Management Report
Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations Gao ID: GAO-10-565R June 28, 2010The purpose of this report is to present internal control and compliance issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2009, for which we do not already have any recommendations outstanding. Although not all of these issues were discussed in our report on the results of our fiscal year 2009 financial statement audit, they all warrant IRS management's attention.
During our audit of IRS's fiscal year 2009 financial statements, we identified several internal control issues and a compliance issue not addressed by previous recommendations. These issues include the following: 1) IRS's reported balances for taxes receivable and other unpaid tax assessments were not supported by its core general ledger system for tax-administration-related transactions. 2) IRS did not always credit or accurately credit trust fund recovery penalty payments received from one taxpayer to all related taxpayers as required by the Internal Revenue Manual (IRM), resulting in errors in taxpayer accounts. 3) IRS's transaction file of "pre-posted" tax revenue, which was supposed to largely reconcile the difference between IRS's aggregate tax revenue receipts recorded in its general ledger and the detailed-level tax revenue receipts recorded in its master file, was not accurate. 4) IRS did not establish adequate internal controls over its complex process for allocating operation support costs to the programs reported on its statement of net cost. 5) IRS did not always review duplicate refund transcripts, which identify potentially duplicate or erroneous refunds, prior to issuing the refunds as required by the IRM. 6) IRS's service center campuses (SCCs) did not acknowledge the quantity of unprocessable items the lockbox banks shipped to them, even in cases where there were discrepancies between the quantity of unprocessable items the lockbox bank recorded on the transmittal form and the quantity that the SCC actually received. 7) IRS's SCC and field office physical security analysts did not always accurately complete audit management checklists used to assess the physical security and emergency preparedness controls in place at their sites. 8) IRS's taxpayer assistance center group managers did not always accurately assess the status of operational and security controls at their locations. 9) SCC and field office contractors who are provided routine, unescorted, unsupervised physical access to IRS facilities containing taxpayer receipts and information were not required to and did not receive annual security awareness training. 10) IRS's SCC unit security representatives, who are responsible for maintaining security over one of IRS's key tax processing systems, did not always receive or timely complete required initial and refresher training on carrying out their security responsibilities. 11) IRS's employees did not always complete annual mandatory briefing requirements in fiscal years 2008 and 2009. 12) IRS staff did not always confirm or obtain documentation of confirmation with the end user of a purchased product or service that the item was satisfactorily received before entering receipt and acceptance of the good/service into the procurement system. 13) IRS did not always timely deobligate excess obligated funds after the related goods or services were delivered and the remaining funds for those purchases were no longer needed. 14) IRS did not always ensure that upward and downward adjustments to prior-year obligation transactions were properly reported for financial statement reporting purposes. 15) IRS did not comply with requirements in its annual appropriations act. We are making 41 recommendations that, if effectively implemented, should address the internal control and compliance issues we identified. These recommendations are intended to bring IRS into conformance with its own policies, the Standards for Internal Control in the Federal Government, or both, as well as to help ensure IRS's compliance with its appropriations act requirements. We provided IRS with a draft of this report and obtained its written comments. In its comments, IRS agreed with all but three of our 41 recommendations and described actions it had taken, underway, or planned to take to address the control weaknesses described in this report.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Steven J. Sebastian Team: Government Accountability Office: Financial Management and Assurance Phone: (202) 512-9521GAO-10-565R, Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations
This is the accessible text file for GAO report number GAO-10-565R
entitled 'Management Report: Improvements Are Needed in IRS's Internal
Controls and Compliance with Laws and Regulations' which was released
on June 29, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO-10-565R:
United States Government Accountability Office:
Washington, DC 20548:
June 28, 2010:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Are Needed in IRS's Internal
Controls and Compliance with Laws and Regulations:
Dear Mr. Shulman:
In November 2009, we issued our report on the results of our audit of
the financial statements of the Internal Revenue Service (IRS) as of,
and for the fiscal years ending, September 30, 2009, and 2008, and on
the effectiveness of its internal controls as of September 30, 2009.
[Footnote 1] We also reported our conclusions on IRS's compliance with
selected provisions of laws and regulations and on whether IRS's
financial management systems substantially comply with the
requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA). In March 2010, we issued a report on information
security issues identified during our fiscal year 2009 audit, along
with associated recommendations.[Footnote 2]
The purpose of this report is to present internal control and
compliance issues identified during our audit of IRS's financial
statements as of, and for the fiscal year ending, September 30, 2009,
for which we do not already have any recommendations outstanding.
Although not all of these issues were discussed in our report on the
results of our fiscal year 2009 financial statement audit, they all
warrant IRS management's attention. This report provides 41
recommendations to address the internal control and compliance issues
we identified. We will issue a separate report on the status of IRS's
implementation of the recommendations from our prior IRS financial
audits and related financial management reports, as well as this one.
We conducted our audit in accordance with U.S. generally accepted
government auditing standards.
Results in Brief:
During our audit of IRS's fiscal year 2009 financial statements, we
identified several internal control issues and a compliance issue not
addressed by previous recommendations. These issues include the
following:
* IRS's reported balances for taxes receivable and other unpaid tax
assessments were not supported by its core general ledger system for
tax-administration-related transactions. We found certain systemic
limitations in its Custodial Detailed Data Base (CDDB) and other
control weaknesses that resulted in errors in taxpayer accounts that,
in turn, prevented IRS from using CDDB as its subsidiary ledger to
manage, and routinely and reliably report, its balance of unpaid tax
assessments.
* IRS did not always credit or accurately credit trust fund recovery
penalty payments received from one taxpayer to all related taxpayers
as required by the Internal Revenue Manual (IRM), resulting in errors
in taxpayer accounts. Although IRS automated this process, about half
of the penalty payments processed through its automated system still
require some error-prone, manual intervention. These errors occurred
because IRS staff did not receive sufficient training when IRS fully
implemented the automated system and their supervisors did not have
sufficient guidance to review these transactions for accuracy.
* IRS's transaction file of "pre-posted" tax revenue, which was
supposed to largely reconcile the difference between IRS's aggregate
tax revenue receipts recorded in its general ledger and the detailed-
level tax revenue receipts recorded in its master file,was not
accurate.[Footnote 3] This occurred because of errors in the
instructions provided to the programmers for extracting the pre-posted
tax revenue transactions and IRS's lack of updated desk procedures for
the comparison of its general ledger tax revenue collections to its
master files.
* IRS did not establish adequate internal controls over its complex
process for allocating operation support costs to the programs
reported on its statement of net cost. This occurred because IRS's
policies and procedures--including the IRM and the cost allocation
desk guide--do not require controls such as the segregation of duties
for the allocation tasks performed or documentation controls to help
reduce the risk of errors and omissions in the spreadsheet used to
track the allocation progress and status.
* IRS did not always review duplicate refund transcripts, which
identify potentially duplicate or erroneous refunds, prior to issuing
the refunds as required by the IRM. The service center campuses (SCC)
that generate the transcripts are required to transmit the data for
special cases, such as bankruptcy cases, to centralized units for
review. However, IRS did not have written IRM procedures requiring the
centralized units to acknowledge receipt of the transcripts and, thus,
to establish accountability for reviewing these cases. Consequently,
some cases were lost in transit and were not reviewed.
* IRS's SCCs did not acknowledge the quantity of unprocessable items--
e.g., unacceptable forms of payment such as traveler's checks, gold
coins, and other items of value--the lockbox banks shipped to them,
even in cases where there were discrepancies between the quantity of
unprocessable items the lockbox bank recorded on the transmittal form
and the quantity that the SCC actually received.
* IRS's SCC and field office physical security analysts did not always
accurately complete audit management checklists used to assess the
physical security and emergency preparedness controls in place at
their sites. Although IRS issued the checklists to help identify,
prevent, and reduce physical security weaknesses, several of the
questions on the checklist were unclear and guidance and training were
not provided to help ensure accurate completion of the checklists. In
addition, there was no requirement that managers or supervisors review
the responses prepared by the physical security analysts.
* IRS's taxpayer assistance center group managers did not always
accurately assess the status of operational and security controls at
their locations. We found that this was caused in part by ambiguities
in the assessment questions for which they were required to respond,
uncertainty as to the scope and intent of certain questions, a lack of
guidance and training for completing the assessments, and a lack of
managerial oversight and review of the group managers' assessment
responses.
* SCC and field office contractors who are provided routine,
unescorted, unsupervised physical access to IRS facilities containing
taxpayer receipts and information were not required to and did not
receive annual security awareness training.
* IRS's SCC unit security representatives, who are responsible for
maintaining security over one of IRS's key tax processing systems, did
not always receive or timely complete required initial and refresher
training on carrying out their security responsibilities. IRS policy
does not clearly designate one position or office with the oversight
and enforcement responsibility; consequently, oversight was not
effective in ensuring unit security representatives received or
received timely essential security training.
* IRS's employees did not always complete annual mandatory briefing
requirements in fiscal years 2008 and 2009. IRS relied on each of its
business units to establish their own policies to track and monitor
employees' compliance with the requirements and to follow up on those
that have not yet completed the required briefings. However, IRS did
not centrally review each business unit's process for tracking,
monitoring, and enforcing compliance or the results to ensure that
mandatory briefing requirements were met.
* IRS staff did not always confirm or obtain documentation of
confirmation with the end user of a purchased product or service that
the item was satisfactorily received before entering receipt and
acceptance of the good/service into the procurement system. This
confirmation is essential because often the end user (i.e., the person
requesting the good or service) is at a different geographic location
than the staff member responsible for entering receipt and acceptance
into the system. However, IRS's policy did not specifically instruct
staff who are responsible for entering receipt and acceptance to
obtain and retain written documentation from end users confirming that
a purchased product or service was received before entering receipt
and acceptance.
* IRS did not always timely deobligate excess obligated funds after
the related goods or services were delivered and the remaining funds
for those purchases were no longer needed. Although IRS performs
periodic reviews of aging unliquidated obligations to identify
potential funds for deobligation, the aging criteria for identifying
obligations to review was too narrow, thus limiting the effectiveness
of the reviews in ensuring that only valid obligations were reported
in IRS's general ledger and its financial statements.
* IRS did not always ensure that upward and downward adjustments to
prior-year obligation transactions were properly reported for
financial statement reporting purposes. To better identify and report
only valid upward adjustments and valid downward adjustments of prior-
year obligations--which are each reported on separate line items in
IRS's financial statements--IRS performs a monthly netting process to
offset transactions that are accounting corrections and not true
adjustments to obligations. However, IRS did not have an adequate
review process to identify erroneously linked transactions in the
accounting system that, consequently, were improperly netted.
* IRS did not comply with requirements in its annual appropriations
act. Although that act required IRS to set aside at least $7.487
billion for tax law enforcement and related support activities,
[Footnote 4] IRS fell short by about $74 million. IRS attributed the
cause to (1) delays in hiring staff for enforcement activities caused
by an almost 6-month delay in the enactment of IRS's fiscal year 2009
appropriations, and (2) increased funding for taxpayer services.
Together, these factors resulted in a greater portion of its
operations support costs (e.g., costs incurred for rent,
telecommunications, agencywide administration, and facilities
services) being allocated to its taxpayer services program and less to
its enforcement program than what it originally estimated. In
addition, IRS had about $71 million in fiscal year 2009 operations
support appropriations that were unobligated at fiscal year end. Even
if IRS could have allocated all of these unobligated operations
support funds to enforcement, this would only have helped to reduce,
but not eliminate, the shortfall.
These issues increase the risk that IRS may fail to prevent or
promptly detect and correct (1) errors in crediting taxpayer trust
fund recovery penalty payments; (2) errors that could adversely affect
the reliability of its financial statements; (3) duplicate or
erroneous refunds; (4) discrepancies in the transport of unprocessable
items; (5) security and control deficiencies at its SCCs and field
offices; (6) improper disclosure of taxpayer data; (7) premature
payments to vendors before confirming goods or services have been
received; and (8) excess unused obligations reported on the financial
statements. In addition, IRS is at increased risk of not complying
with requirements established in its annual appropriations act.
We are making 41 recommendations that, if effectively implemented,
should address the internal control and compliance issues we
identified. These recommendations are intended to bring IRS into
conformance with its own policies, the Standards for Internal Control
in the Federal Government,[Footnote 5] or both, as well as to help
ensure IRS's compliance with its appropriations act requirements.
We provided IRS with a draft of this report and obtained its written
comments. In its comments, IRS agreed with all but three of our 41
recommendations and described actions it had taken, underway, or
planned to take to address the control weaknesses described in this
report. IRS did not agree with the three recommendations we made to
address our finding that IRS did not comply with the legal
requirements in its annual appropriations act. In its comments, IRS
stated that it fully funded its tax law enforcement activities and met
the intent of the law, and it disputed other facts described in our
report's discussion of IRS's compliance with the appropriations act.
We do not concur with IRS's views on this matter and, as we discuss in
further detail at the end of that report section, we stand by the
information we are reporting.
At the end of our discussion of each of the issues in this report, we
have summarized IRS's related comments and provided our evaluation. We
have also reprinted IRS's comments in enclosure II.
Scope and Methodology:
This report addresses issues we identified during our audit of IRS's
fiscal years 2009 and 2008 financial statements. As part of our audit,
we tested IRS's internal controls over financial reporting and its
compliance with selected provisions of laws and regulations. We
designed our audit procedures to test relevant controls, including
those for proper authorization, execution, accounting, and reporting
of transactions. To assess internal controls related to safeguarding
taxpayer receipts and information, we visited three SCCs,[Footnote 6]
one consolidated campus,[Footnote 7] four lockbox banks,[Footnote 8]
nine taxpayer assistance centers (TAC),[Footnote 9] and eight field
office units.[Footnote 10] We conducted our fieldwork and related
follow up between January 2009 and May 2010. Further details on our
audit scope and methodology are included in enclosure I.
Unpaid Tax Assessments:
During our audit of IRS's fiscal year 2009 financial statements, we
continued to find that IRS's reported balances for taxes receivable
and other unpaid assessments were not supported by its core general
ledger system for tax-administration-related transactions because IRS
lacked a fully functioning subsidiary ledger for unpaid tax
assessments that would allow it to produce reliable, useful, and
timely information with which to manage and routinely report these
balances.
Unpaid assessments consist of taxes that IRS has recorded as due to
the government from taxpayers for which payment has not yet been
received.[Footnote 11] In accordance with federal accounting
standards, unpaid assessments are placed in one of the following three
categories:[Footnote 12]
* taxes receivable, which are amounts due from taxpayers for which IRS
can support the existence of a receivable through taxpayer agreement
(such as the filing of a tax return) or a court ruling favorable to
IRS;
* compliance assessments, for which neither the taxpayer nor the court
has affirmed that the amounts are owed, such as an assessment
resulting from an audit of the taxpayer; and:
* write-offs, which are any unpaid assessments for which IRS does not
expect further collections due to factors such as the taxpayer's
bankruptcy, insolvency, or death.
Of these three, only taxes receivable are reported on the principal
financial statements, with compliance assessments and write-offs
presented as supplemental information to the financial statements.
Therefore, it is essential for IRS to be able to accurately and
routinely classify its unpaid assessments into these three categories
in order to present reliable information in its financial statements
and to enable management to make informed business decisions based on
this complete and reliable information.
As we reported in prior years, IRS's balance for federal taxes
receivable,[Footnote 13] which comprised nearly 80 percent of IRS's
total assets as reported on its fiscal year 2009 balance sheet, was
not produced by its general ledger system for tax administration
activities, the Interim Revenue Accounting Control System (IRACS).
[Footnote 14] While IRS summarizes the detailed transaction
information from its master files on IRACS, neither the master files
nor IRACS were designed to classify and report unpaid assessments in
accordance with federal accounting standards.[Footnote 15] To
compensate for this, IRS for years has had to apply statistical
sampling and estimation techniques to data from its master files to
estimate the year-end balances of (1) taxes receivable in its
financial statements and required supplementary information, and (2)
compliance assessments and write-offs in its required supplementary
information.
To partially address this issue, we previously recommended that as
part of IRS's efforts to modernize its systems, it include plans to
develop a subsidiary ledger to accurately and promptly identify,
classify, track, and report all IRS unpaid assessments by amount and
taxpayer. We noted that this subsidiary ledger needed to have the
capability to distinguish unpaid assessments by category in order to
identify those assessments that represent taxes receivable versus
those that represent compliance assessments and write-offs.
Recognizing the seriousness of this deficiency, IRS began phasing in
the use of the Custodial Detailed Data Base (CDDB) in 2006.[Footnote
16] According to IRS, one key objective of CDDB is to serve as a
transaction-level subsidiary ledger for unpaid tax assessments by
linking and classifying taxpayer account information from IRS's master
files to IRACS, thus providing for transactional
traceability.[Footnote 17] In fiscal year 2008, IRS enhanced CDDB to
analyze the unpaid assessment balances, including related interest and
penalty accruals, from its master files and record the balances to its
general ledger by the various financial reporting categories (taxes
receivable, compliance assessments, and write-offs) on a weekly basis.
These enhancements established CDDB's capability to function as a
transaction-level subsidiary ledger for unpaid tax assessments.
However, IRS cannot yet use CDDB as its subsidiary ledger for
recording transaction-based tax debt information to its general ledger
in a manner that ensures reliable internal and external reporting.
While CDDB analyzes and classifies master file tax debt information
into the various financial reporting categories, the analysis and
classification contain material inaccuracies. For example, IRS itself
identified errors necessitating almost $8 billion in adjustments to
the 2009 fiscal year-end gross taxes receivable balance produced by
CDDB.
