, (4) data on the spreadsheets used to compile the
interim projections and roll-forward results trace back to supporting
statistical projection results, and (5) the calculations on these
spreadsheets are mathematically correct. (short-term);
Control activity: Management of human capital.
ID no.: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in CDDB resulted in
misclassifications of account balances which, in turn, resulted in
material inaccuracies in the amounts of reported unpaid assessments.
(short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-02;
Recommendation: Research and implement programming changes to allow
CDDB to more accurately classify such accounts among the three
categories of unpaid tax assessments. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that materially affect the
financial reporting of unpaid tax assessments. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that materially affect the financial
reporting of unpaid tax assessments, implement control procedures to
routinely prevent, or to detect and correct, such errors. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
TFRP payments processed through the ATFR system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-06;
Recommendation: Formalize and implement the quarterly reviews of TFRP
payment transactions to monitor compliance with IRM requirements.
(short-term);
Control activity: Reviews by management at the functional or activity
level.
ID no.: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews so that specific factors causing the errors are
identified. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID no.: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of TFRP payment transactions identified
through the analyses of the quarterly review results. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Information Security:
Serious weaknesses in IRS's internal control over information security
continue to jeopardize the confidentiality, availability, and
integrity of information processed by IRS's key systems, increasing
the risk of material misstatement for financial reporting. For
example, IRS has not restricted users' ability to bypass application
controls, removed separated employees' systems access in a timely
manner, or restricted system access to only those who needed it. These
unresolved weaknesses increase the risk that data processed by the
agency's financial management systems are not reliable. Although IRS
has made some progress in addressing previous weaknesses we identified
in its information systems and physical security controls, as of March
2010, there were 88 open recommendations designed to help IRS improve
its information systems security controls. Those recommendations are
reported separately and are not included in this report primarily
because of the sensitive nature of some of the issues.[Footnote 49]
Release of Federal Tax Liens:
IRS continues to be noncompliant with the laws and regulations
governing the release of federal tax liens.[Footnote 50] IRS did not
always release applicable federal tax liens within 30 days of tax
liabilities being either paid off or abated, as required by the
Internal Revenue Code (section 6325). The Internal Revenue Code grants
IRS the power to file a lien against the property of any taxpayer who
neglects or refuses to pay all assessed federal taxes. The lien serves
to protect the interest of the federal government and as a public
notice to current and potential creditors of the government's interest
in the taxpayer's property.
Table 14: Compliance with Laws and Regulations: Timely Release of
Liens:
ID no.: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
Other Control Issues:
The 70 recommendations listed below pertain to issues that do not rise
individually or in the aggregate to the level of a material weakness
or noncompliance with laws and regulations. However, these issues do
represent weaknesses in various aspects of IRS's control environment
that should be addressed.
Table 15: Other Control Issues Not Associated with a Material Weakness
or Significant Deficiency:
ID no.: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments.
(short-term);
Control Activity: Segregation of duties.
ID no.: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term);
Control Activity: Segregation of duties.
ID no.: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including SCCs, TACs, and units within Large and
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities
(TE/GE), establish a system to track acknowledged copies of document
transmittals. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers with adequate
physical security controls to deter and prevent unauthorized access to
restricted areas or office space occupied by other IRS units,
including those TACs that are not scheduled to be reconfigured to the
"new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 06-07;
Recommendation: Document supervisory visits by offsite managers to
TACs not having a manager permanently on-site. This documentation
should be signed by the manager and should (1) record the time and
date of the visit, (2) identify the manager performing the visit, (3)
indicate the tasks performed during the visit, (4) note any problems
identified, and (5) describe corrective actions planned. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
SCC's perimeter, such as adding or repositioning existing CCTV cameras
or removing obstructions. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term);
Control Activity: Management of human capital.
ID no.: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed and/or
shipped out. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information
security, expand FISMA procedures or perform additional procedures as
part of the A-123 reviews to augment FISMA work. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 07-25;
Recommendation: Revise A-123 test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
TAC managers in conducting reviews of outlying TACs and documenting
the results. This guidance should include a description of the key
controls that should be in place at outlying TACs, specify how often
these key controls should be reviewed, and specify how the results of
each review should be documented, including follow-up on issues
identified in previous TAC reviews. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to TAC and other field
offices. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-13;
Recommendation: Require including in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 08-15;
Recommendation: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 (Recommendation for Juvenile Employment)
by contacting the reference directly and documenting the details of
this contact. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term);
Control Activity: Proper execution of transactions and events.
