Internal Revenue Service

Status of GAO Financial Audit and Related Financial Management Report Recommendations Gao ID: GAO-10-597 June 30, 2010

In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS's efforts to address the weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) provide an overview of the financial management challenges still facing IRS, (2) provide the status of financial audit and financial management-related recommendations and the actions needed to address them, and (3) highlight the relationship between GAO's recommendations and internal control activities central to IRS's mission and goals.

IRS has made progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 10 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 250 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces significant financial management challenges in (1) resolving its remaining material weaknesses in internal control, (2) developing outcome-oriented performance metrics, and (3) correcting numerous other internal control issues, especially those relating to safeguarding tax receipts and taxpayer information. At the beginning of GAO's audit of IRS's fiscal year 2009 financial statements, 62 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2009 financial audit, IRS took actions that GAO considered sufficient to close 18 recommendations. At the same time, GAO identified additional internal control issues resulting in 41 new recommendations. In total, 85 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 85 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories: safeguarding of assets and security activities; proper recording and documenting of transactions; and effective management review and oversight. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning the functionality of IRS's automated systems, are complex and will require several more years to effectively address. GAO is not making any recommendations in this report. In commenting on a draft report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices.



GAO-10-597, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations This is the accessible text file for GAO report number GAO-10-597 entitled 'Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations' which was released on June 30, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Commissioner of Internal Revenue: United States Government Accountability Office: GAO: June 2010: Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations: GAO-10-597: GAO Highlights: Highlights of GAO-10-597, a report to the Commissioner of Internal Revenue. Why GAO Did This Study: In its role as the nation‘s tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation‘s tax laws. Since its first audit of IRS‘s financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS‘s financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS‘s financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS‘s efforts to address the weaknesses GAO identified in previous years‘ audits. The purpose of this report is to (1) provide an overview of the financial management challenges still facing IRS, (2) provide the status of financial audit and financial management–related recommendations and the actions needed to address them, and (3) highlight the relationship between GAO‘s recommendations and internal control activities central to IRS‘s mission and goals. What GAO Found: IRS has made progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 10 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 250 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces significant financial management challenges in (1) resolving its remaining material weaknesses in internal control, (2) developing outcome-oriented performance metrics, and (3) correcting numerous other internal control issues, especially those relating to safeguarding tax receipts and taxpayer information. At the beginning of GAO‘s audit of IRS‘s fiscal year 2009 financial statements, 62 financial management–related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2009 financial audit, IRS took actions that GAO considered sufficient to close 18 recommendations. At the same time, GAO identified additional internal control issues resulting in 41 new recommendations. In total, 85 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 85 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. Table: Summary of Open Recommendations by Control Category: Safeguarding of assets and security activities: Open at the beginning of 2009: 20; Closed during 2009 audit: 5; New from 2009 audit: 4; Total remaining open: 19. Proper recording and documenting of transactions: Open at the beginning of 2009: 24; Closed during 2009 audit: 8; New from 2009 audit: 23; Total remaining open: 39. Effective management review and oversight: Open at the beginning of 2009: 18; Closed during 2009 audit: 5; New from 2009 audit: 14; Total remaining open: 27. Total: Open at the beginning of 2009: 62; Closed during 2009 audit: 18; New from 2009 audit: 41; Total remaining open: 85. Source: GAO analysis of financial management recommendations made to IRS. [End of table] The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO‘s recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning the functionality of IRS‘ s automated systems, are complex and will require several more years to effectively address. What GAO Recommends: GAO is not making any recommendations in this report. In commenting on a draft report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices. View [hyperlink, http://www.gao.gov/products/GAO-10-597] or key components. For more information, contact Steven J. Sebastian at (202) 512-3406 or sebastians@gao.gov. [End of section] Contents: Letter: Background: Scope and Methodology: IRS Faces Significant Financial Management Challenges: Status of Recommendations Based on the Fiscal Year 2009 Financial Statement Audit: Open Recommendations Grouped by Internal Control Activity: Concluding Observations: Agency Comments and Our Evaluation: Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: Appendix II: Open Recommendations Arranged by Material Weakness, Compliance, or Other Control Issue: Appendix III: Comments from the Internal Revenue Service: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of Open Recommendations: Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: Table 3: Recommendations to Improve IRS's Segregation of Duties: Table 4: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: Table 5: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: Table 6: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: Table 7: Recommendations to Improve IRS's Execution of Transactions and Events: Table 8: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: Table 9: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: Table 10: Recommendations to Improve IRS's Management of Human Capital: Table 11: Recommendations to Improve Top-Level Reviews of Actual Performance: Table 12: Recommendations Not Previously Reported as Closed: Table 13: Material Weakness: Controls over Unpaid Assessments: Table 14: Compliance with Laws and Regulations: Timely Release of Liens: Table 15: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: Abbreviations: ATFR: Automated Trust Fund Recovery: CCTV: Closed Circuit Television: CDDB: Custodial Detail Data Base: CFO: Chief Financial Office: CIMIS: Criminal Investigation Management Information System: FASAB: Financial Accounting Standards Advisory Board: FFMIA: Federal Financial Management Improvement Act of 1996: FFMSR: Federal Financial Management System Requirements: FISMA: Federal Information Security Management Act of 2002: FMFIA: Federal Managers' Financial Integrity Act of 1982: IFS: Integrated Financial System: IRACS: Interim Revenue and Accounting Control System: IRM: Internal Revenue Manual: IRS: Internal Revenue Service: ITAMS: Information Technology Asset Management System: LMSB: Large and Mid-sized Business: NFC: National Finance Center: OMB: Office of Management and Budget: P&E: Property and Equipment: RRACS: Redesign Revenue Accounting Control System: SB/SE: Small Business/Self Employed: SCC: Service Center Campus: SGL: Standard General Ledger: SP: Submission Processing: TAC: Taxpayer Assistance Center: TE/GE: Tax Exempt and Government Entities: TFRP: Trust Fund Recovery Penalty: Treasury: Department of the Treasury: W&I: Wage and Investment: [End of section] United States Government Accountability Office: Washington, DC 20548: June 30, 2010: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Dear Mr. Shulman: In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. In fiscal year 2009, IRS collected about $2.3 trillion in tax payments, processed hundreds of millions of tax and information returns, and paid about $438 billion in refunds to taxpayers. Because of its role and overall mission, IRS's activities affect virtually all of the nation's citizens. It is therefore critical that the agency strive to maintain sound internal control and financial management practices. IRS has made much progress in improving its financial management since it was first required to prepare a set of financial statements nearly two decades ago. This progress is reflected in IRS's 10-year record of obtaining a clean audit opinion on its financial statements and correcting several material internal control weaknesses[Footnote 1] and significant deficiencies[Footnote 2] in internal controls over the years. At the same time, IRS continues to face significant financial management challenges in achieving the overarching goals of federal financial management--accountability and useful management information. To enable more effective financial and operational management, IRS needs to (1) address its remaining long-standing material internal control weaknesses, (2) develop data and performance metrics that will enhance its ability to manage for outcomes, and (3) implement corrective actions to address other identified internal control issues. An agency's internal control serves as the first line of defense in safeguarding its assets and in preventing and detecting errors and fraud, as well as in helping to effectively manage its stewardship over public resources.[Footnote 3] For many years, IRS has had weaknesses in internal controls over fundamental elements of its operations that leave it vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. Specifically, during our audit of IRS's fiscal year 2009 financial statements,[Footnote 4] we found that IRS continued to be challenged with two long-standing material weaknesses in internal control that are at the heart of its operations-- weaknesses in internal controls over unpaid tax assessments[Footnote 5] and over information systems security. We also found that IRS faces a significant management challenge in enhancing and using its financial management capabilities to develop outcome-oriented performance metrics[Footnote 6] critical to providing the foundation upon which an agency can manage its operations for outcomes. Finally, we found that IRS has other internal control issues that need management attention, especially those that relate to safeguarding tax receipts and taxpayer information. To assist IRS in strengthening its internal controls and improving its operations, we have made numerous recommendations as part of our prior annual financial statement audits and other financial management- related work at IRS. This report (1) provides an overview of financial management challenges still facing IRS; (2) describes the status of financial audit and financial management-related recommendations and the actions needed to address them, as presented in appendix I; and (3) discusses how the unresolved recommendations relate to control activities central to IRS's mission and goals. To assist IRS in addressing those control activities, appendix II provides summary information regarding the primary internal control issue to which each open recommendation is related. This report does not include our recommendations related to information systems security even though they also are the result of our annual financial audits and are financial management-related; those recommendations are reported separately because of the sensitive nature of many of the issues that give rise to the recommendations.[Footnote 7] We are not making any new recommendations in this report. Our work was performed from December 2009 through May 2010 in accordance with generally accepted government auditing standards. For further details regarding our approach to this audit, see the Scope and Methodology section. Background: Internal control is not one event, but a series of activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis. Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires agencies to establish and maintain effective internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of its federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations. Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, provides the implementing guidance for FMFIA, and prescribes the specific requirements for assessing and reporting on internal controls consistent with the Standards for Internal Control in the Federal Government (internal control standards) issued by the Comptroller General of the United States.[Footnote 8] The circular defines management's responsibilities related to internal control and the process for assessing internal control effectiveness, and provides specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting. Specifically, the circular requires management to annually provide assurances on internal control in its performance and accountability report, and, for each of the 24 Chief Financial Officers (CFO) Act[Footnote 9] agencies, to include a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.[Footnote 10] The circular also emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities. FMFIA requires GAO to issue standards for internal control in the federal government. The internal control standards provide the overall framework for establishing and maintaining effective internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. As summarized in the internal control standards, internal control in the government is defined by the following five elements, which also provide the basis against which internal controls are to be evaluated: * Control environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. * Risk assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources. * Control activities: Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. * Information and communication: Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. * Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. A key objective in our annual audits of IRS's financial statements is to obtain reasonable assurance that IRS maintained effective internal control with respect to financial reporting. While we use all five elements of internal control as a basis for evaluating the effectiveness of IRS's internal controls, our ongoing evaluations and tests have focused heavily on control activities, where we have identified numerous internal control weaknesses and have provided recommendations for corrective action. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives. In other words, they are the activities conducted in the everyday course of business that are intended to accomplish a control objective, such as ensuring IRS employees successfully complete background checks prior to being granted access to taxpayer information and receipts. As such, control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of effective results. Scope and Methodology: To accomplish our objectives, we evaluated the effectiveness of corrective actions IRS implemented during fiscal year 2009 in response to open recommendations as part of our fiscal years 2009 and 2008 financial audits. To determine the current status of the recommendations, we (1) obtained IRS's reported status of each recommendation and corrective action taken or planned as of April 2010, (2) compared IRS's reported status to our fiscal year 2009 audit findings to identify any differences between IRS's and our conclusions regarding the status of each recommendation, and (3) performed additional follow-up work to assess IRS's actions taken to address the open recommendations. For our recommendations to IRS regarding information security, this report includes only summary data on the number of those recommendations and their general nature. We have reported the objectives and results of our information security work separately to IRS because of the sensitive nature of many of the issues identified for which we have made recommendations for corrective action.[Footnote 11] In order to determine how IRS's open recommendations, including the latest ones in our June 2010 management report,[Footnote 12] fit within the agency's management and internal control structure, we compared the open recommendations and the issues that gave rise to them to the (1) control activities listed in the internal control standards, (2) list of major factors and examples outlined in our Internal Control Management and Evaluation Tool,[Footnote 13] and (3) criteria and objectives for federal financial management as discussed in the CFO Act of 1990 and the Federal Accounting Standards Advisory Board's (FASAB) Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting.[Footnote 14] We also considered whether IRS had addressed, in whole or in part, the underlying control issues that gave rise to the recommendations; and other legal requirements and implementing guidance, such as OMB Circular No. A-123 and FMFIA. Our work was performed from December 2009 through May 2010 in accordance with generally accepted government auditing standards. IRS Faces Significant Financial Management Challenges: IRS continues to make progress in resolving its internal control weaknesses and addressing outstanding recommendations, but it still faces significant financial management challenges. Since we first began auditing IRS's financial statements in fiscal year 1992, IRS has taken a significant number of actions that enabled us to eliminate several material weaknesses and significant deficiencies and to close over 250 of our previously reported financial management-related recommendations. This includes 18 recommendations we are closing with this report based on actions IRS took through April 2010. Nevertheless, IRS continues to face significant challenges in improving the effectiveness of its financial and operational management. Specifically, IRS continues to face management challenges in (1) resolving its two remaining material weaknesses in internal control, (2) developing performance measures and managing for outcomes, and (3) addressing its remaining internal control issues, particularly those dealing with safeguarding of taxpayer receipts and information. Further, as in previous years' audits, our fiscal year 2009 audit continued to identify additional internal control issues, resulting in 41 new recommendations for corrective action we discussed in detail in our June 2010 management report to IRS.[Footnote 15] In addition, as noted earlier, we also identified several issues related to information security during our fiscal year 2009 audit that we reported separately because of the sensitive nature of many of those issues.[Footnote 16] Challenges in Resolving Two Long-standing Material Internal Control Weaknesses: As we reported in our audit of IRS's fiscal year 2009 financial statements,[Footnote 17] IRS's efforts to address its internal control weaknesses resulted in our closure of a material weakness in internal control over financial reporting and a significant deficiency in internal control over tax revenue and refunds. However, as we also reported in that audit, IRS continues to face significant challenges in resolving its two remaining material weaknesses in internal control concerning (1) unpaid tax assessments[Footnote 18] and (2) information security. IRS's continuing challenge in addressing its material weakness in internal control over unpaid tax assessments results from its (1) inability to use its core general ledger system for tax administration- related transactions to support its reported balances for taxes receivable and other unpaid assessments, (2) lack of a subsidiary ledger for unpaid tax assessments that would allow it to produce reliable, useful, and timely information with which to manage and report externally on these key transactions, and (3) errors and delays in recording taxpayer information, payments, and other activities. These control deficiencies impede IRS's ability to properly manage and routinely report certain information on unpaid tax assessments and lead to increased taxpayer burden. IRS's continuing challenge in addressing its material weakness in internal control over information security is primarily due to IRS not having fully implemented its information security program. As we reported in our audit of IRS's fiscal year 2009 financial statements, IRS has not (1) restricted users' ability to bypass application controls, (2) removed separated employees' system access in a timely manner, (3) followed required procedures to timely review employee access to sensitive areas at data centers, (4) restricted system access to only those who needed it, (5) instituted adequate separation of duties for its procurement system, and (6) developed adequate encryption controls over user login. IRS's deficiencies in internal control over information security result in IRS's inability to rely on the controls embedded in its automated financial management systems to provide reasonable assurance that its (1) financial statements are fairly stated in accordance with U.S. generally accepted accounting principles, (2) financial information that management relies on to support day-to-day decision making is current, complete, and accurate, and (3) proprietary information processed by these automated systems is appropriately safeguarded. These deficiencies also increase the risk that unauthorized individuals could access, alter, or abuse proprietary IRS programs and electronic data and taxpayer information without detection. We have made numerous recommendations to IRS over the years--including new recommendations resulting from our fiscal year 2009 financial audit--to address the issues constituting these two material internal control weaknesses. Successfully implementing these recommendations would assist IRS in fully resolving these weaknesses. To its credit, IRS continues to work to address the issues underlying these two material weaknesses. Challenges in Developing and Implementing Performance Metrics to Assist in Managing for Outcomes: As we reported in our audit of IRS's fiscal year 2009 financial statements,[Footnote 19] IRS continues to face significant challenges in developing and instutionalizing the use of financial management information to assist it in making operational decisions and in measuring the effectiveness of its programs. IRS's management has not developed the data or outcome-oriented performance measures that would enhance its ability to manage for outcomes.