We identified several systemic limitations in the programs used by
CDDB that resulted in misclassifying tax debt accounts among the three
financial reporting categories. Specifically, we identified instances
in which CDDB was unable to correctly classify an account module
because IRS had not written sufficient details into the CDDB
classification program to allow it to sort through, identify, and
analyze all the relevant transaction-level information required for
proper classification.[Footnote 18] For example, when IRS records
multiple tax assessments on a single account module, CDDB is currently
unable to distinguish among and separately classify the various
balances. In one instance we identified, a taxpayer filed a tax return
but did not pay the entire amount of the tax liability reported on the
return, which resulted in the amount owed being classified as a tax
receivable.[Footnote 19] IRS later assessed additional taxes against
the taxpayer for the same tax period, but the taxpayer did not concur
with the additional tax assessment. Because there was no concurrence
by the taxpayer or a court ruling in favor of IRS for the additional
tax assessment, this assessment should not have been classified as a
taxes receivable; it should have been classified as a compliance
assessment. However, CDDB classified the entire outstanding balance as
taxes receivable because the taxpayer's master file account module
contained information that the taxpayer had filed a tax return.
In addition to CDDB's systemic limitations, IRS's management and
reporting of unpaid tax assessments also continued to be hindered by
control weaknesses that resulted in inaccurate tax records. During our
fiscal year 2009 audit, we again found errors in taxpayer records
resulting from IRS's not recording information accurately and timely.
Examples included IRS's failure to record the receipt of a taxpayer's
$3 million payment and, as discussed in the next section of this
report, IRS's failure to properly record trust fund recovery penalty
payments to all related taxpayer accounts.[Footnote 20] Such errors
directly affect the accuracy of the tax debt information being
classified by CDDB. Additionally, such errors can cause frustration to
taxpayers who either have already paid taxes owed or who owe
significantly lower amounts.
Internal control standards require that transactions and other
significant events be promptly recorded and properly classified to
maintain their relevance and value to management in controlling
operations and making decisions.[Footnote 21] The standards also
require that control activities ensure that all transactions are
completely and accurately recorded. Transactions and events are to be
properly classified in the summary records from which reports and
financial statements are prepared.
CDDB's systemic limitations and errors in taxpayer accounts resulted
in IRS having to make numerous adjustments as part of its compensating
manual process for estimating the balance of net taxes receivable and
other unpaid tax assessments. On the basis of a statistical projection
of these individual adjustments, IRS had to make almost $8 billion in
adjustments to the year-end balances of all three categories of unpaid
assessments generated by CDDB in order to produce reliable amounts for
external reporting on its balance sheet and required supplementary
information. IRS is aware of certain systemic limitations with CDDB,
and has already initiated research into enhancing the CDDB
classification programs to allow it to analyze some of the more
complex unpaid assessment accounts in order to more accurately
classify them for financial reporting purposes. Until IRS (1) improves
the capabilities of CDDB to analyze the more complex unpaid
assessments accounts and correctly classify them, and (2) addresses
the control weaknesses that result in errors in taxpayer accounts, the
unpaid assessment balances produced by CDDB, including taxes
receivables, will continue to be materially inaccurate. This prevents
IRS from using CDDB as a reliable subsidiary ledger to effectively
manage and routinely and reliably report its balance of unpaid tax
assessments, and constitutes a material weakness in IRS's management
of unpaid assessments.
Additionally, IRS must continue using its compensating statistical
estimation process to annually estimate the amount of taxes receivable
for financial reporting. Since the taxes receivable balance is
produced by this process rather than IRS's general ledger, there is no
transactional traceability from the amount of taxes receivable
reported on IRS's balance sheet, through the general ledger, back to
the underlying account records.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Review the results of IRS's unpaid assessments compensating
statistical estimation process to identify and document instances
where systemic limitations in CDDB resulted in misclassifications of
account balances which, in turn, resulted in inaccuracies in the
amounts of reported unpaid assessments.
* Research and implement programming changes to allow CDDB to more
accurately classify such accounts among the three categories of unpaid
tax assessments.
* Research and identify control weaknesses resulting in inaccuracies
or errors in taxpayer accounts that affect the financial reporting of
unpaid tax assessments.
* Once IRS identifies the control weaknesses that result in
inaccuracies or errors that affect the financial reporting of unpaid
tax assessments, implement control procedures to routinely prevent, or
to detect and correct, such errors.
IRS Comments and our Evaluation:
IRS agreed with our recommendations to enhance controls over the
classification and reporting of its unpaid tax assessments. IRS stated
that it has (1) identified programming changes to improve the business
rules used by CDDB to accurately classify unpaid tax assessments, (2)
identified and scheduled programming changes that would allow more
accurate classification of the three categories of unpaid tax
assessments, (3) identified and corrected misclassifications of
account balances during its review of sample cases each year, and (4)
reviewed IRM procedures to ensure controls are in place and are
followed. IRS also stated that it would continue to identify and
validate the completion of corrective actions. We will evaluate the
effectiveness of IRS's actions and monitor its efforts during our
audit of IRS's fiscal year 2010 financial statements and future audits.
Trust Fund Recovery Penalty Payments:
During our fiscal year 2009 audit, we found that IRS did not always
credit or accurately credit trust fund recovery penalty payments to
all related taxpayers. The Internal Revenue Code grants IRS the broad
authority to assess penalties against taxpayers for failing to pay
taxes owed or otherwise attempting to evade taxes.[Footnote 22]
Employers are required to withhold from their employees' salaries
amounts for individual federal income taxes and for Federal Insurance
Contribution Act (FICA) taxes, which include Social Security and
Hospital Insurance taxes. These withheld taxes are also referred to as
"trust fund taxes." Employers are also required to match the amounts
withheld from an employees' salary for Social Security and Hospital
Insurance taxes. Taken together, the amounts withheld from an
employee's salary for federal individual income and FICA taxes, along
with the employer's matching portion of the FICA taxes, comprise the
business's payroll taxes. When a business willfully fails to account
for or pay the taxes it is legally required to withhold from its
employees' wages, IRS will assess the outstanding payroll tax and
underpayment penalties against the business. To provide the IRS a
secondary source of collection for withheld taxes not paid by a
business, IRS may impose a trust fund recovery penalty (TFRP) against
the responsible officers of the business specifically for the employee-
withholding component of the payroll tax liability.[Footnote 23]
Although IRS has the authority to assess the TFRP individually against
all responsible officers, the full amount of the TFRP assessment need
only be paid once. Thus, IRS may record tax assessments against each
of several individuals for the employee-withholding component of the
payroll tax liability of a given business. When any one of those
individuals or the business makes a payment towards this liability,
IRS policies require that the payment be properly credited (i.e., the
liability reduced) on all related taxpayer accounts associated with
the TFRP within 45 days of the payment posting to the payer's tax
account.[Footnote 24]
During our fiscal year 2009 financial audit, we tested a statistical
sample of 92 TFRP payments received by IRS during the first quarter of
fiscal year 2009. We found eight instances in which IRS either did not
record a reduction to the outstanding payroll tax liability on related
taxpayer accounts or did not record the correct amount. For example,
in one case, the officer of the business paid over $6,000 related to
an outstanding TFRP assessment. However, IRS had not credited the
business's payroll tax liability for the amount of the officer's
payment when we reviewed the business account 12 weeks after IRS
posted the payment to the officer's account. In another case, the
officer of a business paid over $95,000 related to an outstanding TFRP
assessment. IRS recorded a credit of about $70,000 towards the
remaining TFRP balance on his account, and a credit of about $25,000
towards interest accrued on the account. Although IRS should have
credited the business's account for the same amounts, it correctly
recorded about a $70,000 credit to the business's unpaid payroll tax
liability but failed to credit the business for about $25,000 to
reduce interest accrued. Based on our testing, we estimate that about
8.7 percent of TFRP payment transactions in the first 3 months of
fiscal year 2009 were not credited or accurately recorded on related
taxpayer accounts.[Footnote 25] Since the detailed information from
the taxpayer account records serves as the underlying basis for IRS's
financial statements, erroneous tax records could lead IRS to misstate
its unpaid assessments balances. Additionally, inaccurate tax records
could cause unnecessary burden to taxpayers.
Internal control standards require that transactions be promptly
recorded to maintain their relevance and value to management in
controlling operations and making decisions. Furthermore, internal
controls should help ensure that all transactions are completely and
accurately recorded.[Footnote 26] However, the failure to completely
and accurately reflect TFRP payments on the accounts of all related
taxpayers has been a long-standing internal control weakness at IRS
that we reported on following our fiscal year 1997 financial audit.
[Footnote 27] The control weakness in the TFRP process was due largely
to shortcomings with certain IRS computer systems, specifically its
master files. IRS records payroll tax assessments against businesses
in its business master file, and records TFRP assessments made against
responsible officers in its individual master file. However, IRS's
systems were unable to automatically link the account information
between the business and the responsible officers, as well as account
information between related officers assessed a TFRP for the same
business. Consequently, transactions recorded in one account that
should have been reflected in other related accounts were not
automatically recorded. If the business or one of its officers paid
some or all of the outstanding payroll tax or related TFRP, IRS's
systems were unable to automatically reflect the payment as a
reduction to the outstanding liability in the related accounts.
Following our fiscal year 1997 financial audit, we recommended that
IRS develop a subsidiary ledger for unpaid assessments that had the
capability to, among other things, ensure that all payments made were
properly credited to accounts of all individuals assessed for the
liability. We also recommended that IRS manually review and eliminate
duplicate or other assessments that had already been paid off to
ensure that all accounts related to a single assessment were
appropriately credited for payments received.
Since then, IRS has taken a number of corrective actions in response
to our recommendations. For example, IRS phased in the implementation
of the Automated Trust Fund Recovery (ATFR) system, which interfaces
with the business and individual master files to facilitate the
linking of payment information to related parties. One of the key
objectives of ATFR is to automatically record a reduction to the
outstanding liability of related taxpayer accounts when either the
business or any one of the responsible officers makes a payment. IRS
officials informed us that while IRS had implemented all phases of
ATFR, it can only automatically credit the outstanding liability of
related taxpayer accounts for about 54 percent of TFRP payments it
processes as of March 2010.[Footnote 28] The remaining 46 percent of
TFRP payments processed through ATFR require some form of manual
intervention in order to credit the outstanding liability on related
taxpayer accounts.
Additionally, in 2008 IRS completed special reviews of taxpayer
accounts with outstanding TFRP liabilities to identify and correct any
previously recorded TFRP payments that had not been accurately
credited to all related accounts. The primary focus of these reviews
was to correct existing errors in taxpayer accounts but, as shown by
our recent testing results, they did not significantly improve
controls that would prevent and detect errors as they occurred.
The errors we identified in 2009 were primarily caused by a lack of
sufficient training and guidance to employees when IRS fully
implemented the ATFR system. According to IRS officials, during ATFR's
development stage, only a small group of SCC employees were involved
with processing TFRP credits to related parties using the ATFR system.
When IRS fully implemented ATFR in March 2008, it significantly
expanded the number of ATFR users. However, IRS did not issue its ATFR
training manual to all affected employees until November 2008, and did
not provide formal training until after it had issued the training
manual. During the intervening period, IRS provided new users and
their immediate supervisors with on-the-job training. As a result of
our audit findings, IRS determined that its employees did not fully
understand how to properly use the ATFR system and interpret its
reports. For example, with more complex TFRP payment transactions, the
system will calculate how the payment might be applied to reduce the
liability of related taxpayer accounts and issue a transcript
reporting the proposed transaction for IRS employees to review. IRS
employees are required to research the related parties' accounts to
determine the accuracy of the proposed transaction. If their research
indicates that the proposed transaction is correct, they can
electronically submit the proposed transaction for further processing
and updating of taxpayer accounts. If their research indicates that
the proposed transaction is not correct, they can delete the proposed
transaction and enter a transaction to correctly apply the payment
credits to the related parties. However, IRS found that some employees
over-relied on the ATFR system's proposals. Specifically, when these
employees received the ATFR system reports, they accepted the proposed
transaction without verifying its accuracy. In other cases, IRS found
that employees deleted the proposed transaction and closed the case
without taking any action to reduce the liabilities of the related
party accounts. Such examples directly resulted in the inaccurate
recording or omission of payment transactions on related taxpayer
accounts.
Additionally, IRS did not detect these processing errors promptly
because supervisors did not have adequate guidance for reviewing TFRP
payment transactions processed through the new ATFR system. The
current IRM section covering TFRP payment processing under the new
ATFR system does not contain specific guidance on supervisory
responsibilities for reviewing credit transactions, such as
determining whether there should be associated credits resulting from
a payment transaction, whether the credits applied to related parties
were accurate, and which ATFR system reports would best facilitate
supervisory reviews.[Footnote 29] According to IRS officials,
supervisors have always performed reviews of TFRP payment processing.
However, the reviews were focused more on ensuring the timeliness of
processing the payments rather than the accuracy of the credit
transactions applied to all related parties.
In its attempt to address control weaknesses related to TFRP payment
processing, IRS recently implemented and is continuing to implement
additional corrective actions. Specifically, IRS officials stated that
they provided additional training to IRS staff with emphasis on how to
use and interpret ATFR reports and that new users receive more
supervision and one-on-one training by more experienced staff. IRS
officials also stated that in June 2009 the agency held a summit with
key IRS management and first-line employees where these officials
emphasized the importance of managerial reviews for accuracy as well
as timeliness when reviewing TFRP transactions processed by their
staff. Finally, IRS is currently in the process of implementing
quarterly reviews led by its Small Business/Self-Employed Division.
These quarterly reviews will statistically sample recent TFRP payment
transactions to determine the employees' compliance with TFRP
processing guidance. However, until it successfully implements
effective controls over TFRP payment processing, IRS will continue to
experience inaccuracies in the recording of credit information on
related taxpayer accounts or failures in crediting the related parties
altogether. This contributes to errors in taxpayer accounts, which is
a major component of the material weakness in IRS's management of its
unpaid assessments.[Footnote 30]
Recommendations:
To ensure that TFRP payments are always and accurately credited to all
related parties when received, we recommend that you direct the
appropriate IRS officials to do the following:
* Revise the IRM to provide specific requirements for supervisors to
review the accuracy of credit transactions related to TFRP payments
processed through the ATFR system. This guidance should provide
specific areas to review and list the ATFR system reports that can
facilitate supervisory reviews.
* Formalize and implement the quarterly reviews of TFRP payment
transactions to monitor compliance with IRM requirements.
* Develop procedures to analyze the results of the quarterly reviews
so that specific factors causing the errors are identified.
* Develop procedures to address the factors causing errors in the
processing of TFRP payment transactions identified through the
analyses of the quarterly review results.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it updated the IRM
in May 2010 to include supervisory reviews of the accuracy and
timeliness of credit transactions related to TFRP payments processed
through ATFR and identified areas and system reports for review. IRS
also stated that it commenced quarterly quality reviews in April 2010
that included analysis of findings and implementation of corrective
actions to address identified deficiencies. We will verify the changes
to the IRM and evaluate the effectiveness of IRS's efforts during our
audit of IRS's fiscal year 2010 financial statements.
Tax Revenue Comparisons and Reconciliations:
During our fiscal year 2009 financial audit, we found that a component
of IRS's comparison of its general ledger tax revenue receipts to
detailed transaction support in its master files was not accurate. IRS
records and summarizes tax revenue transactions in two distinct paths.
The general ledger is used to record and summarize tax revenue
receipts by tax class and tax year, and is updated daily based on
deposit activity; in contrast, the master files are used to record
detailed transaction activity in each taxpayer's account, and are
generally updated weekly. IRS performs a comparison between its
general ledger and the master files to (1) help compensate for its
lack of a subsidiary ledger which would normally contain the
underlying detailed records that support the general ledger, (2)
ensure that the two independent systems are materially reliable for
both internal and external reporting purposes, and (3) account for
expected timing differences between the general ledger postings and
the master files. However, we found that the pre-posted revenue
component of the comparison, which is a reconciling item intended to
represent tax revenue transactions that have been recorded in the
general ledger but not yet posted to a taxpayer's account on the
master files, improperly included (1) exchange non-tax revenue such as
reimbursements and user fees, which are accounted for separately from
tax revenues, (2) tax revenue collected by IRS that had already been
posted to the master files, and (3) misdirected receipts that were
sent electronically to IRS, but were not tax revenue collections.
IRS's fiscal year 2009 comparison of its general ledger revenue
receipts to its master files identified that it recorded $6.2 billion
more in receipts in the general ledger than the master files. IRS
asserted that approximately $5.1 billion of the $6.2 billion variance
consisted of pre-posted tax revenue. However, during our testing of a
statistical sample of 59 transactions from the pre-posted revenue
file, we found that 20 transactions were (1) non-tax revenue
transactions, or (2) tax revenue transactions that had already been
posted to the master files. Based on our testing, we estimate that
33.9 percent of the transactions in the pre-posted revenue file IRS
provided were not in fact pre-posted revenue.[Footnote 31]
Accordingly, we identified the $5.1 billion as an unexplained variance
and were unable to rely on IRS's assertion that the transactions in
the pre-posted file represented pre-posted tax revenue. Based on the
materiality threshold established for the audit, the variance was not
considered material to IRS's statement of custodial activity, but it
nonetheless pointed to a breakdown in controls.
