Internal Revenue Service
Status of GAO Financial Audit and Related Financial Management Report Recommendations Gao ID: GAO-11-536 June 22, 2011In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation's tax laws. Since its first audit of IRS's financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS's financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS's financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS's efforts to address the weaknesses GAO identified in previous years' audits. The purpose of this report is to (1) provide an overview of the financial management challenges still facing IRS, (2) provide the status of financial audit and financial management-related recommendations and the actions needed to address them, and (3) highlight the relationship between GAO's recommendations and internal control activities central to IRS's mission and goals.
IRS has made progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 11 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of nearly 300 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces significant financial management challenges in (1) resolving its remaining material weaknesses and significant deficiency in internal control, (2) developing outcome-oriented performance metrics, and (3) correcting numerous other internal control issues, especially those relating to safeguarding tax receipts and taxpayer information. At the beginning of GAO's audit of IRS's fiscal year 2010 financial statements, 85 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the underlying issues. During the fiscal year 2010 financial audit, IRS took actions that GAO considered sufficient to close 37 recommendations. At the same time, GAO identified additional internal control issues resulting in 29 new recommendations. In total, 77 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 77 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle for IRS. Effective implementation of GAO's recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management, which are integral to effectively carrying out its tax administration responsibilities. Most recommendations can be addressed within the next year or two. However, a few recommendations, particularly those concerning the functionality of IRS's automated systems, are complex and will require several more years to effectively address. GAO is not making any recommendations in this report. In commenting on a draft of this report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices.
GAO-11-536, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations
This is the accessible text file for GAO report number GAO-11-536
entitled 'Internal Revenue Service: Status of GAO Financial Audit and
Related Financial Management Report Recommendations' which was
released on June 22, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to the Commissioner of Internal Revenue:
June 2011:
Internal Revenue Service:
Status of GAO Financial Audit and Related Financial Management Report
Recommendations:
GAO-11-536:
GAO Highlights:
Highlights of GAO-11-536, a report to the Commissioner of Internal
Revenue.
Why GAO Did This Study:
In its role as the nation‘s tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility to annually collect
trillions of dollars in taxes, process hundreds of millions of tax and
information returns, and enforce the nation‘s tax laws. Since its
first audit of IRS‘s financial statements in fiscal year 1992, GAO has
identified a number of weaknesses in IRS‘s financial management
operations. In related reports, GAO has recommended corrective actions
to address those weaknesses.
Each year, as part of the annual audit of IRS‘s financial statements,
GAO makes recommendations to address any new weaknesses identified and
follows up on the status of IRS‘s efforts to address the weaknesses
GAO identified in previous years‘ audits. The purpose of this report
is to (1) provide an overview of the financial management challenges
still facing IRS, (2) provide the status of financial audit and
financial management–related recommendations and the actions needed to
address them, and (3) highlight the relationship between GAO‘s
recommendations and internal control activities central to IRS‘s
mission and goals.
What GAO Found:
IRS has made progress in improving its internal controls and financial
management since its first financial statement audit in 1992, as
evidenced by 11 consecutive years of clean audit opinions on its
financial statements, the resolution of several material internal
control weaknesses, and actions resulting in the closure of nearly 300
financial management recommendations. This progress has been the
result of hard work throughout IRS and sustained commitment at the top
levels of the agency. However, IRS still faces significant financial
management challenges in (1) resolving its remaining material
weaknesses and significant deficiency in internal control, (2)
developing outcome-oriented performance metrics, and (3) correcting
numerous other internal control issues, especially those relating to
safeguarding tax receipts and taxpayer information. At the beginning
of GAO‘s audit of IRS‘s fiscal year 2010 financial statements, 85
financial management–related recommendations from prior audits
remained open because IRS had not fully addressed the underlying
issues. During the fiscal year 2010 financial audit, IRS took actions
that GAO considered sufficient to close 37 recommendations. At the
same time, GAO identified additional internal control issues resulting
in 29 new recommendations. In total, 77 recommendations remain open.
To assist IRS in evaluating and improving internal controls, GAO
categorized the 77 open recommendations by various internal control
activities, which, in turn, were grouped into three broad control
categories.
Table: Summary of Open Recommendations by Control Category:
Safeguarding of assets and security activities:
Open at the beginning of 2010: 19;
Closed during 2010 audit: 4;
New from 2010 audit: 14;
Total remaining open: 29.
Proper recording and documenting of transactions:
Open at the beginning of 2010: 39;
Closed during 2010 audit: 18;
New from 2010 audit: 9;
Total remaining open: 30.
Effective management review and oversight:
Open at the beginning of 2010: 27;
Closed during 2010 audit: 15;
New from 2010 audit: 6;
Total remaining open: 18.
Total:
Open at the beginning of 2010: 85;
Closed during 2010 audit: 37;
New from 2010 audit: 29;
Total remaining open: 77.
Source: GAO.
[End of table]
The continued existence of internal control weaknesses that gave rise
to these recommendations represents a serious obstacle for IRS.
Effective implementation of GAO‘s recommendations can greatly assist
IRS in improving its internal controls and achieving sound financial
management, which are integral to effectively carrying out its tax
administration responsibilities. Most recommendations can be addressed
within the next year or two. However, a few recommendations,
particularly those concerning the functionality of IRS‘s automated
systems, are complex and will require several more years to
effectively address.
What GAO Recommends:
GAO is not making any recommendations in this report. In commenting on
a draft of this report, IRS stated that it is committed to
implementing appropriate improvements to maintain sound financial
management practices.
View [hyperlink, http://www.gao.gov/products/GAO-11-536] or key
components. For more information, contact Steven J. Sebastian at (202)
512-3406 or sebastians@gao.gov.
[End of section]
Contents:
Letter:
Background:
Scope and Methodology:
IRS Faces Significant Financial Management Challenges:
Status of Recommendations Based on the Fiscal Year 2010 Financial
Statement Audit:
Open Recommendations Grouped by Internal Control Activity:
Concluding Observations:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations from Internal Revenue
Service Financial Audits and Related Management Reports:
Appendix II: Open Recommendations Arranged by Material Weakness,
Significant Deficiency, Compliance, or Other Control Issue:
Appendix III: Comments from the Internal Revenue Service:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Summary of Recommendations Grouped by Control Activity:
Table 2: Open Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
Table 3: Open Recommendation to Improve IRS's Segregation of Duties:
Table 4: Open Recommendations to Improve IRS's Access Restrictions to
and Accountability for Resources and Records:
Table 5: Open Recommendations to Improve IRS's Documentation of
Transactions and Internal Control:
Table 6: Open Recommendations to Improve IRS's Accurate and Timely
Recording of Transactions and Events:
Table 7: Open Recommendations to Improve IRS's Execution of
Transactions and Events:
Table 8: Open Recommendations to Improve IRS's Reviews by Management
at the Functional or Activity Level:
Table 9: Open Recommendation to Improve IRS's Establishment and Review
of Performance Measures and Indicators:
Table 10: Open Recommendations to Improve IRS's Management of Human
Capital:
Table 11: Status of GAO Recommendations from Internal Revenue Service
Financial Audits and Related Management Reports:
Table 12: Material Weakness: Controls over Unpaid Assessments:
Table 13: Significant Deficiency: Tax Refund Disbursements:
Table 14: Compliance with Laws and Regulations: Timely Release of
Liens:
Table 15: Other Control Issues Not Associated with a Material
Weakness, Significant Deficiency, or Compliance Issue:
Abbreviations:
CFO: Chief Financial Officer:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
IRM: Internal Revenue Manual:
IRS: Internal Revenue Service:
OMB: Office of Management and Budget:
SCC: service center campus:
TAC: Taxpayer Assistance Center:
TFRP: Trust Fund Recovery Penalty:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 22, 2011:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Dear Mr. Shulman:
In its role as the nation's tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility to collect taxes, process
tax returns, and enforce the nation's tax laws. In fiscal year 2010,
IRS collected about $2.3 trillion in tax payments, processed hundreds
of millions of tax and information returns, and paid nearly $470
billion in refunds to taxpayers. Because of its role and overall
mission, IRS's activities affect virtually all of the nation's
citizens. It is therefore critical that the agency strive to maintain
sound internal control and financial management practices.
IRS has made much progress in improving its financial management since
it was first required to prepare a set of financial statements nearly
two decades ago. This progress is reflected in IRS's 11-year record of
clean audit opinions on its financial statements and correcting
several material weaknesses[Footnote 1] and significant deficiencies
[Footnote 2] in internal controls over the years. At the same time,
IRS continues to face significant financial management challenges in
achieving the overarching goals of effective federal financial
management--accountability and useful management information. To
enable more effective financial and operational management, IRS needs
to (1) address its remaining material weaknesses and its significant
deficiency in internal control, (2) develop performance metrics that
will enhance its ability to manage for outcomes, and (3) implement
corrective actions to address other identified internal control issues.
An agency's internal control serves as the first line of defense in
safeguarding its assets and in preventing and detecting errors and
fraud, as well as in helping to effectively manage its stewardship
over public resources.[Footnote 3] For many years, IRS has had
weaknesses in internal controls over fundamental elements of its
operations that leave it vulnerable to a greater risk of fraud, waste,
abuse, and mismanagement. During our audit of IRS's fiscal year 2010
financial statements,[Footnote 4] we found that IRS continued to be
challenged with two long-standing material weaknesses in internal
control that are at the heart of its operations--weaknesses in
internal controls over unpaid tax assessments[Footnote 5] and over
information systems security. We also found that IRS had a new
significant deficiency in internal control over tax refund
disbursements. In addition, as in past years, IRS management faces a
challenge in enhancing and using its financial management capabilities
to develop and use outcome-oriented performance metrics[Footnote 6]
critical to providing the foundation upon which an agency can manage
its operations for outcomes. Finally, we identified other internal
control issues that need management attention, in particular several
that relate to safeguarding tax receipts and taxpayer information.
To assist IRS in strengthening its internal controls and improving its
operations, over the years we have made numerous recommendations as
part of our annual financial statement audits and other financial
management-related work at IRS. This report (1) provides an overview
of financial management challenges still facing IRS; (2) describes the
status of financial audit and financial management-related
recommendations and the actions needed to address them, as summarized
in appendix I; and (3) discusses how the unresolved recommendations
relate to control activities central to IRS's mission and goals. To
assist IRS in addressing those control activities, appendix II
provides summary information regarding the primary internal control
issue to which each open recommendation is related. This report does
not include our recommendations related to IRS's information systems
security even though they also are the result of our annual financial
audits and are financial management-related; those recommendations are
reported separately because of the sensitive nature of many of the
issues that give rise to the recommendations.[Footnote 7] We are not
making any new recommendations in this report.
Background:
Internal control is not one event, but a series of activities that
occur throughout an entity's operations and on an ongoing basis.
Internal control should be an integral part of each system that
management uses to regulate and guide its operations rather than as a
separate system within an agency. In this sense, internal control is
management control that is built into the entity as a part of its
infrastructure to help managers run the entity and achieve their goals
on an ongoing basis.
Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires
agencies to establish and maintain effective internal control. The
agency head must annually evaluate and report on the control and
financial systems that protect the integrity of its federal programs.
The requirements of FMFIA serve as an umbrella under which other
reviews, evaluations, and audits should be coordinated and considered
to support management's assertion about the effectiveness of internal
control over operations, financial reporting, and compliance with laws
and regulations.
Office of Management and Budget (OMB) Circular No. A-123, Management's
Responsibility for Internal Control, provides the implementing
guidance for FMFIA, and prescribes the specific requirements for
assessing and reporting on internal controls consistent with the
Standards for Internal Control in the Federal Government (internal
control standards) issued by the Comptroller General of the United
States.[Footnote 8] The circular defines management's responsibilities
related to internal control and the process for assessing internal
control effectiveness, and provides specific requirements for
conducting management's assessment of the effectiveness of internal
control over financial reporting. The circular requires management to
annually provide assurances on internal control and emphasizes the
need for integrated and coordinated internal control assessments that
synchronize all internal control-related activities.[Footnote 9]
FMFIA requires GAO to issue standards for internal control in the
federal government. The internal control standards provide the overall
framework for establishing and maintaining effective internal control
and for identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.
As summarized in the internal control standards, internal control in
the government is defined by the following five elements, which also
provide the basis against which internal controls are to be evaluated:
* Control environment: Management and employees should establish and
maintain an environment throughout the organization that sets a
positive and supportive attitude toward internal control and
conscientious management.
* Risk assessment: Internal control should provide for an assessment
of the risks the agency faces from both external and internal sources.
* Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities should
be effective and efficient in accomplishing the agency's control
objectives.
* Information and communication: Information should be recorded and
communicated to management and others within the entity who need it
and in a form and within a time frame that enables them to carry out
their internal control and other responsibilities.
* Monitoring: Internal control monitoring should assess the quality of
performance over time and ensure that the findings of audits and other
reviews are promptly resolved.
A key objective in our annual audits of IRS's financial statements is
to obtain reasonable assurance that IRS maintained effective internal
control with respect to financial reporting. While we use all five
elements of internal control as a basis for evaluating the
effectiveness of IRS's internal controls, our ongoing evaluations and
tests have focused heavily on control activities, where we have
identified numerous internal control weaknesses and have provided
recommendations for corrective action. Control activities are the
policies, procedures, techniques, and mechanisms that enforce
management's directives. In other words, they are the activities
conducted in the everyday course of business that are intended to
accomplish a control objective, such as ensuring IRS employees
successfully complete background checks prior to being granted access
to taxpayer information and receipts. Control activities are an
integral part of an entity's planning, implementing, reviewing, and
accountability for stewardship of government resources and achievement
of effective results.
Scope and Methodology:
To accomplish our objectives, we evaluated the effectiveness of
corrective actions IRS implemented during fiscal year 2010 in response
to open recommendations as part of our fiscal years 2010 and 2009
financial audits. To determine the current status of the
recommendations, we (1) obtained IRS's reported status of each
recommendation and corrective action taken or planned as of March
2011, (2) compared IRS's reported status to our fiscal year 2010 audit
findings to identify any differences between IRS's and our conclusions
regarding the status of each recommendation, and (3) performed
additional follow-up work to assess IRS's actions taken to address the
open recommendations. For our recommendations to IRS regarding
information security, this report includes only summary data on the
number of those recommendations and their general makeup. Because of
the sensitive nature of many of the issues related to our
recommendations regarding information security, we have reported our
recommendations for corrective action to IRS separately.[Footnote 10]
In order to determine how IRS's open recommendations, including those
identified in our June 2011 management report,[Footnote 11] fit within
the agency's management and internal control structure, we compared
the open recommendations and the issues that gave rise to them to the
(1) control activities listed in the internal control standards, (2)
list of major factors and examples outlined in our Internal Control
Management and Evaluation Tool,[Footnote 12] and (3) criteria and
objectives for federal financial management as discussed in the Chief
Financial Officers Act of 1990(CFO Act) and the Federal Accounting
Standards Advisory Board's (FASAB) Statement of Federal Financial
Accounting Concepts No. 1, Objectives of Federal Financial
Reporting.[Footnote 13] We also considered whether IRS had addressed,
in whole or in part, the underlying control issues that gave rise to
the recommendations; and other legal requirements and implementing
guidance, such as OMB Circular No. A-123 and FMFIA.