[Footnote 20] For example, it has not integrated the use of cost-based (and when appropriate, revenue-based) performance metrics into its routine management and decision-making processes or externally reported performance metrics.[Footnote 21] Although IRS has developed projected return on investment estimates for new enforcement (tax collection) initiatives in its annual budget submissions, it has not developed similar outcome- oriented performance metrics to determine whether funded initiatives achieve their estimated goals. IRS has also not developed outcome- oriented performance metrics for its existing enforcement programs. These limitations inhibit IRS's ability to more fully assess and monitor the relative merits of its existing programs, to evaluate new initiatives, or to consider alternatives and adjust its strategies as needed. Outcome-oriented performance metrics based on specific enforcement programs' costs and revenues should improve IRS's ability to (1) establish measurable outcome goals, (2) evaluate the relative merits of various program options, and (3) highlight opportunities for optimizing the allocation of resources. They can also help IRS more credibly demonstrate to Congress and the public that it is spending its appropriations wisely. IRS's existing metrics focus on process-oriented workload measures of program outputs[Footnote 22] rather than on measuring program outcomes. For example, for its enforcement programs, IRS focuses on measuring discrete activities within its overall tax collection efforts, such as the percentage of various types of tax returns examined, criminal investigations completed, and the number of tax returns examined and closed. While such output measures can be useful elements in assessing performance, they are not designed to measure the contribution each of these activities makes to the collection of unpaid taxes, nor do they compare the cost of collection activities to the tax revenue generated. IRS's enforcement metrics do not include revenue collected--a measure of outcome--compared to the cost of collection that could show the net monetary benefits of the enforcement programs. In addition, IRS's publicly available performance metrics do not measure the cost of IRS's programs either in the aggregate or per service or activity performed.[Footnote 23] As we report in the "Status per IRS" section of appendix I in this report, IRS has reported that it considers our recommendation to develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities to be closed. [Footnote 24] We do not agree. Part of IRS's justification for closing the recommendation is that IRS uses cost-benefit return on investment analysis to evaluate future scenarios and to support funding requests for new initiatives in its annual budget submissions. Such prospective return on investment information is useful for budgetary decision making, but our recommendation is for IRS to develop outcome data on the actual results of its programs and activities. We have also previously recommended that IRS (1) extend the use of return on investment in future budget proposals to include major enforcement programs and (2) develop return on investment data for its enforcement programs using actual revenue and full cost data and compare actual results to the projected return on investment data included in its budget request.[Footnote 25] Our recommendations regarding development of outcome-oriented performance metrics remain open because, as noted above, IRS does not develop such data for either funded initiatives or for ongoing enforcement programs and activities and it has not deployed outcome-oriented performance measures. IRS also reported that return on investment information is but one tool that can be utilized to improve resource-allocation decision making, and it is not prudent to rely exclusively on return on investment as the sole determinant of resource allocation. As we have reported previously,[Footnote 26] we acknowledge that IRS must consider other factors besides maximizing revenue collection and least- cost operations. The fairness of IRS's implementation of the tax code and treatment of all taxpayers are important, and we are cognizant of the many factors, such as coverage, that are important considerations when making resource-allocation decisions. These factors, and the decisions IRS makes about how to respond to them, have a significant effect on taxpayers, as well as on tax collections. However, using full cost and collection outcome-oriented performance metrics are also important to make optimum use of its available resources and to be able to credibly demonstrate it is doing so to Congress and the public. For several years, IRS has been developing full cost data on its programs and activities in response to a recommendation we made in 1999.[Footnote 27] However, as we have reported in the past,[Footnote 28] IRS's efforts have been slowed because IRS cannot produce full cost information[Footnote 29] down to the program and activity levels [Footnote 30] directly from its cost accounting system, the Integrated Financial System (IFS).[Footnote 31] IRS has partially overcome this difficulty by developing the ability to manually combine cost data from IFS with personnel time-charge data from IRS's various workload management systems and revenue data for enforcement programs to develop full cost (and revenue) information for selected programs. IRS's lack of outcome-oriented performance metrics is inconsistent with federal financial management concepts as embodied in FASAB's Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting.[Footnote 32] In its discussion of financial reporting concepts, FASAB notes that federal financial data should provide accountability and decision-useful information on the costs of programs and the outputs and outcomes achieved, and it should provide data for evaluating service efforts, costs, and accomplishments.[Footnote 33] The absence of outcome metrics is also inconsistent with the objectives of the CFO Act of 1990. A key objective of the act was for agencies to routinely develop and use appropriate financial management information to evaluate program effectiveness, make fully informed operational decisions, and ensure accountability. While obtaining a clean audit opinion on its financial statements is important in itself, it is not the end goal reflected in the act. The end goal is modern financial management systems that provide reliable, timely, and useful financial information to support day-to-day decision making and oversight. Such systems and practices should also provide for the systematic measurement of both outputs and outcomes. Developing the data and performance metrics necessary for a more outcome-oriented approach to managing operations requires active and sustained senior management leadership. We acknowledge that without the benefit of integrated financial management systems, IRS faces significant challenges in developing outcome-oriented performance metrics, including the data needed for such metrics. However, undertaking such an effort agencywide will enhance IRS's ability to effectively measure and compare the benefits of its programs to make better informed resource-allocation decisions and to better support its budget requests. We have made several recommendations to IRS over the years to address its financial management challenges in developing full cost data for its programs and activities and for outcome-oriented performance measures. Successfully addressing the remaining open recommendations would enhance IRS's ability to effectively manage for outcomes. Challenges in Resolving Other Internal Control Issues: As discussed earlier, IRS has taken significant actions over the years to resolve internal control weaknesses and this has enabled us to close over 250 internal control-related recommendations. The closure of such a high number of recommendations indicates that IRS has a strong commitment to improving its internal control. However, IRS also continues to face a challenge in addressing numerous other unresolved internal control issues in several aspects of its operations that, while neither individually nor collectively representing a material weakness, nonetheless merit management attention to ensure they are fully and effectively addressed. IRS now has a total of 70 open audit recommendations resulting from internal control issues that we report as "other control issues" in appendix II of this report. While most were identified during our recent financial audits, some were identified in our audits as far back as 1999 and 2001. Over half of those 70 open recommendations address issues related to the physical safeguarding of tax receipts and taxpayer information, a critical aspect of IRS's responsibilities. IRS processes billions of dollars annually in checks and currency and other valuable assets, and it must physically safeguard and account for them to prevent theft, fraud, and misuse. To do so, IRS has established physical security, accountability, and accounting policies, processes, and procedures to manage its activities involving the transportation and accounting for tax receipts and for handling and storing taxpayer information. Although IRS has made substantial improvements in safeguarding taxpayer receipts and information since our financial audits first began surfacing serious internal control issues in this area, the task of ensuring ongoing control over such critical responsibilities for IRS is a difficult one. Each year, we continue to identify control issues related to IRS's safeguarding of taxpayer receipts and information. For example, based on our fiscal year 2009 audit, we identified new internal control issues and made 19 additional recommendations that related either directly or indirectly to the physical safeguarding of taxpayer receipts and information. The internal control issues encompassed in our recommendations cover critical physical security functions, such as: * transporting taxpayer receipts and sensitive taxpayer information among IRS facilities and lockbox banks[Footnote 34] and maintaining physical security at IRS facilities to prevent loss, theft, or the potential for fraud regarding tax receipts and taxpayer information; * conducting inspections and audits of the design and operation of IRS's physical security processes and controls designed to safeguard tax receipts and taxpayer information; * conducting appropriate background investigations and screening of personnel, including contractors, with access to IRS facilities and lockbox bank operations; and: * ensuring the proper destruction of documents to prevent the inappropriate release of sensitive taxpayer information. Due to the volume of taxpayer receipts and sensitive taxpayer files that IRS is responsible for safeguarding, and the implications for IRS's mission if they are lost, stolen, or the subject of fraud or misuse, it is critical that IRS successfully resolve the internal control issues we have identified and work toward continually improving its internal controls to prevent new issues from arising. Status of Recommendations Based on the Fiscal Year 2009 Financial Statement Audit: In June 2009, we issued a report on the status of IRS's efforts to implement corrective actions to address financial management recommendations stemming from our fiscal year 2008 and prior year financial audits and other financial management-related work.[Footnote 35] In that report, we identified 62 audit recommendations that remained open and thus required corrective action by IRS. A significant number of these recommendations had been open for several years, either because IRS had not taken corrective action or because the actions taken had not yet effectively resolved the issues that gave rise to the recommendations. IRS continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our fiscal year 2009 financial audit, we identified numerous actions IRS took to address many of its internal control issues. On the basis of IRS's actions, which we were able to substantiate through our audit, we have closed 18 of these prior years' recommendations. However, a total of 44 recommendations from prior years remain open, a significant number of which have been outstanding for several years. IRS considers another 21 of the prior years' recommendations to be effectively addressed and therefore closed. However, we consider them to remain open. For 14 of the 21, in our view, IRS's actions did not fully address the issue that gave rise to the recommendations. For the remaining seven, we have not yet been able to verify the effectiveness of IRS's actions. (See app. I, "Status per GAO," for our assessment of IRS's actions on each recommendation). During our audit of IRS's fiscal year 2009 financial statements, we identified additional issues that require corrective action. In our June 2010 management report to IRS,[Footnote 36] we discussed these issues, and made 41 new recommendations to address them. Consequently, a total of 85 financial management-related recommendations need to be addressed--44 from prior years and 41 new ones from our fiscal year 2009 audit. We consider all of the new recommendations to be short- term.[Footnote 37] We also consider the majority of the recommendations outstanding from prior years to be short-term; however, a few, particularly those concerning the functionality of IRS's automated systems, are complex and will require several more years to fully and effectively address. In addition to the 85 open recommendations from our financial audits and other financial management-related work, there are 88 additional open recommendations stemming from our assessment of IRS's information security controls over key financial systems, information, and interconnected networks conducted as an integral part of our annual financial audits. The issues that led to our previously reported and our newly identified recommendations related to information security increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer data. Collectively, they constitute IRS's material weakness in internal control over information security for its financial and tax processing systems. As discussed earlier in this report, recommendations resulting from the information security issues identified in our annual audits of IRS's financial statements are reported separately because of the sensitive nature of many of these issues.[Footnote 38] Appendix I presents a combined listing of (1) the 62 non-information- systems security-related recommendations based on our financial statement audits and other financial management-related work that we had not previously reported as closed and the 41 new recommendations based on our fiscal year 2009 financial audit, (2) IRS-reported corrective actions taken or planned as of April 2010, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed, based primarily on the work performed during our fiscal year 2009 financial statement audit. The appendix lists the recommendations by the date on which the recommendation was made and by report number. Appendix II presents the open recommendations arranged by related material weakness and compliance issue as described in our opinion report on IRS's financial statements,[Footnote 39] as well as other control issues we have identified and discussed in our annual management reports to IRS. [Footnote 40] Open Recommendations Grouped by Internal Control Activity: Linking the open recommendations from our financial audits and other financial management-related work, and the issues that gave rise to them, to internal control activities that are central to IRS's tax administration responsibilities provides insight regarding their significance. Internal control standards consist of five elements--control environment, risk assessment, control activities, information and communication, and monitoring.[Footnote 41] For the control activities element, the internal control standards explain that an agency's system of internal control should provide for an assessment of the risks the agency faces from both external and internal sources and that internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. The control activities element defines 11 specific control activities, which we have grouped into three categories, as shown in table 1. Each of the unresolved recommendations from our financial audits and financial management-related work, and the underlying issues that gave rise to them, can be traced to 1 of the 11 specific control activities as shown in table 1. Table 1: Summary of Open Recommendations: Safeguarding of assets and security activities: Control activity: Physical control over vulnerable assets; Open at the beginning of 2009: 11; Closed during 2009 audit: 2; New from 2009 audit: 2; Total remaining open: 11; Percentage: 13. Control activity: Segregation of duties; Open at the beginning of 2009: 3; Closed during 2009 audit: 1; New from 2009 audit: 1; Total remaining open: 3; Percentage: 3. Control activity: Controls over information processing; Open at the beginning of 2009: 1; Closed during 2009 audit: 1; New from 2009 audit: 0; Total remaining open: 0; Percentage: 0. Control activity: Access restrictions to and accountability for resources and records; Open at the beginning of 2009: 5; Closed during 2009 audit: 1; New from 2009 audit: 1; Total remaining open: 5; Percentage: 6. Safeguarding of assets and security activities: Subtotal; Open at the beginning of 2009: 20; Closed during 2009 audit: 5; New from 2009 audit: 4; Total remaining open: 19; Percentage: 22. Proper recording and documenting of transactions: Control activity: Appropriate documentation of transactions and internal controls; Open at the beginning of 2009: 9; Closed during 2009 audit: 1; New from 2009 audit: 10; Total remaining open: 18; Percentage: 21. Control activity: Accurate and timely recording of transactions and events; Open at the beginning of 2009: 12; Closed during 2009 audit: 5; New from 2009 audit: 13; Total remaining open: 20; Percentage: 24. Control activity: Proper execution of transactions and events; Open at the beginning of 2009: 3; Closed during 2009 audit: 2; New from 2009 audit: 0; Total remaining open: 1; Percentage: 1. Proper recording and documenting of transactions: Subtotal; Open at the beginning of 2009: 24; Closed during 2009 audit: 8; New from 2009 audit: 23; Total remaining open: 39; Percentage: 46. Effective management review and oversight: Control activity: Reviews by management at the functional or activity level; Open at the beginning of 2009: 13; Closed during 2009 audit: 5; New from 2009 audit: 7; Total remaining open: 15; Percentage: 18. Control activity: Establishment and review of performance measures and indicators; Open at the beginning of 2009: 3; Closed during 2009 audit: 0; New from 2009 audit: 0; Total remaining open: 3; Percentage: 4. Control activity: Management of human capital; Open at the beginning of 2009: 2; Closed during 2009 audit: 0; New from 2009 audit: 6; Total remaining open: 8; Percentage: 9. Control activity: Top-level reviews of actual performance; Open at the beginning of 2009: 0; Closed during 2009 audit: 0; New from 2009 audit: 1; Total remaining open: 1; Percentage: 1. Effective management review and oversight: Subtotal; Open at the beginning of 2009: 18; Closed during 2009 audit: 5; New from 2009 audit: 14; Total remaining open: 27; Percentage: 32. Control activity: Total; Open at the beginning of 2009: 62; Closed during 2009 audit: 18; New from 2009 audit: 41; Total remaining open: 85; Percentage: 100. Source: GAO analysis of the status of financial management recommendations made to IRS. [End of table] As table 1 indicates, 19 (22 percent) of the unresolved recommendations relate to IRS's controls over safeguarding of assets and security activities, 39 (46 percent) relate to issues associated with IRS's ability to properly record and document transactions, and 27 (32 percent) relate to issues associated with IRS's management review and oversight.[Footnote 42] On the following pages, we group the 85 open recommendations under the specific control activity to which the condition that gave rise to them most appropriately fits. We define each control activity as presented in the internal control standards and briefly identify some of the key IRS operations that fall under that control activity. Although not comprehensive, the descriptions are intended to help explain why actions to strengthen these control activities are important for IRS to efficiently and effectively carry out its overall mission. Each control activity description includes a table of the related open recommendations. The tables list the recommendations by the year in which we made them (ID no.). For each recommendation, we also indicate whether it is a short-term or long-term recommendation. We characterized a recommendation as short-term when we believe that IRS had the capability to implement solutions within 2 years of the year in which we first reported them. Safeguarding of Assets and Security Activities: Given IRS's mission, the sensitivity of the data it maintains, and its processing of trillions of dollars of tax receipts each year, one of the most important control activities at IRS is the safeguarding of assets. Internal control in this important area should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. IRS has outstanding recommendations in the following three control activities in the internal control standards that relate to safeguarding of assets (including buildings and equipment as well as tax receipts) and security activities (such as limiting access to only authorized personnel): (1) physical control over vulnerable assets; (2) segregation of duties; and (3) access restrictions to, and accountability for, resources and records. Physical Control over Vulnerable Assets: Internal control standard: An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records. Of the trillions of dollars in taxes that IRS collects each year, hundreds of billions is collected in the form of checks and cash accompanied by tax returns and related information.[Footnote 43] IRS collects taxes both at its own facilities as well as at lockbox banks.[Footnote 44] IRS acts as custodian for (1) the tax payments it receives until they are deposited in the General Fund of the U.S. Treasury and (2) the tax returns and related information it receives until they are either sent to the Federal Records Center or destroyed. IRS is also charged with controlling many other assets, such as computers and other equipment, but it is IRS's legal responsibility to safeguard tax returns and the confidential information taxpayers provided on those returns that makes the effectiveness of IRS's internal controls over physical security essential. While effective physical safeguards over receipts should exist throughout the year, such safeguards are especially important during the peak tax filing season. Each year during the weeks preceding and shortly after April 15, an IRS service center[Footnote 45] or lockbox bank may receive and process daily over 100,000 pieces of mail containing returns, receipts, or both. The dollar value of receipts each service center and lockbox bank processes increases to hundreds of millions of dollars a day during the April 15 time frame. The following 11 open recommendations in table 2 are designed to improve IRS's physical controls over vulnerable assets. They include recommendations for IRS to improve controls over (1) physical security at its Taxpayer Assistance Centers (TAC),[Footnote 46] (2) courier activities, and (3) lockbox banks' handling of unprocessable items.