In following up on these exceptions, we found that IRS officials
responsible for the comparison did not establish the appropriate
controls to ensure that the pre-posted transactions consisted of only
tax revenue transactions that were posted in the general ledger but
not yet posted in the master files. Specifically, the methodology
these officials provided to IRS's computer programmers to create the
pre-posted file did not appropriately include provisions for (1)
eliminating both exchange non-tax revenue and tax revenue that had
already been posted to the master files, and (2) verifying that those
transactions were properly eliminated. Also, we found that the desk
procedures used to outline the controls in IRS's comparison of its
general ledger revenue receipts to its master files had not been
updated since November 2001. As a result, these procedures did not
document the controls or include detailed instructions addressing the
most recent additions to the comparison process, such as the use of
CDDB. For example, fiscal year 2009 marked the first year that IRS
used CDDB to support the variance analysis of its comparison of
general ledger tax revenue receipts to its master files, yet the desk
procedures used to perform the comparison did not document the
methodology for or mention the use of CDDB as part of the variance
analysis.
Internal control standards state that control activities, including
comparisons and reconciliations, must be clearly documented,
periodically updated, and readily available for examination.[Footnote
32] Control activities are an integral part of an entity's planning,
implementing, reviewing, and accountability for stewardship of
government resources and achieving effective results. However, to be
effective, the information upon which comparisons are based must be
reliable. Since the pre-posted file is a key reconciling component of
the comparison, the data it contains must be sufficiently reliable in
order to ensure that the general ledger tax revenue receipts and the
tax receipt information in the master files materially reconcile.
IRS's inability to rely on the pre-posted file as a proper reconciling
component of the comparison and the lack of updated documented
procedures over the comparison process increase the risk that errors
in the general ledger, the master files, or both, may not be
identified and appropriately resolved.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Revise the existing methodology for extracting the pre-posted
revenue component of the comparison to ensure that non-tax revenues
and tax revenue transactions already posted to the master files are
properly excluded.
* Update the desk procedures governing the comparison of general
ledger tax revenue receipts to the master files to ensure that the
procedures reflect the current process and controls.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it (1) revised the
pre-posted extraction methodology in May 2010 to ensure the proper
exclusion of transactions such as non-tax revenue and (2) would update
the desk procedures for the general ledger to master file comparison
by December 31, 2010. We will review IRS's methodology and evaluate
the effectiveness of IRS's efforts during our audit of IRS's fiscal
year 2010 financial statements and future audits.
Cost Allocation Processing:
During our fiscal year 2009 financial audit, we found that IRS did not
establish adequate internal controls over its process used to allocate
operation support costs to programs reported on its statement of net
cost. The statement of net cost, one of the basic federal financial
statements, is designed to show the net cost of operations for the
reporting entity as a whole, by major program.[Footnote 33] While some
costs--such as the salaries of staff that work directly for those
programs--are easily identified by program, many operation support
costs--such as rent and facilities costs, technology support, and
payroll operation costs--support multiple programs. Consequently, IRS
must properly allocate these costs among its programs in order to
report them on its statement of net cost. IRS uses a combination of
automated and manual processes monthly to collect and prepare cost
information, which is then allocated across IRS's cost centers through
the execution of over 600 manually initiated computerized commands, or
run cycles.[Footnote 34] The accurate allocation of costs is
dependent, in part, on the execution of each cycle in the correct
order, with the execution of each cycle reliant on the proper
execution of the previous cycle in order to yield the intended results.
Because of the complexity of the processes involved and the high
degree of manual intervention required, proper controls are necessary
to help ensure the reliability of the process and thus, the
reliability of the results reported in the financial statements.
However, in our review of IRS's controls over the allocation process,
we found the following.
* Inadequate documentation of controls. Internal control standards
state that internal control and all transactions and other significant
events need to be clearly documented and the documentation readily
available for examination. The documentation should appear in
management directives, administrative policies, or operating manuals.
[Footnote 35] However, IRS's cost allocation desk guide, which is used
by IRS's cost accountants to guide them through the allocation
process, did not list or describe all the steps required to perform
the allocations; did not identify files used, opened, or saved at each
step; did not consistently identify the source of input data; and did
not specify points in the process where reviews or accuracy
verifications by others were required.
* Lack of segregation of duties. Internal control standards state that
key duties and responsibilities need to be divided or segregated among
different people to reduce the risk of error.[Footnote 36] However,
the three IRS cost accountants, who are responsible for performing the
monthly cycle runs that allocate the costs, performed all of their
assigned processing steps--from validating cost allocation input data
to running assigned allocation cycles to evaluating the results of the
allocation cycle and documenting their activity--without the
participation or intervention of another accountant or a supervisor.
Consequently, there is an increased risk that an error made in one
allocation cycle--which could affect many subsequent cycles and yield
incorrect allocations--may not be detected.
* Inadequate documentation on the status of processing steps. Internal
control standards state that internal control activities should help
ensure that management's directives are carried out and are effective
and efficient in accomplishing the agency's controls objectives. These
include controls over information processing, such as accounting for
transactions in numerical sequence, and controls over the complete,
accurate, and prompt recording of all transactions and events.
Overall, control activities should help ensure that actions are taken
to address risks.[Footnote 37] The cycle run spreadsheet, a key
document used by the cost accountants to track the status of over 600
cycle runs as well as the performance of their over 100 manual
processing steps and the results, did not contain a field to uniquely
identify each row or provide a sort-order to help ensure steps were
maintained in sequential order, and was not consistently updated to
document the completion and results of the manual steps performed. In
addition, the accountants did not maintain one master version of the
spreadsheet, but rather duplicated it with each one updating their own
copy, then later transferring their updates to the master version.
This increases the risk of error or omission. In addition, each
month's cycle run spreadsheet was generated by taking the prior
month's spreadsheet and manually updating each of over 600 cells one
cell at a time to reflect the current month's data. This approach
greatly increases the risk of error should one or a few cells be
missed.
These control weaknesses occurred because IRS's policies--including
the IRM and the cost allocation desk guide--did not require controls
such as the segregation of duties for the tasks described above or
controls to help reduce the risk of errors and omissions in the cycle
run spreadsheet. By not requiring the proper documentation and
implementation of appropriate controls over the processing of cost
allocations, IRS is at increased risk of not detecting erroneous or
incomplete cost allocations. Consequently, we could not rely on IRS's
controls over its allocation process to ensure program costs were
reliably reported in its financial statements. Instead, IRS had to
perform a separate, labor-intensive manual allocation process to
provide support for the cost allocations that were ultimately
reflected on the statement of net cost. Although IRS was able to
satisfy us in the end that the amounts reported were reliable, it took
a significant investment of time and effort for IRS to perform this ad
hoc process and for us to review it. This may not have been necessary
had adequate controls been in place.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Revise the cost allocation desk guide to better document the cost
allocation process. This should include ensuring that all key
processing steps are included and identifying the key sources of input
data and the controls necessary to help ensure their reliability.
* Revise the IRM and cost allocation desk guide to require appropriate
segregation of duties within the cost allocation process.
* Revise the IRM and cost allocation desk guide to require timely,
documented supervisory reviews at key process points to help prevent
and detect cost allocation processing errors.
Establish controls over the cycle run spreadsheet to help minimize the
risk of error or omission. At a minimum, this should include assigning
a unique, sortable identifier to each row in the spreadsheet and
implementing controls to promptly and accurately record the status of
processing steps in a manner that ensures each cycle run is performed
and is performed in the proper sequence.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and has revised the cost
allocation desk guide to include key processing steps, key sources of
input data, and controls to ensure reliability, and established
procedures and controls over the cycle-run spreadsheet to minimize the
risk of error or omission. In addition, IRS stated that it will update
its IRM and cost allocation desk guide to require appropriate
segregation of duties and supervisory reviews by June 30, 2010. We
will verify the changes to the cost allocation desk guide and IRM and
evaluate the effectiveness of IRS's efforts during our audit of IRS's
fiscal year 2010 financial statements.
Duplicate/Erroneous Refunds Related to Bankruptcy Cases:
During our fiscal year 2009 financial statement audit, we found that
IRS did not always review duplicate refund (DUPREF) transcripts, which
identify potentially duplicate refunds, prior to issuing the refunds
as required by the IRM. This occurred because IRS did not have a
process in place to verify the receipt of pertinent taxpayer
information from the DUPREF transcripts that had been communicated to
the staff responsible for performing the required review. As a result,
the DUPREF transcripts were not all reviewed, thus increasing the risk
that actual duplicate or erroneous refunds may go undetected and be
inappropriately paid to taxpayers.
One of the primary tools used by IRS to identify potential duplicate
or erroneous refunds is the DUPREF transcript. The DUPREF transcript
is a report generated by a computer program that identifies instances
in which two or more refunds in amounts within $100 of each other are
scheduled to be disbursed and are posted to a taxpayer's account in
IRS's master files. The DUPREF transcript is generated 1 week before
the related refunds are scheduled to be disbursed. IRS requires its
staff to review 100 percent of the DUPREF transcripts to assess the
validity of the refunds listed. In most cases, the review is performed
by the SCC's Manual Refund Unit. However, in cases related to
taxpayers with a particular legal status, such as bankruptcy, special
handling is required. If a DUPREF transcript is related to a taxpayer
who has filed for bankruptcy, the Manual Refund Unit's standard
practice is to fax the pertinent taxpayer information from the DUPREF
transcripts on a 3210 transmittal form to IRS's Central Insolvency
Operation (CIO) so that CIO can perform the review. CIO then
determines if the refund is valid and if not, what steps should be
taken to prevent disbursement.
During our audit, we found that CIO did not always receive the
information for the DUPREF transcripts related to bankruptcy cases
that had been provided by the SCC. At one SCC we visited, IRS
officials informed us that they had faxed to CIO information related
to 33 DUPREF transcripts involving taxpayers in bankruptcy status.
However, during our subsequent visit to CIO, we found that either
through omission or misplacement of the transmittals, CIO only
received information for 26 of the 33 DUPREF cases sent to it by the
SCC. Until we brought this matter to their attention, neither CIO nor
the originating SCC was aware of the discrepancy. As a result, the 7
DUPREF transcripts that were not received by CIO had not been
investigated to determine whether they were valid refund transactions.
The IRM requires the review of DUPREF transcripts to minimize the risk
of disbursing potentially duplicate or erroneous refunds.[Footnote 38]
Although officials at the SCC we visited informed us there is a
standard practice followed by the Manual Refund Unit to communicate
and confirm to CIO the pertinent taxpayer information taken from the
DUPREF transcripts, we found that the practice was not consistently
followed. Additionally, there is no specific IRM requirement that CIO
acknowledge receipt of the Form 3210 transmittal received from the
SCCs or for the SCCs to verify that all of the transmittals they sent
were received by CIO. Not reviewing the DUPREF transcripts increases
the risk that duplicate or erroneous refunds will not be detected in
time to prevent them from being issued or to permit pursuit of
effective corrective action, as appropriate.
Recommendations:
We recommend that you direct the appropriate IRS officials to revise
the IRM to require:
* CIO to promptly provide service center campuses an acknowledgment of
receipt for each Form 3210 transmittal related to a duplicate refund
transcript sent to them by a service center campus for review,
* service center campuses to verify that an acknowledgment of receipt
has been received from CIO for 100 percent of the Form 3210
transmittals related to duplicate refund transcripts they have
forwarded to CIO for review, and:
* service center campuses to resolve any instances in which an
acknowledgment of receipt for a Form 3210 transmittal related to
duplicate refund transcripts is not received.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it would update
the IRM (1) by December 31, 2010, to require acknowledgment of
duplicate refund transcripts to the issuer, (2) by January 31, 2011,
to require service center verification of duplicate refund transcript
acknowledgments received from CIO, and (3) by January 31, 2011, to
include procedures for follow-up and resolution of non-receipt of
acknowledgment of duplicate refund transcripts from CIO. We will
verify the changes to the IRM and evaluate the effectiveness of IRS's
efforts during future audits.
Lockbox Bank Transmittals:
During our fiscal year 2009 financial audit, we found that the
quantity of the unprocessable items with receipts shipped from lockbox
banks differed from what the SCCs actually received. IRS defines
unprocessable items as any document, correspondence, or item that
cannot be processed by the lockbox bank. For example, unprocessable
items with receipts can include any tax return or document with
unacceptable forms of payment such as traveler's checks, gold coins,
and other items of value that are easily negotiable. Lockbox banks
complete a transmittal form for the daily shipment of unprocessable
items with receipts sent to SCCs for further processing. This form
provides an inventory of the items and quantities in the shipment.
However, we observed the shipping and receiving of these packages and
noted that two SCCs we visited were not sending acknowledgment of the
items received to the lockbox banks, including instances when there
were discrepancies between the quantity of unprocessable items the
lockbox bank recorded on the transmittal form and the quantity of
unprocessable items the SCC actually received. Because these may
contain valuable items or sensitive information, it is important that
they be carefully tracked to ensure that all of the items shipped were
actually received by the recipient.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, ensure that
ongoing monitoring occurs in the course of normal operations, and
communicate deficiencies found during monitoring to appropriate levels
of management.[Footnote 39] Additionally, the IRM requires IRS to
establish a system to track and monitor all shipments of taxpayer
receipts and information, which includes unprocessable items with
receipts, to ensure accountability for and receipt of each shipment.
However, we found that IRS has not established specific requirements
for (1) acknowledging unprocessable items with receipts received from
lockbox banks, (2) tracking SCC acknowledgments, and (3) monitoring
the process used to track and acknowledge transmittals of
unprocessable items with receipts, including the timely detection and
communication of discrepancies. This increases the risk of error and
fraud and, therefore, the potential for loss, theft, and misuse of
taxpayer receipts and information.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Require service center campuses to acknowledge unprocessable items
with receipts received from lockbox banks.
* Establish procedures to track service center campus acknowledgments
of unprocessable items with receipts.
* Establish procedures to monitor the process used by service center
campuses and lockbox banks to acknowledge and track transmittals of
unprocessable items with receipts. These procedures should include
monitoring discrepancies and instituting appropriate corrective
actions as needed.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it would implement
procedures by December 31, 2010, to (1) revise the lockbox document
transmittal form and draft instructions to include acknowledgment from
the service center campus, (2) conduct training and instructions on
this process, and (3) update the lockbox data collection instrument to
include tracking and monitoring adherence to, and implementation of,
corrective actions. We will review IRS's implementation of its new
procedures and monitor their effectiveness during future audits.
Security Reviews at Service Center Campuses and Field Offices:
During our fiscal year 2009 financial audit, we found that physical
security analysts at the SCC and field office locations we visited did
not always accurately assess the physical security and emergency
preparedness controls in place. We previously recommended that IRS
improve its internal controls related to physical security at its
processing facilities and field offices to include (1) performing and
documenting the testing of its alarms, (2) maintaining documentation
on contractor background investigations to ensure that background
investigations are completed, (3) improving surveillance camera
coverage of the perimeter and fence line at SCCs, and (4) conducting
periodic reviews of the Emergency Signal History Reports and emergency
contact lists to ensure that appropriate individuals are contacted
during emergencies.[Footnote 40] One of the tools that IRS developed
to address our recommendations was the Physical Security and Emergency
Preparedness audit management checklist. IRS physical security
analysts at SCCs and field offices are responsible for completing the
checklist, which includes steps to test controls for limiting and
controlling building access, review security guards' training records
and performance requirements, and validate that surveillance cameras
and other related equipment are properly operating.
During our audit, we reviewed completed checklists for two SCCs and
nine field offices we visited and found that the information on five
of the completed checklists did not correspond to our own observations
and test results. For example, at three field offices, the completed
checklists indicated that surveillance cameras were not used or
applicable for those locations. However, based upon our physical
observations and inquiries we found that surveillance cameras were
used at all three of these locations. Also, at one SCC and two field
offices we visited, the physical security analysts asserted on the
checklists that they had performed the required quarterly (1) reviews
of the duress alarm emergency contact list provided to the central
monitoring station and (2) tests of alarms at the SCC. However, after
further discussion and review of documentation provided by the
physical security analysts, we found that these reviews had not been
performed. In one instance, the alarms had not been tested in nearly a
year.
Internal control standards require physical controls to limit access
to vulnerable assets and require that access to resources and records,
such as IRS receipts and taxpayer information, be limited to
authorized individuals to reduce the risk of unauthorized use or loss
to the government.[Footnote 41] The standards further state that
control evaluations, such as reviews of control design and tests of
internal control, are useful because they focus directly on the
controls' effectiveness at a specific time. These evaluations should
be accurately and promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions.
Deficiencies found during such evaluations should be communicated to
individuals at least one level of management above the individual
performing the evaluation. However, by entering inaccurate information
on the checklists regarding the status of controls, physical security
analysts failed to provide management with reliable information needed
to assess the effectiveness of physical security controls at these
locations. In particular, misrepresenting or overstating the adequacy
of physical security controls increases the risk that IRS management
will not timely detect control deficiencies and thus may fail to
adequately restrict access to taxpayer receipts and information.
Although IRS issued the checklist to assist with the identification,
prevention, and reduction of physical security weaknesses, we found,
based on discussions with physical security analysts and our own
observations, that several questions in the checklist were unclear and
that no detailed guidance or training was provided to assist in
completing the checklist questions. For example, the checklist is used
to assess physical security controls at all IRS facilities, including
SCCs, computing processing centers, and field offices, and certain
questions on the checklist are specific to a particular type of
facility. However, during the discussions with the physical security
analysts, we found that they were unable to clearly discern which
questions were relevant to a specific facility. We also found that
several physical security analysts were unsure how to adequately
assess or perform certain security reviews on the checklist, such as
verifying that all duress alarms are functioning properly. These
analysts were unsure because they were not trained on the various
components and structure of the security system. As a result of these
issues, the analysts were unsure how to properly assess the respective
physical security controls. In addition, there were no instructions
(1) informing the physical security analysts how often the checklists
should be completed at each IRS facility and (2) requiring supervisors
or managers to perform and document reviews of the checklist to
validate the physical security analysts' responses.