Our work was performed from December 2010 through April 2011 in
accordance with generally accepted government auditing standards.
IRS Faces Significant Financial Management Challenges:
IRS continues to make progress in resolving its internal control
weaknesses and addressing outstanding recommendations, but it still
faces significant financial management challenges. Since we first
began auditing IRS's financial statements in fiscal year 1992, IRS has
taken a significant number of actions that enabled us to conclude that
it had effectively resolved several material weaknesses and
significant deficiencies and to close almost 300 of our previously
reported financial management-related recommendations. This includes
37 recommendations we are closing with this report based on actions
IRS took through March 2011.
Nevertheless, IRS continues to face challenges in improving the
effectiveness of its financial and operational management.
Specifically, IRS continues to face management challenges in (1)
resolving its two material weaknesses and one significant deficiency
in internal control, (2) developing performance measures and managing
for outcomes, and (3) addressing its remaining internal control
issues, particularly those dealing with safeguarding of taxpayer
receipts and information. Further, as in previous years' audits, our
fiscal year 2010 audit continued to identify additional internal
control issues, resulting in 29 new recommendations for corrective
action. These issues are discussed in detail in our June 2011
management report to IRS.[Footnote 14] In addition, as noted earlier,
we also identified numerous issues related to information security
during our fiscal year 2010 audit that we reported separately because
of the sensitive nature of many of those issues.[Footnote 15]
We have made numerous recommendations to IRS over the years--including
new recommendations resulting from our fiscal year 2010 financial
audit--to address the issues comprising these weaknesses in internal
control. Successfully implementing these recommendations would assist
IRS in fully resolving these weaknesses. To its credit, IRS continues
to work to address the issues underlying these and other internal
control weaknesses.
Challenges in Resolving Two Long-standing Material Weaknesses and One
Significant Deficiency in Internal Control:
As we reported in our audit of IRS's fiscal year 2010 financial
statements,[Footnote 16] IRS continues to face significant challenges
in resolving its two remaining long-standing material weaknesses in
internal control concerning (1) unpaid tax assessments[Footnote 17]
and (2) information security.
IRS's continuing challenge in addressing its material weakness in
internal control over unpaid tax assessments results from its (1)
inability to use its general ledger and underlying subsidiary records
to report federal taxes receivable, compliance assessments, and
writeoffs in accordance with federal accounting standards without
significant compensating procedures; (2) lack of transaction
traceability for the reported balance in taxes receivable that
comprises over 80 percent of IRS's total assets as of September 30,
2010, and an effective transaction-based subledger for unpaid tax
assessment transactions; and (3) inability to effectively prevent or
timely detect and correct errors in taxpayer accounts. These control
deficiencies are caused primarily by IRS's continued reliance on
software applications that were not designed to provide the accurate,
complete, and timely transaction-level financial information that
management needs to make well-informed decisions or to accumulate and
report financial information in accordance with federal accounting
standards. These problems are likely to continue to exist until these
software applications are either significantly enhanced or replaced.
Successfully addressing these issues is vital and is one of the goals
of IRS's ongoing systems-modernization effort.
IRS's continuing challenge in addressing its material weakness in
internal control over the management of information systems security
is primarily due to IRS not having fully implemented key components of
its information security program. Although IRS has processes in place
intended to monitor and assess its internal controls, these processes
were not always effective. For example, (1) IRS's testing did not
detect many of the vulnerabilities we identified and did not assess a
key application in its current environment, and (2) IRS had not
effectively validated corrective actions reported to resolve
previously identified weaknesses. As we reported in our audit of IRS's
fiscal year 2010 financial statements,[Footnote 18] IRS has made
progress in addressing numerous weaknesses in information security
internal control. However, many of the weaknesses we reported in
previous years remain unresolved and continue to place IRS systems at
risk. For example, IRS (1) continued to allow individuals more access
to sensitive information contained on its network than needed to
perform their assigned duties, (2) had not completed actions to
address a vulnerability in its procurement system that allowed users
to enter commands that bypassed normal application security controls,
and (3) continued to allow visitors unnecessary access to secured
areas at one data center. In addition to unresolved issues, we
identified additional internal control deficiencies, that, along with
the unresolved deficiencies, continued to jeopardize the
confidentiality, integrity, and availability of information processed
by IRS's key systems, and increased the risk of material misstatement
for financial reporting. For example, IRS had not (1) appropriately
secured the database associated with the online system IRS used to
support and manage its computer access request, approval, and review
process; (2) appropriately restricted permissions on the database that
supported an application used for cost allocation of rent-related
data, allowing database users to run operating system commands; (3)
tested the Redesigned Revenue Accounting Control System (RRACS)
[Footnote 19] application security in its current production
environment, which would have enabled IRS to identify weaknesses
compromising IRS's ability to segregate incompatible duties and
jeopardize the integrity of the application's data, and (4) used
encrypted protocols on a server supporting the Electronic Federal Tax
Payment System[Footnote 20] and several internal routers, potentially
exposing user IDs and passwords transmitted in clear text across the
network to inappropriate disclosure and unauthorized use. Until IRS
takes additional steps to implement more comprehensive testing and
effective validation processes, its facilities, computing resources,
and information will remain vulnerable to inappropriate use,
modification, or disclosure, and agency management will have limited
assurance of the integrity and reliability of its financial and
taxpayer information.
In addition to the continuing challenges posed by the two long-
standing material weaknesses concerning unpaid tax assessments and
information security, our audit of IRS's fiscal year 2010 financial
statements[Footnote 21] also identified a significant deficiency in
IRS's internal control over tax refund disbursements. This significant
deficiency, which is the collective result of (1) a multiyear pattern
of our identifying and reporting deficiencies in IRS's internal
control over the processing of manual refunds;[Footnote 22] (2) the
increasing magnitude of manual refunds disbursed; and (3) new
deficiencies associated with the internal controls over the First-Time
Home Buyer Credit (FTHBC),[Footnote 23] increases the risk that IRS
may pay out duplicate or otherwise erroneous tax refunds to which
individuals or businesses are not entitled and for which IRS must use
resources attempting to recover. This new significant deficiency is an
example of the danger of not effectively addressing control
deficiencies as soon as they are identified so that they do not become
a more serious problem. We have reported numerous control deficiencies
associated with manual refund processing since 1999. Nine of those
deficiencies and their associated recommendations remain open, two of
which have been open since 2005.
Challenges in Developing and Implementing Performance Metrics to
Assist in Managing for Outcomes:
As we reported in our audit of IRS's fiscal year 2010 financial
statements,[Footnote 24] IRS continues to face challenges in
developing and instutionalizing the use of financial management
information to assist it in making operational decisions and in
measuring the effectiveness of its programs. IRS has not developed
cost-based (and when appropriate, revenue-based) outcome-oriented
performance measures that would enhance its ability to manage for
outcomes[Footnote 25] and integrated them into its routine management
and decision-making processes or its externally reported performance
metrics.[Footnote 26] Although IRS has developed projected direct tax
return on investment estimates[Footnote 27] for new enforcement (tax
collection) initiatives in its annual budget submissions, it has not
developed similar direct tax return on investment outcome-oriented
performance metrics to determine whether funded initiatives achieve
their originally projected outcomes. Lacking such performance metrics
inhibits IRS's ability to more fully assess and monitor the relative
merits of its existing programs, to evaluate new initiatives, or to
consider alternatives and adjust its strategies as needed. Outcome-
oriented performance metrics based on specific enforcement programs'
costs and revenues would assist IRS in improving its ability to (1)
establish measurable outcome goals, (2) evaluate the relative merits
of various program options, and (3) highlight opportunities for
optimizing the allocation of resources. They could also assist IRS in
more credibly demonstrating to Congress and the public that it is
using its appropriations wisely.
IRS's existing metrics focus on process-oriented workload measures of
program outputs[Footnote 28] rather than on measuring program
outcomes. For example, for its enforcement programs, IRS focuses on
measuring discrete activities within its overall tax collection
efforts, such as the percentage of various types of tax returns
examined, criminal investigations completed, and the number of tax
returns examined and closed. While such output measures can be useful
elements in assessing performance, they are not designed to measure
the contribution each of these activities makes to the collection of
unpaid taxes, nor do they compare the cost of collection activities to
the tax revenue generated. IRS's enforcement metrics do not include
revenue collected--a measure of outcome--compared to the cost of
collection, which could provide useful information on the benefits of
the enforcement programs. In addition, IRS's publicly available
performance metrics do not measure the internal cost of IRS's programs
either in the aggregate or per service or activity performed.[Footnote
29]
As we report in the "Status per IRS" section of appendix I in this
report, IRS has reported that it considers our recommendation to
develop outcome-oriented performance measures and related performance
goals for IRS's enforcement programs and activities to be closed.
[Footnote 30] We do not agree. Part of IRS's justification for closing
the recommendation is that it uses estimates of the cost-benefit
direct tax return on investment analysis to evaluate future scenarios
and to support funding requests for new initiatives in its annual
budget submissions. Using such estimates of prospective return on
investment information is useful for budgetary decision making, but
our recommendation is for IRS to develop outcome data on the actual
results of its programs and activities. We have also previously
recommended that IRS:
* extend the use of return on investment in future budget proposals to
include major enforcement programs,
* develop return on investment data for its enforcement programs using
actual revenue and full cost data and compare actual results to the
projected return on investment data included in its budget request,
and:
* provide Congress with information comparing projected savings to
actual savings in the year following the budget's implementation.
[Footnote 31]
The intent of our recommendations is to encourage IRS to develop
outcome-oriented performance metrics and to use them, along with other
metrics, in resource-allocation decisions. While IRS has not developed
or deployed such metrics for either funded initiatives or for ongoing
enforcement programs and activities, IRS officials informed us they
are considering options to collect direct tax return on investment
data for newly funded enforcement initiatives.
IRS officials also contended that it is not prudent to rely
exclusively on direct tax return on investment as the sole determinant
of resource allocation. As we have reported previously,[Footnote 32]
we acknowledge that IRS must consider other factors besides maximizing
revenue collection and least-cost operations. The fairness of IRS's
implementation of the tax code and treatment of all taxpayers are
important and we are cognizant of the many factors, such as coverage,
that are important considerations when making resource-allocation
decisions. These factors, and the decisions IRS makes about how to
respond to them, have a significant effect on taxpayers, as well as on
tax collections. We also acknowledge that IRS faces challenges in
developing outcome-oriented performance metrics, such as return on
investment, and integrating them into its resource allocation decision-
making process. Furthermore, developing such an approach is important
in order for IRS to make optimum use of its available resources and to
be able to credibly demonstrate it is doing so to Congress and the
public.
IRS's lack of outcome-oriented performance metrics is inconsistent
with federal financial management concepts as embodied in the Federal
Accounting Standards Advisory Board's Statement of Federal Financial
Accounting Concepts No. 1, Objectives of Federal Financial Reporting.
[Footnote 33] In its discussion of financial reporting concepts, FASAB
notes that federal financial data should provide accountability and
decision-useful information on the costs of programs and the outputs
and outcomes achieved, and it should provide data for evaluating
service efforts, costs, and accomplishments.
The absence of outcome metrics is also inconsistent with the
objectives of the CFO Act of 1990. A key objective of the act was for
agencies to routinely develop and use appropriate financial management
information to evaluate program effectiveness, make fully informed
operational decisions, and ensure accountability. While obtaining a
clean audit opinion on its financial statements is important in
itself, it is not the CFO Act's end goal. Rather, the act's end goal
is modern financial management systems that provide reliable, timely,
and useful financial information to support day-to-day decision making
and oversight. Such systems and practices should also provide for the
systematic measurement of both outputs and outcomes.
We have made several recommendations to IRS over the years to address
its financial management challenges in developing internal full cost
data for its programs and activities and for outcome-oriented
performance measures. Successfully addressing the remaining open
recommendations would enhance IRS's ability to effectively manage for
outcomes.
Challenges in Resolving Other Internal Control Issues:
IRS's actions over the years to resolve internal control weaknesses
enabled us to close nearly 300 internal control-related
recommendations. However, IRS also continues to face a challenge in
addressing numerous other unresolved internal control issues in
several aspects of its operations that, while neither individually nor
collectively representing a material weakness or significant
deficiency, nonetheless merit management attention to ensure they are
fully and effectively addressed. IRS now has a total of 57 open audit
recommendations resulting from internal control issues that we report
as "other control issues" in appendix II of this report. While most
were identified during our recent financial audits, some were
identified in our audits from 2005 or earlier. It is incumbent upon
IRS to effectively address these open recommendations and to improve
its system of internal controls so that IRS can identify and correct
potential weaknesses before they can grow into more serious problems.
Forty-four--77 percent--of the 57 "other" open recommendations address
issues related either directly or indirectly to physically
safeguarding of tax receipts and taxpayer information, a critical
element of IRS's responsibilities.[Footnote 34]
IRS processes billions of dollars annually in checks and currency and
other valuable assets, and it must safeguard and account for them to
prevent theft, fraud, and misuse. To do so, IRS has established
physical security, accountability, and accounting policies, processes,
and procedures to manage its activities involving transporting and
accounting for tax receipts and for handling and storing taxpayer
information. Although IRS has made substantial improvements in
safeguarding taxpayer receipts and information since our financial
audits first began identifying serious internal control issues in this
area, the task of ensuring ongoing control over such critical
responsibilities for IRS is a difficult one and requires constant
vigilance. Each year, we continue to identify control issues related
to IRS's safeguarding of taxpayer receipts and information. For
example, our fiscal year 2010 audit identified new internal control
issues and made 18 additional recommendations that related either
directly or indirectly to physically safeguarding taxpayer receipts
and information. The internal control issues encompassed in our open
recommendations cover critical physical security functions, such as:
* transporting taxpayer receipts and sensitive taxpayer information
among IRS facilities and lockbox banks[Footnote 35] and maintaining
physical security at IRS facilities to prevent loss, theft, or the
potential for fraud regarding tax receipts and taxpayer information;
* conducting inspections and audits of the design and operation of
IRS's physical security processes and controls designed to safeguard
tax receipts and taxpayer information;
* conducting appropriate background investigations and screening of
personnel, including contractors, with access to taxpayer information;
and:
* ensuring the proper destruction of documents and equipment to
prevent the inappropriate release of sensitive taxpayer information.