ID no.: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
TAC location, group, territory, area, and nationwide. (long-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each TAC location to ensure that the
inventory is current and complete as of the testing date. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station,
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help
employees distinguish between procurement actions that constitute new
obligations and those that merely adjust or liquidate prior
obligations that the IRS incurred during an expired appropriation's
original period of availability. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means;
(2) define the roles and responsibilities of the CFO and other
business units in the process; and (3) be focused on the goal of
determining what cost information would be useful and the most
appropriate means of developing and reporting it for both existing
programs and new programs as they are initiated. (short-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID no.: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed, and they should include both personnel costs
based on time spent on specific activities as well as all associated
nonpersonnel costs and be drawn from or reconcilable to IRS's
financial accounting system. (long-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID no.: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID no.: 10-09;
Recommendation: Revise the existing methodology for extracting the
preposted revenue component of the comparison to ensure that nontax
revenues and tax revenue transactions already posted to the master
files are properly excluded. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-10;
Recommendation: Update the desk procedures governing comparison of the
general ledger tax revenue receipts to the master files to ensure that
the procedures reflect the current process and controls. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-11;
Recommendation: Revise the cost allocation desk guide to better
document the cost allocation process. This should include ensuring
that all key processing steps are included and identifying the key
sources of input data and the controls necessary to help ensure their
reliability. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-12;
Recommendation: Revise the IRM and cost allocation desk guide to
require appropriate segregation of duties within the cost allocation
process. (short-term);
Control Activity: Segregation of duties.
ID no.: 10-13;
Recommendation: Revise the IRM and cost allocation desk guide to
require timely, documented supervisory reviews at key process points
to help prevent and detect cost allocation processing errors. (short-
term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-14;
Recommendation: Establish controls over the cycle run spreadsheet to
help minimize the risk of error or omission. At a minimum, this should
include assigning a unique, sortable identifier to each row in the
spreadsheet and implementing controls to promptly and accurately
record the status of processing steps in a manner that ensures each
cycle run is performed and is performed in the proper sequence. (short-
term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-15;
Recommendation: Revise the IRM to require CIO to promptly provide
service center campuses an acknowledgment of receipt for each Form
3210 transmittal related to a duplicate refund transcript sent to them
by a service center campus for review. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-16;
Recommendation: Revise the IRM to require service center campuses to
verify that an acknowledgment of receipt has been received from CIO
for 100 percent of the Form 3210 transmittals related to duplicate
refund transcripts they have forwarded to CIO for review. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-17;
Recommendation: Revise the IRM to require service center campuses to
resolve any instances in which an acknowledgment of receipt for a Form
3210 transmittal related to duplicate refund transcripts is not
received. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses and lockbox banks to acknowledge and track
transmittals of unprocessable items with receipts. These procedures
should include monitoring discrepancies and instituting appropriate
corrective actions as needed. (short-term);
Control Activity: Physical control over vulnerable assets.
ID no.: 10-21;
Recommendation: Review the audit management checklist for clarity and
revise the assessment questions as appropriate. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-22;
Recommendation: Issue written guidance to accompany the audit
management checklist that explains the relevance of the questions and
the methods that should be used to assess and test the related
controls. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-23;
Recommendation: Provide training to physical security analysts
responsible for completing the audit management checklist to help
ensure that checklist questions are answered appropriately and
accurately. (short-term);
Control Activity: Management of human capital.
ID no.: 10-24;
Recommendation: Establish and document the minimum frequency for how
often the audit management checklist should be completed at each
service center campus and field office. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-25;
Recommendation: Establish policies requiring documented managerial
reviews of completed audit management checklists. These reviews should
document (1) the time and date of the review, (2) the name of the
manager performing the review, (3) the supporting documentation
reviewed, (4) any problems identified with the responses on the
checklists, and (5) corrective actions to be taken. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-26;
Recommendation: Review the TAC Security and Remittance Review Database
(TSRRD) for clarity and revise review questions as appropriate. (short-
term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-27;
Recommendation: Provide training to TAC group managers to assist with
their understanding of the TSRRD review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term);
Control Activity: Management of human capital.
ID no.: 10-28;
Recommendation: Establish policies that require territory managers or
a manager at least one level above the group manager to periodically
review the information entered into the TSRRD for accuracy and
completeness prior to the results being forwarded to Field Assistance
Office headquarters management. This review should be signed and
documented, and include (1) the time and date of the review, (2) the
name of the manager performing the review, (3) the task performed
during the review, (4) any problems or questions identified, and (5)
planned corrective actions. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID no.: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all SCC Unit Security Representatives (USR) to
complete (1) the required initial USR training prior to assuming their
responsibilities, and (2) annual refresher training each year
thereafter. (short-term);
Control Activity: Management of human capital.