By not providing sufficient guidance and training for completing the
checklists, IRS cannot be assured that the checklists will assist in
accurately assessing the security posture of SCC and field office
locations, and identifying actual or potential physical security
issues so that corrective actions can be taken. This, in turn,
increases the risk that weaknesses in controls designed to secure and
safeguard vulnerable assets will go unnoticed, and IRS will not
promptly detect or prevent the theft or loss of, or unauthorized
access to, taxpayer receipts and information.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Review the audit management checklist for clarity and revise the
assessment questions as appropriate.
* Issue written guidance to accompany the audit management checklist
that explains the relevance of the questions and the methods that
should be used to assess and test the related controls.
* Provide training to physical security analysts responsible for
completing the audit management checklist to help ensure that
checklist questions are answered appropriately and accurately.
* Establish and document the minimum frequency for how often the audit
management checklist should be completed at each service center campus
and field office.
* Establish policies requiring documented managerial reviews of
completed audit management checklists. These reviews should document
(1) the time and date of the review, (2) the name of the manager
performing the review, (3) the supporting documentation reviewed, (4)
any problems identified with the responses on the checklists, and (5)
corrective actions to be taken.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it has
incorporated instructions for completing the audit management
checklist in its December 18, 2009 revision of the checklist and
documented the frequency for completing the checklist. In addition,
IRS stated that by July 30, 2010, it would modify its procedures for
documenting management review of the audit checklists to include the
time and date of the review, the name of the manager performing the
review, the supporting documentation reviewed, and any problems
identified. IRS stated it would also review the audit management
checklist questions for clarity by December 30, 2010, and provide
training on completing the checklist by December 31, 2010. We will
review IRS's changes and evaluate the effectiveness of IRS's efforts
during our audit of IRS's fiscal year 2010 financial statements and
future audits.
Oversight Controls at Taxpayer Assistance Centers:
During our fiscal year 2009 financial audit, we found that TAC group
managers did not always accurately assess the status of operational
and security controls at IRS's TACs. IRS's Field Assistance Office,
which oversees the TAC program, implemented the TAC Security and
Remittance Review Database (TSRRD) to monitor each TAC's adherence to
specific operational and security controls designed to collect,
process, and safeguard taxpayer receipts and information. TAC group
managers, who are responsible for managing the day-to-day operations
at these TACs, conduct quarterly reviews to assess the effectiveness
of these procedures and controls and enter the results of their
reviews into the TSRRD. Field Assistance headquarters management uses
the TSRRD to track the progress of corrective actions addressing
weaknesses identified during operational reviews and to monitor prior
audit findings.
During our fiscal year 2009 audit, we visited nine TACs and identified
several instances where responses entered by TAC group managers into
the TSRRD were inaccurate and, as a result, did not meet Field
Assistance's oversight objectives of monitoring operational and
security controls at these locations. Specifically, we found the
following.
* At two TACs we visited, the group managers' assessments of controls
over the transmission of taxpayer receipts and information to the SCC
were not always accurate. For example, at these TACs, the respective
group manager indicated in the TSRRD that TAC staff reconciled
payments to the document transmittal forms prior to mailing them to
the SCC.[Footnote 42] However, after further discussions and review of
the documentation provided by the group managers, we determined that
this was not being performed at these TAC locations.
* At two other TACs we visited, the group managers incorrectly
assessed controls for receiving and recording cash payments. These
locations were exempt from receiving cash payments; however, the TSRRD
indicated that appropriate controls were in place for receiving cash
payments and operating as designed.
* At one of the TACs we visited, the group manager indicated that
duress alarms at the location were routinely tested. However, after we
reviewed the alarm history report from the monitoring company, we
determined that this was not the case.
* At another TAC we visited, the group manager indicated that cleaning
contractors were only allowed access to the IRS space during operating
hours while other IRS employees were present. However, in conducting
our own observations, we found that these contractors were allowed
access during nonoperating hours.
In attempting to reconcile the differences between our own
observations and test procedures and the results of the group
managers' quarterly reviews as indicated in the TSRRD, we found that
several questions in the TSRRD were unclear and as a result, group
managers were unsure how to properly assess the related controls. We
asked several group managers to explain their interpretation of a few
questions included in the database and we received varying responses.
We also found that there was no policy in place requiring that
responses entered by the group managers be reviewed and validated by
territory managers or area directors before being forwarded to Field
Assistance office headquarters management.[Footnote 43] Because
several assessment questions in the TSRRD were unclear and IRS did not
provide sufficient guidance or training for completing the TSRRD or
require a supervisory review or validation of the information entered
into it, the information used by headquarters management to make
decisions and evaluate TAC adherence to control safeguards was not
accurate, and therefore, not effective for decision making.
Internal control standards require physical controls to limit access
to vulnerable assets and require that access to resources and records,
such as IRS receipts and taxpayer information, be limited to
authorized individuals to reduce the risk of unauthorized use or loss
to the government.[Footnote 44] The standards further state that
control evaluations, such as reviews of control design and tests of
internal control, are useful because they focus directly on the
controls' effectiveness at a specific time. These evaluations should
be accurate and promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions.
Deficiencies found during such evaluations should be communicated to
individuals at least one level of management above the individual
performing the evaluation. Inaccurate information on the status of
controls entered by TAC group managers into the TSRRD, combined with
the lack of a review and validation of this information, impaired IRS
management's ability to have reliable information concerning the
status of certain controls at these TAC locations. In particular,
overstating the adequacy of internal controls increases the risk that
IRS management will not promptly detect operational or control
deficiencies and thus may fail to implement adequate controls to
reduce the risk of theft or loss of, or unauthorized access to,
taxpayer receipts and information.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Review the TSRRD for clarity and revise review questions as
appropriate.
* Provide training to TAC group managers to assist with their
understanding of the TSRRD review questions and related objectives.
This training should be provided on an ongoing basis to account for
changes in TSRRD questions and for newly hired or appointed TAC group
managers.
* Establish policies that require territory managers or a manager at
least one level above the group manager to periodically review the
information entered into the TSRRD for accuracy and completeness prior
to the results being forwarded to Field Assistance Office headquarters
management. This review should be signed and documented, and include
(1) the time and date of the review, (2) the name of the manager
performing the review, (3) the task performed during the review, (4)
any problems or questions identified, and (5) planned corrective
actions.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it would, by
January 31, 2011, clarify and revise the TSRRD review questions and
add instructions to the IRM. In addition, IRS stated that by March 31,
2011, it would (1) conduct training and include TSRRD training in its
Filing Season Readiness Workshop DVD delivered to all group managers
annually and (2) update its policy to include instructions for the
Field Assistance territory manager, or a manager one level above, to
review the frontline manager's completed TSRRD responses and planned
corrective actions. We will evaluate the effectiveness of IRS's
efforts during future audits.
Security Awareness Training:
During our fiscal year 2009 financial audit, we found that IRS did not
require that all SCC and field office contractors who are provided
routine, unescorted, unsupervised physical access to IRS facilities
containing taxpayer receipts and information undergo annual security
awareness training. According to IRS, security awareness training is
an essential management tool used to educate its employees on (1)
authorized and unauthorized disclosures of taxpayer information, (2)
basic protection policies concerning taxpayer receipts and
information, and (3) federal penalties for not protecting this
information. However, we found that janitors and security guards were
all granted access to these facilities but were either not required to
meet or were exempt from annual security awareness training
requirements. During our discussions with IRS officials, we were
informed that only contractors involved in the development, operation,
or support of IRS's information systems are covered under the security
awareness training requirement. However, other contractors, such as
janitors and security guards, are allowed to freely enter areas
throughout the SCC, where taxpayer receipts and sensitive information
are processed and stored, to perform their contractual duties. Such
unfettered access without corresponding training on the
responsibilities associated with such access increases the risk of
unauthorized disclosures of taxpayer information and loss or theft of
taxpayer receipts.
Internal control standards require that agencies establish controls to
safeguard vulnerable assets and implement access restrictions to and
accountability for resources and records, including taxpayer receipts
and information.[Footnote 45] The IRM establishes requirements for
managers and employees to complete security awareness training in
order to ensure that employees are aware of proper safeguarding
controls over taxpayer receipts and information. However, the IRM does
not require that all contractors with physical access to IRS
facilities receive security awareness training, thus increasing the
vulnerability of taxpayer receipts and data to improper disclosure or
loss. The effectiveness of IRS's security awareness training program,
which is intended to help protect taxpayer information, is impaired if
contractors with physical access to taxpayer receipts and information
are not educated and briefed on these principles.
Recommendation:
We recommend that you direct the appropriate IRS officials to analyze
the various contractor access arrangements and establish a policy that
requires security awareness training for all IRS contractors who are
provided unescorted physical access to its facilities or taxpayer
receipts and information.
IRS Comments and our Evaluation:
IRS agreed with our recommendation and stated that it would develop a
policy requiring security awareness training for all IRS contractors
who are provided unescorted physical access to its facilities or
taxpayer receipts and information by June 30, 2011. We will verify
IRS's development and implementation of the new policy during future
audits.
Unit Security Representative Training:
During our fiscal year 2009 financial audit, we found that SCC Unit
Security Representatives (USR), who are responsible for system
security over one of IRS's key tax processing systems, did not always
receive or timely complete the required USR initial training and did
not always complete annual USR refresher training. USRs perform
important security duties for IRS's Integrated Data Retrieval System
(IDRS), which is one of the key systems IRS uses to process taxpayer
data,[Footnote 46] and the training covers how they should carry out
these duties in order to properly fulfill their security obligations.
For example, USRs are responsible for monitoring each IDRS user's
access codes, updating user profiles for changes in access rights,
issuing temporary passwords, and reviewing security reports and taking
appropriate action to address security weaknesses and breaches.
Therefore, it is essential that they be properly trained on how to
perform these critical responsibilities.
However, we reviewed the employee profiles of 10 USRs at one SCC and
found that none of the 10 had received initial training prior to
performing their duties. Moreover, only 5 of the 10 USRs had completed
annual refresher training as required by the IRM. We also reviewed
employee profiles of 10 USRs at a second SCC and found that 1 of the
10 did not complete required initial training prior to performing USR
duties. Additionally, we found the training materials used for USR
annual refresher training at the first SCC referenced obsolete
policies and procedures and thus, had not been updated to reflect
current requirements.
Internal control standards state that a key factor that affects the
control environment is management's commitment to competence.[Footnote
47] All personnel need to possess and maintain a level of competence
that allows them to effectively accomplish their assigned duties, as
well as understand the importance of developing and maintaining
effective internal control. Management needs to identify appropriate
knowledge and skills needed for various jobs and provide the staff
assigned to these positions the training necessary to enable them to
effectively fulfill their assigned responsibilities. The IRM requires
that USRs must complete initial USR training prior to performing their
duties and complete annual USR refresher training.[Footnote 48] It
also requires IDRS security officers to train and work with USRs to
maintain the desired level of IDRS security and conduct USR training
sessions at least annually.[Footnote 49]
The lack of initial training and incomplete annual refresher training
occurred at the first SCC because the IDRS Security Officer
responsible for providing USRs with training had not done so. There
were approximately 300 USRs at this SCC and according to the IDRS
Security Officer Assistant, none of them were provided initial
training because the IDRS Security Officer responsible for providing
the training had been too busy with other responsibilities. In
addition, the training manual used for the annual refresher training
was provided by Mission Assurance and Security Services and, even
though it contained obsolete information, was the most current version
available. At the second SCC, the IDRS Security Officer informed us
she had overlooked the USR who did not receive initial training prior
to performing USR duties. Although the IRM requires that Division
Commissioners, Chiefs, and the Taxpayer Advocate ensure that the USRs
complete the required USR initial and annual refresher training, the
requirement does not clearly designate an individual with the
oversight and enforcement responsibility.[Footnote 50] The lack of
required USR initial and annual refresher training for USR staff
performing critical IDRS security functions coupled with outdated
training materials increases the risk that USRs may not adequately
perform their security duties. This, in turn, increases the risk of
unauthorized access to the IDRS data.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following.
* Designate management responsibility and establish a process for
monitoring compliance with and enforcing the IRM requirement for all
USRs to complete (1) the required initial USR training prior to
assuming their responsibilities, and (2) annual refresher training
each year thereafter.
* Update USR training manuals to ensure they reflect current security
policies and procedures.
* Establish a process to periodically review and update training
materials as appropriate.
IRS Comments and our Evaluation:
IRS agreed with our recommendations to monitor and enforce compliance
with its USR training requirements and update training materials. IRS
stated that it (1) required all USRs and alternate USRs to take an
initial training class by May 31, 2010, (2) launched two new online
training courses to provide initial and annual refresher training to
all USRs, (3) would implement a report to monitor compliance with USR
training requirements by December 31, 2010, and (4) implemented an
annual review and update of the IDRS USR training material in December
2009 with another update planned by December 31, 2010. We will review
IRS's new training requirements and evaluate the effectiveness of
IRS's efforts during our audit of IRS's fiscal year 2010 financial
statements and future audits.
Annual Mandatory Briefings:
During our fiscal year 2009 financial audit, we found that IRS's
employees did not always complete their annual mandatory briefing
requirements in fiscal years 2008 and 2009.[Footnote 51] IRS's
learning and education policy requires all employees to complete
certain mandatory briefings each year in areas such as ethics and
information security.[Footnote 52] We reviewed the training records of
a non-statistical selection of 93 employees and found that 7 of the 93
employees did not complete all mandatory briefings in fiscal year 2008
and at least 1 of the 93 employees did not complete all of the
mandatory briefings required for fiscal year 2009. We were not able to
conclude on 7 of the 93 employees for fiscal year 2009 at the time of
our audit because they worked for business units that allowed their
employees up to 8 months after the end of the fiscal year to complete
the briefings.[Footnote 53]
Internal control standards require all personnel to possess and
maintain a level of competence that allows them to accomplish their
assigned duties, as well as understand the importance of developing
and implementing good internal control.[Footnote 54] This is one of
several factors that affect the control environment, which provides
discipline and structure, as well as the climate which influences the
quality of internal control. In addition, the standards state that
management should ensure that skill needs are continually assessed and
that the organization is able to obtain a workforce that has the
required skills that match those necessary to achieve organizational
goals. Training should be aimed at developing and retaining employee
skill levels to meet changing organizational needs.
The majority of IRS employees take the briefings online through its
Enterprise Learning Management System (ELMS).[Footnote 55] Each
business unit establishes its own process for ensuring that employees
receive mandatory briefings within required time frames. To help
monitor compliance with the briefing requirements, ELMS administrators
in each business unit generate a standard report listing the employees
who have not yet completed the mandatory briefings and follow their
business unit's procedures for documenting incomplete training. Each
business unit's manager is responsible for ensuring that business unit
employees complete the required briefings; however, they generally
leave it up to the individual supervisor to notify his or her
employees to complete the mandatory briefings by the cut-off date. The
Director of IRS's Human Capital Office, Leadership, Education and
Delivery Services (HCO LEADS) organization maintains and administers
policy and guidelines for servicewide learning and education, but does
not oversee or review each business unit's process or results to
ensure mandatory briefing requirements are met. When employees fail to
attend mandatory briefings, they may lack the necessary skills to
successfully perform their assigned duties.
Recommendation:
We recommend that you direct the appropriate IRS officials to
establish procedures requiring HCO LEADS or their designee to
periodically monitor each business unit's progress in complying with
mandatory briefing requirements.
IRS Comments and our Evaluation:
IRS agreed with our recommendation and stated that it would provide
each business unit with reports on the unit's progress in complying
with the mandatory briefings requirement. In addition, IRS stated that
by January 31, 2011, it will begin distributing quarterly summary
reports to heads of offices. We will evaluate the effectiveness of
IRS's efforts during our audit of IRS's fiscal year 2010 financial
statements and future audits.
Documentation of Receipt of Goods and Services:
During our fiscal year 2009 financial audit, we found that IRS staff
did not always confirm, or obtain documentation of confirmation, with
the end user of a purchased product or service that the item was
satisfactorily received before entering receipt and acceptance of the
good/service into the procurement system. This confirmation is
essential because in many instances, the end user of the product
(i.e., the requestor who physically receives the good or service) is
at a different geographic location than the staff member responsible
for entering receipt and acceptance into the system. As a result,
without following up with the end user, the staff cannot ensure that
the good or service met contractual requirements before authorizing
payment to the vendor.
All purchase requisitions that go through IRS's procurement department
are assigned to a contracting officer (CO).[Footnote 56] A contracting
officer may assign a contracting officer's technical representative
(COTR) to perform certain tasks, including maintaining documentation
of the receipt and acceptance (R&A) of purchased goods or services in
the Web Request Tracking System (WebRTS), IRS's procurement system.
[Footnote 57] Staff use this system to create, route, approve, track,
and fund requisitions, and record the receipt and acceptance of the
items purchased. Receipt signifies IRS's acknowledgment that supplies
were received or services were rendered, while acceptance signifies
that IRS assumes ownership of the supplies or approves of the services
rendered. Consequently, prior to entering R&A into WebRTS, the CO/COTR
is to ensure the good or service conforms to the contract
requirements. In addition, IRS's accounting technicians who process
payments rely on the assertion of the COs/COTRs that goods or services
have been received and accepted as a basis for authorizing payment.