In light of the volume of taxpayer receipts and sensitive taxpayer
files that IRS is responsible for safeguarding, and the implications
for IRS's mission if they are lost, stolen, or the subject of fraud or
misuse, it is critical that IRS fully and effectively resolve the
internal control issues we have identified and work toward continually
improving its internal controls to prevent new issues from arising.
Status of Recommendations Based on the Fiscal Year 2010 Financial
Statement Audit:
In June 2010, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2009 and prior year
financial audits and other financial management-related work.[Footnote
36] In that report, we identified 85 audit recommendations that
remained open and thus required corrective action by IRS. A
significant number of these recommendations have been open for several
years, either because IRS had not taken corrective action or because
the actions taken had not yet effectively resolved the issues that
gave rise to the recommendations.
IRS has continued to work to address many of the internal control
issues to which these open recommendations relate. In the course of
performing our fiscal year 2010 financial audit, we identified
numerous actions IRS took to address many of its internal control
issues. On the basis of IRS's actions, which we were able to
substantiate through our audit, we have closed 37 of our prior years'
recommendations. However, a total of 48 recommendations from prior
years remain open, a significant number of which have been outstanding
for several years. IRS considers another 13 of the prior years'
recommendations to be effectively addressed and therefore closed.
However, we consider them to remain open. For 9 of the 13, in our
view, IRS's actions did not fully address the issue that gave rise to
the recommendations. For the remaining 4, we have not yet been able to
verify the effectiveness of IRS's actions because IRS's corrective
actions are ongoing. (The "Status per IRS" and "Status per GAO"
sections of appendix I provide a summary of both IRS's and our
assessment of IRS's actions on each recommendation.)
During our audit of IRS's fiscal year 2010 financial statements, we
identified additional issues that require corrective action. In our
June 2011 management report to IRS,[Footnote 37] we discussed these
issues, and made 29 new recommendations to address them. Consequently,
a total of 77 financial management-related recommendations need to be
addressed--48 from prior years and 29 new recommendations resulting
from our fiscal year 2010 audit. We consider all of the new
recommendations to be short-term.[Footnote 38] We also consider the
majority of the recommendations outstanding from prior years to be
short-term; however, a few, particularly those concerning the
functionality of IRS's automated systems, are complex and will require
several more years to fully and effectively address.
In addition to the 77 open recommendations from our financial audits
and other financial management-related work, there are 105 additional
open recommendations stemming from our assessment of IRS's information
security controls over key financial systems, information, and
interconnected networks conducted as an integral part of our annual
financial audits. The issues that led to our previously reported and
our newly identified recommendations related to information security
increase the risk of unauthorized disclosure, modification, or
destruction of financial and sensitive taxpayer data. Collectively,
they constitute IRS's material weakness in internal control over
information security for its financial and tax processing systems. As
discussed earlier in this report, recommendations resulting from the
information security issues identified in our annual audits of IRS's
financial statements are reported separately because of the sensitive
nature of many of these issues.[Footnote 39]
Appendix I presents a summary listing of (1) the 85 non-information-
systems security-related recommendations based on our financial
statement audits and other financial management-related work that we
had not previously reported as closed and the 29 new recommendations
based on our fiscal year 2010 financial audit, (2) IRS-reported
corrective actions taken or planned as of March 2011, and (3) our
analysis of whether the issues that gave rise to the recommendations
have been effectively addressed, based primarily on the work performed
during our fiscal year 2010 financial statement audit. The appendix
lists the recommendations by the year in which the recommendation was
made and by report number. Appendix II presents the 77 open
recommendations that remained as a result of closing the
aforementioned 37 recommendations and the addition of 29 new
recommendations from our fiscal year 2010 audit. The recommendations
have been arranged by related material weakness, significant
deficiency, and compliance issue as described in our opinion report on
IRS's financial statements,[Footnote 40] as well as other control
issues we have identified and discussed in our annual management
report to IRS.[Footnote 41]
Open Recommendations Grouped by Internal Control Activity:
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to
them, to internal control activities that are central to IRS's tax
administration responsibilities provides insight regarding their
significance.
Internal control standards consist of five elements--control
environment, risk assessment, control activities, information and
communication, and monitoring.[Footnote 42] For the control activities
element, the internal control standards explain that an agency's
system of internal control should provide for an assessment of the
risks the agency faces from both external and internal sources and
that internal control activities should help ensure that management's
directives are carried out. The control activities should be effective
and efficient in accomplishing the agency's control objectives. The
control activities element defines 11 specific control activities,
which we have grouped into three categories, as shown in table 1. Each
of the unresolved recommendations from our financial audits and
financial management-related work, and the underlying issues that gave
rise to them, can be traced to one of the 11 specific control
activities as shown in table 1.
Table 1: Summary of Recommendations Grouped by Control Activity:
Control activity: Safeguarding of assets and security activities:
Physical control over vulnerable assets:
Open at the beginning of 2010: 11;
Closed during 2010 audit: 0;
New from 2010 audit: 11;
Total remaining open: 22;
Percentage: 29%.
Segregation of duties:
Open at the beginning of 2010: 3;
Closed during 2010 audit: 2;
New from 2010 audit: 0;
Total remaining open: 1;
Percentage: 1%.
Controls over information processing:
Open at the beginning of 2010: 0;
Closed during 2010 audit: 0;
New from 2010 audit: 0;
Total remaining open: 0;
Percentage: 0.
Access restrictions to and accountability for resources and records:
Open at the beginning of 2010: 5;
Closed during 2010 audit: 2;
New from 2010 audit: 3;
Total remaining open: 6;
Percentage: 8%.
Control activity: Safeguarding of assets and security activities:
Subtotal;
Open at the beginning of 2010: 19;
Closed during 2010 audit: 4;
New from 2010 audit: 14;
Total remaining open: 29;
Percentage: 38%.
Control activity: Proper recording and documenting of transactions:
Appropriate documentation of transactions and internal controls:
Open at the beginning of 2010: 18;
Closed during 2010 audit: 8;
New from 2010 audit: 3;
Total remaining open: 13;
Percentage: 17%.
Accurate and timely recording of transactions and events:
Open at the beginning of 2010: 20;
Closed during 2010 audit: 10;
New from 2010 audit: 5;
Total remaining open: 15;
Percentage: 19%.
Proper execution of transactions and events:
Open at the beginning of 2010: 1;
Closed during 2010 audit: 0;
New from 2010 audit: 1;
Total remaining open: 2;
Percentage: 3%.
Control activity: Proper recording and documenting of transactions:
Subtotal;
Open at the beginning of 2010: 39;
Closed during 2010 audit: 18;
New from 2010 audit: 9;
Total remaining open: 30;
Percentage: 39%.
Control activity: Effective management review and oversight:
Reviews by management at the functional or activity level:
Open at the beginning of 2010: 15;
Closed during 2010 audit: 8;
New from 2010 audit: 6;
Total remaining open: 13;
Percentage: 17%.
Establishment and review of performance measures and indicators:
Open at the beginning of 2010: 3;
Closed during 2010 audit: 2;
New from 2010 audit: 0;
Total remaining open: 1;
Percentage: 1%.
Management of human capital:
Open at the beginning of 2010: 8;
Closed during 2010 audit: 4;
New from 2010 audit: 0;
Total remaining open: 4;
Percentage: 5%.
Top-level reviews of actual performance:
Open at the beginning of 2010: 1;
Closed during 2010 audit: 1;
New from 2010 audit: 0;
Total remaining open: 0;
Percentage: 0.
Control activity: Effective management review and oversight: Subtotal;
Open at the beginning of 2010: 27;
Closed during 2010 audit: 15;
New from 2010 audit: 6;
Total remaining open: 18;
Percentage: 23%.
Control activity: Total;
Open at the beginning of 2010: 85;
Closed during 2010 audit: 37;
New from 2010 audit: 29;
Total remaining open: 77;
Percentage: 100%.
Source: GAO.
[End of table]
As table 1 indicates, 29 (38 percent) of the unresolved
recommendations relate to IRS's controls over safeguarding of assets
and security activities, 30 (39 percent) relate to issues associated
with IRS's ability to properly record and document transactions, and
18 (23 percent) relate to issues associated with IRS's management
review and oversight.[Footnote 43]
In the following section, we group the 77 open recommendations under
the specific control activity to which the condition that gave rise to
them most appropriately fits. We define each control activity as
presented in the internal control standards and briefly identify some
of the key IRS operations that fall under that control activity.
Although not comprehensive, the descriptions are intended to help
explain why actions to strengthen these control activities are
important for IRS to efficiently and effectively carry out its overall
mission. Each control activity description includes a table of the
related open recommendations. The tables list the recommendations by
the year in which we made them (ID noumber). For each recommendation,
we also indicate whether it is a short-term or long-term
recommendation. We characterized a recommendation as short-term when
we believe that IRS had the capability to implement solutions within 2
years of the year in which we first reported the recommendations. Note
that for the internal control activity "top-level reviews of actual
performance," IRS addressed the outstanding recommendation from prior
years that related to this control activity, and we identified no new
issues during our fiscal year 2010 financial audit that relate to this
control activity.
Safeguarding of Assets and Security Activities:
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of
the most important control activities at IRS is the safeguarding of
assets. Internal control in this important area should be designed to
provide reasonable assurance regarding prevention or prompt detection
of unauthorized acquisition, use, or disposition of an agency's
assets. IRS has outstanding recommendations in the following three
control activities in the internal control standards that relate to
safeguarding of assets (including buildings and equipment as well as
tax receipts) and security activities (such as limiting access to only
authorized personnel): (1) physical control over vulnerable assets,
(2) segregation of duties, and (3) access restrictions to, and
accountability for, resources and records.
Physical Control over Vulnerable Assets:
[Text box: Internal control standard: An agency must establish
physical control to secure and safeguard vulnerable assets. Examples
include security for and limited access to assets such as cash,
securities, inventories, and equipment which might be vulnerable to
risk of loss or unauthorized use. Such assets should be periodically
counted and compared to control records. End of text box]
Of the trillions of dollars in taxes that IRS collects each year,
hundreds of billions is collected in the form of checks and cash
accompanied by tax returns and related information.[Footnote 44] IRS
collects taxes both at its own facilities as well as at lockbox banks.
[Footnote 45] IRS acts as custodian for (1) the tax payments it
receives until they are deposited in the General Fund of the U.S.
Treasury and (2) the tax returns and related information it receives
until they are either sent to the Federal Records Center or destroyed.
IRS is also charged with controlling many other assets, such as
computers and other equipment, but it is IRS's legal responsibility to
safeguard tax returns and the confidential information taxpayers
provide on those returns that makes the effectiveness of IRS's
internal controls over physical security essential to accomplishing
its mission.
While effective physical safeguards over receipts should exist
throughout the year, such safeguards are especially important during
the peak tax filing season. Each year during the weeks preceding and
shortly after April 15, an IRS service center[Footnote 46] or lockbox
bank may receive and process daily over 100,000 pieces of mail
containing returns, receipts, or both. The dollar value of receipts
each service center and lockbox bank processes increases to hundreds
of millions of dollars a day during the April 15 time frame.
The following 22 open recommendations in table 2 are designed to
improve IRS's physical controls over vulnerable assets. They include
recommendations for IRS to improve controls over (1) physical security
at its Taxpayer Assistance Centers (TAC),[Footnote 47] (2) courier
activities, (3) lockbox banks' handling of unprocessable items,
[Footnote 48] (4) the handling of hardcopy cash receipts, and (5)
property and equipment disposal procedures. We consider all of these
recommendations to be correctable on a short-term basis.
Table 2: Open Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets:
ID number: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers (TAC) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS
units, including those TACs that are not scheduled to be reconfigured
to the "new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term).
ID number: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
service center campus' (SCC) perimeter, such as adding or
repositioning existing CCTV cameras or removing obstructions. (short-
term).
ID number: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed or
shipped out, or both. (short-term).
ID number: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term).
ID number: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term).
ID number: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term).
ID number: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each Taxpayer Assistance Center (TAC)
location to ensure that the inventory is current and complete as of
the testing date. (short-term).
ID number: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term).
ID number: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term).
ID number: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term).
ID number: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses (SCC) and lockbox banks to acknowledge and
track transmittals of unprocessable items with receipts. These
procedures should include monitoring discrepancies and instituting
appropriate corrective actions as needed. (short-term).
ID number: 11-08;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring cash receipts to be immediately
logged under dual control when first discovered in the mail room.
(short-term).
ID number: 11-09;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring mail room staff to maintain custody
of the control log at all times. (short-term).
ID number: 11-10;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring the amount of cash receipts initially
discovered in the mail room to be independently reconciled to the
amount deposited and recorded in the general ledger. (short-term).
ID number: 11-14;
Recommendation: Establish procedures to provide a consistent
methodology for calculating and establishing allowable deposit courier
trip time limits to be used by both service center campuses (SCCs) and
lockbox banks that would assist in detecting potential unauthorized
stops or other contractual violations by deposit couriers. Such
procedures should include instructions for documenting and supporting
how the trip limits were determined and require justification and
approval for all established time limits that exceed the average trip
time. (short-term).
ID number: 11-15;
Recommendation: Establish procedures to require periodic reassessments
of and updates to deposit courier allowable trip time limits to
account for changes in courier routes or other conditions that may
affect trip times. (short-term).
ID number: 11-16;
Recommendation: Enforce existing contractual requirements for the
cargo doors of contract courier vehicles to be locked after picking up
taxpayer information. (short-term).
ID number: 11-17;
Recommendation: Establish procedures to prevent or detect unauthorized
access to taxpayer information in contract courier vehicles during
transit. These procedures should detail specific activities to be
performed by both the business unit sending and receiving the
information transported by the contract courier. (short-term).
ID number: 11-18;
Recommendation: Revise the guidance for conducting the periodic
reviews of the contract couriers transporting taxpayer information
from one IRS processing facility to another to include procedures for
(1) physically verifying that courier vehicle cargo doors are locked
after picking up this information and remain locked during transit to
the final destination, and (2) documenting the basis for the
reviewer's conclusions. (short-term).