ID no.: 10-31;
Recommendation: Update USR training manuals to ensure they reflect
current security policies and procedures. (short-term);
Control Activity: Management of human capital.
ID no.: 10-32;
Recommendation: Establish a process to periodically review and update
USR training materials as appropriate. (short-term);
Control Activity: Management of human capital.
ID no.: 10-33;
Recommendation: Establish procedures requiring HCO LEADS or their
designees to periodically monitor each business unit's progress in
complying with mandatory briefing requirements. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID no.: 10-34;
Recommendation: Establish procedures requiring COs/COTRs to obtain and
retain written documentation from end users confirming receipt and
acceptability of purchased goods or services prior to entering
acknowledgment of receipt and acceptance in WebRTS. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-35;
Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS
during final receipt and acceptance that the payment is a final
payment to close out a contract or purchase order to help ensure any
remaining obligated funds are deobligated in a timely manner. (short-
term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID no.: 10-36;
Recommendation: Reevaluate and, as necessary, revise the aging
criteria for the Aging Unliquidated Obligation reviews so that
unliquidated obligations are reviewed sooner in order to detect and
deobligate excess obligations in a timely manner. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-37;
Recommendation: Provide technicians and supervisors who are
responsible for recording and reviewing obligation transactions with
training on the proper use of manually linked obligation transactions
to reinforce IRS's existing policy requiring that transactions be
recorded accurately to the upward and downward adjustments to prior
year obligation accounts. (short-term);
Control Activity: Management of human capital.
ID no.: 10-38;
Recommendation: Develop controls to improve the linked obligation
transaction review process to detect and correct erroneous links
between unrelated upward and downward adjustments to prior-year
obligation transactions in a timely manner. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-39;
Recommendation: Establish a formal funds control process to set aside
amounts for tax law enforcement and related support activities, as
required by annual appropriations acts. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID no.: 10-40;
Recommendation: Establish a policy to periodically monitor throughout
the year the amount of different appropriations accounts attributed to
the set-aside to asses IRS's progress toward complying with the
requirement. (short-term);
Control Activity: Top level reviews of actual performance.
ID no.: 10-41;
Recommendation: Based on the results of its periodic assessments, take
action to allocate the required amount of appropriations to tax law
enforcement and related support activities to comply with the set-
aside requirement. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
Source: GAO analysis of financial management recommendations made to
IRS.
[End of table]
[End of section]
Appendix III: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
June 15, 2010:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled, IRS: Status of GAO Financial Audit and Related
Financial Management Report Recommendations (GA0-10-597).
As GAO noted in the report, IRS has made significant progress in
improving its internal controls and financial management as evidenced
by 10 consecutive years of clean audit opinions on its financial
statements. We are pleased that you acknowledged our progress in
addressing our financial management challenges and agreed to close 18
prior year financial management recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions or would like to discuss our response in further
detail, please contact me or Alison Doone, Chief Financial Officer, at
(202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, the following individuals made
major contributions to this report: William J. Cordrey, Assistant
Director; Russell Brown; Ray B. Bush; Nina Crocker; Oliver Culley;
Doreen Eng; Charles Fox; Valerie Freeman; Jamie Haynes; Ted Hu;
Richard Larsen; Delores Lee; Julie Phillips; John Sawyer; Christopher
Spain; Cynthia Teddleton; LaDonna Towler; and Gary Wiggins.
[End of section]
Footnotes:
[1] A material weakness is a deficiency, or a combination of
deficiencies, in internal control such that there is a reasonable
possibility that a material misstatement of the entity's financial
statements will not be prevented, or detected and corrected on a
timely basis. A control deficiency exists when the design or operation
of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent, or detect
and correct misstatements on a timely basis.
[2] A significant deficiency is a deficiency, or a combination of
deficiencies, in internal control that is less severe than a material
weakness, yet important enough to merit attention by those charged
with governance.
[3] Management is responsible for establishing and maintaining
internal control to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with
applicable laws and regulations. See 31 U.S.C. § 3512 (c), (d),
commonly known as the Federal Managers' Financial Integrity Act of
1982 (FMFIA); see also, GAO, Standards for Internal Control in the
Federal Government, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.:
Nov. 1, 1999), 4-5. The actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for results-
oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and
to take corresponding corrective actions.