However, we found that the CO/COTR did not always confirm or obtain
documentation of confirmation of receipt from the end user prior to
entering R&A in WebRTS. Specifically, we tested a statistical sample
of 116 nonpayroll expense transactions processed between October 1,
2008, and May 31, 2009, and found that for 5 of the 116
transactions,the COTRs could not provide documentation showing they
had confirmed that the end users received and accepted the goods or
services before the COTRs entered R&A into WebRTS.[Footnote 58] In 4
cases, the COTRs did not have any documentation from the end users
showing that they confirmed receipt of the goods or services with the
end users. In the fifth case, the COTR's documentation showed she did
not request confirmation of receipt from the end user until the day
after she had entered R&A into WebRTS.
IRS Policy and Procedures Memorandum No. 46.5 for Receipt, Quality
Assurance, and Acceptance states that receipt is defined as the
documentation of acknowledgment that supplies were received or
services were rendered. This policy also instructs the CO/COTR to
maintain documentation of receipt and to acknowledge receipt in
WebRTS. However, the policy does not specifically instruct the CO/COTR
to obtain and document confirmation from the end user that the good or
service was satisfactorily received before entering receipt and
acceptance in WebRTS.
Internal control standards require that agencies establish control
activities that ensure management's directives are enforced and
carried out.[Footnote 59] In addition, the standards require that
internal control and all transactions and other significant events be
clearly documented, the documentation be readily available for
examination, and all documentation and records be properly managed and
maintained. By not requiring the CO/COTR to obtain and document
confirmation that the end user actually received the good or service
before entering R&A, an individual may enter an invalid R&A into
WebRTS, which could result in an incorrectly recorded expense and the
issuance of invalid payments to contractors for goods or services that
were not received or did not fully conform to contractual requirements.
Recommendation:
We recommend that you direct the appropriate IRS officials to
establish procedures requiring COs/COTRs to obtain and retain written
documentation from end users confirming receipt and acceptability of
purchased goods or services prior to entering acknowledgment of
receipt and acceptance in WebRTS.
IRS Comments and our Evaluation:
IRS agreed with our recommendation and stated that it has updated its
receipt and acceptance handbook and procurement policies to include
the requirement to obtain and retain documentation acknowledging
receipt and acceptance of purchased goods and/or services before
entering the acknowledgment in WebRTS. In addition, IRS stated that it
reinforced this policy during its procurement and CFO customer
conferences in March and May 2010. We will evaluate the effectiveness
of IRS's efforts during our audit of IRS's fiscal year 2010 financial
statements.
Review of Obligations:
During our fiscal year 2009 financial audit, we found that IRS's
controls over the review of obligations did not always ensure the
timely deobligation or revision of excess obligations that were no
longer needed. Obligations are appropriated funds that have been
reserved to purchase specific goods or services specified in a legally
binding agreement, such as a contract or a purchase order. Most of
IRS's appropriated funds are available for obligation for a fixed
period of time and amount. Once obligated, the funds cannot be used to
fund the purchase of new goods or services unless the obligated funds
are deobligated from one purchase, reobligated to another, and still
within their valid time limits and other appropriations requirements.
[Footnote 60] For this reason, it is in IRS's best interest to
maximize the use of its appropriated funding by closely managing its
obligations to identify funds that are no longer needed under the
original obligation that can thus be used to fund other requirements
before such funding expires and is no longer available for new
obligations.
During our testing of undelivered orders and nonpayroll expenses, we
found one instance totaling nearly $141,000 and another instance
totaling over $62,000 in which IRS did not timely deobligate the
obligated funds, even though all items under the related contracts had
been delivered and the excess obligated funds were no longer needed.
In the first instance, IRS had contracted for temporary clerk services
through the end of January 2009. The actual cost of the services was
less than the funds obligated, resulting in a remaining obligated
balance after the contract period had been completed. IRS did not
identify the funds for deobligation until we informed IRS officials
approximately 7 months after the final R&A. In the second instance,
IRS had contracted for operations support services through December
2008. Final payment for services on this contract was made in February
2009; however, this obligation was not promptly deobligated because
the COTR did not mark in WebRTS during final R&A that the February
payment was the final payment under the contract. Marking this
transaction as the final payment would have indicated that excess
obligated funds should be deobligated. After we identified this open
obligation during our testing, IRS deobligated the funds. This
occurred approximately 6 months after the final payment had been made.
[Footnote 61]
If the excess obligated funds associated with these two instances had
not been deobligated, IRS would have overstated its "Obligations
Incurred" and "Obligated Balance" financial statement line items by
over $203,000 each. In addition, when excess obligated funds are not
deobligated in a timely manner, it can affect whether and how those
funds can subsequently be used. Appropriations are generally available
for incurring new obligations for a fixed period of time, usually 1 or
2 fiscal years.[Footnote 62] Once this period of availability expires,
the funds can only be used for a period of time to adjust previous
obligations--such as when the final bills on a contract obligated in a
prior year exceed the amount originally obligated--but cannot be used
on new obligations or purposes.[Footnote 63] For example, in the
instance related to the contract for operations support services
described above, the contract was funded by a 2-year appropriation
that expired on September 30, 2009. Although final payment was made on
the contract in February 2009, IRS did not deobligate the funds until
August 2009, after we identified the error and brought it to IRS's
attention. Had IRS not corrected the error before September 30, 2009,
it would have forfeited its ability to use the excess funds on any new
purchases.[Footnote 64]
To help facilitate the timely management of obligations, IRS performs
its Aging Unliquidated Obligation reviews, which are periodic reviews
of obligations that meet certain aging criteria.[Footnote 65] However,
during fiscal year 2009, these reviews were not fully effective in
timely detecting obligations requiring deobligation. Based on the
aging criteria for the periodic reviews, both instances we identified
would not have been selected for review until 300 days (about 10
months) after the last activity, which would have been in fiscal year
2010. Consequently, this review has limited effectiveness in assisting
IRS in timely identifying funds for deobligation and for use in
funding other valid agency needs. Additionally, this review has
limited effectiveness in helping to ensure that only valid obligations
are reported in IRS's general ledger and, ultimately, its financial
statements.
The IRM requires the timely management of obligations in order to
enable IRS to optimize its financial resources.[Footnote 66] Timely
deobligations of unneeded funds allow IRS to use those funds to pay
for other goods or services for which the appropriation is available
to fund, resulting in maximizing the use of the funds. Furthermore,
internal control standards require that transactions and other events
be accurately and promptly recorded to maintain their relevance and
value to management in controlling operations and making
decisions.[Footnote 67] As a result of these internal control
deficiencies, IRS may not be maximizing the use of its available funds
to meet its mission and is potentially reporting excess obligation
amounts in its general ledger accounts and financial statements.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following.
* Reiterate IRS's policy for staff to indicate in WebRTS during final
receipt and acceptance that the payment is a final payment to close
out a contract or purchase order to help ensure any remaining
obligated funds are deobligated in a timely manner.
* Reevaluate and, as necessary, revise the aging criteria for the
Aging Unliquidated Obligation reviews so that unliquidated obligations
are reviewed sooner in order to detect and deobligate excess
obligations in a timely manner.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it has revised the
aging criteria for the fiscal year 2010 Aging Unliquidated Obligation
reviews from 300 days to 240 days, and began issuing quarterly email
broadcasts to all WebRTS users in June 2010 to reinforce the use of
the receipt and acceptance final flag to ensure timely closure of
obligations. While decreasing to 240 days (about 8 months) is an
improvement, it is not clear whether this will alleviate the problem.
For example, the two transactions we identified had no activity for 6
and 7 months respectively, and thus would not have been subject to the
aging unliquidated obligation review had this been the criteria in
place at the time. We will evaluate the effectiveness of IRS's efforts
during our audit of IRS's fiscal year 2010 financial statements.
Recording of Upward and Downward Adjustments to Prior-Year Obligations:
During our fiscal year 2009 financial audit, we found that IRS did not
always ensure that upward and downward adjustments of prior-year
obligations were properly recorded for financial statement reporting
purposes.[Footnote 68]
To better identify and report only valid upward and downward
adjustments of prior-year obligations, IRS performs a monthly netting
process on all obligation transactions. The netting process should
combine or net transactions primarily with the same obligation number
and fund number to eliminate or offset transactions that are
accounting corrections and not true adjustments to
obligations.[Footnote 69] This netting process should result in a
group of transactions that represent only true upward and downward
adjustments of prior-year obligations that can be reported on IRS's
financial statements. It is important that all valid adjustments and
only valid adjustments of prior-year obligations remain after the
netting process because upward and downward adjustments are each
reported on different line items on the financial statements.
In our testing of a statistical sample of 16 downward adjustments as
of August 31, 2009, a valid upward adjustment totaling over $28,000
and a valid downward adjustment totaling over $1.4 million were
erroneously netted together and could have resulted in the
understatement of upward and downward adjustments of prior-years
obligation balances reported in the "Obligations Incurred" and
"Recoveries of Prior Years Obligations" line items in IRS's statement
of budgetary resources, one of the basic agency financial statements.
[Footnote 70] The error we found involved two valid (one upward and
one downward) adjustments with two different obligation numbers.
Normally, IRS's netting process would not combine two transactions
with different obligation numbers. However, these two transactions
were inappropriately netted because an IRS staff member had
erroneously linked the obligation numbers of the two transactions in
IRS's accounting system. After we brought this matter to its
attention, IRS corrected this error by removing an erroneous
obligation number link between the two transactions which caused the
improper netting activity. Once the erroneous link was removed, the
two valid transactions were reported correctly in the upward and
downward adjustments of prior-year obligation accounts.
IRS officials stated that it had two reports that are designed to
identify linked transactions for further review. However, after
further research, IRS determined that neither of these two reports was
designed to capture the type of erroneous manual link we identified.
IRS officials stated that they are currently developing a new control
with the ability to identify situations such as the one we identified
so they can be reviewed and corrected if necessary.
The IRM requires financial plan managers to make every effort to
ensure that data are accurately recorded.[Footnote 71] Furthermore,
internal control standards require that transactions and other events
be accurately and promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions.
[Footnote 72] Control activities also help to ensure that transactions
are completely and accurately recorded. Because IRS did not have
effective controls in place to ensure that the netting process was
properly executed or to review the netting process results for such
errors, the upward and downward adjustment balances would have been
misstated in the financial statements had we not identified and
brought the error to IRS's attention.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Provide technicians and supervisors who are responsible for
recording and reviewing obligation transactions with training on the
proper use of manually linked obligation transactions to reinforce
IRS's existing policy requiring that transactions be recorded
accurately to the upward and downward adjustments of prior-year
obligation accounts.
* Develop controls to improve the linked obligation transaction review
process to detect and correct erroneous links between unrelated upward
and downward adjustments of prior-year obligation transactions in a
timely manner.
IRS Comments and our Evaluation:
IRS agreed with our recommendations and stated that it (1) revised its
process for manually linking obligations, updated the related
procedures, and provided additional training to technicians and
supervisors in October 2009 and (2) revised its processes in March
2010 to include a second level review of all linked obligations at the
time of the actual linking. We will review the updated policies and
procedures and evaluate their design and operating effectiveness
during our audit of IRS's fiscal year 2010 financial statements.
Compliance with Appropriations Act Requirements:
During our fiscal year 2009 financial audit, we found that IRS did not
comply with all requirements of its annual appropriations act. IRS's
fiscal year 2009 appropriations act required IRS to set aside at least
$7.487 billion for tax law enforcement and related support activities.
[Footnote 73] The appropriations act funded five separate
appropriations accounts, including accounts for taxpayer services,
enforcement, and operations support; however, the amount appropriated
to the enforcement account alone was insufficient to satisfy the set-
aside requirement. Consequently, IRS was required to identify
additional funds from among the other four accounts and make available
for obligation solely to tax law enforcement and related support
activities the amount necessary to meet the requirement. However, at
the end of our fiscal year 2009 audit, IRS asserted to us that it had
set aside only $7,413,237,071 for tax law enforcement and related
support activities, resulting in a shortfall of about $73.8 million in
amounts set aside for these activities.
IRS officials attributed this shortfall to three causes. First, the
federal government was operating under a continuing resolution for
almost half of the fiscal year which, according to IRS, delayed it
from hiring staff needed for some of its enforcement initiatives.
[Footnote 74] Consequently, fewer enforcement staff were on board
throughout the year than originally estimated. Second, IRS initially
estimated it would allocate about $5.1 billion in direct enforcement
costs from its enforcement appropriations account and about $2.4
billion in indirect enforcement costs from its operations support
appropriations account to meet the appropriations act's requirements.
IRS budget officials stated that they estimated the portion of
operations support appropriations--which are available to support both
IRS's taxpayer services and enforcement programs--that would be
allocated to enforcement activities based on IRS's fiscal year 2009
budget request. However, these officials stated that increased fiscal
year 2009 funding received for taxpayer services,[Footnote 75] when
coupled with the delayed hiring in enforcement, resulted in a greater
portion of its operations support costs being allocated to the
taxpayer services program and consequently less to the enforcement
program than originally estimated.[Footnote 76] Third, IRS had about
$70.6 million in fiscal year 2009 operations support appropriations
that were unobligated at the end of the fiscal year. Because these
funds had not yet been obligated and therefore allocated to programs,
none of these funds were counted toward the set-aside requirement.
However, even if IRS could have allocated all of these unobligated
operations support funds to enforcement, that would only have reduced,
but not eliminated, the amount of the shortfall.
We recognize that the continuing resolution and the late passage of
its appropriations act put IRS in a difficult position. In particular,
we can appreciate that this would have had a negative effect on
hiring. However, these challenging circumstances did not eliminate
IRS's requirement to comply with all provisions in its annual
appropriations act and to establish adequate funds control procedures
to provide reasonable assurance of compliance.
In preparation for this report, we discussed our concerns with IRS
budget officials in February 2010. In April 2010, IRS officials
presented us with a revised tax enforcement analysis, which asserted
that IRS was now in compliance with the fiscal year 2009 set-aside
requirement. In its revised analysis, IRS did not change the amount of
appropriations that it allocated to the set-aside amount from the
enforcement appropriations account; however, IRS increased the amount
of operations support appropriations allocated to its enforcement
program by $98.4 million. As a result, IRS's revised analysis
reflected total appropriations allocated to tax law enforcement and
related support activities of $7,511,675,000, which would have
exceeded the set-aside requirement by $24.7 million.
We reviewed IRS's revised analysis and found problems with the
methodology that IRS used to support its claim that it now complied
with its appropriations act requirement. Of the $98.4 million increase
in operations support appropriations allocated to tax law enforcement
activities, $70.6 million consisted of all of IRS's fiscal year 2009
operations support appropriations that remained unobligated at fiscal
year end. IRS, in its revised analysis, attributes all of these
unobligated operations support funds to tax law enforcement. We
disagree with this methodology because these funds will also support
the overhead costs of taxpayer services and other programs; therefore,
only a portion of these unobligated operations support funds would
truly be used to support tax law enforcement and related support
activities. IRS's revised analysis achieves the remaining $27.8
million of the operations support allocation increase by not
allocating any operations support costs to taxpayer services
activities that were funded with $67.9 million in additional
appropriations that were included in the fiscal year 2009 continuing
resolution to meet the requirements of the Economic Stimulus Act of
2008.[Footnote 77] IRS officials stated that because this was a
special appropriation, no operations support costs should be allocated
to it. We disagree with this reasoning because the staff and
activities funded by this special appropriation still required the use
of office space, information technology, and other support services
that are funded by the operations support appropriations account. By
not allocating any operations support costs to these taxpayer services
activities, IRS is erroneously allocating operations support costs,
which actually supported its taxpayer services program, to its
enforcement program. In addition, the set-aside requirement in IRS's
fiscal year 2009 appropriations act required IRS to make available the
entire set-aside amount for obligation. Since some of the funds IRS
included in its revised analysis expired at the end of fiscal year
2009, reallocating and setting aside such appropriations after the end
of the fiscal year fails to satisfy this requirement.
IRS's failure to comply with its appropriations act requirement can be
attributed in large part to a lack of internal controls to monitor and
ensure compliance with its appropriations act requirements. In
particular, IRS had established no formal funds control processes to
clearly set aside the required funds. IRS officials stated that they
have the ability to create a report to track the status of the tax law
enforcement obligations and related monthly operations support
allocations throughout the year; however, they stated they do not have
any written policies or procedures specifying how compliance with such
appropriations act requirements will be monitored and achieved.
Without adequate internal controls to monitor progress against its
appropriations act requirements and to take action to comply with
these requirements, IRS may not have reasonable assurance that it is
complying with all of its appropriations act requirements.
IRS initially informed us that it would have had to transfer
appropriations from nonenforcement appropriations accounts, such as
the operations support account, to the enforcement appropriations
account in order to comply with the tax law enforcement requirement.
IRS's fiscal year 2009 appropriations act allows IRS to transfer up to
5 percent of any nonenforcement appropriation made available in the
fiscal year 2009 appropriations act to its enforcement appropriation
account upon the advance approval of the Committees on
Appropriations.[Footnote 78] Although IRS officials informed us that
they knew in the middle of fiscal year 2009 that they were not likely
to meet the set-aside requirement, they did not request such a
transfer during fiscal year 2009. Since a similar tax law enforcement
requirement has been included in IRS's fiscal year 2010 appropriations
act,[Footnote 79] IRS needs to have appropriate funds control policies
and procedures in place to ensure it meets its mandated appropriations
act requirements.[Footnote 80]
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following.
* Establish a formal funds control process to set aside amounts for
tax law enforcement and related support activities, as required by
annual appropriations acts.
* Establish a policy to periodically monitor throughout the year the
amount of different appropriations accounts attributed to the set-
aside to assess IRS's progress toward complying with the requirement.