ID number: 11-27;
Recommendation: Finalize procedures requiring that copier hard drives
be removed and destroyed or otherwise appropriately cleaned before
disposing of copiers. (short-term).
ID number: 11-28;
Recommendation: Revise the IRM to incorporate the new copier disposal
procedures that require that copier hard drives be removed and
destroyed or otherwise appropriately cleaned before disposing of
copiers. (short-term).
ID number: 11-29;
Recommendation: Issue a memorandum to all business units reminding
them that only designated Real Estate Facilities Management (REFM)
staff are authorized to dispose of copiers. (short-term).
Source: GAO.
[End of table]
Segregation of Duties:
[Text box: Internal control standard: Key duties and responsibilities
need to be divided or segregated among different people to reduce the
risk of error or fraud. This should include separating the
responsibilities for authorizing transactions, processing and
recording them, reviewing the transactions, and handling any related
assets. No one individual should control all key aspects of a
transaction or event. End of text box]
As noted in the previous section, IRS employees process hundreds of
billions of dollars in tax receipts in the form of cash and checks.
Consequently, it is critical that IRS maintain appropriate separation
of duties to allow for adequate oversight of staff and protection of
these vulnerable resources so that no single individual would be in a
position of causing an error or irregularity, or potentially
converting the asset to personal use, and then concealing it. For
example, when an IRS field office receives taxpayer receipts and
returns, it is responsible for depositing the cash and checks in a
depository institution and forwarding the related taxpayer information
received, such as tax returns, to an IRS service center for further
processing. In order to adequately safeguard receipts from theft, the
person responsible for recording the information from the taxpayer
receipts on a voucher should be different from the individual who
prepares those receipts for transmittal to the service center for
further processing.
Implementing the following recommendation in table 3 would help IRS
improve its separation of duties, which will in turn strengthen
controls over tax receipts. This recommendation is short-term in
nature.
Table 3: Open Recommendation to Improve IRS's Segregation of Duties:
ID number: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term).
Source: GAO.
[End of table]
Access Restrictions to and Accountability for Resources and Records:
[Text box: Internal control standard: Access to resources and records
should be limited to authorized individuals, and accountability for
their custody and use should be assigned and maintained. Periodic
comparison of resources with the recorded accountability should be
made to help reduce the risk of errors, fraud, misuse, or unauthorized
alteration. End of text box]
Because IRS is responsible for maintaining accountability over a large
volume of cash and checks, it is imperative that it maintain strong
controls to appropriately restrict access to those assets, the records
relied on to track those assets, and sensitive taxpayer information.
Although IRS has a number of both physical and information systems
controls in place, some of the issues we have identified in our
financial audits over the years pertain to ensuring that (1) those
individuals who have direct access to cash and checks are
appropriately vetted, such as through appropriate background
investigations, before being granted access to taxpayer receipts and
information and (2) IRS maintains effective access security control.
The following six short-term recommendations in table 4 are intended
to help IRS improve its access restrictions to assets and records.
Table 4: Open Recommendations to Improve IRS's Access Restrictions to
and Accountability for Resources and Records:
ID number: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to Taxpayer Assistance
Centers (TAC) and other field offices. (short-term).
ID number: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 (Recommendation for Juvenile Employment)
by contacting the reference directly and documenting the details of
this contact. (short-term).
ID number: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term).
ID number: 11-11;
Recommendation: Perform a review of all existing contracts under
$100,000 that (1) do not have an appointed contracting officer's
technical representative (COTR) and (2) do not require that contract
employees obtain background investigations to assess whether the
services performed under each contract warrant a requirement that
contract employees obtain background investigations. (short-term).
ID number: 11-12;
Recommendation: Based on a review of all existing contracts under
$100,000 without an appointed contracting officer's technical
representative (COTR) that should require contract employees to obtain
favorable background investigation results, amend those contracts to
require that favorable background investigations be obtained for all
relevant contract employees before routine, unescorted, unsupervised
physical access to taxpayer information is granted. (short-term).
ID number: 11-13;
Recommendation: Establish a policy requiring collaborative oversight
between IRS's key offices in determining whether potential service
contracts involve routine, unescorted, unsupervised physical access to
taxpayer information, thus requiring background investigations,
regardless of contract award amount. This policy should include a
process for the requiring business unit to communicate to the Office
of Procurement and the Human Capital Office the services to be
provided under the contract and any potential exposure of taxpayer
information to contract employees providing the services, and for all
three units to (1) evaluate the risk of exposure of taxpayer
information prior to finalizing and awarding the contract and (2)
ensure that the final contract requires favorable background
investigations as applicable, commensurate with the assessed risk.
(short-term).
Source: GAO.
[End of table]
Proper Recording and Documenting of Transactions:
IRS has a number of internal control issues related to recording
transactions, documenting events, and tracking the processing of
taxpayer receipts or information. IRS has outstanding recommendations
in the following three control activities related to proper recording
and documenting of transactions: (1) appropriate documentation of
transactions and internal controls, (2) accurate and timely recording
of transactions and events, and (3) proper execution of transactions
and events.
Appropriate Documentation of Transactions and Internal Control:
[Text box: Internal control standard: Internal control and all
transactions and other significant events need to be clearly
documented, and the documentation should be readily available for
examination. The documentation should appear in management directives,
administrative policies, or operating manuals and may be in paper or
electronic form. All documentation and records should be properly
managed and maintained. End of text box]
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under
contract to process taxpayer receipts for the federal government.
Therefore, it is important that IRS maintain effective controls to
ensure that all documents and records are properly and timely
recorded, managed, and maintained both at its facilities and at the
lockbox banks. In this regard, it is critical that IRS adequately
document and disseminate its procedures to ensure that they are
available for IRS employees. IRS must also document its management
reviews of controls, such as those regarding refunds and returned
checks, document transmittals, and reviews of TAC operations. To
ensure future availability of adequate documentation, IRS must ensure
that (1) its systems, particularly those now being developed and
implemented, have appropriate capability to identify and trace
individual transactions and (2) all critical steps in its accounting
processes are adequately documented. Resolving the following 13
recommendations in table 5 would assist IRS in improving its
documentation of transactions and related internal control procedures.
All of these recommendations have been classified as short-term.
Table 5: Open Recommendations to Improve IRS's Documentation of
Transactions and Internal Control:
ID number: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term).
ID number: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term).
ID number: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including service center campuses (SCC), Taxpayer
Assistance Centers (TAC), and units within the Large and Mid-sized
Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE)
business operating units, establish a system to track acknowledged
copies of document transmittals. (short-term).
ID number: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term).
ID number: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
Taxpayer Assistance Center (TAC) managers in conducting reviews of
outlying TACs and documenting the results. This guidance should
include a description of the key controls that should be in place at
outlying TACs, specify how often these key controls should be
reviewed, and specify how the results of each review should be
documented, including follow-up on issues identified in previous TAC
reviews. (short-term).
ID number: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
Trust Fund Recovery Penalty (TFRP) payments processed through the
Automated Trust Fund Recovery (ATFR) system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term).
ID number: 10-15;
Recommendation: Revise the IRM to require IRS's Central Insolvency
Operation (CIO) to timely provide service center campuses (SSC) an
acknowledgment of receipt for each form 3210 transmittal related to a
duplicate refund transcript sent to them by a service center campus
for review. (short-term).
ID number: 10-16;
Recommendation: Revise the IRM to require service center campuses
(SCC) to verify that an acknowledgment of receipt has been received
from IRS's Central Insolvency Operation (CIO) for 100 percent of the
form 3210 transmittals related to duplicate refund transcripts they
have forwarded to CIO for review. (short-term).
ID number: 10-17;
Recommendation: Revise the IRM to require service center campuses
(SCC) to resolve any instances in which an acknowledgment of receipt
for a form 3210 transmittal related to duplicate refund transcripts is
not received. (short-term).
ID number: 10-26;
Recommendation: Review the Taxpayer Assistance Center Security and
Remittance Review Database (TSRRD) for clarity and revise review
questions as appropriate. (short-term).
ID number: 11-19;
Recommendation: Revise the IRM to include a comprehensive process that
Small Business Self Employed (SBSE) unit managers should follow when
performing reviews of the document transmittal process for determining
whether staff are (1) maintaining control copies of document
transmittal forms, (2) reconciling all document transmittal forms on a
biweekly basis to ensure that all transmittals were received, and (3)
following up on transmittals that are not timely acknowledged. (short-
term).
ID number: 11-20;
Recommendation: Revise the IRM to include specifying minimally
acceptable steps the Small Business Self Employed (SBSE) unit managers
should follow in documenting the results of required reviews of the
document transmittal process. (short-term).
ID number: 11-24;
Recommendation: Revise the post orders for the service center campuses
(SCC) and lockbox bank security guards to include specific procedures
for timely reporting exterior lighting outages to SCC or lockbox bank
facilities management. These procedures should specify (1) whom to
contact to report lighting outages and (2) how to document and track
lighting outages until resolved. (short-term).
Source: GAO.
[End of table]
Accurate and Timely Recording of Transactions and Events:
[Text box: Internal control standard: Transactions should be promptly
recorded to maintain their relevance and value to management in
controlling operations and making decisions. This applies to the
entire process or life cycle of a transaction or event from the
initiation and authorization through its final classification in
summary records. In addition, control activities help to ensure that
all transactions are completely and accurately recorded. End of text
box]
IRS maintains sensitive records for tens of millions of taxpayers in
addition to maintaining its own financial records. To maintain these
records, IRS often has to rely on outdated computer systems or manual
work-arounds. Unfortunately, some of IRS's recordkeeping difficulties
we have reported on over the years will not be fully addressed until
it can replace its aging systems; an effort that is long-term and, in
part, dependent on obtaining future funding.
Implementation of the following 15 recommendations in table 6 would
strengthen IRS's recordkeeping abilities. Thirteen of these
recommendations are short-term, and 2 are long-term regarding
requirements for new systems for maintaining taxpayer records. Several
of the recommendations listed deal with financial reporting processes,
such as maintaining subsidiary records, recording budgetary
transactions, and tracking program costs. Some of the issues that gave
rise to several of our recommendations directly affect taxpayers, such
as those involving duplicate assessments, errors in calculating and
reporting manual interest, errors in calculating penalties, and
collection of trust fund recovery penalty assessments. Two of these
recommendations have remained open for 10 years or more, reflecting
the complex nature of the underlying systems issues that must be
resolved to fully address some of these control deficiencies.
Table 6: Open Recommendations to Improve IRS's Accurate and Timely
Recording of Transactions and Events:
ID number: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term).
ID number: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term).
ID number: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term).
ID number: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in the Custodial Detail Data Base
(CDDB) resulted in misclassifications of account balances that, in
turn, resulted in material inaccuracies in the amounts of reported
unpaid assessments. (short-term).
ID number: 10-02;
Recommendation: Research and implement programming changes to allow
the Custodial Detail Data Base (CDDB) to more accurately classify such
accounts among the three categories of unpaid tax assessments. (short-
term).
ID number: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that materially affect the
financial reporting of unpaid tax assessments. (short-term).
ID number: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that materially affect the financial
reporting of unpaid tax assessments, implement control procedures to
routinely prevent, or to detect and correct, such errors. (short-term).
ID number: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment
transactions so that specific factors causing the errors are
identified. (short-term).
ID number: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of Trust Fund Recovery Penalty (TFRP) payment
transactions identified through the analyses of the quarterly review
results. (short-term).
ID number: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term).
ID number: 11-04;
Recommendation: Establish formal written procedures requiring staff to
review purchase contract terms against the goods and services received
to date before requesting additional goods or services. (short-term).
ID number: 11-05;
Recommendation: Establish procedures to centrally review and monitor
the timeliness of personnel action requests and approvals to help
ensure compliance with the IRM and applicable Office of Personnel
Management (OPM) regulations and guidance. (short-term).
ID number: 11-06;
Recommendation: Adopt the local field office's timekeeping procedures
or similar procedures for entering and verifying the accuracy of time
and attendance information entered into the Single Entry Time
Reporting System (SETR) throughout IRS for use by all units in which
employees do not enter their own time charges directly to SETR. (short-
term).
ID number: 11-07;
Recommendation: Further revise the detailed procedures for
implementing the requirement to validate the appropriateness of the
National Finance Center (NFC) programming changes after such changes
are made. These revisions should (1) clarify the criteria for
determining which programming changes will be subject to validation,
(2) identify officials responsible for making and documenting these
determinations, and (3) require post-implementation statistical
sampling from a targeted population that consists of employees who are
most likely to be affected by the NFC programming changes. (short-
term).
ID number: 11-26;
Recommendation: Take steps to effectively implement the procedures
requiring property staff to verify that the asset purchase price shown
in the Asset Management Report agrees with the asset purchase price
shown in the Integrated Financial System (IFS) and to resolve any
variances before entering the information into the Information
Technology Asset Management System (ITAMS). (short-term).
Source: GAO.
[End of table]
Proper Execution of Transactions and Events:
[Text box: Internal control standard: Transactions and other
significant events should be authorized and executed only by persons
acting within the scope of their authority. This is the principal
means of ensuring that only valid transactions to exchange, transfer,
use, or commit resources and other events are initiated or entered
into. Authorizations should be clearly communicated to managers and
employees. End of text box]
Each year, IRS spends approximately $250 million to cover the cost of
its employees' travel in addition to entering into agreements with,
and receiving services from, vendors. Failure to ensure that employees
obtain appropriate authorizations for their travel or approval for
procurements leaves the IRS open to fraud, waste, or abuse. IRS's
actions to address the following two short-term recommendations in
table 7 would improve IRS's controls over travel costs and approvals
for the procurement of goods and services.
Table 7: Open Recommendations to Improve IRS's Execution of
Transactions and Events:
ID number: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term).
ID number: 11-03;
Recommendation: Send out a reminder to all staff to follow policies
and procedures for obtaining approval and funding of proposed
purchases prior to entering into an agreement with vendors. (short-
term).
Source: GAO.
[End of table]
Effective Management Review and Oversight:
All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set
the objectives, put control activities in place, and monitor and
evaluate controls to ensure that they are followed. Without adequate
monitoring by managers, there is a risk that internal control
activities may not be carried out effectively and in a timely manner.
IRS has outstanding recommendations in the following four control
activities related to effective management review and oversight: (1)
reviews by management at the functional or activity level, (2)
establishment and review of performance measures and indicators, (3)
management of human capital, and (4) top-level reviews of actual
performance.