[Footnote 47] We consider all of these recommendations to be correctable on a short-term basis. Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: ID no.: 06-05; Recommendation: Equip all Taxpayer Assistance Centers with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term). ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term). ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term). ID no.: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term). ID no.: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term). ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term). ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date. (short-term). ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term). ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station, and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term). ID no.: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term). ID no.: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Segregation of Duties: Internal control standard: Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event. As noted in the previous section, IRS employees process hundreds of billions of dollars in tax receipts in the form of cash and checks. Consequently, it is critical that IRS maintain appropriate separation of duties to allow for adequate oversight of staff and protection of these vulnerable resources so that no single individual would be in a position of causing an error or irregularity, or potentially converting the asset to personal use, and then concealing it. For example, when an IRS field office receives taxpayer receipts and returns, it is responsible for depositing the cash and checks in a depository institution and forwarding the related taxpayer information received, such as tax returns, to an IRS service center for further processing. In order to adequately safeguard receipts from theft, the person responsible for recording the information from the taxpayer receipts on a voucher should be different from the individual who prepares those receipts for transmittal to the service center for further processing. Also, IRS employees must properly account for the billions of dollars IRS spends each year on its operations. Implementing the following three recommendations in table 3 would help IRS improve its separation of duties, which will in turn strengthen its controls over tax receipts, procurement activities, and financial accounting processes. All are short-term in nature. Table 3: Recommendations to Improve IRS's Segregation of Duties: ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term). ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term). ID no.: 10-12; Recommendation: Revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Access Restrictions to and Accountability for Resources and Records: Internal control standard: Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. Because IRS handles, and is responsible for maintaining accountability over, a large volume of cash and checks, it is imperative that it maintain strong controls to appropriately restrict access to those assets, the records relied on to track those assets, and sensitive taxpayer information. Although IRS has a number of both physical and information systems controls in place, some of the issues we have identified in our financial audits over the years pertain to ensuring that (1) those individuals who have direct access to cash and checks are appropriately vetted, such as through appropriate background investigations, before being granted access to taxpayer receipts and information and (2) IRS maintains effective access security control. The following five short-term recommendations in table 4 were intended to help IRS improve its access restrictions to assets and records. Table 4: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term). ID no.: 08-13; Recommendation: Require including in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term). ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term). ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact. (short-term). ID no.: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Recording and Documenting of Transactions: IRS has a number of internal control issues that relate to recording transactions, documenting events, and tracking the processing of taxpayer receipts or information. IRS has outstanding recommendations in the following three control activities that relate to proper recording and documenting of transactions: (1) appropriate documentation of transactions and internal controls, (2) accurate and timely recording of transactions and events, and (3) proper execution of transactions and events. Appropriate Documentation of Transactions and Internal Control: Internal control standard: Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained. IRS collects and processes trillions of dollars in taxpayer receipts annually both at its own facilities and at lockbox banks under contract to process taxpayer receipts for the federal government. Therefore, it is important that IRS maintain effective controls to ensure that all documents and records are properly and timely recorded, managed, and maintained both at its facilities and at the lockbox banks. In this regard, it is critical that IRS adequately document and disseminate its procedures to ensure that they are available for IRS employees. IRS must also document its management reviews of controls, such as those regarding refunds and returned checks, credit card purchases, and reviews of TAC operations. To ensure future availability of adequate documentation, IRS must ensure that (1) its systems, particularly those now being developed and implemented, have appropriate capability to identify and trace individual transactions and (2) all critical steps in its accounting processes are adequately documented and controlled. Resolving the following 18 recommendations in table 5 would assist IRS in improving its documentation of transactions and related internal control procedures. Seventeen of these recommendations are short-term, and one is long-term. Table 5: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term). ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term). ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), and establish a system to track acknowledged copies of document transmittals. (short-term). ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term). ID no.: 06-07; Recommendation: Document supervisory visits by off-site managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term). ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term). ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term). ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term). ID no.: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to TFRP payments processed through the ATFR system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term). ID no.: 10-09; Recommendation: Revise the existing methodology for extracting the preposted revenue component of the comparison to ensure that nontax revenues and tax revenue transactions already posted to the master files are properly excluded. (short-term). ID no.: 10-10; Recommendation: Update the desk procedures governing the comparison of general ledger tax revenue receipts to the master file to ensure that the procedures reflect the current process and controls. (short-term). ID no.: 10-11; Recommendation: Revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. (short-term). ID no.: 10-15; Recommendation: Revise the IRM to require CIO to promptly provide service center campuses an acknowledgment of receipt for each Form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term). ID no.: 10-16; Recommendation: Revise the IRM to require service center campuses to verify that an acknowledgment of receipt has been received from CIO for 100 percent of the Form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. (short-term). ID no.: 10-17; Recommendation: Revise the IRM to require service center campuses to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. (short-term). ID no.: 10-21; Recommendation: Review the audit management checklist for clarity and revise the assessment questions as appropriate. (short-term). ID no.: 10-26; Recommendation: Review the TSRRD for clarity and revise review questions as appropriate. (short-term). ID no.: 10-35; Recommendation: Reiterate IRS's policy for personnel to indicate in WebRTS during receipt and acceptance that a payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are deobligated in a timely manner. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Accurate and Timely Recording of Transactions and Events: Internal control standard: Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded. IRS maintains records for tens of millions of taxpayers in addition to maintaining its own financial records. To carry out this responsibility, IRS often has to rely on outdated computer systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping difficulties we have reported on over the years will not be addressed until it can replace its aging systems, an effort that is long-term and, in part, dependent on obtaining future funding. Implementation of the following 20 recommendations in table 6 would strengthen IRS's recordkeeping abilities. Sixteen of these recommendations are short-term, and four are long-term regarding requirements for new systems for maintaining taxpayer records. Several of the recommendations listed deal with financial reporting processes, such as maintaining subsidiary records, recording budgetary transactions, and tracking program costs. Some of the issues that gave rise to several of our recommendations directly affect taxpayers, such as those involving duplicate assessments, errors in calculating and reporting manual interest, errors in calculating penalties, and collection of trust fund recovery penalty assessments. Three of these recommendations have remained open for over 10 years, reflecting the complex nature of the underlying systems issues that must be resolved to fully address some of these control deficiencies. Table 6: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: ID no.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term). ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term). ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term). ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term). ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term). ID no.: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term). ID no.: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. (short-term). ID no.: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in CDDB resulted in misclassifications of account balances which, in turn resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term). ID no.: 10-02; Recommendation: Research and implement programming changes to allow CDDB to more accurately classify such accounts among the three categories of unpaid tax assessments. (short-term). ID no.: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments. (short-term). ID no.: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term). ID no.: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews so that specific factors causing the errors are identified. (short-term). ID no.: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of TFRP payment transactions identified through the analyses of the quarterly review results. (short-term). ID no.: 10-14; Recommendation: Establish controls over the cycle run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. (short- term). ID no.: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term). ID no.: 10-34; Recommendation: Establish procedures requiring COs/COTRs to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods or services prior to entering acknowledgment of receipt and acceptance in WebRTS. (short-term). ID no.: 10-36; Recommendation: Reevaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that obligations are reviewed more frequently in order to detect and deobligate excess obligations in a timely manner. (short-term). ID no.: 10-38; Recommendation: Develop controls to improve the linked obligation transaction review process to detect and correct erroneous links between unrelated upward and downward adjustments to prior-year obligation transactions in a timely manner. (short-term). ID no.: 10-39; Recommendation: Establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. (short-term). ID no.: 10-41; Recommendation: Based on the results of its periodic assessments, take action to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set- aside requirement. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Execution of Transactions and Events: Internal control standard: Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of ensuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees. Each year, IRS spends approximately $250 million annually to cover the cost of its employees' travel. Failure to ensure that employees obtain appropriate authorizations for their travel leaves the government open to fraud, waste, or abuse. IRS actions to address the following short- term recommendation in table 7 would improve IRS's controls over travel costs. Table 7: Recommendations to Improve IRS's Execution of Transactions and Events: ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Effective Management Review and Oversight: All personnel within IRS have an important role in establishing and maintaining effective internal controls, but IRS's managers have additional review and oversight responsibilities. Management must set the objectives, put control activities in place, and monitor and evaluate controls to ensure that they are followed. Without adequate monitoring by managers, there is a risk that internal control activities may not be carried out effectively and in a timely manner. IRS has outstanding recommendations in the following four control activities related to effective management review and oversight: (1) reviews by management at the functional or activity level, (2) establishment and review of performance measures and indicators, (3) management of human capital, and (4) top-level reviews of actual performance. Reviews by Management at the Functional or Activity Level: Internal control standard: Managers need to compare actual performance to planned or expected results throughout the organization and analyze significant differences. IRS employs over 100,000 full-time and seasonal employees. In addition, as discussed earlier, lockbox banks process tens of thousands of individual receipts, totaling hundreds of billions of dollars for IRS. Management oversight of operations is important at any organization, but is imperative at IRS given its mission. Implementing the following 14 short-term and 1 long-term recommendations in table 8 would improve IRS's management oversight of several areas of its operations, including monitoring of contractor facilities, release of tax liens, issuance of manual refunds, and use of appropriated funds. These recommendations were made because an internal control activity either did not exist or the existing control was not being adequately or consistently applied. Table 8: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term). ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term). ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term). ID no.: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short-term). ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term). ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term). ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. (long-term). ID no.: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. (short-term). ID no.: 10-06; Recommendation: Formalize and implement the quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements. (short-term). ID no.: 10-13; Recommendation: Revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. (short- term). ID no.: 10-22; Recommendation: Issue written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. (short-term). ID no.: 10-24; Recommendation: Establish and document the minimum frequency for how often the audit management checklist should be completed at each service center campus and field office. (short-term). ID no.: 10-25; Recommendation: Establish policies requiring documented managerial reviews of completed audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. (short-term). ID no.: 10-28; Recommendation: Establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the TSRRD for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. (short-term). ID no.: 10-33; Recommendation: Establish procedures requiring HCO LEADS or their designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Establishment and Review of Performance Measures and Indicators: Internal control standard: Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators. IRS's operations include a vast array of activities encompassing educating taxpayers, processing of taxpayer receipts and data, disbursing hundreds of billions of dollars in refunds to millions of taxpayers, maintaining extensive information on tens of millions of taxpayers, and seeking collection from individuals and businesses that fail to comply with the nation's tax laws. Within its compliance function, IRS has numerous activities, including identifying businesses and individuals that underreport income, collecting from taxpayers who do not pay taxes, and collecting from those receiving refunds for which they are not entitled. Although IRS has at its peak over 100,000 employees, it still faces resource constraints in attempting to fulfill its duties. It is vitally important for IRS to have sound performance measures to assist it in assessing its performance and targeting its resources to maximize the government's return on investment. However, in past audits we have reported that IRS did not capture costs at the program or activity level to assist in developing cost-based performance measures for its various programs and activities. As a result, IRS is unable to measure the costs and benefits of its various collection and enforcement efforts to best target its available resources. The following one short-term and two long-term recommendations in table 9 are designed to assist IRS in (1) evaluating its operations, (2) determining which activities are the most beneficial, and (3) establishing a good system for oversight. These recommendations are directed at improving IRS's ability to measure, track, and evaluate the costs, benefits, or outcomes of its operations--particularly with regard to identifying its most cost-effective tax collection activities. Table 9: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: ID no.: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. (short-term). ID no.: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed and they should include both personnel costs based on time spent on specific activities as well as all associated nonpersonnel costs, and be drawn from or reconcilable to IRS's financial accounting system. (long-term). ID no.: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Management of Human Capital: Internal control standard: Effective management of an organization's workforce--its human capital--is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities. IRS's operations cover a wide range of technical activities requiring specific expertise needed in tax-related matters; financial management; and systems design, development, and maintenance. Because IRS has tens of thousands of employees spread throughout the country, it is imperative that management keep its guidance up-to-date and its staff properly trained. Taking action to implement the following eight short-term recommendations in table 10 would assist IRS in its management of human capital. Table 10: Recommendations to Improve IRS's Management of Human Capital: ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term). ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term). ID no.: 10-23; Recommendation: Provide training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately. (short-term). ID no.: 10-27; Recommendation: Provide training to TAC group managers to assist with their understanding of the TSRRD review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term). ID no.: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all USRs to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term). ID no.: 10-31; Recommendation: Update USR training manuals to ensure they reflect current security policies and procedures. (short-term). ID no.: 10-32; Recommendation: Establish a process to periodically review and update training materials as appropriate. (short-term). ID no.: 10-37; Recommendation: Provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper use of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments to prior year obligation accounts. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Top-Level Reviews of Actual Performance: Internal control standard: Management should track major agency achievements and compare these to the plans, goals, and objectives established under the Government Performance and Results Act. IRS is responsible for developing and operating a system of internal control to ensure that it spends the billions of dollars appropriated to it each year for operations in accordance with the directions dictated by Congress. Implementing the following short-term recommendation in table 11 would improve IRS's management and oversight of its performance against legal mandates and requirements. Table 11: Recommendations to Improve Top-Level Reviews of Actual Performance: ID no: 10-40; Recommendation: Establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set-aside to asses IRS's progress toward complying with the requirement. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Concluding Observations: Increased budgetary pressures and an increased public awareness of the importance of internal control require IRS to carry out its mission more efficiently and more effectively while protecting taxpayers' information. Sound financial management and effective internal controls are essential if IRS is to efficiently and effectively achieve its goals. IRS has made substantial progress in improving its financial management and internal control since its first financial audit, as evidenced by unqualified audit opinions on its financial statements for the past 10 years; resolution of several material internal control weaknesses, significant deficiencies, and other control issues; and actions taken resulting in the closure of hundreds of financial management recommendations. This progress has been the result of hard work by many individuals throughout IRS and sustained commitment of IRS leadership. Nonetheless, more needs to be done to fully address the agency's continuing financial management challenges--resolving material internal control weaknesses; developing outcome-oriented performance metrics that can facilitate managing operations for outcomes; and correcting numerous other internal control issues. Effective implementation of the recommendations we have made and continue to make through our financial audits and related work could greatly assist IRS in improving its internal controls and achieving sound financial management. While we recognize that some actions-- primarily those related to modernizing automated systems--will take a number of years to resolve, most of the open recommendations can be addressed in the short term. Agency Comments and Our Evaluation: In commenting on a draft of this report, IRS expressed it's appreciation for our acknowledgment of the agency's progress in addressing its financial management challenges as evidenced by our closure of 18 open financial management recommendations from prior GAO reports. IRS also commented that it is committed to implementing appropriate improvement to ensure that it maintains sound financial management practices. We will review the effectiveness of further corrective actions IRS has taken or will take to address all open recommendations as part of our audit of IRS's fiscal year 2010 financial statements. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of OMB; the Chairman of the IRS Oversight Board; and other interested parties. The report is also available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions concerning this report, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: [End of section] Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: This appendix presents a list of (1) the 62 recommendations that we had not previously reported as closed, (2) Internal Revenue Service (IRS) reported corrective actions taken or planned as of April 2010, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed. It also includes 41 recommendations based on our fiscal year 2009 financial statement audit. The appendix lists the recommendations by the year and recommendation number (ID no.) and also identifies the report in which the recommendation was made. Table 12: Recommendations Not Previously Reported as Closed: ID no.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term); Source report: Financial Management: Important IRS Revenue Information Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); Status per IRS: Open. Small Business/Self-Employed (SB/SE) provided onsite training to functions that compute interest during fiscal year 2009. SB/SE upgraded the commercial software program used to compute manual interest and in March 2009 issued guidance stressing the importance of using the Decision Modeling Incorporated/Automated Computational Tool software as the primary, authorized, manual interest computation tool. SB/SE Research stratified all fiscal year 2009 manual interest transactions and reached an agreement on tentative sampling populations and rates needed to build the statistical sampling program. The sampling program is projected to be operational by September 2010 and will allow SB/SE to establish statistically valid accuracy rates, identify sources of significant errors, and develop necessary corrective actions; Status per GAO: Open. During our fiscal year 2006 audit, we tested a statistical sample of manual interest transactions and estimated that 18 percent of IRS's manual interest calculations contain errors. We concluded that IRS controls over this area were ineffective. The ineffectiveness of these controls contributes to errors in taxpayer records, which is a major component of the material weakness in IRS's management of unpaid assessments. While IRS continues to take actions to strengthen controls over this area, such as updating guidance and providing training related to manual interest calculations, both we and IRS believe that the actions taken thus far would not improve the accuracy of the manual interest calculations. Consequently, we did not test IRS controls in this area as part of our fiscal year 2007-2009 audits. We will continue to monitor IRS's actions to address this recommendation during future audits. ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Open. SB/SE created a Quality Assurance Internal Review process to validate the accuracy of cross-referencing of payments and credits on assessed Trust Fund Recovery Penalty (TFRP) accounts. SB/SE completed a detailed analysis of the quarterly review process performed at the campuses and in October 2009 determined SB/SE would perform both a Current Payment Sample review to identify current cross-referencing errors and a Whole Case Review looking for all types of TFRP errors. SB/SE developed written procedures and specific Data Collection Instruments to document these reviews and met with the Ogden and Brookhaven Campuses in November 2009 to discuss the new review process and to perfect the DCIs and procedures. The Chief Financial Officer (CFO) and SB/SE are reviewing an extract of a statistically valid selection of TFRP cases for each type of review; Status per GAO: Open. IRS has made significant progress in this area over the past several years. For example, IRS established procedures to more clearly link each penalty assessment against a responsible corporate officer to a specific tax period of the business account. IRS also reported completing implementation of all phases of the Automated Trust Fund Recovery (ATFR) system in 2008. ATFR is intended to properly cross-reference payments received and automatically reduce the amounts owed on all related accounts when a payment is received from one related party. However, the system is currently unable to process all payments related to such cases. IRS officials reported that as of March 2010, ATFR can only automatically reduce the amounts owed on all related accounts for about 54 percent of TFRP payments that it receives. The remaining TFRP payments continue to require some form of manual processing to record the reduction to the liability in related accounts. Thus, the opportunity for errors and omissions continues to exist. Our most recent test in fiscal year 2009 indicates that IRS's controls in this area are still not effective in ensuring that all TFRP payments are accurately and timely credited to all related parties when received. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2010 and future audits. ID no.: 99-03; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Closed. IRS implemented the Custodial Detailed Data Base (CDDB). CDDB records unpaid assessments, including accrued penalties and interest to the general ledger by the various financial reporting categories (taxes receivable, compliance assessments, and write-offs), establishing CDDB as the subsidiary ledger for unpaid assessments. CDDB is classifying approximately 85 percent of the TFRP inventory where TFRP assessments are appropriately tracked for all taxpayers liable and counted only once for reporting purposes. Enhancements to CDDB during fiscal year 2009 resulted in more accurate classifications of unpaid assessments and continued to reduce the amount of the annual audit adjustments. CDDB is fully operational and will be used in conjunction with the Redesign Revenue Accounting Control System (RRACS) in February 2010 to record the unpaid assessment amounts using the United States Standard General Ledger format; Status per GAO: Closed. IRS has established CDDB to function as a transaction-level subsidiary ledger for unpaid tax debt. However, while CDDB has the capability to function as a subsidiary ledger for unpaid tax debt, systemic limitations and errors in taxpayer accounts prevent IRS from using CDDB as its subsidiary ledger to routinely and reliably report its balance of unpaid tax assessments. IRS must continue to use a labor-intensive, manual compensating process to estimate the year-end balances of the various categories of unpaid tax assessments to avoid materially misstating its financial statements. Specifically, IRS had to make almost $8 billion in adjustments to the fiscal year-end 2009 gross taxes receivable balance produced by CDDB as part of its manual estimation process. While IRS has made significant progress, full operational capability of CDDB depends on additional refinements to CDDB programs that classify unpaid assessments accounts into the various financial reporting categories, as well as IRS's ability to improve controls over the recording of information into taxpayer accounts. Additionally, we continue to find deficiencies in IRS's processes for accurately and timely crediting the accounts of all parties assessed for a TFRP when TFRP payments are received by IRS. Nevertheless, in order to provide recommendations more closely aligned with the current status of these control weaknesses, we have closed this recommendation based on IRS's progress. We have reported the remaining issues related to the reliability of IRS's subsidiary ledger and trust fund recovery penalties, along with new recommendations for corrective actions, in our June 2010 management report. See GAO-10-565R and recommendations 10-03 and 10-04 in this report. ID no.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (long-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Closed: IRS has completed the following actions to close this recommendation. With respect to systemic enhancements, IRS has implemented numerous ATFR enhancements to the Area Office application and to the Integrated Data Retrieval System. Examples include (1) implementation of ATFR programming, which automated the calculation of the penalties and assessment process to ensure accuracy and timeliness of assessments, (2) implementation of Area Office ATFR application, including the Web version of the Control Point Monitoring portion of the application, and (3) enhancements to increase system usability and features to help ensure timely processing. Through an end-to-end analysis of the TFRP process, IRS identified factors that caused delays in processing and posting trust fund recovery assessments. As a result, IRS established time frames for critical milestones in the IRM and include (1) an initial maximum 120-day period, starting when balance due accounts are assigned to a revenue officer to decide whether to pursue the TFRP, (2) beginning with the date the decision was made to pursue the TFRP, an additional maximum 120-day period for submission of the TFRP recommendation package to the group manager, and (3) created an IRM requirement that establishes specific processing time frames for processing cases through the CPM. With respect to reports diagnostics and training, IRS has created numerous management-level reports to monitor cases as they progress through the various stages of determination, assessment and processing of the TFRP. Additionally, an extensive training and workshop program has been established to ensure all levels of management receive comprehensive and timely training on the effective use of TFRP reports; Status per GAO: Closed. Over the past several years, IRS determined several factors causing delays and took a series of actions to improve the timeliness of processing and posting TFRP assessments. IRS updated the Internal Revenue Manual to establish specific time frames for achieving critical milestones in processing TFRP assessments. These milestones include a maximum number of days that IRS staffs are given to (1) determine whether to pursue TFRP assessments against responsible business officers, (2) submit a case file for managerial approval of the recommended TFRP assessment, (3) review the case file, and (4) post the assessment to the responsible business officer's tax account. IRS has also established time frames for segments of the TFRP assessment process not currently covered in its IRM, and is working to finalize these criteria in the IRM. Additionally, IRS completed the nationwide implementation of the Automated Trust Fund Recovery - Area Office (ATFR-AO) application. According to IRS, ATFR-AO will facilitate the timely and accurate processing of TFRP assessments by automating the calculation of trust fund penalties. Furthermore, IRS developed several reports to help managers monitor the progress of TFRP assessment cases being processed. ID no.: 99-22; Recommendation: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Closed. All IRS field offices continue to provide training and perform reviews to strengthen controls over remittances. On August 15, 2008, SB/SE updated guidance and instructions to Collection Field function employees about overstamping checks made out to "IRS" or "Internal Revenue Service" with "United States Treasury." This includes Submission Processing (SP) sending a teller error advice through the Revenue Officer group manager to address remittance errors. Tax Exempt/Government Entity (TE/GE) covered remittance processing procedures during the new hire workshops and included text in the fiscal year 2009 Revenue Agent CPE. On August 20, 2009, Large and Mid-sized Business (LMSB) issued their annual executive memorandum to all IRS field offices on the use of Form 3210 procedures. On November 30, 2009, LMSB incorporated information on Form 3210 procedures along with the proper procedure for overstamping of checks made out to the "IRS" with "United States Treasury" in the "Processing Advance Payments and Deposits" job aid module for new hires. TE/GE Employee Plans Division will revise two sections of the IRM and add a third section by May 31, 2010, to provide clear instructions on check handling procedures, including the importance of overstamping checks made out to IRS, and locking them in a secured area; Status per GAO: Closed. IRS has taken several actions to address this recommendation and improve its review of deterrent controls at its field offices. During our fiscal year 2009 audit, we did not find any instances of physical security control weaknesses over courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury" at the field offices we visited. Therefore, we are closing this recommendation. We will continue to monitor IRS's implementation of its field office reviews during future audits. ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Status per IRS: Open. The IRS continues to strengthen internal controls and procedures to enhance its ability to account for Property and Equipment (P&E) in the Integrated Financial System (IFS). Currently, IRS is reviewing options to develop a new asset tracking system that will reconcile physical asset records to the financial records. The new system is scheduled to be implemented during the second quarter of 2011; Status per GAO: Open. During our fiscal year 2009 audit, we continued to find that IRS experienced problems with linking asset purchases recorded in the general ledger system (IFS) to the P&E inventory systems (Information Technology Asset Management System (ITAMS) and Criminal Investigation Management Information System (CIMIS)), which indicates that IRS's detailed P&E records do not yet fully reconcile to the financial records. We will continue to monitor IRS's progress in addressing these financial management system issues. ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS continues to address issues that cause late lien releases through an internal Lien Action Plan and by conducting reviews as part of its A-123 controls assessment process. Based on the fiscal year 2009 A-123 results, SB/SE initiated a semiannual independent review to identify areas of recurring errors, revise procedural guidance, correct systemic problems with dead cycles, and to work closely with stakeholders. SB/SE is reviewing a sample of lien releases and will establish target goals and review and adjust the Lien Action Plan based on these reviews throughout the year; Status per GAO: Open. During our fiscal 2009 audit, we continued to find that IRS did not always timely release liens. In IRS's own testing of lien releases, it identified 8 instances out of 59 cases tested in which it did not release the applicable federal tax lien within the statutory 30-day period. The time between the satisfaction of the liability and release of the lien ranged from 35 days to more than 123 days. Based on these results, IRS estimated that for about 14 percent of unpaid tax assessment cases that were resolved in fiscal year 2009 in which it had filed a tax lien, it did not release the lien within 30 days of the resolution of the case. IRS's ineffective controls over this area results in its noncompliance with Internal Revenue Code Section 6325, which requires IRS to release tax liens within 30 days of the date the related tax liability is fully satisfied. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2010 and future audits. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS implemented a methodology to calculate leasehold improvements disposal balances in time for the fiscal year 2009 financial statements. The IRS continues to assess existing system capabilities and data sources to determine alternative approaches for leasehold improvements; Status per GAO: Open. During our fiscal year 2009 audit, we determined that IRS had not established a subsidiary ledger for leasehold improvements. However, IRS is pursuing alternative methodologies to enhance its ability to account for leasehold improvements. We will continue to monitor IRS's development of alternative methodologies to enhance its ability to account for leasehold improvements in future audits. ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term); Source report: Management Letter: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 2001); Status per IRS: Open. IRS made significant improvements to its methodologies for cost estimation and actual cost tracking. The IRS published IRM 1.33.3, Reimbursable Operating Guidelines, on October 9, 2009, which provides guidance for determining the full costs of estimated and actual costs for reimbursable agreements. IRS also published IRM 1.32.3, Managerial Cost Accounting, on July 13, 2009. The Office of Cost Accounting continues to work with the business units to provide guidance on proper recording of data and the use of the Integrated Financial System for reporting, data matching, and analysis; Status per GAO: Open. IRS has improved its methodology for allocating its costs of operations at the business unit level. However, further actions are needed for it to accumulate and report actual costs associated with specific reimbursable projects. We confirmed during our fiscal year 2009 audit that, for reimbursable projects that do not require payments to be made in advance, IRS business units manually track the actual costs for each project and bill the customer as costs are incurred. However, for projects that require advance payments, IRS does not have a process for determining the total actual costs incurred at the end of the agreement term, determining the difference between actuals and the advance payment amount, and refunding or billing for the difference. We also noted that neither the Reimbursable Operating Guidelines nor IRS's Managerial Cost Accounting Policy describe a mechanism for tracking and reporting actual costs associated with reimbursable activities. We will continue to monitor IRS's efforts to implement this recommendation during our fiscal year 2010 audit. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Closed. Wage and Investment (W&I) continues to emphasize the requirements of segregation of duties and annually performs operational reviews at all levels to ensure field offices comply with the requirements of segregation of duties. Follow-up reviews preformed by Territory Managers during March 2009 revealed that Taxpayer Assistance Centers (TAC) managers are following these requirements. W&I holds an annual Filing Season Readiness Workshop to address remittance and data security. New managers are trained using the "Managing a TAC" course that provides training on payment processing, managerial reviews, and segregation of duties between employees accepting, recording, and transmitting payments. Field Assistance delivered "Managing a TAC" classes in July 2009 and in October 2009. Additional "Managing a TAC" training is ongoing. Field Assistance Headquarters is conducting reviews on the remittance process during the first two quarters of fiscal year 2010 to obtain compliance; Status per GAO: Open. During our fiscal year 2009 audit, we identified instances at five TACs we visited where there was a lack of segregation of duties between the employees preparing Forms 795, which is used to record taxpayer payments (cash and non-cash), and mailing those forms to SCCs without having the forms reconciled by other employees or reviewed by managers. In addition, IRS asserts in its response that new managers are trained using the "Managing a TAC" course and that the course provides training on payment processing, managerial reviews, and segregation of duties between employees accepting, recording, and transmitting payments. However, from our review of the "Managing a TAC" course material, we did not find where the course material specifically addresses IRS's segregation of duties policy as outlined in IRM 21.3.4.7.3.2, which establishes procedures and protocols for segregation of duties but limits that activity only to those TACs where staffing levels permit such activity. We will continue to assess IRS's actions during our fiscal year 2010 audit. ID no.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Closed. The Personnel Security (PS) office successfully implemented all three short-term measures to reduce the instances of Security Entry and Tracking System (SETS) errors. PS continues to issue biweekly emails to all SETS users containing the most current reports to be used in identifying and reporting errors to the National Finance Center (NFC) and to compile weekly extracts of all enter-on-duty dates where there were no fingerprints results or where the results were after the enter-on-duty date. SETS users then send these reports to each Employment Office for updates and feedback. PS addressed the long-term measures to include writing Standard Operating Procedures and vetting with the Human Capital Office's employment offices, along with forming a working group to develop a collaborative report; Status per GAO: Closed. During our fiscal year 2009 audit, we found that IRS implemented compensating controls to address the weaknesses associated with this recommendation. Specifically, IRS implemented biweekly reminders and reviews of SETS data and began utilizing the comment field in the SETS database to annotate important dates and other key information that SETS is unable to track and update due to its technical limitations. ID no.: 04-08; Recommendation: Enforce policies and procedures to ensure that service center campus security guards respond to alarms. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Status per IRS: Closed: IRS enforces monthly unannounced monitoring of guard response to alarms. The Physical Security and Emergency Preparedness (PSEP) Risk Management (RM) office conducted an Alarm Monitoring Workshop on April 28, 2009, that included this topic. RM sends a calendar/reminder to alarm program coordinators each Friday before the monthly report is due, and continues to oversee and ensure compliance of alarm testing and results via internal reporting tools. A communication was distributed to PSEP Operational Readiness to reiterate policy on guard response to alarms on February 2, 2010; Status per GAO: Closed. IRS continually enforces its policies and procedures to ensure that SCC security guards respond to alarms. Each month, IRS sends reminders to alarm program coordinators to ensure that alarms are tested and guards' responses are evaluated in each test. Alarm program coordinators are required to summarize the test results and report them monthly to PSEP management. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed (SB/SE) units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Status per IRS: Open. SB/SE will revise IRM 5.1.2.4 by June 30, 2010, to add additional clarification to the policies and procedures related to Collection Field function payment posting vouchers, document transmittal forms, and transmittal packages to ensure an appropriate level of separation of duties; Status per GAO: Open. IRS did not revise its IRM during fiscal year 2009 to address the additional clarifications for ensuring appropriate separation of duties. We will continue to assess IRS's actions during our fiscal year 2010 audit. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Status per IRS: Closed. SB/SE revised IRM 5.1.2.4.4 on August 15, 2008, to document the field office requirements for preparing Form 3210, Document Transmittal, when more than one remittance package (sealed envelope containing Form 795/795A and remittances) is being sent to SP. Also, SB/SE revised IRM 1.4.50.2.1.9(11) on May 12, 2009, outlining procedures for group managers to review remittance package transmittals to SP. Fiscal year 2009 reviews of area operations included addressing group remittance processing controls; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issue that gave rise to our recommendation. During our fiscal year 2009 audit, we identified one SB/SE unit that was not following the requirement to use a Form 3210 while transmitting multiple Forms 795 to the SCC for further processing. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Status per IRS: Closed. IRS continues to enforce documentation requirements relating to authorizing officials charged with approving manual refunds. IRS created a standard authorization Form 14031 in September 2008 for all offices to use, and as a result, monthly and annual security review reports show considerable decline in memorandum defects. IRS continues to issue its annual solicitation memorandum to authorizing officials charged with approving manual refunds. The IRS finalized the annual list of authorized signatures as required by IRM 3.17.79.3.5 (4) (d) on October 31, 2009. SP Headquarters completes a sample review as part of the Monthly Security Review Checklist per IRM 3.17.79.3.5 (3), ensuring compliance to documentation requirements-- including the signatures of Heads of Office that delegated officials the authority to approve manual refunds and the authorizing official's campus or field office organization information. Any defects identified are shared with management for correction; Status per GAO: Closed. IRS has taken significant steps to address this recommendation. During our fiscal year 2009 audit, we found that the documentation requirements on memorandums providing the list of officials authorized to approve manual refunds were completed satisfactorily. In August 2009, IRS issued a memorandum entitled "Annual Solicitation for Authorized Refunds" which provides the information to enforce documentation requirements. GAO verified that the memorandum contained the required information. Additionally, GAO reviewed a copy of the standardized memorandum listings in Form 14031 to verify whether those charged with approving manual refunds are properly documented. No exceptions were noted. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Status per IRS: Open. IRS increased its oversight to enforce the requirements to monitor accounts related to manual refunds. This included updating IRM requirements and controls to consolidate and simplify the process related to manual refund monitoring, providing refresher training for manual refund initiators, and implementing internal control and operational reviews to ensure managers and employees are adhering to the prescribed IRM procedures. Any defects identified through these reviews are shared with management for correction. Additionally, the IRS utilizes the Taxpayer Advocate Service (TAS) Managers Forum to advise all TAS employees of the requirement to have a backup manual refund monitor when the Case Advocate is out of the office and to educate managers on the requirement to monitor all manual refunds entered by their employees; Status per GAO: Open. During our fiscal year 2009 audit, we continued to find instances where manual refund initiators did not monitor accounts for manual refunds and supervisors did not verify that manual refund initiators were following proper procedures for monitoring manual refunds. We will continue to evaluate IRS's actions during our fiscal year 2010 audit. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr, 27, 2005); Status per IRS: Open. IRS increased its oversight to enforce the requirements to monitor accounts related to manual refunds. On October 1, 2009, SB/SE Campus Compliance Services updated IRM 21.7.8.4.5.3 (9) (d) to address manual refund monitoring requirements. Accounts Management (AM) revised IRM 21.4.4 to require centralized controls for monitoring and reviewing manual refunds at the team level. AM and Submission Processing (SP) sites completed the manual refund refresher training for their manual refund initiators and managers by October 15, 2009. Manual refund issues continue to be part of the site's quarterly internal control review for AM, and as part of the Monthly Security Review Checklist for SP. Any defects identified are shared with management for correction. IRS also reminds its employees and managers of the monitoring requirement during team meetings, annual continuing professional education, and annual operational reviews. The Manager's Forum instructs managers on the requirement to monitor all manual refunds entered by their employees. In March 2009, the Executive Director of Case Advocacy (EDCA) sent to all Area offices a notice of "verification of action taken" that requires each office to verify all IRM requirements are followed concerning the issuance and monitoring of manual refunds. In the last year, the EDCA Office performed a physical review of TAS cases and evidence that Case Advocates and Managers monitored manual refunds in the 30 TAS offices reviewed. In TAS, the EDCA office, in addition to physical reviews performed, reminds management to discuss the manual refund monitoring requirements in all group meetings by referring Case Advocates to the IRM reference, 21.4.4.5.1, Monitoring Manual Refunds; Status per GAO: Open. Although IRS's response does not directly address requirements for documenting monitoring actions, we verified that IRS has updated its IRM to include guidance on the requirements to document monitoring actions for manual refunds. However, during our fiscal year 2009 audit, we continued to find instances where manual refund initiators did not document their monitoring actions or the unit supervisor did not document his/her review of monitoring actions, or both. The additional corrective actions cited by IRS were subsequent to our fieldwork. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2010 audit. ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. Accounts Management (AM) has procedures in place for the periodic supervisory review and documentation of the Form 3210 reconciliation process to follow up on unacknowledged forms. This process provides a timely account of any discrepancy between the documents listed on the Form 3210 and those received. Beginning in fiscal year 2009, AM required a quarterly, independent review of each Refund Inquiry Unit to ensure compliance with this requirement. AM Headquarters conducts this review; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issue that gave rise to our recommendation. Since initially issuing this recommendation in May 2006, we continued to identify instances where Refund Inquiry Unit managers or supervisors were not performing or documenting periodic reviews of forms used to transmit returned refund checks. In many cases, the employees were not aware of the requirement for documenting their reviews. In addition, while IRS states that procedures are in place requiring the periodic review of these forms, we were unable to locate or identify these procedures in the IRM. We will continue to evaluate IRS's actions during our fiscal year 2010 audit. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. IRS has procedures in place to ensure compliance with tracking acknowledgment of document transmittals. To ensure compliance, LMSB issued a memorandum reiterating Form 3210 procedures which provided specific IRM guidance related to the preparation, tracking, and monitoring of Form 3210s and incorporated such procedures in a job aid module for new hires. All TE/GE Exam Managers use the Quick Reference Guide for processing checks and Area Managers verify tracking measures are in place during operational reviews. Additionally, TE/GE's Exempt Organization Exam Division will revise specific IRM sections dealing with remittance processing. W&I also has a system in place to monitor the use of Form 3210s when mailing documents to SP Centers and reiterate this requirement while conducting workshops and annual training. Further, W&I monitors compliance through operational reviews, which have provided evidence that sustained improvement has been achieved in compliance with tracking acknowledgment copies of Form 3210 document transmittals; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issues that gave rise to this recommendation. During our fiscal year 2009 audit, we identified instances at two TACs where there was no system in place to monitor acknowledged/unacknowledged transmittals to the SCC. We will continue to assess IRS's actions during our fiscal year 2010 audit. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. TE/GE added a question to its 2009 Annual Assurance Review to ensure managers document their reviews of document transmittals verifying that taxpayer remittances mailed between IRS locations are tracked according to guidelines. TE/GE will include this question in all future Annual Assurance Reviews. Also, TE/GE managers are required to review procedures and the Director of Exempt Organization (EO) Exam sent an e-mail to all EO Exam Managers reiterating Form 3210, Document Transmittal, procedures and to discuss Form 3210 procedures with their employees. W&I has a system in place to monitor the use of Form 3210 when mailing documents to SP Centers. W&I reinforces this requirement while conducting its Filing Season Readiness Workshop. Further, W&I monitors compliance during reviews conducted by territory managers and operational reviews conducted by headquarters personnel. AM operational reviews have provided evidence that sustained improvement has been achieved in compliance with tracking acknowledgment copies of Form 3210 document transmittals. LMSB emphasizes in managerial workshops that document transmittals between IRS locations are likely to be reviewed by Territory Managers. LMSB also incorporated the review of Form 3210 procedures into their Territory Manager's operational review, such as the Communications, Technology, and Media Industry operation review discussion check sheet. In August 2009, LMSB issued an annual executive memorandum to its employees on Form 3210 procedures, including the IRM requirement for LMSB managers and employees for the preparation, tracking, and monitoring of the form. In November 2009, LMSB incorporated information on Form 3210 procedures in the "Processing Advance Payments and Deposits" job aid module for new hires."; Status per GAO: Open. We reviewed IRS's policies for ensuring that hard-copy taxpayer receipts and information mailed between IRS locations are tracked according to guidelines. However, we did not find specific instructions stating how and where W&I Field Assistance managers or supervisors should document their review of the document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. During our fiscal year 2009 audit, we identified instances at seven TACs where there was no evidence of managerial review of document transmittals. We will continue to evaluate IRS's corrective actions. ID no.: 06-05; Recommendation: Equip all Taxpayer Assistance Centers with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. The IRS continues to identify priority locations for TAC Model build outs through proactively evaluating TAC sites and from customer feedback. IRS criteria for priority status include sites with security, safety, and environmental health concerns. Of the 401 TAC locations, 224 have the model TAC design and 12 were completed by the end of 2009 with another 63 scheduled for completion by the end of 2010. IRS's Physical Security and Emergency Preparedness (PSEP) established quarterly meetings to track the redesign and physical security issues of the TACs. Until all remaining sites can be upgraded, all sites will follow the strictest security guidelines as established by PSEP. IRS continues to focus on security concerns through the use of the following solutions: theater rope or other barriers, signage, minor alterations, and reconfigurations with consultations from PSEP; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2010 audit. ID no.: 06-07; Recommendation: Document supervisory visits by off-site managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. W&I Field Assistance continues to use the TAC Security Remittance Review Database to document supervisory reviews. Managers are required to conduct and document their reviews to ensure the protection of data and compliance with remittance and security procedures. W&I Field Assistance is currently testing the Web design and initiated a review process to engage headquarters, area, and territory managers to identify and correct database entries. W&I Field Assistance is validating the effectiveness of the corrective actions taken; Status per GAO: Open. During our fiscal year 2009 audit, we identified instances at four TACs where group managers did not properly use the TAC Security Remittance Review Database to document supervisory reviews conducted during visits to outlying TACs. We will continue to assess IRS's actions during our fiscal year 2010 audit. ID no.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at service center campuses (SCC) and lockbox banks record all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. On September 23, 2009, IRS revised the IRM requiring campuses to record all instances involving the activation of any alarm, regardless of what may have caused the activation, and the instances must be recorded in a Daily Activity Report/Event Log or other log book and maintained for a period of two years. On January 1, 2008, IRS revised L.S.G.2.3.3.15 Intrusion Detection System (IDS) stating, "A record of all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation, must be maintained in the Daily Activity Report (DAR) or other incident logbook." On April 27, 2009, Business Support Management met with the guard staff to address IDS requirements and emphasized the requirement for the full completion of the Daily Activity Report as detailed in the Lockbox Security Guidelines (LSG), Standard Operating Procedures (SOP), and Post Orders. In addition, the Business Support team will monitor the full completion of the DAR, on a daily basis, and provide feedback to the guards, as necessary. Repeated offenses will ultimately result in the dismissal of the guard from the Lockbox Project; Status per GAO: Closed. During our fiscal year 2009 audit, we verified that IRS revised IRM 10.2.14 and LSG 2.3.3.15 to require all instances involving the activation of intrusion alarms to be recorded at SCCs and lockbox banks. In addition, Business Support staff met with the guards to address Intrusion Detection System requirements and instituted controls to monitor full completion of the DAR at lockbox banks. In addition, we did not identify any instances where the activation of intrusion alarms were not recorded. ID no.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. During fiscal year 2008, IRS corrected the Information Technology Asset Management System-Asset Center, which is used to record and manage P&E's disposal wizard, allowing all disposal actions to be timely updated in the Web-based aging report to ensure timely completion of the disposal process; Status per GAO: Closed. During our fiscal year 2009 audit, we verified that IRS staff routinely researched and resolved the aging reports, thereby promptly recording disposals of property and equipment in its inventory records. Additionally, our testing did not identify any situations where IRS did not timely update disposal transactions. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS continues to utilize the Audit Management Checklist as a repeatable process where service center campuses quarterly validate their closed circuit television (CCTV) to determine if it provides an unobstructed view of the exterior of the campus perimeter and to identify problems and planned corrective actions to mitigate any identified problems. Physical Security and Emergency Preparedness (PSEP) continues to place emphasis on CCTV camera coverage, and the PSEP Risk Management office will distribute a communication to PSEP, Operational Readiness, to reiterate the policy on CCTV camera coverage; Status per GAO: Open. On January 10, 2008, IRS completed an assessment of its CCTVs in all SCCs to ascertain whether they provided an unobstructed view of its campuses' exterior perimeter. We found that this assessment did not account for the multiple long-standing CCTV weaknesses, which continued to exist at one SCC during our April 2009 visit. As a result, it is unclear whether additional CCTV weaknesses at other SCCs went unreported in this risk assessment. Further, while IRS cites the Audit Management Checklist as a tool to (1) assess the physical security controls at SCCs and field offices and (2) identify associated weaknesses and planned corrective actions, we found that the officials responsible for completing the checklist did not always answer the questions in the checklist accurately. We will continue to assess IRS's actions during our fiscal year 2010 audit. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. All initiators and their managers completed manual refund procedures refresher training by October 15, 2009. In addition, Accounts Management revised manual refund monitoring procedures in IRM 21.4.4, emphasizing the new requirements for centralized monitoring at the team level and documenting the monitoring actions; Status per GAO: Open. During our fiscal year 2009 audit, we continued to find instances where the manual refund initiators did not receive training to ensure that they are able to fulfill their responsibilities for processing manual refunds which include monitoring and documenting actions to prevent the issuance of duplicate refunds. The IRS refresher training referred to by IRS was subsequent to our field work. We will follow up during our fiscal year 2010 audit to test its effectiveness. ID no.: 07-15; Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the Internal Revenue Manual (IRM) requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. SB/SE issued a memorandum on December 16, 2009, to its managers providing interim guidance on policies and procedures for monitoring the timely determination of release of Notices of Federal Tax Lien for cases receiving a discharge through bankruptcy. These procedures will be incorporated into IRM 5.9.17 and IRM 1.4.51 by August 30, 2010; Status per GAO: Closed. IRS issued a memorandum providing additional guidance for monitoring cases involving bankruptcy discharge to help ensure the timely release of federal tax liens. However, in its own fiscal year 2009 lien release testing, IRS identified one case involving bankruptcy, where it did not release the lien within 30 days. We will continue to monitor IRS's implementation of policies and procedures in this area during our fiscal year 2010 audit. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS implemented procedures on March 3, 2009, which state, in part, "an Employee Resource Center (ERC) work ticket call type has been established to specifically identify when secured storage space is needed. Requesters will initiate the ERC ticket process by requesting "Property Consultation" services, which initiates Real Estate and Facilities Management (REFM) activity to work with the requester on obtaining whatever secured storage space is needed"; Status per GAO: Open. While IRS had established procedures to ensure that sufficient secured space was available for all property and equipment not currently in use, we found that IRS did not ensure that the space was maintained properly. During our fiscal year 2009 physical inventory testing, IRS was unable to locate a laptop computer. According to IRS officials, the laptop computer had been stolen. Although the IRS officials informed us that the storage room that housed the computer is normally locked, we found during our physical inventory testing that the storage room was unlocked. We will assess the effectiveness of IRS's procedures to properly secure and safeguard property and equipment not in use during our fiscal year 2010 audit. ID no.: 07-21; Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. The Office of Procurement Policy will issue a Policy Update reminder to all of its employees regarding the receipt and acceptance criteria and limitations on contracting officers outlined in policy documents. This immediate notification will serve as a reminder and bring attention to this concern. In addition, Agency Wide Shared Services (AWSS) will follow up with an audit to ensure compliance with policy and procedures; Status per GAO: Closed. During our fiscal year 2008 audit, we reviewed IRS's revised policy and procedure memorandum pertaining to the separation of duties, but during our fiscal year 2008 testing, we found that individuals were performing incompatible functions. During our fiscal year 2009 audit, we did not identify any issues regarding separation of duties. ID no.: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. On June 30, 2009, the IRS implemented a review process for evaluating controls over information technology relating to financial statement reporting. The review focused on the systems that affect recording of financial transactions and included assessing the annual Federal Information Security Management Act (FISMA) evaluations of the CFO-oriented financial systems. In addition, the Associate Chief Financial Officer (ACFO) obtained copies of the Chief Information Officer's (CIO) annual FISMA report evaluating the IRS servicewide information technology security program and found that it met A-123 requirements. The annual Treasury Inspector General for Tax Administration (TIGTA) report evaluating the IRS compliance with FISMA requirements was also reviewed to identify any A-123 FISMA issues; Status per GAO: Open. IRS implemented the review process for evaluating controls over information systems related to financial reporting subsequent to the conclusion of its a-123 testing for fiscal year 2009. We will follow up during our fiscal year 2010 audit to assess the effectiveness of this process. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. On June 30, 2009, IRS implemented a "Fiscal Year 2009 Control Design" template that annotates which design activity was completed for each transaction. IRS enhanced its testing to include procedures for design control activities published in SOPs, IRM references, and business process documentation. The A-123 office, along with the process owner, evaluates procedures to identify the key internal controls and to determine whether the control fully addresses multiple risks; Status per GAO: Open. During our fiscal year 2009 audit, we continued to find that IRS did not include appropriate consideration of design of internal controls into their test plans. We reviewed IRS's internal control test results and found that for about half of the transactions tested, IRS did not consider the design of internal controls in their respective test plans. IRS's actions to address this recommendation were implemented subsequent to the conclusion of its A-123 testing for fiscal year 2009. We will evaluate the effectiveness of these actions during our fiscal year 2010 audit. ID no.: 07-27; Recommendation: Begin devising appropriate A-123 follow-up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. In fiscal year 2009, IRS performed tests in the 4th quarter to provide sufficient evidence of continued operating effectiveness. Testing focused on significant nonroutine transactions, accounts, and processes with high subjectivity or judgment, period end reporting, and other high-risk transactions, as deemed appropriate. The IRS developed its 4th quarter testing by evaluating (1) results of controls tested prior to the year end, (2) evidence obtained, (3) length of time since initial A-123 test, and (4) possibility of significant changes. Testing procedures consisted of one or more of the following: (1) inquiries/questionnaires; (2) additional walk throughs; (3) scanning reconciliations used in the process; (4) selection of more significant controls to independently test; and, (5) review of annotated copies of reports and follow up communications. Testing was also conducted for some controls over processes that normally operate only after the year end closing; Status per GAO: Closed. During our fiscal year 2009 audit, we verified that IRS devised appropriate procedures for the last 3 months of the fiscal year. We obtained and reviewed IRS's testing plans and supporting audit documentation and determined the procedures to be appropriate. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. IRS established traceability for 98 percent of tax revenue collections using the Trace ID stored in IRACS, CDDB, the Integrated Submission and Remittance Processing (ISRP) system, Lockbox, and Electronic Federal Tax Payment System (EFTPS) during the fiscal year 2009 audit. IRS reviewed and corrected twenty-four IRMs pertaining to recording the Trace ID in summary deposits and revenue detail transactions. IRS issued a Hot Topic to the campuses, and is currently updating IRM 3.17.63 to include a new Trace ID reconciliation process to resolve any traceability discrepancies. During fiscal year 2009, IRS completed all remaining programs that validate the Trace ID in the deposit systems and implemented the programs into production in January 2010. During fiscal year 2009, IRS completed all remaining RRACS development and testing to implement RRACS into production, making RRACS the system of record replacing IRACS beginning in February 2010; Status per GAO: Open. During our fiscal year 2009 audit, we verified that IRS substantially completed the capability to trace its revenue and refund transactions from its general ledger to supporting documentary detail, thus providing transaction traceability for its refund disbursements and more than 98 percent of its recorded tax revenue collections. However, as of the end of our fieldwork, IRS had not demonstrated transaction traceability for unpaid tax assessments, including taxes receivable, which constituted over 80 percent of its assets as of September 30, 2009. During our audit of IRS fiscal year 2010 financial statements, we will follow up to assess IRS progress in providing transaction traceability for unpaid tax assessments, including taxes receivable. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. Revenue Financial Management added a check sheet in May 2009 to ensure the statistician performed each of the steps in the estimation process outlined in the June 2008 procedures and is adding additional steps to the procedures based on the fiscal year 2009 review; Status per GAO: Open. IRS is still in the process of documenting the specific procedures performed by the IRS statistician in each step of the unpaid assessment estimation process. During our fiscal year 2009 audit, we again found an error in IRS's unpaid assessment estimates. Until IRS fully documents the specific procedures performed by its statistician in each step of the unpaid assessment estimation process, IRS faces increased risk that an error or omission could be made. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2010 and future audits. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. Revenue Financial Management (RFM) is developing procedures for reviewers during review of the unpaid assessments estimation process to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. The procedures will be in place by May 2010; Status per GAO: Open. During our fiscal year 2009 audit, we again found an error in IRS's unpaid assessment estimates that was not detected by IRS's internal reviews. IRS corrected this error after we brought it to IRS's attention. However, until IRS fully documents the specific detailed procedures for reviewers to follow in its review of unpaid assessments statistical estimates, IRS faces increased risk that errors in this process will not be prevented or detected and corrected. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2010 audit. ID no.: 08-04; Recommendation: To address the inconsistency in assigning the effective date of an accuracy-related penalty, modify the Business Master (BMF) File computer program so that the date of the deficiency assessment is used as the effective date of any associated accuracy- related penalty. (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. In January 2009 IRS implemented programming changes to its BMF so that accuracy-related penalties assessed subsequent to the programming change will carry the same date as the related deficiency assessment; Status per GAO: Closed. IRS changed the computer program for calculating accuracy-related penalties in its BMF to assign the effective date of the accuracy penalty to match the date of the related deficiency assessment. The change makes the assessment of accuracy related penalties in its BMF consistent with how IRS calculates accuracy-related penalties in its Individual Master File. We reviewed IRS's documentation showing the implementation of the programming change as well as the results of its internal tests verifying that the programming change functioned as intended. ID no.: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. The cross-functional working group to address penalty and interest programming issues continue to identify and assess penalty and interest issues. Solutions to identify systemic differences between IRS systems that cannot be fixed under the current processing system have been shared and discussed with Modernization & Information Technology Services to determine the most effective way to implement programming changes and in certain cases an impact analysis determined correction is not cost effective at this time; Status per GAO: Open. Although IRS completed corrective actions on some of the programming issues it identified in 2008, and determined that others were not cost effective to correct, it has not yet completed the required programming corrections on all of the issues it planned to correct. We will continue to review IRS's progress on implementing the programming corrections during our fiscal year 2010 and future audits. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. W&I Field Assistance continues to use the TAC Security Remittance Review Database (TSRRD) to document supervisory reviews. Managers are required to conduct and document their reviews to ensure the protection of data and compliance with remittance and security procedures. W&I Field Assistance is validating the effectiveness of the corrective actions taken by trending subsequent findings to the baseline of prior findings; Status per GAO: Open. IRS outlined the reviews that TAC managers are required to conduct in its IRM. W&I Field Assistance informed us that all of the reviews assessing controls over taxpayer receipts and information are documented in the TSRRD. However, during our fiscal year 2009 audit, we found that the TSRRD was not used throughout the entire fiscal year and as a result we were unable to determine whether the required TAC manager reviews were performed and documented. Also, we identified instances at five TACs where the responses entered into the TSRRD by the TAC group manager were not always accurate, and instances at four TACs where the group manager was not performing the required payment processing reviews. In addition, we found that there was no guidance requiring managerial or supervisory reviews of the information entered in the TSRRD. The lack of managerial oversight increases the risk that the reviews conducted at these outlying TACs may not be useful in assessing key controls and identifying potential weaknesses. We will continue to evaluate IRS's corrective actions during our fiscal year 2010 audit. ID no.: 08-08; Recommendation: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. The Director of Field Assistance issued managers a quarterly reminder to conduct required reviews again during fiscal year 2009. W&I reviews and monitors the status of corrective actions noted during operational reviews; Status per GAO: Closed. IRS established a process to periodically update and communicate the specific required reviews for all off-site TAC managers through quarterly reminders and reviewing and monitoring the status of corrective actions noted during operational reviews. In addition, IRS outlined the reviews that TAC managers are required to conduct in its IRM. According to our discussions with Field Assistance officials, any additional or revised reviews would be communicated through the normal IRM update process. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. AWSS continues to work with the General Services Administration (GSA) to complete janitorial background investigations. GSA has only provided certification that a small number of Level IV and Level III background investigations were completed. IRS requests a Background Investigation (BI) on all contractors at IRS facilities. Although IRS has been working with GSA since March 2008, GSA has not delivered on this entire initiative. As an interim measure, IRS has asked GSA to convert all IRS leases to daytime janitorial cleaning; Status per GAO: Open. To date, background investigations have not been completed for all contractors with access to TAC and other field offices. Since many of these contracts are administered by GSA, IRS has no direct authority over how these contracts should be managed or what provisions should be included in these contracts. As a result, IRS's AWSS continues to work with GSA to complete the investigations for janitorial contractors and has asked GSA in the interim to convert all IRS leases to daytime janitorial cleaning. However, during our fiscal year 2009 audit, we identified instances at three TACs where IRS did not have documentary evidence demonstrating the completion of favorable background investigations for contractors performing janitorial services during nonoperating hours. We will assess the effectiveness of IRS's implementation and oversight of these procedures during our fiscal year 2010 audit. ID no.: 08-13; Recommendation: Require including in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. IRS implemented a National Document Destruction Contract with the National Institute for the Severely Handicapped (NISH) at 482 of the 668 sites requiring shredding as of October 1, 2009. The current contract requires a review of contractor performance through site visits and to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. The remaining sites did not migrate to the NISH contract, as NISH is not able to service several of these remote areas. However, all of the remaining sites' contractors that have local shred contracts with the IRS have agreed to operate under the same strict guidelines established in the NISH contract and are now operating accordingly. As NISH expands its coverage in the future, some of these small outlying locations may fall under the NISH contract, but all sites are now following the strict guidelines; Status per GAO: Open. IRS has taken steps, subsequent to our fiscal year 2009 fieldwork, to consolidate its offsite shredding services to one provider. However, this effort covers only about 72 percent of its sites requiring shredding services. IRS has not provided support to show that the provisions in our recommendation are included in the remaining shredding contracts. We will continue to evaluate IRS's corrective actions during future audits. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. IRS implemented a National Document Destruction Contract with the National Institute for the Severely Handicapped (NISH) at 482 of the 668 sites requiring shredding as of October 1, 2009. The current contract requires a review of contractor performance through site visits and to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. The remaining sites did not migrate to the NISH contract, as NISH is not able to service several of these remote areas. However, all of the remaining sites' contractors that have local shred contracts with the IRS have agreed to operate under the same strict guidelines established in the NISH contract and are now operating accordingly. As NISH expands its coverage in the future, some of these small outlying locations may fall under the NISH contract, but all sites are now following the strict guidelines; Status per GAO: Open. IRS identifies its current efforts and progress of implementing a National Document Destruction Contract with NISH that would include provisions for conducting site visits and asserts that all sites are following these guidelines. However, these actions occurred subsequent to our fiscal year 2009 fieldwork. In addition, IRS has not revised the IRM to require that IRS perform and document periodic unannounced inspections of off-site shredding contractor facilities to ensure that contractors continue to appropriately safeguard sensitive IRS information on an ongoing basis. We will continue to evaluate IRS's corrective actions during future audits. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Open. IRS implemented a National Document Destruction Contract with the National Institute for the Severely Handicapped (NISH) at 482 of the 668 sites requiring shredding as of October 1, 2009. The current contract requires a review of contractor performance through site visits and to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. The remaining sites did not migrate to the NISH contract, as NISH is not able to service several of these remote areas. However, all of the remaining sites' contractors that have local shred contracts with the IRS have agreed to operate under the same strict guidelines established in the NISH contract and are now operating accordingly. As NISH expands its coverage in the future, some of these small outlying locations may fall under the NISH contract, but all sites are now following the strict guidelines; Status per GAO: Open. IRS identifies its current efforts and progress in implementing a National Document Destruction Contract with NISH that would include provisions for requiring that contractors comply with all security requirements for employee clearance prior to performing the work. However, these actions occurred subsequent to our fiscal year 2009 fieldwork. We will review IRS's procedures for evaluating completed background investigation records to ensure that only contractor employees who receive favorable background investigation results are allowed access to taxpayer receipts or other sensitive information during future audits. ID no.: 08-16; Recommendation: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. HCO continues to send monthly reminders to the Employment Offices reinforcing Policy No. 15 - Suitability Standards for Hiring Juveniles by the IRS. A notice was issued in July 2007 to emphasize the policy. Further, the HCO issued Alert 731-2 in September 2008, to all Employment Offices to clarify the guidance in Policy No. 15. HCO has taken steps to monitor the Employment Offices via monthly employment teleconference meetings to eliminate any further issues; Status per GAO: Closed. We verified that IRS continues to send monthly reminders to its Employment Offices. Also, we verified the Human Capital Office issued an alert to clarify guidance in its suitability standards for hiring juveniles, and conducted an oversight review of the Juvenile Employment Program in September 2009. We believe that these actions met the intent of our recommendation by enforcing the requirement to receive and make direct contact with character references when hiring juveniles. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 (Recommendation for Juvenile Employment) by contacting the reference directly and documenting the details of this contact. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. The HCO issued Alert 731-2 in September 2008 to all Employment Offices to clarify the guidance in Policy No. 15. The Policy and Programs office conducted an oversight review of the Juvenile Employment Program in September 2009 and no exceptions in the policy were found regarding contacting the references listed on the Form 13094 and documenting the details; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issues that gave rise to our recommendation. During our fiscal year 2009 audit, we identified three instances in which IRS employment office staff did not obtain and verify a valid character reference, as required on Form 13094. We will review IRS's corrective actions during our fiscal year 2010 audit. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008); Status per IRS: Closed. IRS implemented GovTrip requiring all travelers to use the new system. Travelers are required to create an authorization before travel begins, and GovTrip will not allow a voucher to be created without a signed/approved authorization. AWSS continues to issue communications to all employees reiterating the policy requiring all employees to obtain approval of travel authorizations before the initiation of travel through periodic notices on the IRS intranet. AWSS will continue to monitor compliance with this requirement; Status per GAO: Open. We confirmed that IRS implemented its GovTrip system, and that GovTrip does not allow a voucher to be created without an approved authorization entered into the system. However, GovTrip allows an authorization to be created after the date of travel and thus, cannot ensure that travel is authorized before it begins. Also, IRS could not provide an example of AWSS communications that mentioned the requirement to obtain approval of a travel authorization prior to the initiation of travel. In addition, during our fiscal year 2009 audit, we found an instance where IRS staff did not obtain approval of travel authorizations in advance of travel. We will continue to review IRS's progress in implementing this recommendation. ID no.: 09-01; Recommendation: Correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure to pay penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS implemented additional programming changes in January 2009 to ensure that failure to pay penalties are calculated at a reduced rate for all eligible taxpayers who have entered into an installment agreement. IRS's CFO tested the programming changes through August of 2009 to ensure that the programming is operating as intended; Status per GAO: Closed. We reviewed a nonrepresentative selection of accounts of eligible taxpayers that had entered into installment agreements with IRS and verified that IRS's master file was calculating the failure to pay penalty at the reduced monthly rate of one-quarter of one percent on all of the selected accounts. ID no.: 09-02; Recommendation: Add specific requirements to the IRM to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. (W&I) Accounts Management revised IRM 21.4.4.5.1 (1) on October 2, 2009, with the following: "It is management's responsibility to ensure accounts are monitored each week; however, the actual monitoring can be delegated. When an employee who performs monitoring actions is out on leave, management must reassign the monitoring to a backup"; Status per GAO: Closed. During our fiscal year 2009 audit, we verified that IRS revised its guidelines by adding a note within the IRM stating that it is management's responsibility to ensure accounts are monitored each week. ID no.: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Open. On May 15, 2009, IRS updated IRM 3.8.45 clarifying the instructions when there are time discrepancies on acknowledged Forms 10160. IRM 3.8.45.1.9.3.1 directs the campuses to enact the courier contingency plan if the time stamps on Form 10160 are outside of the time allowed in the courier contract without a reasonable explanation. Each campus has a contingency plan for delivering the deposit to the bank if the courier does not meet the requirements outlined in IRM 3.8.45.1.9.1. IRM 3.8.45.1.9.5 directs the Receipt & Control Operations Manager to enact the courier contingency plan and contact headquarters (HQ) if the time stamps on Form 10160 are outside of the time allowed in the courier contract without a reasonable explanation. IRM 3.8.45.1.9.7 directs HQ to contact the courier company management when notified by the Campus Receipt and Control Operations Manager of unacceptable time discrepancies on Form 10160. HQ management will make the decision to continue with the courier contract or adopt the campus courier contingency plan; Status per GAO: Open. The objective of this recommendation was for IRS to develop a mechanism to aid in identifying when courier drivers who transport deposits failed to comply with IRS's guidance to transport the deposits directly to their destination with no unauthorized stops. From our review of the IRM, IRS continues to lack guidance in establishing a methodology for developing minimum requirements for setting allowable times for courier deposits that, when exceeded, would identify potential unauthorized stops during transit. For example, during our fiscal year 2009 audit, we continued to find instances at one SCC where the deposit courier's average travel time was 90 minutes; however, the threshold established before anyone would question the deposit time or initiate the courier contingency plan was 135 minutes. Thus, IRS officials are only required to make inquiries if the courier exceeded the delivery time by 45 minutes. This time frame does not meet the objective of identifying potential instances when deposit couriers have made unauthorized stops during their delivery. We will review IRS's corrective actions during our fiscal year 2010 audit. ID no.: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. SP performs courier surveillance during the unannounced security reviews completed at each campus. IRM 3.8.45.1.5 instructs the campus Receipt & Control Operation manager to contact headquarters (HQ) if there is a time discrepancy on Form 10160 that does not have a reasonable explanation. HQ Management will perform courier surveillance if needed and make the decision to continue with the courier contract or adopt the campus contingency plan; Status per GAO: Open. The objective of this recommendation was to include minimum requirements in the IRM for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. In March 2010, IRS informed us that a surveillance of all couriers at SCCs will be conducted during fiscal year 2010. However, the IRM referred to in IRS's response does not include this requirement or any other requirements outlining when surveillance of couriers are conducted. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Open. W&I Field Assistance and Accounts Management Services are creating an electronic Form 795 that will automate the existing manual remittance reporting process. W&I has reached the first milestone in building the "Collection Activity Report." This report will have capabilities of tracking cash and noncash remittances by geographical regions. The national roll-up report will identify the type and total amount of payments received at the territory level. Efforts are being made to further develop the report to the TAC level. Anticipated completion of the recommendation is October 2012; Status per GAO: Open. IRS continues its ongoing efforts to establish a mechanism to track and report TAC receipt. According to IRS, full implementation is not expected until October 2012. We will evaluate IRS's corrective actions during future audits. ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14, Methods of Providing Protection, on September 23, 2009, requiring that the documentation of all duress alarms for each location be readily available to individuals conducting duress alarm tests before each test is conducted; Status per GAO: Open. IRS revised the IRM as noted and established a policy requiring a readily available inventory of all duress alarms for individuals conducting the alarm tests. However, while IRS has provided a broad policy statement, it did not provide detailed procedures on how the policy should be implemented. During our fiscal year 2009 financial audit, we identified instances at all nine field offices we visited where an inventory of all duress alarms was not provided to the test conductor prior to conducting the quarterly duress alarm tests. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14, Methods of Providing Protection, on September 23, 2009, requiring Territory Managers to conduct a quarterly inventory validation of all duress alarms; Status per GAO: Open. IRS revised the IRM as noted and established a policy requiring that the inventory of all duress alarms be periodically updated for individuals conducting the alarm tests. However, while IRS has provided a broad policy statement, it did not provide detailed procedures on how the policy should be implemented. During our fiscal year 2009 audit, we identified instances at all nine field offices we visited where an updated inventory of all duress alarms was not provided to the test conductor prior to conducting the quarterly duress alarm tests. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(2), Methods of Providing Protection, on September 23, 2009, requiring IRS officials who conduct the test to (1) document the test results for each duress alarm listed in the inventory including date, findings, and planned corrective action and (2) track the findings until they are properly resolved; Status per GAO: Open. During our fiscal year 2009 audit, we verified that IRS revised duress alarm testing policies in the IRM to require that officials (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective actions and (2) track the findings until they are properly resolved. However, we determined that IRS has not developed specific instructions outlining the necessary steps for properly completing duress alarm tests at its facilities. For example, a waiting period may be necessary between activations of duress alarms at some IRS locations to ensure that the central monitoring station receives each signal. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station, and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(8), Methods of Providing Protection, on September 23, 2009, requiring a quarterly validation of the central monitoring station's Emergency Signal History Report at each IRS facility under the PSEP Territory Office jurisdiction where alarms are present. The prospective PSEP representative ensures that appropriate corrective actions are planned for all deficiencies or incidents requiring actions reported by the central monitoring station per IRM 10.2.14.9.1(11). The IRM requires a monthly validation of the "Emergency/Alarm Contact List" for each IRS facility under PSEP Territory Office jurisdiction where alarms are present, ensuring contact information is current, accurate, and includes appropriate contacts; Status per GAO: Open. IRS revised the IRM as noted and established policies requiring periodic documented review of the Emergency Signal History Report and emergency contact list. However, while IRS has provided broad policy statements, it did not provide detailed procedures on how the policies should be implemented. During our fiscal year 2009 financial audit, we identified instances at all nine field offices we visited where there was no routine documented review of the Emergency Signal History Report or emergency contact list provided to the central monitoring station and an instance at one TAC in which an appropriately qualified individual was not listed as the designated first responder on the duress alarm contact list. We will continue to evaluate this issue during our fiscal year 2010 audit. ID no.: 09-10; Recommendation: Develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of noncompliance with required approval time frames. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. AWSS modified the Purchase Card Handbook (IRM 1.32.6) to meet this requirement, which is expected to be published at the end of January 2010. AWSS Credit Card Services Branch continues to monitor compliance with purchase card requirements through monthly reviews; Status per GAO: Closed. We confirmed that IRS developed, documented, and implemented procedures to regularly monitor the timeliness of purchase card approvals. Also, we verified that IRS's AWSS Credit Card Services Branch conducts monthly reviews of both Web-based and manual purchase card transactions to identify and follow up on instances of noncompliance with required approval time frames. ID no.: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Open. The CFO published IRM 1.35.15, Annual Close Guidelines, establishing year end procedures for expired and closing appropriations. Corporate Budget will revise IRM 1.33.4, Financial Operating Guidelines, clarifying existing procedures regarding the use of expired appropriations, and the Agency-Wide Shared Services will update IRM 1.32.6, Purchase Card Handbook, by March 2010, providing guidance and procedures to preclude the use of expired appropriations when using a purchase card; Status per GAO: Open. We reviewed IRM 1.35.15, which was issued September 8, 2009, and noted that it provides policies and procedures for expired appropriations, including situations when it is appropriate to use expired appropriations, procedures for closing transactions with canceled appropriations, and policies for paying invoices after a fiscal year appropriation is canceled. We also reviewed the revised version of IRM 1.33.4, which was updated on April 16, 2010. It clarified procedures regarding the use of expired appropriations and used examples to further illustrate the policies and procedures. However, as IRS acknowledged in its response, one additional IRM section must be revised and updated to satisfy the intent of the recommendation. IRS expects this action to be completed in fiscal year 2010. We will continue to evaluate IRS's actions during our fiscal year 2010 audit. ID no.: 09-12; Recommendation: Reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. The CFO issued the Annual Close and Fiscal Year 2009 Year end Memorandum on June 4, 2009. The memorandum states, "The need for timely review of open commitments and obligation continues to be essential Guidelines for the Review of Aging Unliquidated Commitments (AUC) and the Aging Unliquidated Obligations (AUO) Reports." The document provides supporting guidance for reviewing and ensuring the validity of AUO, liquidating unneeded balances for commitments and obligations, and defining responsibilities. In addition, the CFO published IRM 1.35.15, Annual Close Guidelines on September 8, 2009. During the AUC/AUO review process, the CFO also reiterates the importance of maintaining accurate obligation and commitment balances to Procurement and the business units; Status per GAO: Closed. We obtained the June 4, 2009 memo, noting that IRS emphasized the importance of reviewing AUCs and AUOs. Furthermore, IRM 1.35.15.11.2 was issued September 8, 2009, and reemphasizes the importance of monitoring and modifying obligations so that they are accurate. However, we noted during the fiscal year 2009 financial statement audit that the AUO reviews did not always identify and deobligate obligations that were no longer valid. We found that some unneeded obligations were not reviewed and deobligated in a timely manner because they did not meet the age criteria to be reviewed under the AUO program. In these cases, the age criteria for review would allow obligations with up to 300 days of inactivity to be exempt from review. This situation could lead to the inaccurate reporting of obligations at the fiscal year end. Thus, while we are closing this recommendation given that IRS's actions were responsive to it, we have reported the related issues noted above, along with related recommendations for corrective action, in our June 2010 management report (GAO-10-565R) and recommendations 10-35 and 10-36 in this report. ID no.: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. The CFO initiated weekly reviews of receipt and acceptance transactions to more timely identify and correct errors; Status per GAO: Open. We obtained information about the Aging Unliquidated Accruals (AUA) process which is designed to review IRS receipt and acceptance transactions in order to more timely identify and correct errors. We confirmed that IRS was conducting the AUA reviews; however, during our fiscal year 2009 audit work we continued to find errors in Receipt and Acceptance transactions that had been identified through the AUA process but had not been corrected in a timely manner. These transactions had been identified by the AUA process from 2 months to over 3 years before they were corrected. We will review IRS's corrective actions during our fiscal year 2010 audit. ID no.: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS established a Cost Users Group and developed a regular meeting schedule. The purpose of the group is to identify programs, underlying activities, and outputs and services for which cost information would be beneficial. The group formalized the cost accounting process for each business unit, defines the roles and responsibilities of the CFO and business units, and determines what cost information would be useful and the means of developing and reporting this information for existing programs and new programs as they are initiated. They share cost accounting information, leverage best practices between the business units, and achieve standardization and consistency. Work is formalized and documented through agenda items and minutes. The ACFO for Internal Financial Management also documented and formalized the cost accounting policy and process, including the roles and responsibilities of the CFO, business units, and Cost Users Group in the new IRM 1.32.3, Managerial Cost Accounting which was published on July 13, 2009; Status per GAO: Open. As IRS notes, the IRM section that formalized IRS's Managerial Cost Accounting Policy established the Cost Users Group to share cost accounting information and to identify programs for which cost information would be beneficial, and the IRM section defined the roles and responsibilities of the CFO and IRS's business units in the process. However, IRS has not formally designated in writing the membership of the Cost Users Group. The group's meetings, as reported in its minutes, have not included discussions of which IRS programs and activities would benefit from full cost information. The minutes do not indicate that the group has developed a formal process whereby the group's determinations are communicated to upper management and adopted formally by IRS. We will continue to review IRS's progress in addressing this recommendation during our fiscal year 2010 audit. ID no.: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed, and they should include both personnel costs based on time spent on specific activities as well as all associated non-personnel costs and be drawn from or reconcilable to IRS's financial accounting system. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. IRS continues to develop cost-benefit analysis as requested by the business units to enhance program evaluation and decision making; Status per GAO: Open. As IRS noted, it continues to develop full cost- benefit data for its programs and activities. However, the ad hoc process of reacting to the request from business units has not resulted in full cost and benefit data on a comprehensive set of programs and activities for which IRS regularly updates and makes readily accessible to program managers. We will continue to review IRS's progress in addressing this recommendation during our fiscal year 2010 audit. ID no.: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009); Status per IRS: Closed. The IRS improved the analytical tools it uses to inform its resource decisions for major enforcement programs. The IRS already uses cost-benefit analysis, return on investment, evaluation of possible future scenarios, and enterprise risk management techniques for a wide range of resource-allocations decisions, such as service and enforcement initiatives included in the President's Budget. It is important to understand that return on investment is but one tool that can be utilized to improve resource- allocation decision making. Currently, the IRS uses a broader set of tools, such as cost/benefit analysis that incorporates a wide range of tangible and intangible costs and benefits (such as equitable coverage rates for different groups of taxpayers, enhancing respect for the law, and ensuring that disadvantaged populations of taxpayers receive adequate levels of service). It is not prudent to rely exclusively on return on investment as the sole determinant of resource allocation; Status per GAO: Open. Although IRS began using projected cost-benefit analyses and projections as part of its support for future enforcement initiatives in its annual budget submissions, it has not developed outcome-oriented performance measures and related goals to measure the effectiveness of its existing programs. We recognize that IRS must take into consideration coverage and equitable taxpayer treatment when making decisions, and we have not advocated that IRS use cost/benefit analysis as the sole measure of effectiveness. However, measuring the cost-benefit--return on investment--of IRS's enforcement programs and activities is an important element in measuring their effectiveness. During fiscal year 2009, IRS developed data for some of its enforcement programs that could be, but has not been, used to develop performance metrics and related goals. We will continue to review and monitor IRS's progress in addressing this recommendation during our fiscal year 2010 audit. ID no.: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in CDDB resulted in misclassifications of account balances which, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-02; Recommendation: Research and implement programming changes to allow CDDB to more accurately classify such accounts among the three categories of unpaid tax assessments. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that affect the financial reporting of unpaid tax assessments. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to TFRP payments processed through the ATFR system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-06; Recommendation: Formalize and implement the quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews so that specific factors causing the errors are identified. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of TFRP payment transactions identified through the analyses of the quarterly review results. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-09; Recommendation: Revise the existing methodology for extracting the pre- posted revenue component of the comparison to ensure that nontax revenues and tax revenue transactions already posted to the master files are properly excluded. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-10; Recommendation: Update the desk procedures governing the comparison of general ledger tax revenue receipts to the master file to ensure that the procedures reflect the current process and controls. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-11; Recommendation: Revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-12; Recommendation: Revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, July 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-13; Recommendation: Revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-14; Recommendation: Establish controls over the cycle run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-15; Recommendation: Revise the IRM to require CIO to promptly provide service center campuses an acknowledgment of receipt for each Form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-16; Recommendation: Revise the IRM to require service center campuses to verify that an acknowledgment of receipt has been received from CIO for 100 percent of the Form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-17; Recommendation: Revise the IRM to require service center campuses to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-21; Recommendation: Review the audit management checklist for clarity and revise the assessment questions as appropriate. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June, 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-22; Recommendation: Issue written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-23; Recommendation: Provide training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-24; Recommendation: Establish and document the minimum frequency for how often the audit management checklist should be completed at each service center campus and field office. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-25; Recommendation: Establish policies requiring documented managerial reviews of completed audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-26; Recommendation: Review the TAC Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-27; Recommendation: Provide training to TAC group managers to assist with their understanding of the TSRRD review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-28; Recommendation: Establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the TSRRD for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all SCC Unit Security Representatives (USR) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-31; Recommendation: Update USR training manuals to ensure they reflect current security policies and procedures. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-32; Recommendation: Establish a process to periodically review and update USR training materials as appropriate. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-33; Recommendation: Establish procedures requiring HCO LEADS or their designees to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-34; Recommendation: Establish procedures requiring COs/COTRs to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods or services prior to entering acknowledgment of receipt and acceptance in WebRTS. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-35; Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS during final receipt and acceptance that the payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are deobligated in a timely manner. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-36; Recommendation: Reevaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that unliquidated obligations are reviewed sooner in order to detect and deobligate excess obligations in a timely manner. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-37; Recommendation: Provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper use of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments to prior- year obligation accounts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-38; Recommendation: Develop controls to improve the linked obligation transaction review process to detect and correct erroneous links between unrelated upward and downward adjustments to prior-year obligation transactions in a timely manner. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-39; Recommendation: Establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-40; Recommendation: Establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set-aside to asses IRS's progress toward complying with the requirement. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 10-41; Recommendation: Based on the results of its periodic assessments, take action to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set- aside requirement. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during future audits. Source: GAO and IRS. [End of table] [End of section] Appendix II: Open Recommendations Arranged by Material Weakness, Compliance, or Other Control Issue: For several years, we have reported material weaknesses, significant deficiencies, noncompliance with laws and regulations, and other control issues in our annual financial statement audits and related management reports.