* Based on the results of its periodic assessments, take action to
allocate the required amount of appropriations to tax law enforcement
and related support activities to comply with the set-aside
requirement.
IRS Comments and our Evaluation:
IRS disagreed with all three recommendations related to its compliance
with the fiscal year 2009 appropriations act requirements. IRS stated
that (1) it fully funded tax law enforcement activities and met the
intent of the 2009 legislation; (2) our characterization of the fiscal
year 2009 appropriations act was incorrect; (3) it disagreed with our
characterization of its April 2010 analysis; and (4) its failure to
comply with the appropriations act requirement was not attributable to
a lack of internal controls to monitor and ensure compliance. As
discussed in the following paragraphs, we disagree with all of these
points.
First, IRS stated that it fully funded tax law enforcement activities
and met the intent of IRS's fiscal year 2009 appropriations act. The
act (1) provided $5.12 billion in IRS's enforcement appropriation,
which funds direct enforcement activities such as conducting criminal
investigations; and (2) required IRS to explicitly make available at
least a total of $7.487 billion specifically for enforcement
activities from among any of its appropriations funding in the
appropriations act. IRS stated that because it obligated most of the
funds appropriated for enforcement (the $5.12 billion) and allocated
to enforcement a commensurate portion of operations support costs
(i.e., the indirect or overhead costs associated with operating IRS's
enforcement program),[Footnote 81] it fully funded its enforcement
activities and thus met the intent of the law. We disagree. By not
explicitly designating appropriated amounts of at least $7.487 billion
for enforcement activities, IRS did not comply with the appropriations
act set-aside requirement. The fact that IRS elected to meet the set-
aside requirement in part through an allocation of indirect costs to
enforcement activities does not alter the express requirement in the
appropriations act. In fact, as IRS noted in its written response, it
requested a change in the appropriations language to make compliance
with this requirement contingent upon the availability of funds in its
operations support account. IRS stated that this contingency was
included in the fiscal year 2010 House Budget Resolution but was not
included in the enacted law. We believe that IRS's proposal to amend
the requirement provides further evidence that IRS was legally
obligated to identify and set aside the $7.487 billion for enforcement
activities from among its appropriations accounts.
Second, IRS stated that our characterization of the requirements of
the fiscal year 2009 appropriations act in our report was incorrect.
IRS stated that the act's requirement that it make available $7.487
billion for tax law enforcement and related support activities applies
only to the enforcement appropriation and the operations support
appropriation. We agree that the $7.487 billion must be used only for
tax law enforcement and related support activities. However, as
discussed in our report, we disagree that the act provided that the
source of funding must come solely from (and therefore is limited to
the availability of) enforcement and operations support
appropriations. In fact, the act explicitly provided that all of the
funds made available by the Act shall be available to meet the
requirement.[Footnote 82] Thus, it is clear that compliance was not
contingent upon the availability of enforcement and operations support
appropriations.[Footnote 83]
Third, IRS disagreed with our characterization of the supplemental
analysis it provided to us in April which was intended to demonstrate
that it complied with the fiscal year 2009 appropriations act
requirement. IRS stated that the primary change in the April 2010
analysis from the initial analysis it provided us was to count all
unobligated operations support balances towards the amount required,
under the assumption that those funds met the criteria that the
resources "shall be available" for enforcement activities. However, as
IRS stated in its comments, it cannot "set aside" funds in operations
support exclusively for enforcement activities. Therefore, it is not
possible for IRS under its cost allocation methodology to make 100
percent of the unobligated operations support balances at year end
available exclusively for enforcement. In addition, even if IRS could
have allocated all of the unobligated operations support balances to
enforcement, the $70.6 million in total unobligated operations support
balances would not have been enough to make up for the $73.8 million
shortfall.
Finally, IRS disagreed that its failure to comply with the
appropriations act requirement is attributable to a lack of internal
controls to monitor and ensure compliance. We can appreciate that the
late passage of the final fiscal year 2009 budget and IRS's use of an
indirect cost allocation approach to carrying out the set-aside both
created difficulties for IRS in managing its appropriations. However,
as discussed in our report, additional internal controls in this area
could have alerted IRS to the problem much earlier in the year and
enabled IRS to take corrective actions that may have enabled it to
comply with the appropriation act's requirements. IRS stated that when
it developed its fiscal year 2009 budget request, it estimated the
amount of direct enforcement and related operations support costs that
would enable it to comply. Because IRS must submit its budget request
many months before the start of the fiscal year, the actual budget and
other circumstances can change drastically before the final
appropriation is enacted. Thus, it is important for IRS to establish
and implement control procedures to ensure it periodically reassesses
its estimates and revises plans as appropriate. However, IRS did not
have such controls in place. For example, IRS officials stated that
Congress appropriated $143 million more than IRS anticipated to
taxpayer services in fiscal year 2009. While IRS's fiscal year 2009
appropriations act was not enacted until March 11, 2009, a significant
portion of the increase ($67.9 million) was provided to IRS in its
continuing resolution enacted September 30, 2008.[Footnote 84]
Consequently, IRS knew about nearly half of the increase at the
beginning of the fiscal year, yet it did not reassess its original
estimates nor take any action to address the impact that the increase
would have on the allocation of operations support costs to its tax
law enforcement activities. For instance, rather than depending solely
on the allocation of operations support costs to enforcement to meet
the requirement, IRS could have identified funding sources in other
appropriations or requested a transfer of funds to the direct
enforcement appropriation.
In addition, IRS's statements that the proportion of operations
support costs allocated to the taxpayer service program from the
enforcement program increased after the end of the fiscal year are
incorrect. Contrary to IRS's assertions, IRS does not allocate the
entire year's expenses at the end of the year. IRS runs its cost
allocation methodology at the beginning of every month to allocate the
prior month's operations support costs to the major programs,
including taxpayer services and enforcement. The results of each
monthly allocation are then added to the previous month's cumulative
totals by program, so that at the end of the year all of the monthly
allocations total the amount reported in IRS's statement of net cost.
IRS's post year-end allocations only allocate the final month's
operations support costs plus year-end adjustments necessary to
prepare its financial statements. Had IRS's budget office had
effective controls in place to monitor these monthly allocations, it
could have tracked the amounts allocated to enforcement against what
was originally estimated throughout the year and thus, could have
identified early on that action was needed to meet the requirement.
For the reasons discussed above, we still believe that IRS did not
comply with the requirements of its fiscal year 2009 appropriations
act with respect to its requirement that IRS set aside at least $7.487
billion for tax law enforcement and related support activities. IRS
recognizes a problem exists, which is why it plans to propose language
in its fiscal year 2012 budget request to make compliance with this
requirement contingent upon the availability of funds in its
operations support account. We also believe that the recommendations
we are making in this report, if effectively implemented, will assist
IRS in ensuring it has the processes and controls in place to minimize
the risk of a reoccurrence of this issue.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and
Governmental Affairs and the House Committee on Oversight and
Government Reform within 60 days of the date of this report. A written
statement must also be sent to the House and Senate Committees on
Appropriations with the agency's first request for appropriations made
more than 60 days after the date of the report. Furthermore, to ensure
GAO has accurate, up-to-date information on the status of your
agency's actions on our recommendations, we request that you also
provide us with a copy of your agency's statement of actions taken on
open recommendations. Please send your statement of action to me or
Doreen Eng, Assistant Director, at EngD@gao.gov.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; and
Subcommittee on Taxation and IRS Oversight, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking
Members of the House Committee on Appropriations and House Committee
on Ways and Means; the Chairman and Vice-Chairman of the Joint
Committee on Taxation; the Secretary of the Treasury; the Director of
the Office of Management and Budget; and the Chairman of the IRS
Oversight Board. The report is available at no charge on GAO's Web
site at [hyperlink, http://www.gao.gov].
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years
2009 and 2008 financial statements. Please contact me at (202) 512-
3406 or sebastians@gao.gov if you or your staff have any questions
concerning this report. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in enclosure III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures - 3:
[End of section]
Enclosure I: Details on Audit Methodology:
We are responsible for planning and performing the audit to obtain
reasonable assurance and provide our opinion about whether (1) IRS's
financial statements are presented fairly, in all material respects,
in conformity with U.S. generally accepted accounting principles, (2)
IRS management maintained, in all material respects, effective
internal control over financial reporting as of September 30, 2009,
and (3) IRS's financial management systems substantially comply with
financial management systems requirements. We are also responsible for
(1) testing compliance with selected provisions of laws and
regulations that have a direct and material effect on the financial
statements, and (2) performing limited procedures with respect to
certain other information accompanying the financial statements.
To fulfill our responsibilities as the auditor of IRS's financial
statements, we did the following.
* We examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included selecting
statistical samples of unpaid assessments, revenue, refunds, payroll
and nonpayroll expenses, property and equipment, and undelivered order
transactions. These statistical samples were selected primarily to
determine the validity of balances and activities reported in IRS's
financial statements. We projected any errors in dollar amounts to the
population of transactions from which they were selected. In testing
some of these samples, certain attributes were identified that
indicated deficiencies in the design or operation of internal control.
These attributes, where applicable, were statistically projected to
the appropriate populations.
* We examined evidence supporting IRS's compliance with learning and
education policies. This included selecting non-statistical samples to
determine if employees completed all mandatory briefings within the
required time frames.
* We assessed the accounting principles used and significant estimates
made by management.
* We evaluated the overall presentation of the financial statements.
* We obtained an understanding of IRS and its operations, including
its internal control over financial reporting.
* We considered IRS's process for evaluating and reporting on internal
control and financial systems under 31 U.S.C. § 3512 (c), (d),
commonly referred to as the Federal Managers' Financial Integrity Act
of 1982, and Office of Management and Budget Circular No. A-123,
Management's Responsibility for Internal Control.
* We assessed the risk of (1) material misstatement in the financial
statements and (2) material weakness in internal control over
financial reporting.
* We tested relevant internal control over financial reporting.
* We evaluated the design and operating effectiveness of internal
control over financial reporting based on the assessed risk.
* We tested compliance with selected provisions of the following laws
and regulations: Internal Revenue Code; Antideficiency Act, as
amended; Purpose Statute; Prompt Payment Act; Pay and Allowance System
for Civilian Employees; Federal Employees' Retirement System Act of
1986, as amended; Social Security Act of 1935, as amended; Federal
Employees Health Benefits Act of 1959, as amended; Continuing
Appropriations Resolution, 2009, as amended; Financial Services and
General Government Appropriations Act, 2009; and American Recovery and
Reinvestment Act of 2009.
* We tested whether IRS's financial management systems substantially
complied with the three FFMIA requirements.
* We performed such other procedures as we considered necessary in the
circumstances.
[End of section]
Enclosure II: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Commissioner:
Washington, D.C. 20224:
June 21, 2010:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled, Management Report: Improvements Are Needed in
IRS's Internal Controls and Compliance with Laws and Regulations (GA0-
10-565R). As GAO noted in the report titled, Financial Audit: IRS's
Fiscal Years 2009 and 2008 Financial Statements, we continue to make
significant progress in addressing remaining financial management
challenges and have substantially mitigated weaknesses in internal
controls.
During FY 2009, IRS developed traceability of revenue and refund
transactions from the general ledger to supporting detailed
transaction information. IRS also continued to develop its cost
accounting capabilities by implementing full-cost information on
numerous IRS programs and activities and measuring the cost-benefit on
enforcement programs. These improvements allowed GAO to conclude that
these matters no longer constitute internal control deficiencies. The
enclosed response addresses each of your recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions or would like to discuss our response in further
detail, please contact me or Alison Doone, Chief Financial Officer, at
(202) 622-6400.
Sincerely.
Signed by:
Douglas H. Shulman:
Enclosure:
[End of letter]
IRS Responses to GAO Recommendations in "Management Report:
Improvements Are Needed in IRS's Internal Controls and Compliance with
Laws and Regulations" GAO-10-565R:
Recommendation #1: We recommend that you direct the appropriate IRS
officials to review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in the Custodial Detailed Data
Base (CDDB) resulted in misclassifications of account balances that,
in turn, resulted in inaccuracies in the amounts of reported unpaid
assessments.
Comments: IRS agrees with this recommendation. Each year IRS
identifies misclassifications of account balances during the review of
the sample cases selected for the unpaid assessment statistical
estimation and corrects the errors. In the cases of misclassification
of account balances caused by a systemic limitation in CDDB, IRS
identified programming changes to improve the business rules used by
CDDB to accurately classify unpaid tax assessments. IRS briefed GAO on
the pending programming changes February 23, 2010.
Recommendation #2: We recommend that you direct the appropriate IRS
officials to research and implement programming changes to allow CDDB
to more accurately classify such accounts among the three categories
of unpaid tax assessments.
Comments: IRS agrees with this recommendation. IRS continues to
identify programming changes to improve the accuracy of the
classification of the three categories of unpaid tax assessments in
CDDB. The IRS implemented programming changes in January 2010 to
classify non-payroll tax forms with reported amounts subject to a
Trust Fund Recovery Penalty (TFRP) assessment, and to classify other
TFRP assessments that were previously excluded from the TFRP analysis.
The IRS is scheduled to implement programming changes in July 2010
that will reduce movement in and out of financial write-off status and
identify payroll tax modules where a TFRP assessment was not made.
Four additional programming changes are scheduled for implementation
in January 2011 to improve the classification of installment
agreements, to address one-time refund offsets, to allow CDDB to
correctly adjust balances in the subsidiary ledger in cases where TFRP
payments were not cross-referenced correctly, and to add an allocation
methodology in CDDB to classify modules with split financial
classifications. IRS briefed GAO on all of these changes on February
23, 2010.
Recommendation #3: We recommend that you direct the appropriate IRS
officials to research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that affect the financial
reporting of unpaid tax assessments.
Comments: IRS agrees with this recommendation. Each year IRS
identifies misclassifications of account balances during the review of
the sample cases selected for the unpaid assessment statistical
estimation and corrects the errors. In addition, IRS reviews Internal
Revenue Manual (IRM) procedures to ensure proper internal controls are
in place, makes revisions when necessary, and ensures the internal
control processes are followed.
Recommendation #4: Once IRS identifies the control weaknesses that
result in inaccuracies or errors that affect the financial reporting
of unpaid tax assessments, we recommend that you direct the
appropriate IRS officials to implement control procedures to routinely
prevent, or to detect and correct, such errors.
Comments: IRS agrees with this recommendation. IRS will continue to
identify and validate corrective actions were completed. We will
continue to monitor appropriate procedures, controls and program
modifications.
Recommendation #5: To ensure that Trust Fund Recovery Penalty (TFRP)
payments are always and accurately credited to all related parties
when received, we recommend that you direct the appropriate IRS
officials to revise the Internal Revenue Manual (IRM) to provide
specific requirements for supervisors to review the accuracy of credit
transactions related to TFRP payments processed through the Automated
Trust Fund Recovery (ATFR) system. This guidance should provide
specific areas to review and list the ATFR system reports that can
facilitate supervisory reviews.
Comments: IRS agrees with this recommendation. IRS updated IRM 5.19.14
in May 2010 to include supervisory reviews of the accuracy and
timeliness of credit transactions related to TFRP payments processed
through ATFR and identified the areas and system reports for review.
Recommendation #6: To ensure that TFRP payments are always and
accurately credited to all related parties when received, we recommend
that you direct the appropriate IRS officials to formalize and
implement the quarterly reviews of TFRP payment transactions to
monitor compliance with IRM requirements.
Recommendation #7: To ensure that TFRP payments are always and
accurately credited to all related parties when received, we recommend
that you direct the appropriate IRS officials to develop procedures to
analyze the results of the quarterly reviews so that specific factors
causing the errors are identified.
Recommendation #8: To ensure that TFRP payments are always and
accurately credited to all related parties when received, we recommend
that you direct appropriate IRS officials to develop procedures to
address the factors causing errors in the processing of TFRP payment
transactions identified through the analyses of the quarterly review
results.
Comments: IRS agrees with these recommendations. In May 2009, the IRS
created the "Quality Assurance Internal Compliance Review" (QAICR) to
expand testing beyond existing reviews to further gauge the accuracy
and effectiveness of ATFR and to identify TFRP program deficiencies.
The IRS quarterly review closely mirrors the GAO review, incorporating
TFRP campus case reviews, analysis of findings, and implementation of
corrective actions needed to address identified deficiencies. A pilot
quarterly review was performed in January 2010, and the results were
given to GAO. Quarterly quality reviews began in April 2010.
Recommendation #9: We recommend that you direct the appropriate IRS
officials to revise the existing methodology for extracting the pre-
posted revenue component of the comparison to ensure that non-tax
revenues and tax revenue transactions already posted to the master
files are properly excluded.
Comments: IRS agrees with this recommendation. IRS revised the pre-
posted extraction methodology in May 2010 to define transactions that
should be excluded from the pre-posted revenue file and added other
indicators to better identify pre-posted revenue when the original
indicator is changed. IRS sampled the interim pre-posted output file
using the new methodology and verified that all non-custodial revenue
was excluded.
Recommendation #10: We recommend that you direct the appropriate IRS
officials to update the desk procedures governing the general ledger
to master files comparison to ensure that it reflects the current
process and controls.
Comments: IRS agrees with this recommendation. IRS will complete the
update of the desk procedures for the general ledger to master file
comparison to ensure that it reflects the current process and controls
by December 31, 2010.
Recommendation #11: We recommend that you direct the appropriate IRS
officials to revise the cost allocation desk guide to better document
the cost allocation process. This should include ensuring that all key
processing steps are included and identifying the key sources of input
data and the controls necessary to help ensure their reliability.