Reviews by Management at the Functional or Activity Level:
[Text box: Internal control standard: Managers need to compare actual
performance to planned or expected results throughout the organization
and analyze significant differences. End of text box]
IRS employs over 100,000 full-time and seasonal employees. In
addition, IRS is also responsible for overseeing lockbox banks
processing tens of thousands of individual receipts, totaling hundreds
of billions of dollars. Effective management oversight of operations
is important at any organization, but is imperative at IRS given its
mission.
Implementing the following 12 short-term and 1 long-term
recommendations in table 8 would improve IRS's management oversight of
several areas of its operations, including monitoring of contractor
and off-site processing facilities, release of tax liens, and issuance
of manual refunds.
Table 8: Open Recommendations to Improve IRS's Reviews by Management
at the Functional or Activity Level:
ID number: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term).
ID number: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term).
ID number: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term).
ID number: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term).
ID number: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
Taxpayer Assistance Center (TAC) location, group, territory, area, and
nationwide. (long-term).
ID number: 10-06;
Recommendation: Formalize and implement the quarterly reviews of Trust
Fund Recovery Penalty (TFRP) payment transactions to monitor
compliance with IRM requirements. (short-term).
ID number: 10-33;
Recommendation: Establish procedures requiring the Director of IRS's
Human Capital Office, Leadership, Education and Delivery Services (HCO
LEADS) or designee to periodically monitor each business unit's
progress in complying with mandatory briefing requirements. (short-
term).
ID number: 11-01;
Recommendation: Put procedures in place to periodically monitor the
effectiveness of the new First-Time Home Buyers Credit (FTHBC)
validity check for the duration of the filing of FTHBC claims to
verify it is working as intended. (short-term).
ID number: 11-02;
Recommendation: Establish a mechanism to enforce the existing
requirement for appropriate managers to immediately notify the manual
refund units of any personnel changes affecting the approval or
processing of manual refunds. This may be accomplished through
mechanisms such as issuing periodic alerts, providing training or
having the manual refund unit perform quarterly validations of the
list of manual refund approving officials, or a combination of these.
(short-term).
ID number: 11-21;
Recommendation: Define and specify in the IRM which types of IRS
facilities constitute a processing facility. (short-term).
ID number: 11-22;
Recommendation: Perform an assessment of off-site processing
facilities to determine the frequency with which compliance reviews
should be performed for these locations commensurate with the specific
operational activities performed and the assessed level of risk
associated with the facility. (short-term).
ID number: 11-23;
Recommendation: Based on the results of an assessment of off-site
processing facilities that process taxpayer receipts and related
taxpayer information, revise the IRM to specify the frequency with
which compliance reviews should be performed at these facilities.
(short-term).
ID number: 11-25;
Recommendation: Revise the nature and scope of the service center
campuses' (SCC) and lockbox banks' physical security reviews to
include periodic after dark assessments of physical security controls.
(short-term).
Source: GAO.
[End of table]
Establishment and Review of Performance Measures and Indicators:
[Text box: Internal control standard: Activities need to be
established to monitor performance measures and indicators. These
controls could call for comparisons and assessments relating different
sets of data to one another so that analyses of the relationships can
be made and appropriate actions taken. Controls should also be aimed
at validating the propriety and integrity of both organizational and
individual performance measures and indicators. End of text box]
IRS's operations include a wide range of activities, including
educating taxpayers, processing taxpayer receipts and data, disbursing
hundreds of billions of dollars in refunds to millions of taxpayers,
maintaining extensive information on tens of millions of taxpayers,
and seeking collection from individuals and businesses that fail to
comply with the nation's tax laws. Within its compliance function, IRS
has numerous activities, including identifying businesses and
individuals that underreport income, collecting from taxpayers who do
not pay taxes, and collecting from those receiving refunds for which
they are not entitled. Although IRS has at its peak over 100,000
employees, it still faces resource constraints in attempting to
fulfill its duties. It is vitally important for IRS to have sound
performance measures to assist it in assessing its performance and
targeting its resources to maximize the government's return on
investment.
The following long-term recommendation in table 9 is designed to
assist IRS in (1) evaluating its operations and (2) determining which
activities are the most beneficial. This recommendation is directed at
improving IRS's ability to measure and evaluate the internal costs,
direct benefits, and outcomes of its operations--particularly with
regard to identifying its most cost-effective tax collection
activities.
Table 9: Open Recommendation to Improve IRS's Establishment and Review
of Performance Measures and Indicators:
ID number: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term).
Source: GAO.
[End of table]
Management of Human Capital:
[Text box: Internal control standard: Effective management of an
organization‘s workforce”its human capital”is essential to achieving
results and an important part of internal control. Management should
view human capital as an asset rather than a cost. Only when the right
personnel for the job are on board and are provided the right
training, tools, structure, incentives, and responsibilities is
operational success possible. Management should ensure that skill
needs are continually assessed and that the organization is able to
obtain a workforce that has the required skills that match those
necessary to achieve organizational goals. Training should be aimed at
developing and retaining employee skill levels to meet changing
organizational needs. Qualified and continuous supervision should be
provided to ensure that internal control objectives are achieved.
Performance evaluation and feedback, supplemented by an effective
reward system, should be designed to help employees understand the
connection between their performance and the organization‘s success.
As a part of its human capital planning, management should also
consider how best to retain valuable employees, plan for their
eventual succession, and ensure continuity of needed skills and
abilities. End of text box]
IRS's operations cover a wide range of technical activities requiring
specific expertise in tax-related matters; financial management; and
systems design, development, and maintenance. Because IRS has tens of
thousands of employees spread throughout the country, it is imperative
that management establish and maintain up-to-date guidance and provide
appropriate training for its staff. Taking action to implement the
following four short-term recommendations in table 10 would assist IRS
in its management of human capital.
Table 10: Open Recommendations to Improve IRS's Management of Human
Capital:
ID number: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term).
ID number: 10-27;
Recommendation: Provide training to Taxpayer Assistance Center (TAC)
group managers to assist with their understanding of the TAC Security
and Remittance Review Database (TSRRD) review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term).
ID number: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all service center campus Unit Security
Representatives (USR) to complete (1) the required initial USR
training prior to assuming their responsibilities, and (2) annual
refresher training each year thereafter. (short-term).
ID number: 10-32;
Recommendation: Establish a process to periodically review and update
service center campus Unit Security Representatives (USR) training
materials as appropriate. (short-term).
Source: GAO.
[End of table]
Concluding Observations:
Increased budgetary pressures and an increased public awareness of the
importance of internal control have served to provide additional
pressure on IRS to carry out its mission more efficiently and
effectively while continuing to protect taxpayers' information.
Sound financial management and effective internal controls are
essential if IRS is to efficiently and effectively achieve its goals.
IRS has made substantial progress in improving its financial
management and internal control since its first financial audit, as
evidenced by unqualified audit opinions on its financial statements
for the past 11 years, resolution of several material internal control
weaknesses, significant deficiencies, and other control issues, and
actions taken resulting in the closure of hundreds of financial
management recommendations. This progress has been the result of hard
work by many individuals throughout IRS and sustained commitment of
IRS leadership. Nonetheless, more needs to be done to fully address
the agency's continuing financial management challenges--resolving
material weaknesses and significant deficiencies in internal control;
developing outcome-oriented performance metrics that can facilitate
managing operations for outcomes; and correcting numerous other
internal control issues. Effective implementation of the
recommendations we have made through our financial audits and related
work could greatly assist IRS in improving its internal controls and
achieving sound financial management.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS expressed its
appreciation for our acknowledgment of the agency's progress in
addressing its financial management challenges as evidenced by our
closure of 37 open financial management recommendations from prior GAO
reports. IRS also commented that it is committed to implementing
appropriate improvement to ensure that it maintains sound financial
management practices. We will review the effectiveness of further
corrective actions IRS has taken or will take to address all open
recommendations as part of our audit of IRS's fiscal year 2011
financial statements.
We are sending copies of this report to the Chairmen and Ranking
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term
Growth, Senate Committee on Finance. We are also sending copies to the
Chairmen and Ranking Members of the House Committee on Appropriations;
House Committee on Ways and Means; the Chairman and Vice Chairman of
the Joint Committee on Taxation; the Secretary of the Treasury; the
Director of OMB; the Chairman of the IRS Oversight Board; and other
interested parties. The report is also available at no charge on the
GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staffs have any questions concerning this report,
please contact me at (202) 512-3406 or sebastians@gao.gov. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. GAO staff who made major
contributions to this report are listed in appendix IV.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
[End of section]
Appendix I: Status of GAO Recommendations from Internal Revenue
Service Financial Audits and Related Management Reports:
This appendix presents a list of (1) the 85 recommendations that we
had not previously reported as closed, (2) Internal Revenue Service
(IRS) reported corrective actions taken or planned as of March 2011,
and (3) our analysis of whether the issues that gave rise to the
recommendations have been effectively addressed. It also includes 29
recommendations based on our fiscal year 2010 financial statement
audit. Table 11 lists the recommendations by the year and
recommendation number (ID number) and also identifies the report in
which the recommendation was made.
Table 11: Status of GAO Recommendations from Internal Revenue Service
Financial Audits and Related Management Reports:
ID number: 94-02;
Recommendation: Monitor implementation of actions to reduce the errors
in calculating and reporting manual interest on taxpayer accounts, and
test the effectiveness of these actions. (short-term);
Source report: Financial Management: Important IRS Revenue Information
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993), page 32;
Status per IRS: Closed. IRS has implemented and is monitoring actions
to reduce errors in calculating and reporting manual interest. IRS
tests the effectiveness of these actions and measures accuracy through
monthly sampling of manual interest transactions. IRS continues to
increase the automation of restricted interest calculations and
updated the Decision Modeling Incorporated/Automated Computational
Tool Software in 2010. IRS created manual interest training and
updated the training in 2010. IRS updated IRM 20.2 formalizing
guidance on interest computations. IRS developed a quality review
process, the Complex Interest Quality Measurement System (CIQMS) and
formalized it by requiring completion of the Complex Interest Job Aid
to document the reviews. As part of CIQMS, IRS finished developing the
statistical sampling program with assistance from its Small
Business/Self Employed business unit's Research and Testing on
September 30, 2010. IRS completed selecting and reviewing a sample of
closed cases in fiscal year 2010 which provided a statistically valid
tool to measure the accuracy of manual interest transactions. In
fiscal year 2011 IRS expanded sampling of manual interest transactions
by including open modules to identify sources of significant errors or
trends, and develop necessary corrective actions;
Status per GAO: Closed. IRS has undertaken several actions to
strengthen controls over this area, such as updating guidance,
implementing standardized software to aid in the computation of
manually calculated interest, and providing training related to manual
interest calculations. We verified that IRS began testing samples of
manual interest transactions in fiscal year 2011, making statistically
valid projections of the results, and evaluating the results to gauge
the effectiveness of its actions.
ID number: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term);
Source report: Internal Revenue Service: Immediate and Long-Term
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct.
30, 1998), page 14;
Status per IRS: Open. The Small Business/Self Employed (SB/SE)
business unit's Campus Compliance Services (CCS) continues to refine
and expand its Quality Assurance Internal Compliance Review (QAICR)
process by modifying the procedures for performing the reviews,
associated data collection instruments, and error determination
criteria. The results of the QAICR testing are captured by both
individual review periods and cumulatively to identify recurring
errors and trends. Additionally, CCS instituted a 100 percent review
process to identify missing or incorrect cross-references prior to the
posting of the related transactions. In coordination with SB/SE, the
Chief Financial Officer (CFO) plans to complete a readiness test by
reviewing the SB/SE QAICR standard operating procedures (SOP)
documentation, and case review results. CFO will verify that case
reviews are conducted in accordance with the standard operating
procedures (SOPs)2 by September 30, 2011;
Status per GAO: Open. During our fiscal year 2009 audit, we tested a
statistical sample of payments recorded on Trust Fund Recovery Penalty
(TFRP) accounts and estimated that nearly 9 percent of TFRP payment
transactions in the first 3 months of fiscal year 2009 that were
posted on TFRP accounts could contain errors. While IRS continued its
efforts to improve controls over the crediting of TFRP payments to all
related parties, we did not test IRS controls in this area as part of
our fiscal year 2010 audit as both we and IRS believed that the
corrective actions initiated by IRS thus far had not been in place
long enough to significantly improve the accuracy of TFRP payment
processing. Furthermore, as of February 2011, IRS's Automated Trust
Fund Recovery (ATFR) system continued to be unable to process all TFRP
related payments. IRS reported that ATFR could automatically reduce
the amounts owed on all related accounts for only about 57 percent of
TFRP payments processed through the system. The remaining TFRP
payments continue to require some form of manual processing to record
the reduction of the liability in related accounts. Until IRS
successfully implements effective controls over the recording of TFRP
payments, opportunities for errors and omissions with TFRP payments
continue to exist. We will continue to monitor IRS's actions to
address this recommendation during our fiscal year 2011 audit.
ID number: 99-36;
Recommendation: Make enhancements to IRS financial systems to include
recording plant and equipment (P&E) and capital leases as assets when
purchased and to generate detailed records for P&E that reconcile to
the financial records. (long-term);
Source report: Internal Revenue Service: Serious Weaknesses Impact
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9,
1999), page 37, no. 25;
Status per IRS: Closed. Between 1999 and 2010, IRS has continued to
make improvements toward addressing this recommendation through the
implementation of various IRS systems. In 1999, IRS implemented the
Automated Financial System (AFS) whereby all transactions were posted
to expense accounts at a detailed level and then reclassified to asset
accounts at a summary level. In October 2004, IRS implemented the
Integrated Financial System (IFS) in which IRS posts directly to its
asset accounts. Additionally, IRS maintains detailed records of asset
purchases with current year asset and expense database files;
Status per GAO: Closed. IRS has taken actions to address this
recommendation. We confirmed that over the years, IRS has improved its
financial systems so that IRS records P&E and capital leases when
purchased and it maintains detailed P&E records. However, our audits
continue to find that these property records do not always reconcile
to the financial records. However, in order to provide a
recommendation more closely aligned with the current status of the
remaining issues to be resolved we are closing this recommendation
based on IRS's progress to date and have reported the remaining issue,
along with a related recommendation for corrective action in our June
2011 management report. (See recommendation number 11-26 in this
report).