[4] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176]
(Washington, D.C.: Nov. 10, 2009).
[5] An unpaid assessment is a legally enforceable claim against a
taxpayer and consists of taxes, penalties, and interest that have not
been collected or abated (a reduction in a tax assessment).
[6] The term "outcome-oriented performance metrics," refers to the
measurement of the end result of a work activity or series of
activities, such as the taxes collected as a result of a tax
assessment and the collection actions taken by IRS employees, such as
telephone calls to tax debtors.
[7] GAO, Information Security: IRS Needs to Continue to Address
Significant Weaknesses, [hyperlink,
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19,
2010).
[8] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1],
(Washington, D.C.: Nov. 1, 1999), contains the internal control
standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by 31 U.S.C. §
3512 (c), (d). which is commonly known as the Federal Managers'
Financial Integrity Act of 1982 (FMFIA).
[9] See the CFO Act of 1990, Pub. L. No. 101-576, 104 Stat. 2838 (Nov.
15, 1990), codified in relevant part, as amended at 31 U.S.C. § 3521
(g).
[10] The circular requires agencies and individual federal managers to
take systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined
in appendix A of the circular; (4) identify needed improvements; (5)
take corresponding corrective action; and (6) report annually on
internal control through management assurance statements.
[11] [hyperlink, http://www.gao.gov/products/GAO-10-355].
[12] GAO, Management Report: Improvements Are Needed in IRS's Internal
Controls and Compliance with Laws and Regulations, [hyperlink,
http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28,
2010).
[13] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G]
(Washington, D.C.: Aug. 1, 2001).
[14] FASAB, Statement of Federal Financial Concepts No. 1: Objectives
of Federal Financial Reporting, version 8 (Washington, D.C.: June 30,
2009).
[15] [hyperlink, http://www.gao.gov/products/GAO-10-565R].
[16] [hyperlink, http://www.gao.gov/products/GAO-10-355].
[17] [hyperlink, http://www.gao.gov/products/GAO-10-176].
[18] Unpaid assessments are unpaid taxes. For reporting purposes,
federal accounting standards classify unpaid assessments into federal
taxes receivables, compliance assessments, and write-offs. Federal
taxes receivable are taxes due from taxpayers for which IRS can
support the existence of a receivable through taxpayer agreement or a
favorable court ruling. Compliance assessments are assessments where
neither the taxpayer nor the court has affirmed that the amounts are
owed. Write-offs represent unpaid tax assessments for which IRS does
not expect further collection because of factors such as the
taxpayer's death, bankruptcy, or insolvency.
[19] [hyperlink, http://www.gao.gov/products/GAO-10-176].
[20] An "outcome" is a measure of the end result of a work activity or
series of activities, such as the taxes collected, and is a measure of
the results of providing outputs.
[21] IRS's performance metrics are reported externally via its
Management Discussion and Analysis section of its annual financial
statements. See [hyperlink, http://www.gao.gov/products/GAO-10-176].
[22] An "output" measure is a measure of the quantity of services
provided, such as the number of phone calls made to taxpayers in an
effort to collect unpaid taxes.
[23] IRS's measure of conviction efficiency rate is a partial
exception in that it measures the total cost of its criminal
investigations divided by the number of convictions.
[24] See app. I, recommendation 09-16, in this report.
[25] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request
and Interim Performance Results of IRS's 2008 Tax Filing Season,
[hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.:
Mar. 13, 2008); and GAO, Internal Revenue Service: Review of the
Fiscal Year 2010 Budget Request, [hyperlink,
http://www.gao.gov/products/GAO-09-754] (Washington, D.C.: June 13,
2009).
[26] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-08-166]
(Washington, D.C.: Nov. 9, 2007); GAO, Financial Audit: IRS's Fiscal
Years 2008 and 2007 Financial Statements, [hyperlink,
http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10,
2008); and GAO, Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness, [hyperlink,
http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24,
2009).
[27] GAO, Internal Revenue Service: Serious Weaknesses Impact Ability
to Report on and Manage Operations, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-99-196] (Washington, D.C.: Aug.
9, 1999).
[28] See [hyperlink, http://www.gao.gov/products/GAO-08-166],
[hyperlink, http://www.gao.gov/products/GAO-09-119], and [hyperlink,
http://www.gao.gov/products/GAO-09-513R].
[29] The "full cost" of a program or activities includes all of the
direct costs, including personnel time charges, and indirect costs,
such as the allocation of overhead costs, that are applicable to the
program or activity.