Comments: IRS agrees with this recommendation. IRS revised the cost
allocation desk guide in January 2010. The revised desk guide includes
key processing steps, key sources of input data, and the controls
necessary to help ensure their reliability.
Recommendation #12: We recommend that you direct the appropriate IRS
officials to revise the IRM and cost allocation desk guide to require
appropriate segregation of duties within the cost allocation process.
Recommendation #13: We recommend that you direct the appropriate IRS
officials to revise the IRM and cost allocation desk guide to require
timely, documented supervisory reviews at key process points to help
prevent and detect cost allocation processing errors.
Comments: IRS agrees with these recommendations. The IRS Chief
Financial Officer will update IRM 1.32.3, Managerial Cost Accounting,
and the cost allocation desk guide to require appropriate segregation
of duties and documented supervisory reviews in the cost allocation
process by June 30, 2010.
Recommendation #14: We recommend that you direct the appropriate IRS
officials to establish controls over the cycle run spreadsheet to help
minimize the risk of error or omission. At a minimum, this should
include assigning a unique, sortable identifier to each row in the
spreadsheet and implementing controls to promptly and accurately
record the status of processing steps in a manner that ensures each
cycle run is performed and is performed in the proper sequence.
Comments: IRS agrees with this recommendation. IRS established
procedures and controls over the master version of the cycle-run
spreadsheet to minimize the risk of error or omission in May 2010.
Each step in the process now contains a unique cycle identifier for
the cycle-run order. In addition, IRS reviews and validates that each
cycle is performed in the proper sequence.
Recommendation #15: We recommend that you direct the appropriate IRS
officials to revise the IRM to require Central Insolvency Operation
(CIO) to timely provide service center campuses an acknowledgment of
receipt for each Form 3210, Document Transmittal, related to a
duplicate refund transcript sent to them by a service center campus
for review.
Comments: IRS agrees with this recommendation. IRS will update IRM
5.9.16 covering the CIO by December 31, 2010, to require that Form
3210, acknowledgment for duplicate refund transcripts, be returned to
the issuer within 5 days of receipt.
Recommendation #16: We recommend that you direct the appropriate IRS
officials to revise the IRM to require service center campuses to
verify that an acknowledgment of receipt has been received from CIO
for 100 percent of the Form 3210 transmittals related to duplicate
refund transcripts they have forwarded to CIO for review.
Comments: IRS agrees with this recommendation. IRS will revise IRM
3,17.79 to include procedures for verification of Form 3210
acknowledgments received from the CIO for duplicate refund transcripts
at service center campuses by January 31, 2011.
Recommendation #17: We recommend that you direct the appropriate IRS
officials to revise the IRM to require service center campuses to
resolve any instances in which an acknowledgment of receipt for a Form
3210 transmittal related to duplicate refund transcripts is not
received.
Comments: IRS agrees with this recommendation. Wage and Investment
will revise IRM 3.17 to include procedures for follow-up/resolution of
non-receipt of Form 3210 acknowledgment of duplicate refund
transcripts from CIO function by January 31, 2011.
Recommendation #18: We recommend that you direct the appropriate IRS
officials to require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks.
Recommendation #19: We recommend that you direct the appropriate IRS
officials to establish procedures to track service center campus
acknowledgments of unprocessable items with receipts.
Recommendation #20: We recommend that you direct the appropriate IRS
officials to establish procedures to monitor the process used by
service center campuses and lockbox banks to acknowledge and track
transmittals of unprocessable items with receipts. These procedures
should include monitoring discrepancies and instituting appropriate
corrective actions as needed.
Comments: IRS agrees with recommendations #18, #19, and #20. IRS is
developing standardized procedures for the Lockbox Document Transmittals
(LDT) in the lockbox network and the service center campuses. IRS
revised the LDT form and drafted instructions to include an
acknowledgment from the service center campus to the lockbox site.
Once the form and instructions have been finalized, the Lockbox Field
Coordinators will conduct training with the banks and service center
campuses. The Lockbox Bank Performance Measure 'Mailout Review' Data
Collection Instrument also will be updated to include tracking and
monitoring adherence to the procedures and implementation of
corrective actions, as needed. IRS expects to implement these changes
by December 31, 2010.
Recommendation #21: We recommend that you direct the appropriate IRS
officials to review the audit management checklist for clarity and
revise the assessment questions as appropriate.
Comments: IRS agrees with this recommendation. IRS will review the
questions on the audit management checklist and modify them for
clarity by December 30, 2010.
Recommendation #22: We recommend that you direct the appropriate IRS
officials to issue written guidance to accompany the audit management
checklist that explains the relevance of the questions and the methods
that should be used to assess and test the related controls.
Comments: IRS agrees with this recommendation. IRS incorporated
instructions for completing the audit management checklist in the
December 18, 2009 revision of the checklist.
Recommendation #23: We recommend that you direct the appropriate IRS
officials to provide training to physical security analysts
responsible for completing the audit management checklist to help
ensure that checklist questions are answered appropriately and
accurately.
Comments: IRS agrees with this recommendation. IRS will provide
training to physical security analysts on completing the audit
management checklist by December 31, 2010.
Recommendation #24: We recommend that you direct the appropriate IRS
officials to establish and document the minimum frequency for how
often the audit management checklist should be completed at each
service center campus and field office.
Comments: IRS agrees with this recommendation. IRS documented the
frequency for completing the audit management checklist at the service
center campuses and field offices in Physical Security and Emergency
Preparedness (PSEP) Standard Operating Procedure 09-0011 Audit
Activity Management Program, dated August 25, 2009.
Recommendation #25: We recommend that you direct the appropriate IRS
officials to establish policies requiring documented managerial
reviews of completed audit management checklists. These reviews should
document (1) the time and date of the review, (2) the name of the
manager performing the review, (3) the supporting documentation
reviewed, (4) any problems identified with the responses on the
checklists, and (5) corrective actions to be taken.
Comments: IRS agrees with this recommendation. PSEP Standard Operating
Procedure (SOP) 09-0011 Audit Activity Management Program, dated
August 25, 2009, contains the requirement for documented management
reviews of the audit management checklist. IRS will modify the SOP to
include the time and date of the review, the name of the manager
performing the review, the supporting documentation reviewed, and any
problems identified with corrective actions to be taken by July 30,
2010.
Recommendation #26: We recommend that you direct the appropriate IRS
officials to review the Taxpayer Assistance Centers Security and
Remittance Review Database (TSRRD) for clarity and revise review
questions as appropriate.
Comments: IRS agrees with this recommendation. IRS will review the
TSRRD and, where appropriate, clarify and revise the review questions.
The TSRRD will be revised to add an IRM point of reference and
instructions on how to complete database questions properly by January
31, 2011.
Recommendation #27: We recommend that you direct the appropriate IRS
officials to provide training to Taxpayer Assistance Centers (TAC) group
managers to assist with their understanding of the TSRRD review
questions and related objectives. This training should be provided on
an ongoing basis to account for changes in TSRRD questions and for
newly hired or appointed TAC group managers.
Comments: IRS agrees with this recommendation. IRS will include
training on the TSRRD in the Filing Season Readiness Workshop DVD
delivered to all group managers annually. IRS will conduct the
training by March 31, 2011.
Recommendation #28: We recommend that you direct the appropriate IRS
officials to establish policies that require territory managers or a
manager at least one level above the group manager to periodically
review the information entered into the TSRRD for accuracy and
completeness prior to the results being forwarded to Field Assistance
Office headquarters management. This review should be signed and
documented, and include (1) the time and date of the review, (2) the
name of the manager performing the review, (3) the task performed
during the review, (4) any problems or questions identified, and (5)
planned corrective actions.
Comments: IRS agrees with this recommendation. IRS will update policy to
include instructions for the Field Assistance territory manager, or a
manager one level above, to review the frontline manager's completed
TSRRD responses by March 31, 2011. Managers will review the forms and
enter the review results into the TSRRD, and forward it to the
territory manager for review and approval along with the planned
corrective actions for any problems identified. The review document
will include the reviewer's name, date and time of review, issues
identified, and corrective actions taken.
Recommendation #29: We recommend that you direct the appropriate IRS
officials to analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information.
Comments: IRS agrees with this recommendation. IRS will develop a
policy that requires security awareness training for all IRS
contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information by June 30, 2011.
Recommendation #30: We recommend that you direct the appropriate IRS
officials to designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all Unit Security Representatives (USRs) to complete
(1) the required initial USR training prior to assuming their
responsibilities, and (2) annual refresher training each year
thereafter.
Comments: IRS agrees with this recommendation. All USRs and Alternate
USRs were required to take the initial training class by May 31, 2010,
and before newly appointed USRs are provided security codes. Annual
refresher training is required thereafter. To ensure compliance, IRS
plans to implement by December 31, 2010, a reporting capability to
identify USRs who fail to comply with initial and annual refresher
training requirements. This reporting process will track USR
compliance in the Enterprise Learning Management System (ELMS)
Learning History and provide notification to affected USRs, their
respective managers, and the USR point of contact for remediation.
Recommendation #31: We recommend that you direct the appropriate IRS
officials to update USR training manuals to ensure they reflect
current security policies and procedures.
Comments: IRS agrees with this recommendation. On December 15, 2009,
IRS launched two new online training courses for all Integrated Data
Retrieval System (IDRS) USRs to incorporate current security policies
and procedures for USR Initial Training and IDRS USR Annual Refresher
Training. These courses provide the initial and annual refresher
training required for all IDRS USRs before performing such duties.
Recommendation #32: We recommend that you direct the appropriate IRS
officials to establish a process to periodically review and update
training materials as appropriate.
Comments: IRS agrees with this recommendation. IRS implemented an
annual review and update of the IDRS USR training material. IRS
completed a training content update in December 2009 and expects to
complete the next update by December 31, 2010.
Recommendation #33: We recommend that you direct the appropriate IRS
officials to establish procedures requiring Human Capital Office,
Leadership, Education and Delivery Services (NCO LEADS) or their
designee to periodically monitor each business unit's progress in
complying with mandatory briefing requirements.
Comments: IRS agrees with this recommendation. IRS will distribute
reports to the business units providing each business unit's progress
in complying with the mandatory briefings requirement. Reports will be
produced weekly during the mandatory briefing period from July through
September and monthly for the remainder of the year. IRS also will
begin distribution of a quarterly summary report to the heads of
offices by January 31, 2011.
Recommendation #34: We recommend that you direct the appropriate IRS
officials to establish procedures requiring contracting officers
(COs)/contracting officer's technical representatives (COTRs) to
obtain and retain written documentation from end users confirming
receipt and acceptability of purchased goods and/or services prior to
entering acknowledgment of receipt and acceptance in the Web Request
Tracking System (WebRTS).
Comments: IRS agrees with this recommendation. IRS updated the Receipt
and Acceptance Handbook in March 2010 to include the requirement to
obtain and retain documentation to support receipt and acceptance
before entering the acknowledgment in WebRTS and provided the updated
handbook to GAO on March 31, 2010. In addition, Procurement's Policy
and Procedures Memorandum No. 46.5, Monitoring Receipt, Acceptance and
Quality Assurance through Contract Administration Plans, dated January
1, 2010, instructs all Procurement personnel and COTRs to maintain
documentation of receipt of supplies or services. IRS has reinforced
this requirement through presentations at the 2010 Procurement
Partnership Conference in March 2010, and the 2010 CFO Customer
Conference in May 2010.
Recommendation #35: We recommend that you direct the appropriate IRS
officials to reiterate IRS's policy for staff to indicate in WebRTS
during final receipt and acceptance that the payment is a final
payment to close out a contract or purchase order to help ensure any
remaining obligated funds are timely deobligated.
Comments: IRS agrees with this recommendation. IRS issued a WebRTS
broadcast e-mail to all WebRTS users on June 2, 2010, to reinforce the
use of the receipt and acceptance final flag to ensure timely closure
of obligations. IRS will reissue this broadcast quarterly.
Recommendation #36: We recommend that you direct the appropriate IRS
officials to re-evaluate and, as necessary, revise the aging criteria
for the Aging Unliquidated Obligation reviews so that unliquidated
obligations are reviewed sooner in order to timely detect and
deobligate excess obligations.
Comments: IRS agrees with this recommendation. IRS revised the aging
criteria for the FY 2010 Aging Unliquidated Obligation reviews from
300 days to 240 days to review unliquidated obligations sooner.
Recommendation #37: We recommend that you direct the appropriate IRS
officials to provide technicians and supervisors who are responsible
for recording and reviewing obligation transactions with training on
the proper usage of manually linked obligation transactions to
reinforce IRS's existing policy requiring that transactions be
recorded accurately to the upward and downward adjustments to prior
year obligation accounts.
Comments; IRS agrees with this recommendation. IRS revised the manual
linking of obligations process, updated the related procedures, and
provided additional training to technicians and supervisors in October
2009. IRS provided GAO with the revised procedures and conducted a
walk-through of the process for GAO on March 11, 2010.
Recommendation #38: We recommend that you direct the appropriate IRS
officials to develop controls to improve the linked obligation
transaction review process to timely detect and correct erroneous
links between unrelated upward and downward adjustments to prior year
obligation transactions.
Comments: IRS agrees with this recommendation. IRS revised internal
processes and implemented procedures to add a second level review of
all linked obligations at the time of the actual linking on March 16,
2010.
Recommendation #39: We recommend that you direct the appropriate IRS
officials to establish a formal funds control process to set aside
amounts for tax law enforcement and related support activities, as
required by annual appropriations acts.
Recommendation #40: We recommend that you direct the appropriate IRS
officials to establish a policy to periodically monitor throughout the
year the amount of different appropriations accounts attributed to the
set-aside to assess IRS's progress toward complying with the
requirement.
Recommendation #41: We recommend that you direct the appropriate IRS
officials to take action based on the results of its periodic
assessments, to allocate the required amount of appropriations to tax
law enforcement and related support activities to comply with the set-
aside requirement.
Comments: IRS disagrees with recommendations #39, #40, and #41. In
FY 2009, the IRS fully funded its tax law enforcement activities and
met the intent of the allocation adjustment. The IRS obligated $5.11
billion of the $5.12 billion (99.7 percent) enforcement appropriation
and fully supported the enforcement activities from the operations
support account. The IRS obligated $3.75 billion of the $3.76 billion
(99.7 percent) of the operations support appropriation expiring funds.
The characterization of the 2009 appropriations act in the report is
incorrect. The requirement that the IRS spend $7A87 billion on tax law
enforcement and related support activities applies to the enforcement
appropriation and the operations support appropriation. The intent of
the requirement is for the IRS to fully fund enforcement activities
and related support activities without diverting funds to
non-enforcement activities, and the IRS met that requirement. The IRS
cannot unilaterally "set aside" funds from its Taxpayer Services,
Business Systems Modernization, and Health Insurance Tax Credit
Administration appropriations to fund enforcement activities. The IRS
must obtain Office of Management and Budget (OMB) and Congressional
approval to move funds among its five appropriation accounts.
Further, the IRS cannot "set aside" funds in the Operations Support
account exclusively for enforcement activities. The Operations Support
account funds both the enforcement and the taxpayer service programs.
Operations Support obligations fund common services, including rent,
utilities, and information technology infrastructure. The IRS cannot
split Operations Support obligations between enforcement and other
activities in its accounting system. During the development of the IRS
FY 2009 budget request, the pro-rata share of operations support
funding attributable to enforcement activities was calculated using an
allocation methodology that allocates operations support funds between
taxpayer and enforcement activities based on many factors, including
Full-Time Equivalent utilization. Congress added $143 million in FY
2009 funding to the taxpayer service account. As a result of the
increase in FY 2009 taxpayer service funding that was not anticipated
when the FY 2009 budget was developed, the proportion of Operations
Support obligations allocated to taxpayer service increased in the
post FY 2009 year-end allocation of total Operations Support
obligations between Taxpayer Service and Enforcement.
In accordance with the FY 2009 enacted budget, the IRS hired 3,000 new
enforcement personnel, fully funded enforcement activities, and spent
the funding in the Taxpayer Services, Enforcement, and Operation
Support accounts consistent with the intent of the law. Because of the
unexpected increase in FY 2009 taxpayer service funding, the post year-
end allocation methodology run increased the portion of Operations
Support dollars allocated to Taxpayer Service.
The IRS also disagrees with the characterization of the supplemental
analysis provided to GAO in April. The primary change in the April
analysis was the assumption that all Enforcement account funds, the
pro-rated Operations Support enforcement obligations, and Operations
Support balances as of October 1, 2009, were available for the
Enforcement Program. This assumption is based on the administrative
provision in the appropriations language that "resources shall be
available." The initial, more conservative analysis, under
which the IRS operated in FY 2009, only included obligations in the
Enforcement Program total and excluded unobligated Operations Support
balances.
Thus, the IRS disagrees that the failure to comply with the
appropriations act requirement is attributable to a lack of internal
controls to monitor and ensure compliance with its appropriations act
requirements. Upon receipt of the additional taxpayer service funds in
the FY 2009 enacted budget, the IRS identified the issue and informed
both OMB and the House and Senate appropriations committees that the
IRS would not meet the funding level contained in the appropriations
language. The solution to this issue is a change in the appropriations
language to allow the IRS to allocate Operations Support costs between
Taxpayer Service and Enforcement Operations in accordance with both
the intent of the Congressional allocation adjustment and the IRS cost
allocation methodology. The FY 2010 President's Budget Request
proposed the required change to appropriations language, and the FY
2010 House Budget Resolution contained the proposed language that
"provides that such sums as may be necessary shall be available from
the Operations Support account in the Internal Revenue Service to
fully support these Enforcement activities." The enacted FY 2010
budget, however, did not include the House Budget Resolution language,
and the IRS plans to propose the required language in its FY 2012
budget request.