ID number: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000), page
42;
Status per IRS: Open. IRS continues to conduct independent semiannual
Quality Assurance internal reviews. The latest review identified late
releases that were caused by issues previously identified by IRS or
the auditors. IRS completed corrective actions for certain cases and
is in the process of either solving or defining a specific solution
for the remaining cases. IRS continued throughout the year to
investigate and address causes of late lien releases and now documents
the issue in the Lien Action Plan. IRS has conducted in-depth
discussions with Centralized Lien Unit (CLU), Insolvency and Filing,
and Payment Compliance analysts to identify potential solutions.
Discussions have been conducted with programming analysts and the
Ogden Campus staff to examine systemic and procedural problems;
Status per GAO: Open. During our fiscal year 2010 audit, we continued
to find that IRS did not always timely release liens. In IRS's own OMB
A-123 testing of lien releases, it identified 9 instances out of 59
cases tested in which it did not release the applicable federal tax
lien within the statutory 30-day period. The time between the
satisfaction of the liability and release of the lien ranged from 33
days to more than 97 days. Based on these results, IRS estimated that
for about 15 percent of unpaid tax assessment cases that were resolved
in fiscal year 2010, in which it had filed a tax lien, it did not
release the lien within 30 days of the resolution of the case.
Continued weaknesses in IRS's controls over this area results in its
noncompliance with Internal Revenue Code Section 6325 which requires
IRS to release its tax liens within 30 days of the date the related
tax liability is fully satisfied. We will continue to monitor IRS's
actions to address this recommendation during our fiscal year 2011 and
future audits.
ID number: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Source report: Internal Revenue Service: Recommendations to Improve
Financial and Operational Management (GAO-01-42, Nov. 17, 2000), page
74;
Status per IRS: Closed. Between 2001 and 2010, IRS has continued to
make improvements toward addressing this recommendation through the
implementation of various IRS systems. In 2001, IRS implemented the
Automated Financial System (AFS) in which all transactions were posted
to expense accounts at a detailed level and then reclassified to asset
accounts including leasehold improvements (LHI) at a summary level. In
October 2004, IRS implemented the Integrated Financial System (IFS)
through which IRS posts directly to the asset accounts. Additionally,
IRS maintains detailed records of asset purchases with current year
asset and expense database files;
Status per GAO: Open. Although IRS has not established a subsidiary
ledger for leasehold improvements, it has made progress toward
addressing our recommendations by recording leasehold improvement
(LHI) costs as they occur. In addition, in fiscal years 2009 and 2010,
IRS developed and used a methodology to write off LHI. However, IRS is
still in the process of formally documenting its existing procedures
for recording and writing off LHI. We will review and evaluate these
procedures during our fiscal year 2011audit.
ID number: 01-39;
Recommendation: Develop a mechanism to track and report the actual
costs associated with reimbursable activities. (long-term);
Source report: Management Letter: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-01-880R, July 30,
2001), page 4;
Status per IRS: Closed. The IRS revised the Internal Revenue Manual
(IRM) to include guidance for tracking and reporting actual costs
associated with reimbursable activities. The IRM was also updated to
include procedures on how to determine actual costs related to advance
payments and how to deal with differences between actual and advance
payment amounts, including refunds or billings if necessary;
Status per GAO: Closed. We confirmed that IRS revised its IRM to
address this recommendation. The IRM now includes guidance for
tracking and reporting the actual costs associated with reimbursable
activities. It further clarifies the processing steps for agreements
requiring advance payments to ensure such payments are properly
adjusted to actual costs incurred at the end of the agreement term.
ID number: 02-16;
Recommendation: Ensure that field office management complies with
existing receipt control policies that require a segregation of duties
between employees who prepare control logs for walk-in payments and
employees who reconcile the control logs to the actual payments.
(short-term);
Source report: Management Report: Improvements Needed in IRS's
Accounting Procedures and Internal Controls (GAO-02-746R, July 18,
2002), page 6;
Status per IRS: Closed. IRS continues to emphasize the requirements of
segregation of duties and annually performs operational reviews at all
levels to ensure field operations comply with the requirements of
segregation of duties. IRS Field Assistance (FA) Headquarters
conducted reviews at eight Taxpayer Assistance Centers (TACs) on the
remittance process during fiscal year 2010 and concluded that controls
are in place to ensure segregation of duties between the employees who
prepare Forms 795 and 3210 and the employees who reconcile and
transmit payments. FA conducts an annual Filing Season Readiness
Workshop to address remittance and data security which reiterates that
the originator of Form 795 and the reviewer must be different
employees. FA will revise the "Managing a TAC" course by December 31,
2010, to include a discussion on the segregation of duties
requirements as outlined in IRM 21.3.4;
Status per GAO: Closed. We verified that IRS emphasizes the
requirements for segregation of duties in its routine training
provided to TAC managers. In addition, during our fiscal year 2010
audit, we did not identify any instances where duties among IRS TAC
employees who receive payments, prepare control logs, and reconcile
those payments to the control logs were not adequately segregated.
ID number: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005), page 14;
Status per IRS: Open. SB/SE published a revision to the IRM that
clarified the segregation of duties between Revenue Officers and
clerical personnel related to Collection Field function payment
posting vouchers, document transmittal forms, and transmittal
packages. IRS is analyzing the results of a process analysis of SB/SE
field office remittance processing practices that was completed on
February 15, 2011;
Status per GAO: Open. We plan to evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005), page 14;
Status per IRS: Open. IRS reviewed group managers' compliance with the
control review requirements of remittance packages sent to Submission
Processing in its fiscal year 2010 Director of Collection Operational
Reviews. The IRS review of the Operational Review findings confirmed
that management lacked understanding of the control review
requirements in the IRM. IRS revised the IRM to clarify the control
review requirements. IRS is reviewing group manager compliance with
the control review requirements of remittance package transmittals
sent to Submission Processing in its fiscal year 2011 Director of
Collection Operational Reviews. IRS will review the results of the
Operational Review findings for compliance with the IRM which is
scheduled to be completed by June 30, 2011;
Status per GAO: Open. IRS's efforts to address this recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005), page 20;
Status per IRS: Open. IRS continues to enforce requirements to monitor
accounts related to manual refunds. This includes improving
identification of problems with duplicate refunds, updating
requirements to enforce monitoring, conducting more frequent reviews
to ensure proper monitoring, and providing refresher training
reminders to managers and employees initiating and monitoring manual
refunds. IRS initiated a manual refund reporting process to identify
internal control deficiencies and provide data to help prevent
duplicate refunds. IRS continues to monitor manual refunds on a weekly
basis and conduct a quarterly review to ensure managers and employees
are adhering to the prescribed IRM procedures. In addition, IRS
continues to use the Taxpayer Advocate Service (TAS) Managers Forum to
reinforce the requirements to monitor accounts after the issuance of a
manual refund;
Status per GAO: Open. During our fiscal year 2010 audit, we continued
to find instances where manual refund initiators or individuals
responsible for centralized monitoring did not monitor accounts for
duplicate manual refunds and supervisors did not verify that manual
refund initiators or those responsible for centralized monitoring were
following proper procedures for monitoring manual refunds. We will
continue to evaluate the effectiveness of IRS's actions during our
fiscal year 2011 audit.
ID number: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-05-247R, Apr. 27, 2005), page 20;
Status per IRS: Open. IRS continues to strengthen oversight of
requirements to monitor manual refunds. In January 2010, IRS revised
the IRM to centralize controls for documenting the monitoring process
and supervisory reviews. IRS also updated the IRM to simplify the
monitoring requirements. Submission Processing (SP) Accounting updated
the IRM to reject refund documents that do not contain an open control
base used for monitoring. SP also introduced managerial monitoring
reviews into the Embedded Quality Review System (EQRS), a tool that
will provide managerial accountability to ensure monitoring is
complete;
Status per GAO: Open. During our fiscal year 2010 audit, we continued
to find instances where the manual refund initiators or individuals
responsible for centralized monitoring did not document their
monitoring of accounts to prevent duplicate refunds. We also found
instances where the supervisory review of the monitoring activity was
not documented. We will continue to evaluate the effectiveness of
IRS's corrective actions during our fiscal year 2011 audit.
ID number: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006), page 5;
Status per IRS: Open. IRS Accounts Management (AM) has procedures
requiring that Refund Inquiry (RI) Unit managers document their review
of Forms 3210, Document Transmittal, prior to sending return refund
checks to the Financial Management Service (FMS) for final processing.
The IRM requires managers to conduct random sample reviews of incoming
and outgoing Forms 3210 to ensure the accuracy of the outgoing
documents and their contents, and that they are properly added to the
Returned Refund Check System. On January 1, 2011, Submission
Processing revised the IRM for the Payment Perfection Team to use Form
3210 to route returned refund checks to the RI units and include the
check number, amount, and symbol. This information will ensure RI can
track refund checks throughout the process including forwarding the
returned refunds to FMS. Submission Processing issued SERP Alert
101149 to provide specific guidance on securing returned refund
checks. Submission Processing updated the IRM regarding Manual Deposit
for Field Office Payment Processing to include a requirement for
supervisory review of controls over outgoing remittances in the
January 1, 2011 edition;
Status per GAO: Open. While IRS revised its IRM to require that Refund
Inquiry Unit managers conduct periodic, random sample reviews of
outgoing Forms 3210, we continued to identify instances during our
fiscal year 2010 audit where Refund Inquiry Unit managers were unaware
of the review requirements regarding document transmittals. We will
continue to assess IRS's actions during our fiscal year 2011 audit.
ID number: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including service center campuses (SCC), Taxpayer
Assistance Centers (TAC), and units within the Large and Mid-sized
Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE)
business operating units, establish a system to track acknowledged
copies of document transmittals. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006), page 6;
Status per IRS: Closed. IRS has procedures in place to ensure
compliance with tracking acknowledgment of document transmittals.
Large Business & International (LB&I) issued an annual memorandum
reiterating Form 3210 procedures which provided specific IRM guidance
related to the preparation, tracking, and monitoring of Form 3210. All
Tax Exempt and Government Entities (TE/GE) Exam managers used the
Quick Reference Guide for processing checks and Area Managers verified
that tracking measures were in place during operational reviews. TE/GE
revised sections of the IRM to include more explicit instructions
regarding check information entered into group logbooks, preparation
of Forms 3244-A and 3210 and follow-up of unacknowledged Forms 3210
identified in the logbook. Wage & Investment (W&I) also has a system
in place to monitor the use of Form 3210 when mailing documents to SP
Centers and reiterate this requirement while conducting workshops and
annual training. Further, W&I monitors compliance through operational
reviews which have provided evidence that sustained improvement has
been achieved in compliance with tracking acknowledgment copies of
Form 3210 document transmittals;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issues that gave rise to this
recommendation. During our fiscal year 2010 audit, we identified
instances at two TACs where there was no system in place to monitor
acknowledged/unacknowledged transmittals to the SCC. We will continue
to assess IRS's actions during our fiscal year 2011 audit.
ID number: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006), page 6;
Status per IRS: Open. TE/GE Employee Plans (EP) Exam Director and Area
Managers use a check sheet during the operation reviews of all EP
Areas and EP Exam Groups to ensure payments and remittances
transmitted between IRS locations are tracked according to guidelines.
The managers notate recommendations and follow up actions based on the
operational reviews. EP Exam discusses check processing with the Group
Managers during Area conference calls and instructs the Group Managers
to remind employees on proper handling and tracking of checks and to
surface any errors identified. In EO Examinations, Area Managers will
review whether groups are complying with Form 3210 follow-up
procedures in their operational reviews. W&I Field Assistance updated
the IRM to include specific procedures on how to complete Forms 795
and 3210 Review Logs. The procedures require managers to sign the
Review Log to ensure the acknowledgments were received. FA conducted
reviews at eight TACs during fiscal year 2010, which confirmed that
the new procedures are being followed. FA sends communications and
quarterly reminders to all managers advising of the types of required
reviews, including Forms 795 and 3210. Accounts Management
Headquarters conducted site reviews to ensure compliance with existing
requirements. LB&I issued its annual executive memorandum to remind
managers of their responsibility for preparing and tracking the
shipment of returns as outlined in the IRM. LB&I emphasized the need
for verification that transmittals are tracked through operational
reviews and the Annual Assurance Reporting Process. Various industries
have incorporated the review of Form 3210 procedures into their
Territory Manager operational review check sheets. LB&I also
emphasized the Territorial Manager operational review of the Form 3210
process in training material to new front line managers in the
"Aspiring Team Manager Workshops.";
Status per GAO: Open. During our fiscal year 2010 audit, we identified
instances at all eight TACs we visited where managers were not
documenting their reviews of document transmittals. IRS's update to
the IRM occurred subsequent to our fiscal year 2010 field visits. We
will review the implementation of this new requirement during our
fiscal year 2011 audit.
ID number: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers (TAC) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS
units, including those TACs that are not scheduled to be reconfigured
to the "new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006), page 8;
Status per IRS: Open. IRS's Real Estate and Facilities Management
(REFM) continues to oversee, implement and track the TAC Model status
while Physical Security and Emergency Preparedness (PSEP) provides
guidance, oversight and status updates to W&I on interim solutions to
mitigate security vulnerabilities. REFM will build out all TACs in
compliance with the established security guidelines proposed by PSEP.
Of the 401 TAC locations, 244 have the model TAC with another 18
scheduled for completion prior to the 2011 filing season. Due to the
complexity of each build out, and funding and scheduling
considerations, IRS cannot give definitive implementation dates for
all locations. In the interim, IRS continues to utilize the following
solutions to help secure non-model TACs: theater rope or other
barriers, signage, and minor alterations;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 06-07;
Recommendation: Document supervisory visits by offsite managers to
Taxpayer Assistance Centers (TAC) not having a manager permanently on-
site. This documentation should be signed by the manager and should
(1) record the time and date of the visit, (2) identify the manager
performing the visit, (3) indicate the tasks performed during the
visit, (4) note any problems identified, and (5) describe corrective
actions planned. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-06-543R, May 12, 2006), page 8;
Status per IRS: Closed. W&I Field Assistance continues to use the TAC
Security Remittance Review Database (TSRRD) to document supervisory
reviews. Managers are required to conduct and document their reviews
to ensure the protection of data, and compliance with remittance and
security procedures. They are required to submit remittance
information semiannually. The TSRRD indicates if the review was
conducted on site. The TSRRD also documents (1) the time and date of
the review; (2) the name of the manager performing the review; (3) the
task performed during the review; (4) any problems or questions
identified; and (5) planned corrective actions;
Status per GAO: Closed. W&I Field Assistance implemented the TAC
Security and Remittance Review Database (TSRRD) to document
supervisory reviews of all TACs, including those performed by offsite
managers. The TSRRD documents (1) the time and date of the review;
(2) the name of the manager performing the review; (3) the task
performed during the review; (4) any problems or questions identified;
and (5) planned corrective actions.