[30] An "activity" can be defined as a discrete action that IRS
undertakes, such as when IRS matches a taxpayer's reported dividends
on its tax return to the dividends reported to IRS by the taxpayer's
financial institution to identify discrepancies. A "program" can be
defined as a group of related activities, such as IRS's Automated
Underreporter program in which IRS matches a taxpayer's various types
of income--wages, dividends, interest, etc.--to identify discrepancies
that, collectively, may indicate unpaid taxes.
[31] IFS is IRS's administrative accounting system, which IRS uses to
facilitate its core financial management activities, such as general
ledger, budget formulation, and accounts payable and receivable. IFS
includes a cost module that IRS uses to facilitate the recording of
cost information, but the cost module is not fully integrated with
IRS's workload management systems, which record employees' time spent
on various programs and activities. In fiscal year 2008, IRS canceled
plans to add a managerial cost accounting module to IFS that was
intended to provide the capability to produce such full cost
information at the program and activity levels.
[32] FASAB, Statement of Federal Financial Concepts No. 1: Objectives
of Federal Financial Reporting.
[33] An "outcome" is a measure of the end result of a work activity or
series of activities, such as the taxes collected and is a measure of
the results of providing outputs. An "output" is a measure of the
quantity of services provided, such as the number of phone calls made
to taxpayers in an effort to collect unpaid taxes.
[34] Lockbox banks are financial institutions designated as
depositories and financial agents of the U.S. government to perform
certain financial services, including processing tax documents,
depositing the receipts, and forwarding the documents and data to the
IRS service center campuses that process tax returns and payments.
[35] GAO, Internal Revenue Service: Status of Financial Audit and
Related Financial Management Report Recommendations, [hyperlink,
http://www.gao.gov/products/GAO-09-514] (Washington, D.C.: June 25,
2009).
[36] [hyperlink, http://www.gao.gov/products/GAO-10-565R].
[37] We define short-term recommendations as those that we believed
could be addressed within 2 years at the time we made the
recommendation. We define long-term recommendations as those we
expected to require 2 years or more to implement at the time we made
the recommendation.
[38] [hyperlink, http://www.gao.gov/products/GAO-10-355].
[39] [hyperlink, http://www.gao.gov/products/GAO-10-176].
[40] See [hyperlink, http://www.gao.gov/products/GAO-10-565R] and
[hyperlink, http://www.gao.gov/products/GAO-09-513R] for our
recommendations resulting from our fiscal years 2009 and 2008 audits.
[41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[42] The number of recommendations cited in the earlier report section
on "challenges in resolving other internal control issues" in which we
discuss the open recommendations concerning safeguarding taxpayer
receipts and information does not match the control activity
information in the table 1 section on "safeguarding of assets and
security activities." The recommendations concerning safeguarding of
taxpayer receipts and information included in that table 1 section are
limited to those that are directly related to such safeguarding, such
as physical safeguards over the transportation of checks and tax
returns. Other recommendations that are indirectly related to
safeguarding taxpayer receipts and information, such as management
oversight and the adequacy of policies and procedures, are included in
the other two sections of table 1, "proper recording and documenting
of transactions" and "effective management review and oversight." The
70 recommendations reported in the previous report section included
both those directly and indirectly related to safeguarding taxpayer
receipts and information.
[43] The majority of federal tax payments are made for both businesses
and individuals through the Electronic Federal Tax Payment System.
[44] Lockbox banks operate under contract with the Department of the
Treasury's Financial Management Service. The three lockbox banks
perform processing functions in seven locations throughout the country.
[45] Six of IRS's 10 service center campuses process tax returns and
payments submitted by taxpayers.
[46] IRS's 401 TACs are small field assistance units located in
various cities and towns in every state, are part of IRS's Wage and
Investment operating division, and are designated to serve taxpayers
who choose to seek help from IRS in person.
[47] IRS defines unprocessable items as any document, correspondence,
or item that cannot be processed by the lockbox bank, such as
unacceptable forms of payment--traveler's checks, gold coins, and
other items of value that are easily negotiable.
[48] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176]
(Washington, D.C.: Nov. 10, 2009); and GAO, Management Report:
Improvements Are Needed in IRS's Internal Controls and Compliance with
Laws and Regulations, [hyperlink,
http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28,
2010).
[49] GAO, Information Security: IRS Needs to Continue to Address
Significant Weaknesses, [hyperlink,
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19,
2010).
[50] [hyperlink, http://www.gao.gov/products/GAO-10-176].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