[End of section]
GAO Contact and Staff Acknowledgments:
GAO Contact:
Steve Sebastian, (202) 512-3406 or Sebastians@gao.gov:
Acknowledgments:
The following individuals made major contributions to this report:
Doreen Eng, Assistant Director; LaDonna Towler, Auditor-in-Charge;
Russell Brown; Nina Crocker; Oliver Culley; F. Abe Dymond; Lauren S.
Fassler; Chuck Fox; Mickie Gray; Ryan Guthrie; Mary Ann Hardy; David
Hayes; Ted Hu; Luke Karboski; Sharon Kittrell; Tuan Lam; Rich Larsen;
Delores Lee; Jenny Li; Joshua Marcus; Stephanie Miller; Marc
Oestreicher; John Sawyer; Christopher Spain; Chevalier Strong; and
Tina Wu.
[End of section]
Footnotes:
[1] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176]
(Washington, D.C.: Nov. 10, 2009).
[2] GAO, Information Security: IRS Needs to Continue to Address
Significant Weaknesses, [hyperlink,
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19,
2010).
[3] IRS's master file contains the detailed records of taxpayer
accounts. There are several master files, the most significant of
which are the individual master file, which contains tax records of
individual taxpayers, and the business master file, which contains tax
records of corporations and other businesses.
[4] The statute enacting IRS's fiscal year 2009 appropriations
required IRS to set aside a minimum of $6,997,000,000 for tax law
enforcement, and make an additional $490,000,000 available for
enhanced tax law enforcement. See Financial Services and General
Government Appropriations Act, 2009, Pub. L. No. 111-8, div. D, tit.
I, § 105, 123 Stat. 630, 636 (Mar. 11, 2009) (IRS's fiscal year 2009
appropriations act). IRS officials informed us that they interpreted
the act as requiring them to set aside $7,487,000,000 (i.e., the sum
of the two amounts) for fiscal year 2009 tax law enforcement
activities and related support activities.
[5] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999), contains the internal control
standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by 31 U.S.C. §
3512 (c), (d) (commonly referred to as the Federal Managers' Financial
Integrity Act of 1982).
[6] SCCs process tax returns and payments submitted by taxpayers.
[7] Consolidated campuses are SCC locations where the submission
processing function has been eliminated.
[8] Lockbox banks are financial institutions designated as
depositories and financial agents of the U.S. government under
contract with the U.S. Treasury's Financial Management Service to
perform certain financial services, including processing tax
documents, depositing the receipts, and then forwarding the documents
and data to IRS SCCs, which update taxpayers' accounts. During fiscal
year 2009, there were eight lockbox banks processing taxpayer receipts
on behalf of IRS.
[9] TACs are field assistance units, located within IRS's Wage and
Investment operating division, designed to serve taxpayers who choose
to seek help from IRS in person. Services provided include
interpreting tax laws and regulations, preparing tax returns,
resolving inquiries on taxpayer accounts, receiving payments,
forwarding those payments to appropriate SCCs for deposit and further
processing, and performing other services designed to minimize the
burden on taxpayers in satisfying their tax obligations. These offices
are much smaller facilities than SCCs or lockbox banks, with staffing
ranging from 1 to about 35 employees.
[10] Field offices are comprised of various units located within IRS's
Small Business and Self Employed (SB/SE), Large and Mid-Size Business
(LMSB), and Tax-Exempt and Government Entities (TE/GE) operating
divisions that administer tax services to corporations, partnerships,
small businesses, state and Indian tribal governments, major
universities, community organizations, municipalities, pension funds,
and individuals with certain types of nonsalary income.
[11] An unpaid assessment is a legally enforceable claim against a
taxpayer and consists of taxes, penalties, and interest that have been
assessed to the taxpayer but not yet collected or abated (reduced).
[12] Statement of Federal Financial Accounting Standards No. 7,
Accounting for Revenue and Other Financing Sources and Concepts for
Reconciling Budgetary and Financial Accounting, May 10, 1996.
[13] IRS reports federal taxes receivable on its balance sheet, net of
an allowance, for amounts considered uncollectible.
[14] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119]
(Washington, D.C.: Nov. 10, 2008).
[15] IRS's master files contain detailed records of taxpayer accounts.
However, the master files do not contain all the details necessary to
properly classify or estimate collectibility for unpaid tax assessment
accounts.
[16] CDDB uses a series of computer programs that analyze account
information in IRS's master files to classify them into the financial
reporting categories.
[17] CDDB also serves as a subsidiary ledger for tax revenue and
refunds, providing transactional traceability for tax revenue and
refund activity between the general ledger and the detailed records.
[18] An account module is a record in IRS's master files containing
tax assessment, payment, and other information related to a specific
type of tax for a specific period. A taxpayer may have multiple
account modules within IRS's master files under a unique taxpayer
identification number (i.e., Social Security number or an employer
identification number). Each unique account module is identified by
the taxpayer identification number, tax type (e.g., excise tax,
individual tax, payroll tax), and specific tax period (e.g., year,
quarter).
[19] According to federal accounting standards, the self-reporting of
an outstanding tax liability establishes the outstanding balance as a
tax receivable for financial reporting purposes.
[20] When a business willfully fails to collect, account for, or pay
the taxes it is legally required to withhold from its employees'
wages, such as Social Security or individual income tax withholdings
(what is commonly referred to as "trust fund taxes"), IRS assesses
underpayment penalties against the business and may impose an
additional trust fund recovery penalty (TFRP) against the responsible
officers.
[21] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[22] See for example, 26 U.S.C. §§ 6651, 6654-55, 6662, 6672, 7201-03.
[23] See 26 U.S.C. § 6672 and IRM §4.23.9.13, Trust Fund Recovery
Penalty (May 14, 2008).
[24] IRM § 5.7.7.4, Cross Referencing of Payments Made by Responsible
Persons (Apr. 13, 2006). This was the applicable criteria during the
first quarter of fiscal year 2009 for TFRP transactions we tested.
[25] We are 95 percent confident that the error rate does not exceed
15.1 percent. According to IRS, it initiated actions to strengthen
controls in this area. However, IRS believes that the actions taken
thus far have not significantly improved the internal controls and
that control deficiencies continue to exist over TFRP payment
processing during the first half of fiscal year 2010.
[26] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[27] GAO, Internal Revenue Service: Immediate and Long-Term Actions
Needed to Improve Financial Management, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-99-16] (Washington, D.C.: Oct.
30, 1998).
[28] According to IRS, about 15 percent of total TFRP payment
transactions are not processed through ATFR at all but are instead
completely manually processed. Such payments relate primarily to TFRP
assessments that IRS recorded prior to August 2001 using procedures
that prevent ATFR from recognizing related accounts in IRS's master
files.
[29] IRM § 5.19.14, Trust Fund Recovery Penalty (Dec. 22, 2009).
[30] As we have reported in conjunction with our annual audit of IRS's
financial statements for many years, IRS has a long-standing material
weakness in its internal control over unpaid assessments. Most
recently, we reported that (1) balances for unpaid assessments
reported in IRS's financial statements and required supplementary
information were not supported by its general ledger system, (2) IRS
lacked a subsidiary ledger to provide reliable transaction-level
information for unpaid tax assessments, and (3) IRS experienced errors
and delays in recording taxpayer information. Consequently, IRS
currently cannot produce reliable unpaid assessments information for
internal and external reporting due to systemic limitations and errors
in underlying taxpayer accounts, including errors in recording TFRP
payments. See [hyperlink, http://www.gao.gov/products/GAO-10-176].
[31] We are 95 percent confident that the actual error rate of invalid
pre-posted revenue transactions is not more than 45.3 percent.
[32] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[33] OMB Circular No. A-136, Financial Reporting Requirements (rev.
June 10, 2009).
[34] IRS defines a cost center as the lowest level at which IRS
segregates costs. Cost centers are organizational units that capture
costs where someone has control or responsibility. Each cost center
has a manager, a head count, and an assigned physical location.
[35] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[36] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[37] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[38] IRM § 21.4.4.6.1, Duplicate Refund Transcripts (Oct. 1, 2008).
[39] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[40] GAO, Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures, [hyperlink,
http://www.gao.gov/products/GAO-04-553R] (Washington, D.C.: Apr. 26,
2004); Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R]
(Washington, D.C.: Apr. 27, 2005); Management Report: Improvements
Needed in IRS's Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11,
2007); Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-08-368R]
(Washington, D.C.: June 4, 2008); and Management Report: Improvements
are Needed to Enhance IRS's Internal Controls and Operating
Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R]
(Washington, D.C.: June 24, 2009).
[41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[42] IRS requires the use of a transmittal form, such as a Form 795 or
Form 3210, which list the contents of the package when shipping tax
receipts from one IRS location to another.
[43] TAC group managers report to territory managers, who in turn
report to area directors.
[44] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[45] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[46] IDRS is an online data retrieval system that manages data
retrieved from IRS's master files, which contain detailed information
on taxpayers' filings of tax returns and tax-return-related documents.
IDRS allows IRS employees to (1) research taxpayer accounts; (2) enter
transactions, such as collections, adjustments, and abatements; and
(3) automatically generate notices, collection documents, and other
information.
[47] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[48] IRM § 10.8.34.2.1.11, Unit Security Representative (Sept. 1,
2007).
[49] IRM § 10.8.34.2.1.7, IDRS Security Officer (Sept. 1, 2007).
[50] IRM § 10.8.34.2.1.1, Division Commissioners, Chiefs, and Taxpayer
Advocate (Sept. 1, 2007).
[51] Fiscal year 2008 results were included because it was the most
recent year for which IRS could provide complete data at the time of
our review.
[52] Mandatory briefings for fiscal year 2008 included: (1)
Information Protection (Privacy/Disclosure); (2) Safety, Health, and
Environmental Awareness; (3) Prevention of Sexual Harassment; and (4)
Ethics. Mandatory briefings for fiscal year 2009 included (1)
Information Systems Security; (2) Notification and Federal Employee
Anti-Discrimination (No FEAR) Act; (3) Computer Security and
Unauthorized Access; and, (4) Information Protection. Staff in
specific positions may have additional briefing requirements specific
to their position.
[53] The Wage & Investment Division, which is IRS's largest operating
division, scheduled the fiscal year 2009 required briefings for
January through May 2010. Because this division's responsibilities
include processing tax returns, it relies on a large number of
seasonal staff that are only at IRS during these months.
[54] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[55] According to IRS officials, two business units--the Wage &
Investment Division and the Human Capital Office, Leadership,
Education and Delivery Services organization--provide the mandatory
briefings to their staff in a classroom setting.
[56] Other transactions, such as micro purchases up to $3,000, are
processed by business units rather than the Office of Procurement.
[57] A CO must assign a COTR for any contract of $100,000 or more. For
contracts under $100,000, a CO has the option of assigning a COTR. If
a COTR is not assigned to a contract, then the CO assumes the duties
otherwise performed by the COTR.
[58] For these five transactions, a COTR was assigned the
responsibility of confirming receipt with the end user. Of the 116
transactions we tested, 61 were transactions that were processed
through the procurement department. However, because our sample was
designed to test all nonpayroll expense transactions, including
transactions such as travel that do not go through the procurement
department, we are unable to project the exceptions that only applied
to procurement transactions to the entire population.
[59] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[60] For example, appropriated funds that are earmarked for tax law
enforcement may only be used for expenses related to that purpose.
[61] The first instance was identified during our testing of a
statistical sample of 58 undelivered order balances as of August 31,
2009. Based on our testing, we estimate that the value of undelivered
orders that could have the same control error could be as high as
$69.5 million (i.e., the net upper error limit at an 86 percent
confidence level). The second instance was identified during our
testing of a statistical sample of 43 expense transactions under
$50,000 other than payroll expenses as of May 31, 2009. Based on our
testing, we estimate that the value of nonpayroll expense transactions
less than $50,000 that could have the same control error could be as
high as $46.5 million (i.e., the net upper error limit at a 95 percent
confidence level). Because this second sample population consisted of
expenses rather than obligations, we cannot estimate the value of
potential excess obligated funds associated with these expenses.
[62] Agencies generally must obligate funds within their period of
availability or forfeit the ability to incur new obligations with the
funds. In some circumstances, appropriated funds may be awarded for
specific purposes with no time limit on when the funds may be used.
[63] After the appropriation's period of availability has ended,
agencies may use the funds for 5 years to adjust prior-year
obligations made from the same appropriation if needed. After that,
the funds are forfeited. See 31 U.S.C. §§ 1552-53.
[64] In the other instance we identified, the period of availability
expired September 30, 2008; however, the funds could still be
deobligated and used for an upward adjustment of a prior obligation
under that appropriation if needed.
[65] IRM § 1.33.4.2.4.2.4, AUC and AUO Reviews (Jan. 15, 2008).
[66] IRM § 1.33.4.4.4, Unliquidated Commitments/Obligations (Aug. 28,
2006).
[67] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[68] Upward and downward adjustments of prior-year obligations are
adjustments to obligations funded with prior-year appropriations.
[69] Expired funds are netted by obligation identification number and
fund. Unexpired funds are netted by obligation identification number,
fund, and commitment item.
[70] Based on our testing, we estimate that the value of downward
adjustments that could have the same control error could be as high as
$10.4 million (i.e., the net upper error limit at an 86 percent
confidence level).
[71] IRM § 1.33.4.4.3, Commitments/Obligations (Aug. 28, 2006).
[72] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[73] IRS's fiscal year 2009 appropriations act required IRS to set
aside a minimum of $6,997,000,000 for tax enforcement, and make an
additional $490,000,000 available for enhanced tax law enforcement.
See Financial Services and General Government Appropriations Act,
2009, Pub. L. No. 111-8, div. D, tit. I, § 105, 123 Stat. 630, 636
(Mar. 11, 2009). For purposes of this report, we refer to these
requirements as a "set-aside." IRS attorneys and IRS budget officials
informed us that they interpreted the act as requiring them to set
aside $7,487,000,000 (i.e., the sum of the two amounts) for fiscal
year 2009 tax law enforcement and related support activities.
[74] In fiscal year 2009, IRS was funded through a continuing
resolution from October 1, 2008, through March 11, 2009. See
Continuing Appropriations Resolution, 2009, Pub. L. No. 110-329, div.
A, 112 Stat. 3574 (Sept. 30, 2008), as amended by Pub. L. No. 111-6,
123 Stat. 522 (Mar. 6, 2009). A continuing resolution allows federal
agencies to continue operating when their regular appropriations acts
have not been enacted before the beginning of the new fiscal year.
However, they only provide funding for the period of the continuing
resolution and thereby create uncertainty about both the timing and
level of funding that ultimately will be available for the entire
fiscal year.
[75] See, for example, section 131 of the continuing resolution, which
appropriated an additional amount for IRS's "Taxpayer Services" to
meet the requirements of the Economic Stimulus Act of 2008 (P.L. 110-
185), at a rate for operations of $67,900,000. See Continuing
Appropriations Resolution, 2009, Pub. L. No. 110-329, div. A, 112
Stat. 3574, 3579 (Sept. 30, 2008), as amended by Pub. L. No. 111-6,
123 Stat. 522 (Mar. 6, 2009).
[76] As discussed earlier in this report, IRS uses a complex process
to allocate operations support costs--such as rent and facility costs,
technology support, and payroll operation costs--for its major
programs. One of the key factors that affects the amount of operations
support costs allocated to each program is the number of staff
assigned to each.
[77] The continuing resolution (P.L. 110-329) appropriated additional
funds for IRS's taxpayer services at a rate for operations of $67.9
million.
[78] See Financial Services and General Government Appropriations Act,
2009, Pub. L. No. 111-8, div. D, tit. I, § 101, 123 Stat. 630, 636
(Mar. 11, 2009).
[79] See Financial Services and General Government Appropriations Act,
2010, Pub. L. No. 111-117, div. C, tit. I, § 105, 123 Stat. 3159, 3165
(Dec. 16, 2009).
[80] We disagree with IRS that it must invoke its transfer authority
to transfer amounts between its annual appropriations accounts to
effectuate the set-aside. However, IRS may need to initiate
reprogramming actions (i.e., the shifting of funds within its
individual accounts from one program activity to another), which may
be subject to congressional notification requirements.
[81] As described in the cost allocation processing section of this
report, IRS allocates monthly a portion of operation support costs--
which are costs such as rent and technology support that benefit
multiple programs--to each of its major programs. These operations
support costs are considered part of the cost of running those
programs.
[82] See Financial Services and General Government Appropriations Act,
2009, Pub. L. No. 111-8, div. D, tit. I, § 105, 123 Stat. 630, 636
(Mar. 11, 2009).
[83] IRS contends that it must invoke its authority to transfer funds
between its appropriations accounts to use those accounts' funds to
satisfy the set-aside requirement. As noted in our report, we disagree
with this view given that the appropriations act allows IRS to use any
funds made available by the act to satisfy the requirement.
Regardless, IRS must identify the sources of funds to be used to
satisfy the set-aside requirement and take affirmative actions to
ensure such funds are used only for tax law enforcement and related
support activities.
[84] Continuing Appropriations Resolution, 2009, Pub. L. No. 110-329,
div. A, 112 Stat. 3574 (Sept. 30, 2008), as amended by Pub. L. No. 111-
6, 123 Stat. 522 (Mar. 6, 2009). The funding increase was appropriated
at a rate for operations of $67.9 million.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