ID number: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
service center campus' (SCC) perimeter, such as adding or
repositioning existing CCTV cameras or removing obstructions. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007), page 7;
Status per IRS: Open. PSEP Risk Management will require Territory
Managers and Area Directors to validate that their SCC CCTV cameras
(1) are compliant with IRM 10.2.14 (Methods of Providing Protection),
(2) are not obstructed, (3) have a clear view of the entire exterior
perimeter, and that (4) repairs are completed timely. PSEP Systems
Resources and Designs will remind Area Directors and Territory
Managers of the purpose and importance of completing the Audit
Management Checklist accurately. PSEP Risk Management will initiate
random "Quality Assurance Reviews" nation-wide in February 2011 to
ensure Area Directors and Territory Managers comply with standards and
requirements. PSEP RM will make this requirement a Special Interest
Item (SII) to review and validate CCTV compliance and unobstructed
CCTV Camera observation of the entire perimeter of a Campus or
Computing Center;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007), page 9;
Status per IRS: Open. IRS provided training to manual refund
initiators to ensure they monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
Accounts Management has mandated that their managers and employees
initiating manual refunds take the manual refund training course which
includes a new lesson on monitoring manual refunds. Submission
Processing and Compliance have added manual refund monitoring to their
CPE training curriculum conducted annually;
Status per GAO: Open. During our fiscal year 2010 audit, we found that
several manual refund initiators indicated that they either had not
received training or could not recall if manual refunds were covered
in the training received. During the fiscal year 2011 audit, we will
continue to evaluate IRS's progress in meeting this recommendation.
ID number: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed or
shipped out, or both. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-07-689R, May 11, 2007), page 20;
Status per IRS: Closed. IRS continues to follow procedures implemented
on March 3, 2009, which state, in part, "an Employee Resource Center
(ERC) work ticket call type has been established to specifically
identify when secured storage space is needed. Requesters will
initiate the ERC ticket process by requesting 'Property Consultation'
services, which initiates Real Estate and Facilities Management (REFM)
activity to work with the requester on obtaining whatever secured
storage space is needed.";
Status per GAO: Open. Although IRS established procedures to ensure
that sufficient secured space was available for all property and
equipment not currently in use, we found that IRS's secured storage
space was not effective in safeguarding its property and equipment.
During our fiscal year 2010 physical inventory testing, IRS was unable
to locate a desk top computer that was supposed to be maintained in
one of its secured storage rooms. According to the IRS officials, the
desk top computer had been lost. We will continue to assess the
effectiveness of IRS's procedures to properly secure and safeguard
property and equipment not in use during our fiscal year 2011 audit.
ID number: 07-24;
Recommendation: To the extent that IRS intends to use the information
security work conducted under the Federal Information Security
Management Act of 2002 (FISMA) to meet related Office of Management
and Budget (OMB) Circular A-123 requirements, identify the areas where
the work conducted under FISMA does not meet the requirements of A-123
and, considering the findings and recommendations of our work on IRS's
information security, expand FISMA procedures or perform additional
procedures as part of the A-123 reviews to augment FISMA work. (short-
term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB)
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007), page 10;
Status per IRS: Closed. On June 30, 2009, the IRS implemented a review
process for evaluating controls over information technology relating
to financial statement reporting. The review focused on the systems
that affect recording of financial transactions and included assessing
the annual FISMA evaluations of CFO oriented financial systems. In
addition, the ACFO obtained copies of the Chief Information Officer's
annual FISMA report evaluating the IRS servicewide information
technology security program and found that it met A-123 requirements.
The annual Treasury Inspector General for Tax Administration report
evaluating the IRS compliance with FISMA requirements was also
reviewed to identify any A-123 FISMA issues. These procedures are
still in place for the current fiscal year;
Status per GAO: Closed. During fiscal year 2010, we reviewed IRS's A-
123 support for its FISMA work related to the evaluation of internal
controls over systems that record financial transactions, and its
assessment of the annual FISMA report on IRS's information security
program to determine if it met A-123 requirements. We concluded that
IRS's A-123 test procedures related to its FISMA reviews were
adequate, appropriately conducted, and documented, in all material
respects. We also agreed with IRS's conclusion that it met A-123
requirements in the context of a preexisting material weakness in
information security. However, once this material weakness has been
resolved, the scope of IRS's work to monitor the effectiveness of
internal control over information security will need to be
significantly expanded in order to put IRS in a position to support a
conclusion that internal control over information security at IRS is
effective.
ID number: 07-25;
Recommendation: Revise Office of Management and Budget (OMB) Circular
No. A-123 test plans to include appropriate consideration of the
design of internal controls in addition to implementation of controls
over individual transactions. (short-term);
Source report: Management Report: IRS's First Year Implementation of
the Requirements of the Office of Management and Budget's (OMB)
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007), page 10;
Status per IRS: Closed. On June 30, 2009, IRS implemented a "Fiscal
Year 2009 Control Design" template that annotates which design
activity was completed for each transaction. IRS enhanced its testing
to include procedures for design control activities published in
Standard Operating Procedures (SOPs), IRM references, and business
process documentation. The IRS's A-123 team along with the process
owner evaluates procedures to identify the key internal controls and
to determine whether the control fully addresses multiple risks. Test
plans are updated accordingly as needed for GAO review. These
procedures will continue to be used during the current fiscal year;
Status per GAO: Closed. During fiscal year 2010, we concluded that
IRS's A-123 test plans included appropriate consideration of the
design of controls. Also, we reviewed IRS's A-123 internal control
test results and found that for all transactions tested, IRS
appropriately considered the design of internal controls in its
respective test plans.
ID number: 08-01;
Recommendation: As IRS proceeds with its implementation of the
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it
becomes fully operational and is used in conjunction with the Interim
Revenue and Accounting Control System (IRACS), will provide IRS with
the direct transaction traceability for all of its tax-related
transactions as required by the U.S. Standard General Ledger (USSGL),
Federal Financial Management System Requirements (FFMSR), and the
Federal Financial Management Improvement Act of 1996 (FFMIA). (long-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 5;
Status per IRS: Closed. IRS implemented the Redesign Revenue
Accounting and Control System (RRACS) in January 2010, a significant
enhancement to IRACS, which records revenue, refund, and unpaid tax
assessment transactions to the USSGL accounts. During the fiscal year
2010 audit, it was determined that RRACS posted tax revenue and tax
refund transactions in conformance with the USSGL. Additional
conclusions were reached that IRS recorded unpaid tax assessments,
including taxes receivable, in substantial conformance with the USSGL
because the adjustments were recorded in accordance with the USSGL,
and the reported gross taxes receivable could be traced through the
adjustments to the unadjusted taxes receivable (contained in CDDB),
and from there to the underlying transaction detail which had been
recorded in accordance with the USSGL;
Status per GAO: Closed. During our fiscal year 2010 audit, we
concluded that IRS's financial management systems substantially
complied with the U.S. Standard General Ledger (USSGL) at the
transaction level. We also determined that RRACS systems posted
revenue and refund transactions in conformance with the USSGL. Also,
we found that IRS recorded federal taxes receivable in substantial
conformance with the USSGL because although the adjustments to federal
taxes receivable were not traceable to underlying transaction detail,
the adjustments themselves were recorded in accordance with the USSGL,
and the reported gross federal taxes receivable balance could be
traced through the adjustments to the unadjusted federal taxes
receivable balance, and from there to underlying transaction detail,
which had also been recorded in accordance with the USSGL.
ID number: 08-02;
Recommendation: Document and implement the specific procedures to be
performed by the IRS statistician in each step of the unpaid
assessment estimation process. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 7;
Status per IRS: Closed. IRS documented and implemented the specific
procedures that the IRS statistician follows in each step of the
unpaid assessments estimation process;
Status per GAO: Closed. During fiscal year 2010, IRS finalized
documentation detailing the specific procedures to be performed by
IRS's statistician in each step of the unpaid assessment estimation
process. We confirmed that IRS implemented these detailed steps as
part of its formal unpaid assessments estimation process during fiscal
year 2010.
ID number: 08-03;
Recommendation: Document and implement specific detailed procedures
for reviewers to follow in their review of unpaid assessments
statistical estimates. Specifically, IRS should require that a
detailed supervisory review be performed to ensure (1) the statistical
validity of the sampling plans, (2) data entered into the sample
selection programs agree with the sampling plans, (3) data entered
into the statistical projection programs agree with IRS's sample
review results, (4) data on the spreadsheets used to compile the
interim projections and roll-forward results trace back to supporting
statistical projection results, and (5) the calculations on these
spreadsheets are mathematically correct. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 7;
Status per IRS: Closed. IRS documented and implemented the specific
procedures for reviewers to follow in reviewing the unpaid assessments
statistical estimates;
Status per GAO: Closed. During fiscal year 2010, IRS finalized
documentation detailing the specific procedures to be performed by
supervisors in reviewing the work of its statistician in preparing
IRS's unpaid assessments statistical estimates. The guidance includes
specific procedures to ensure: (1) the statistical validity of the
sampling plans, (2) data entered into the sample selection programs
agree with the sampling plans, (3) data entered into the statistical
projection programs agree with IRS's sample review results, (4) data
on the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection
results, and (5) the calculations on these spreadsheets are
mathematically correct. We confirmed that IRS implemented these
detailed steps as part of its formal unpaid assessments estimation
process during fiscal year 2010.
ID number: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 10;
Status per IRS: Closed. The cross-functional working group to address
penalty and interest programming issues continues to identify and
assess penalty and interest issues. Presently IRS has resolved or
implemented program changes and tested them for eight of the
identified issues. IRS also implemented program changes and is either
reviewing test data or requesting data for testing for four work
requests;
Status per GAO: Open. While IRS completed corrective actions to
address some of the programming issues and is continuing work on
others identified from its internal review, it has not yet completed
all of its planned programming corrections. We will continue to review
IRS's corrective actions to address this recommendation during our
fiscal year 2011 audit.
ID number: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
Taxpayer Assistance Center (TAC) managers in conducting reviews of
outlying TACs and documenting the results. This guidance should
include a description of the key controls that should be in place at
outlying TACs, specify how often these key controls should be
reviewed, and specify how the results of each review should be
documented, including follow-up on issues identified in previous TAC
reviews. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 11;
Status per IRS: Open. W&I Field Assistance (FA) continues to use the
TAC Security Remittance Review Database (TSRRD) to document
supervisory reviews. Managers are required to conduct and document
their reviews to ensure the protection of data and compliance with
remittance and security procedures. FA updated the questions in the
TSRRD to document supervisory reviews conducted at the TACs.
Additionally, FA will rephrase any database questions for
clarification as needed. FA provided continuing professional education
(CPE) training in 2010 to managers and staff on how to use the TSRRD
and will provide CPE training again for 2011. Territory Managers are
required to review the information input to the TSRRD database per the
IRM. Field Assistance Headquarters (HQ) will randomly request data to
validate responses. HQ completed an analysis of the data and shared it
with area offices. HQ conducted five on-site reviews in two area
offices and found TACs are following the required procedures;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. FA informed us that all of the reviews assessing controls
over taxpayer receipts and information are documented in the TSRRD.
However, during our fiscal year 2010 audit, we found that certain
questions in the TSRRD were unclear or ambiguous, contributing to
incorrect responses entered by group managers completing the reviews.
We will continue to evaluate the effectiveness of IRS's corrective
actions during our fiscal year 2011 audit.
ID number: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to Taxpayer Assistance
Centers (TAC) and other field offices. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 16;
Status per IRS: Open. IRS continues to work with the General Services
Administration (GSA) to complete janitorial background investigations.
GSA completed background investigations for approximately 96 percent
of the Level III and Level IV buildings. IRS requested a Background
Investigation (BI) for all IRS facilities; however, GSA agreed to
perform background investigations only for some buildings (level III
and IV). IRS expects GSA to complete delivery on this entire
initiative by June 15, 2011. In the interim, IRS requested that GSA
arrange for daytime janitorial cleaning only, in order for IRS
employees to observe janitorial staff in buildings where a BI has not
been conducted;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 08-13;
Recommendation: Require including, in all shredding service contracts,
provisions requiring (1) completed background investigations for
contractor employees before they are granted access to sensitive IRS
information, and (2) periodic, unannounced inspections at off-site
shredding facilities by IRS to verify ongoing compliance with IRS
safeguards and security requirements. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 17;
Status per IRS: Closed. The National NISH Contract services 552 (95
percent) of the 584 locations needing shredding service. IRS will add
the remainder of the locations as NISH gains capability. All non-NISH
shredding contractors follow the same performance work statement as
that of the National NISH Contract. As individual local contracts
expire, IRS adds this specific requirement to new contracts. In the
interim, all contractors under the old contract provisions have agreed
to comply with this specific requirement, even though the old contract
has not yet expired;
Status per GAO: Closed. IRS provided a Performance Work Statement for
Secured Document Destruction Services for the remaining sites not
covered under the nationwide NISH contract, which states that the (1)
contractor shall perform background investigations on all employees
involved in IRS document destruction and that these investigations
shall be performed using NISH guidelines and (2) provisions of the
contract must allow for, at a minimum, the annual IRS inspection of
the contractor facility and operations to ensure the safeguarding of
IRS information.
ID number: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 17;
Status per IRS: Closed. The IRM specifies that the contract contain
provisions for IRS inspection of the contractor facility and
operations to ensure the safeguarding of IRS information, including
periodic unannounced inspections at off-site contractor facilities.
The Performance Work Statement for NISH and non-NISH shredding
contractors includes provisions that require contractor reviews and
stipulates that the compliance reviews may be conducted unannounced.
Further, as the national contract administrator, NISH is required to
document results of its reviews and follow up with local contractors
to make sure any corrective actions that may be needed are developed;
Status per GAO: Open. IRS's update to the IRM specifies that off-site
shredding contracts contain provisions for periodic IRS inspections;
however, the language does not include specific provisions requiring
that IRS personnel (1) conduct periodic, unannounced inspections at
off-site contractor facilities entrusted with sensitive IRS
information; (2) document the results, including identification of any
security issues; and (3) verify that the contractor has taken
appropriate corrective actions on any security issues observed. During
our March 2011 internal control testing conducted as part of our
ongoing fiscal year 2011 IRS financial audit, we found that while the
appropriate language was included in the shredding contracts, site
inspections were not being performed by IRS personnel.