[Footnote 48] Appendix II provides summary information regarding the primary issue to which each open recommendation is most closely related. To compile this summary, we analyzed the nature of the open recommendations to relate them to the material weaknesses, compliance issue, and other control issues not associated with a material weakness identified as part of our financial statement audit. Unpaid Tax Assessments: The Internal Revenue Service (IRS) has serious internal control issues that affected its management of unpaid tax assessments. Specifically, IRS (1) reported balances for taxes receivable and other unpaid assessments that were not supported by its core general ledger system for tax administration, (2) lacked a subsidiary ledger for unpaid tax assessments that would allow it to produce accurate, useful, and timely information with which to manage and report externally, and (3) experienced errors and delays in recording taxpayer information, payments, and other activities. Table 13: Material Weakness: Controls over Unpaid Assessments: ID no.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term); Control activity: Management of human capital. ID no.: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in CDDB resulted in misclassifications of account balances which, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-02; Recommendation: Research and implement programming changes to allow CDDB to more accurately classify such accounts among the three categories of unpaid tax assessments. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to TFRP payments processed through the ATFR system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 10-06; Recommendation: Formalize and implement the quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements. (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews so that specific factors causing the errors are identified. (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of TFRP payment transactions identified through the analyses of the quarterly review results. (short-term); Control activity: Accurate and timely recording of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Information Security: Serious weaknesses in IRS's internal control over information security continue to jeopardize the confidentiality, availability, and integrity of information processed by IRS's key systems, increasing the risk of material misstatement for financial reporting. For example, IRS has not restricted users' ability to bypass application controls, removed separated employees' systems access in a timely manner, or restricted system access to only those who needed it. These unresolved weaknesses increase the risk that data processed by the agency's financial management systems are not reliable. Although IRS has made some progress in addressing previous weaknesses we identified in its information systems and physical security controls, as of March 2010, there were 88 open recommendations designed to help IRS improve its information systems security controls. Those recommendations are reported separately and are not included in this report primarily because of the sensitive nature of some of the issues.[Footnote 49] Release of Federal Tax Liens: IRS continues to be noncompliant with the laws and regulations governing the release of federal tax liens.[Footnote 50] IRS did not always release applicable federal tax liens within 30 days of tax liabilities being either paid off or abated, as required by the Internal Revenue Code (section 6325). The Internal Revenue Code grants IRS the power to file a lien against the property of any taxpayer who neglects or refuses to pay all assessed federal taxes. The lien serves to protect the interest of the federal government and as a public notice to current and potential creditors of the government's interest in the taxpayer's property. Table 14: Compliance with Laws and Regulations: Timely Release of Liens: ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Control Activity: Reviews by management at the functional or activity level. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Other Control Issues: The 70 recommendations listed below pertain to issues that do not rise individually or in the aggregate to the level of a material weakness or noncompliance with laws and regulations. However, these issues do represent weaknesses in various aspects of IRS's control environment that should be addressed. Table 15: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term); Control Activity: Segregation of duties. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term); Control Activity: Segregation of duties. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-05; Recommendation: Equip all Taxpayer Assistance Centers with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Control Activity: Management of human capital. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 08-13; Recommendation: Require including in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 (Recommendation for Juvenile Employment) by contacting the reference directly and documenting the details of this contact. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Control Activity: Proper execution of transactions and events. ID no.: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. (long-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station, and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. (short-term); Control Activity: Establishment and review of performance measures and indicators. ID no.: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed, and they should include both personnel costs based on time spent on specific activities as well as all associated nonpersonnel costs and be drawn from or reconcilable to IRS's financial accounting system. (long-term); Control Activity: Establishment and review of performance measures and indicators. ID no.: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term); Control Activity: Establishment and review of performance measures and indicators. ID no.: 10-09; Recommendation: Revise the existing methodology for extracting the preposted revenue component of the comparison to ensure that nontax revenues and tax revenue transactions already posted to the master files are properly excluded. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-10; Recommendation: Update the desk procedures governing comparison of the general ledger tax revenue receipts to the master files to ensure that the procedures reflect the current process and controls. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-11; Recommendation: Revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-12; Recommendation: Revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. (short-term); Control Activity: Segregation of duties. ID no.: 10-13; Recommendation: Revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. (short- term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-14; Recommendation: Establish controls over the cycle run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-15; Recommendation: Revise the IRM to require CIO to promptly provide service center campuses an acknowledgment of receipt for each Form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-16; Recommendation: Revise the IRM to require service center campuses to verify that an acknowledgment of receipt has been received from CIO for 100 percent of the Form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-17; Recommendation: Revise the IRM to require service center campuses to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 10-21; Recommendation: Review the audit management checklist for clarity and revise the assessment questions as appropriate. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-22; Recommendation: Issue written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-23; Recommendation: Provide training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately. (short-term); Control Activity: Management of human capital. ID no.: 10-24; Recommendation: Establish and document the minimum frequency for how often the audit management checklist should be completed at each service center campus and field office. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-25; Recommendation: Establish policies requiring documented managerial reviews of completed audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-26; Recommendation: Review the TAC Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. (short- term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-27; Recommendation: Provide training to TAC group managers to assist with their understanding of the TSRRD review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term); Control Activity: Management of human capital. ID no.: 10-28; Recommendation: Establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the TSRRD for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all SCC Unit Security Representatives (USR) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term); Control Activity: Management of human capital. ID no.: 10-31; Recommendation: Update USR training manuals to ensure they reflect current security policies and procedures. (short-term); Control Activity: Management of human capital. ID no.: 10-32; Recommendation: Establish a process to periodically review and update USR training materials as appropriate. (short-term); Control Activity: Management of human capital. ID no.: 10-33; Recommendation: Establish procedures requiring HCO LEADS or their designees to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 10-34; Recommendation: Establish procedures requiring COs/COTRs to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods or services prior to entering acknowledgment of receipt and acceptance in WebRTS. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-35; Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS during final receipt and acceptance that the payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are deobligated in a timely manner. (short- term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 10-36; Recommendation: Reevaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that unliquidated obligations are reviewed sooner in order to detect and deobligate excess obligations in a timely manner. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-37; Recommendation: Provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper use of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments to prior year obligation accounts. (short-term); Control Activity: Management of human capital. ID no.: 10-38; Recommendation: Develop controls to improve the linked obligation transaction review process to detect and correct erroneous links between unrelated upward and downward adjustments to prior-year obligation transactions in a timely manner. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-39; Recommendation: Establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 10-40; Recommendation: Establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set-aside to asses IRS's progress toward complying with the requirement. (short-term); Control Activity: Top level reviews of actual performance. ID no.: 10-41; Recommendation: Based on the results of its periodic assessments, take action to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set- aside requirement. (short-term); Control Activity: Accurate and timely recording of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] [End of section] Appendix III: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Washington, D.C. 20224: June 15, 2010: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft report titled, IRS: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GA0-10-597). As GAO noted in the report, IRS has made significant progress in improving its internal controls and financial management as evidenced by 10 consecutive years of clean audit opinions on its financial statements. We are pleased that you acknowledged our progress in addressing our financial management challenges and agreed to close 18 prior year financial management recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions or would like to discuss our response in further detail, please contact me or Alison Doone, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Douglas H. Shulman: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made major contributions to this report: William J. Cordrey, Assistant Director; Russell Brown; Ray B. Bush; Nina Crocker; Oliver Culley; Doreen Eng; Charles Fox; Valerie Freeman; Jamie Haynes; Ted Hu; Richard Larsen; Delores Lee; Julie Phillips; John Sawyer; Christopher Spain; Cynthia Teddleton; LaDonna Towler; and Gary Wiggins. [End of section] Footnotes: [1] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. [2] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. [3] Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. See 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA); see also, GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1, 1999), 4-5. The actions required by agencies and individual federal managers includes taking proactive measures to develop and implement appropriate, cost-effective internal control for results- oriented management; to assess the adequacy of internal control in federal programs and operations; to identify needed improvements; and to take corresponding corrective actions. [4] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176] (Washington, D.C.: Nov. 10, 2009). [5] An unpaid assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties, and interest that have not been collected or abated (a reduction in a tax assessment). [6] The term "outcome-oriented performance metrics," refers to the measurement of the end result of a work activity or series of activities, such as the taxes collected as a result of a tax assessment and the collection actions taken by IRS employees, such as telephone calls to tax debtors. [7] GAO, Information Security: IRS Needs to Continue to Address Significant Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 2010). [8] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], (Washington, D.C.: Nov. 1, 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. 3512 (c), (d). which is commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA). [9] See the CFO Act of 1990, Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990), codified in relevant part, as amended at 31 U.S.C. 3521 (g). [10] The circular requires agencies and individual federal managers to take systematic and proactive measures to (1) develop and implement appropriate, cost-effective internal control for results-oriented management; (2) assess the adequacy of internal control in federal programs and operations; (3) separately assess and document internal control over financial reporting consistent with the process defined in appendix A of the circular; (4) identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal control through management assurance statements. [11] [hyperlink, http://www.gao.gov/products/GAO-10-355]. [12] GAO, Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations, [hyperlink, http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28, 2010). [13] GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: Aug. 1, 2001). [14] FASAB, Statement of Federal Financial Concepts No. 1: Objectives of Federal Financial Reporting, version 8 (Washington, D.C.: June 30, 2009). [15] [hyperlink, http://www.gao.gov/products/GAO-10-565R]. [16] [hyperlink, http://www.gao.gov/products/GAO-10-355]. [17] [hyperlink, http://www.gao.gov/products/GAO-10-176]. [18] Unpaid assessments are unpaid taxes. For reporting purposes, federal accounting standards classify unpaid assessments into federal taxes receivables, compliance assessments, and write-offs. Federal taxes receivable are taxes due from taxpayers for which IRS can support the existence of a receivable through taxpayer agreement or a favorable court ruling. Compliance assessments are assessments where neither the taxpayer nor the court has affirmed that the amounts are owed. Write-offs represent unpaid tax assessments for which IRS does not expect further collection because of factors such as the taxpayer's death, bankruptcy, or insolvency. [19] [hyperlink, http://www.gao.gov/products/GAO-10-176]. [20] An "outcome" is a measure of the end result of a work activity or series of activities, such as the taxes collected, and is a measure of the results of providing outputs. [21] IRS's performance metrics are reported externally via its Management Discussion and Analysis section of its annual financial statements. See [hyperlink, http://www.gao.gov/products/GAO-10-176]. [22] An "output" measure is a measure of the quantity of services provided, such as the number of phone calls made to taxpayers in an effort to collect unpaid taxes. [23] IRS's measure of conviction efficiency rate is a partial exception in that it measures the total cost of its criminal investigations divided by the number of convictions. [24] See app. I, recommendation 09-16, in this report. [25] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request and Interim Performance Results of IRS's 2008 Tax Filing Season, [hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.: Mar. 13, 2008); and GAO, Internal Revenue Service: Review of the Fiscal Year 2010 Budget Request, [hyperlink, http://www.gao.gov/products/GAO-09-754] (Washington, D.C.: June 13, 2009). [26] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-08-166] (Washington, D.C.: Nov. 9, 2007); GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008); and GAO, Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 2009). [27] GAO, Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations, [hyperlink, http://www.gao.gov/products/GAO/AIMD-99-196] (Washington, D.C.: Aug. 9, 1999). [28] See [hyperlink, http://www.gao.gov/products/GAO-08-166], [hyperlink, http://www.gao.gov/products/GAO-09-119], and [hyperlink, http://www.gao.gov/products/GAO-09-513R]. [29] The "full cost" of a program or activities includes all of the direct costs, including personnel time charges, and indirect costs, such as the allocation of overhead costs, that are applicable to the program or activity. [30] An "activity" can be defined as a discrete action that IRS undertakes, such as when IRS matches a taxpayer's reported dividends on its tax return to the dividends reported to IRS by the taxpayer's financial institution to identify discrepancies. A "program" can be defined as a group of related activities, such as IRS's Automated Underreporter program in which IRS matches a taxpayer's various types of income--wages, dividends, interest, etc.--to identify discrepancies that, collectively, may indicate unpaid taxes. [31] IFS is IRS's administrative accounting system, which IRS uses to facilitate its core financial management activities, such as general ledger, budget formulation, and accounts payable and receivable. IFS includes a cost module that IRS uses to facilitate the recording of cost information, but the cost module is not fully integrated with IRS's workload management systems, which record employees' time spent on various programs and activities. In fiscal year 2008, IRS canceled plans to add a managerial cost accounting module to IFS that was intended to provide the capability to produce such full cost information at the program and activity levels. [32] FASAB, Statement of Federal Financial Concepts No. 1: Objectives of Federal Financial Reporting. [33] An "outcome" is a measure of the end result of a work activity or series of activities, such as the taxes collected and is a measure of the results of providing outputs. An "output" is a measure of the quantity of services provided, such as the number of phone calls made to taxpayers in an effort to collect unpaid taxes. [34] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government to perform certain financial services, including processing tax documents, depositing the receipts, and forwarding the documents and data to the IRS service center campuses that process tax returns and payments. [35] GAO, Internal Revenue Service: Status of Financial Audit and Related Financial Management Report Recommendations, [hyperlink, http://www.gao.gov/products/GAO-09-514] (Washington, D.C.: June 25, 2009). [36] [hyperlink, http://www.gao.gov/products/GAO-10-565R]. [37] We define short-term recommendations as those that we believed could be addressed within 2 years at the time we made the recommendation. We define long-term recommendations as those we expected to require 2 years or more to implement at the time we made the recommendation. [38] [hyperlink, http://www.gao.gov/products/GAO-10-355]. [39] [hyperlink, http://www.gao.gov/products/GAO-10-176]. [40] See [hyperlink, http://www.gao.gov/products/GAO-10-565R] and [hyperlink, http://www.gao.gov/products/GAO-09-513R] for our recommendations resulting from our fiscal years 2009 and 2008 audits. [41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [42] The number of recommendations cited in the earlier report section on "challenges in resolving other internal control issues" in which we discuss the open recommendations concerning safeguarding taxpayer receipts and information does not match the control activity information in the table 1 section on "safeguarding of assets and security activities." The recommendations concerning safeguarding of taxpayer receipts and information included in that table 1 section are limited to those that are directly related to such safeguarding, such as physical safeguards over the transportation of checks and tax returns. Other recommendations that are indirectly related to safeguarding taxpayer receipts and information, such as management oversight and the adequacy of policies and procedures, are included in the other two sections of table 1, "proper recording and documenting of transactions" and "effective management review and oversight." The 70 recommendations reported in the previous report section included both those directly and indirectly related to safeguarding taxpayer receipts and information. [43] The majority of federal tax payments are made for both businesses and individuals through the Electronic Federal Tax Payment System. [44] Lockbox banks operate under contract with the Department of the Treasury's Financial Management Service. The three lockbox banks perform processing functions in seven locations throughout the country. [45] Six of IRS's 10 service center campuses process tax returns and payments submitted by taxpayers. [46] IRS's 401 TACs are small field assistance units located in various cities and towns in every state, are part of IRS's Wage and Investment operating division, and are designated to serve taxpayers who choose to seek help from IRS in person. [47] IRS defines unprocessable items as any document, correspondence, or item that cannot be processed by the lockbox bank, such as unacceptable forms of payment--traveler's checks, gold coins, and other items of value that are easily negotiable. [48] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176] (Washington, D.C.: Nov. 10, 2009); and GAO, Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations, [hyperlink, http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28, 2010). [49] GAO, Information Security: IRS Needs to Continue to Address Significant Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 2010). [50] [hyperlink, http://www.gao.gov/products/GAO-10-176]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO‘s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO‘s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.