ID number: 08-15;
Recommendation: Establish procedures to require obtaining and
reviewing documentation of completed background investigations for all
shredding contractors before granting them access to taxpayer or other
sensitive IRS information. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 18;
Status per IRS: Closed. NISH reviewed all background investigations
upon visiting contractor facilities to ensure local sub-contractors
were in compliance. NISH obtained and reviewed the lists of contractor
employees and the dates of their completed background investigations
from the Prime Contractor prior to the start date of the contractual
duties. NISH and non-NISH vendors are required to report to the IRS on
a quarterly basis (within 30 days of the end of each fiscal quarter)
the start date for each employee on the Contract as well as the
completion date of the NACI-type background investigation. IRS
requires a National Association for Information Destruction (NAID)
Contractor certification or alternatively, a NAID compliant
certification if the vendor is not a member of NAID. This is a higher
standard than the typical fingerprint review or criminal record check.
IRS annually reviews all contractor records and performs a random
check of contractor records to ensure compliance;
Status per GAO: Closed. IRS included language in the Performance Work
Statement for Secured Document Destruction Services that requires
shredding contactor companies to report to IRS on a quarterly basis
the start date and background investigation completion date for each
contractor involved in the destruction of IRS information.
ID number: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 (Recommendation for Juvenile Employment)
by contacting the reference directly and documenting the details of
this contact. (short-term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 19;
Status per IRS: Closed. The HCO Employment, Talent, and Security (ETS)
Division conducted aggressive training and outreach to Employment
Offices on using the current version of Form 13094 (Recommendation for
Juvenile Employment), contacting appropriate references and
documenting results accordingly. The Director, ETS, implemented an
internal tracking system to monitor juvenile hires and validated that
references were checked and documented. The system is updated each pay
period. Area Directors conduct monthly reviews of the program and
report to the Director on a bi-monthly basis at Senior Leaders'
Operation Review meetings. The Director monitors the Treasury
Integrated Management Information System (TIMIS) focus reports of
Juvenile hires every month. ETS developed a centralized quality review
of forms for juveniles hired during fiscal year 2011 and completed
internal program audits during the first and second quarters of fiscal
year 2011;
Status per GAO: Open. IRS's actions to date have not been fully
effective in addressing the issues that gave rise to our
recommendation. During our fiscal year 2010 audit, we found that IRS
employment offices did not obtain a correctly completed Form 13094 for
28 of the 38 juveniles hired between October 1, 2009, and April 30,
2010. In these instances, the person that signed as the reference was
different than the person listed as the reference on Form 13094. In
addition, we identified one instance where the IRS employment office
staff did not document the required verification of the information on
Form 13094 by contacting the reference directly, which was due to the
IRS employment office using the outdated Form 13094. We will continue
to review IRS's corrective actions during our fiscal year 2011 audit.
ID number: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term);
Source report: Management Report: Improvements Needed in IRS's
Internal Controls (GAO-08-368R, June 4, 2008), page 25;
Status per IRS: Closed. Agency-Wide Shared Services (AWSS) Employee
Support Services Travel Services implemented in March 2010 a system of
contacting employees who are scheduled to travel within three days and
whose authorization is unsigned. If the travel is still necessary, the
traveler's manager must sign the authorization, reducing the instances
of unauthorized travel;
Status per GAO: Open. During our fiscal year 2010 audit, we found four
instances in which IRS employees conducted official travel prior to
obtaining written supervisory approval. One of these trips occurred
after IRS (1) issued a memorandum reiterating the policy to prepare an
authorization before traveling and (2) implemented its new procedures
for contacting employees with unsigned travel authorizations. Because
the employee in this case did not submit the travel request until 1
business day before travel, IRS's new system of contacting employees
was ineffective in reducing unauthorized travel in this instance. We
will continue to monitor the effectiveness of IRS's actions during our
fiscal year 2011 audit.
ID number: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 10;
Status per IRS: Open. IRS will develop minimum requirements to use off-
site courier surveillance when SP observers note time discrepancies or
other inconsistencies as documented on Form 10160, Receipt for
Transport of IRS Deposit. SP will update the Statement of Work and the
IRM during the third quarter of fiscal year 2011. SP Headquarters
Deposit Analysts started surveillance of courier contractors during
the unannounced internal security reviews beginning in August 2010 and
conducted the final review in December 2010. IRS updated the Lockbox
Security Guidelines (LSG) in January 2011 to require that lockbox
banks conduct an annual analysis to establish acceptable courier
timeframes of inbound and outbound deliveries;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 10;
Status per IRS: Open. IRS will document minimum requirements in the
IRM for conducting off-site surveillance of couriers entrusted with
taxpayer receipts and information after reviews are completed as
discussed in recommendation 09-03. IRS will make these updates to the
Courier Contract Statement of Work and the IRM during the third
quarter of fiscal year 2011;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
Taxpayer Assistance Center (TAC) location, group, territory, area, and
nationwide. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 11;
Status per IRS: Open. W&I Field Assistance (FA) and Accounts
Management Services have developed an electronic Form 795 which
automates the existing manual remittance reporting process. IRS has
reached the first milestone in building the Collection Activity
Report, which tracks cash and non-cash remittances by geographical
regions, which the territories now use. FA will start mandating use of
the revised Form 795A to collect and report the data at the TAC level.
Anticipated completion of the recommendation is October 2012;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will continue to evaluate IRS's actions during our fiscal
year 2011 audit.
ID number: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 13;
Status per IRS: Closed. PSEP Risk Management requested that PSEP Area
Directors and Territory Managers validate their new local procedures
to address the IRM requirement. This validation includes
implementation and compliance with the procedures. PSEP Risk
Management confirmed that this action was completed by September 7,
2010;
Status per GAO: Open. IRS responded to the recommendation by revising
its IRM to require a readily available inventory of all duress alarms
for individuals conducting the alarm tests. However, this revision did
not include specific instructions or guidance that would ensure that
an inventory of all duress alarms is documented for each location and
is readily available to individuals conducting duress alarm tests. As
a result, during our fiscal year 2010 audit, we found that duress
alarm testing did not cover all duress alarms at the location for
seven of the eight field offices we visited. We will continue to
evaluate this issue during our fiscal year 2011 audit.
ID number: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each Taxpayer Assistance Center (TAC)
location to ensure that the inventory is current and complete as of
the testing date. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 13;
Status per IRS: Closed. PSEP Risk Management requested that PSEP Area
Directors and Territory Managers validate their new local procedures
to address this IRM requirement. PSEP Risk Management confirmed that
this action was completed by September 7, 2010;
Status per GAO: Open. While IRS implemented a policy in the IRM
requiring a quarterly validation of the duress alarm inventory,
specific instructions or guidance outlining how this policy would be
met were not implemented. As a result, during our fiscal year 2010
financial audit, we identified instances at all eight field offices we
visited where duress alarm testing did not include a documented
quarterly validation of the inventory of all duress alarms as required
by the IRM. Additionally, we noted several instances where duress
alarm points listed on the inventory provided to the test conductor
were either no longer in TAC space or had been removed. For example,
one noted location of a duress alarm was in a space occupied by a non-
IRS agency and the other had been removed due to a space conversion.
We will continue to evaluate this issue during our fiscal year 2011
audit.
ID number: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 13;
Status per IRS: Closed. Physical Security and Emergency Preparedness
(PSEP) Risk Management requested that PSEP Area Directors and
Territory Managers validate their new local procedures to address this
IRM requirement. PSEP Risk Management confirmed that this action was
completed by September 7, 2010;
Status per GAO: Open. During our fiscal year 2010 financial audit, we
identified instances at all eight field offices we visited where local
instructions, outlining necessary steps for properly completing the
quarterly duress alarm tests, were not provided to the individual(s)
performing the duress alarm testing. For example, at three field
offices we visited, instructions identifying the location of each
duress alarm on site were not provided to the local official
performing the test resulting in the omission of several alarms from
the test. At four other field offices, we found that the conductor did
not receive the test results for all the duress alarm points because
the test conductor was not instructed to allow a waiting period before
activating the alarms. As a result, the central monitoring station
never received the signal. We will continue to evaluate this issue
during our fiscal year 2011 audit.
ID number: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 13;
Status per IRS: Closed. PSEP Risk Management developed detailed
procedures for the Emergency Signal History Reports that were sent to
the Area Directors and Territory Managers. The procedures require that
security analysts review and document their review of the Emergency
Signal History Reports. PSEP RM distributed the procedures on August
3, 2010;
Status per GAO: Open. During our fiscal year 2010 financial audit, we
identified instances at all eight field offices we visited where there
was no routine documented review of the Emergency Signal History
Report or emergency contact list provided to the central monitoring
station. During our discussions, PSEP analysts and others responsible
for conducting the tests were unsure as to how to obtain the
"Emergency Signal History Report" and associated zone description and
disposition information outlined in the IRM. Furthermore, we
identified several instances where the central monitoring station
contact list was either outdated or listed unqualified individuals as
the first responder. We will continue to evaluate IRS's actions during
our fiscal year 2011 audit.
ID number: 09-11;
Recommendation: Revise the IRM section related to the limited use of
expired appropriations to provide additional guidance to help
employees distinguish between procurement actions that constitute new
obligations and those that merely adjust or liquidate prior
obligations that the IRS incurred during an expired appropriation's
original period of availability. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 17;
Status per IRS: Closed. IRS published one new IRM section and revised
two IRM sections to provide additional guidance and establish year-end
procedures for expired and closing appropriations. The CFO published
IRM 1.35.15. Annual Close Guidelines effective September 8, 2009.
Agency-Wide Shared Services revised IRM 1.32.6, Purchase Card Program
Handbook effective January 21, 2010, and Corporate Budget revised IRM
1.33.4, Financial Operating Guidelines, effective April 1, 2010;
Status per GAO: Closed. We reviewed IRM 1.35.15, which was issued
September 8, 2009, and noted that it provides policies and procedures
for expired appropriations (including situations when it is
appropriate to use expired appropriations), procedures for closing
transactions with canceled appropriations, and policies for paying
invoices after a fiscal year appropriation is canceled. We also
reviewed the revised version of IRM 1.33.4, which clarified procedures
regarding the use of expired appropriations and used examples to
further illustrate the policies and procedures. We reviewed IRM 1.32.6
which was revised as of January 21, 2010, and determined that the
revisions addressed the issue of improperly using expired
appropriations to fund purchase card transactions.
ID number: 09-13;
Recommendation: Perform existing reviews of transactions recorded in
undelivered orders obligation accounts in a more timely manner in an
effort to detect and correct errors, such as duplicate receipt and
acceptance charges, earlier in the process. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 19;
Status per IRS: Closed. The CFO initiated weekly reviews of receipt
and acceptance transactions to more timely identify and correct
errors. The policies and procedures were updated accordingly in
December 2008;
Status per GAO: Closed. We obtained information about the Aging
Unliquidated Accruals (AUA) process, which is designed to review IRS
receipt and acceptance transactions in order to more timely identify
and correct errors. We confirmed that IRS was conducting the AUA
reviews.
ID number: 09-14;
Recommendation: Establish a formal, documented process for identifying
over time the full range of IRS's programs and underlying activities,
outputs, and services for which IRS believes full cost information
would be useful to executives and program managers. Such a process
should (1) be formally established and documented through policies,
procedures, guidance, meeting minutes, and other appropriate means;
(2) define the roles and responsibilities of the Chief Financial
Officer (CFO) and other business units in the process;
and (3) be focused on the goal of determining what cost information
would be useful and the most appropriate means of developing and
reporting it for both existing programs and new programs as they are
initiated. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 22;
Status per IRS: Closed. The Associate Chief Financial Officer for
Internal Financial Management documented and formalized the cost
accounting policy and process including the roles and responsibilities
of the Chief Financial Officer, business units, and the Cost Users
Group in IRM 1.32.3, Managerial Cost Accounting. The IRM was published
in July 2009 and revised in June 2010. The Chief Financial Officer
continues to determine useful cost information and the ways for
developing and reporting this information for existing programs and
new programs as they are initiated;
Status per GAO: Closed. The revised IRM section assigns the CFO
responsibility for "working with each unit to identify the specific
costs accumulated for identified products and services or metrics and
designing the proper costing and allocation methodologies." IRS
established the Cost User's Group as the formal mechanism though which
IRS's business units can participate in identifying and developing
full cost information for their various programs and activities. The
Cost User's Group has established a 2-year history of regular meetings
focused on Managerial Cost Accounting and the development of internal
cost-benefit information for business units.
ID number: 09-15;
Recommendation: For each of the IRS programs, activities, outputs, and
services identified for which full cost information would be useful to
IRS executives and program managers, complete the development of full
cost methodologies to routinely accumulate and report on their full
costs, including down to the activity level where appropriate. Such
full cost data should be readily accessible to IRS program managers
whenever they are needed, and they should include both personnel costs
based on time spent on specific activities as well as all associated
non-personnel costs and be drawn from or reconcilable to IRS's
financial accounting system. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 22;
Status per IRS: Closed. IRS developed cost performance measures at the
request of management for a range of products and services in
Enforcement and Operations Support. These measures have been
incorporated into a series of regularly updated reports to management
for their review and action. The CFO continually updates cost benefit
analyses related to Field Collection; Automated Collection System
(ACS); Automated Substitute for Return (ASFR); Automated Underreporter
(AUR); Field Exam; Correspondence Exam; and Earned Income Tax Credit
(EITC)-Exam and EITC-AUR, Notices, CAWR/FUTA, 6020(b) as well as
additional analyses requested by the Business Units;
Status per GAO: Closed. IRS has continued to conduct annual updates of
the internal cost-benefit analyses for several programs, and it has
completed additional analyses. Although IRS has not yet completed
internal cost-benefit analyses of the full range of its programs and
activities, its continuing progress in responding to the requests of
the business units for internal cost-benefit information fulfills the
intent of our recommendation.
ID number: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June
24, 2009), page 25;
Status per IRS: Closed. The IRS improved the analytical tools it uses
to make informed resource decisions for major enforcement programs.
The IRS continued to use cost/benefit analysis, return on investment,
evaluation of possible future scenarios, and enterprise risk
management techniques for a wide range of resource allocations
decisions, such as service and enforcement initiatives included in the
President's Budget. The IRS continued to use a broader set of tools to
evaluate its enforcement program, such as cost/benefit analysis that
incorporates a wide range of tangible and intangible costs and
benefits (such as equitable coverage rates for different groups of
taxpayers, enhancing respect for the law, and ensuring that
disadvantaged populations of taxpayers receive adequate levels of
service). It is not prudent to rely exclusively on return on
investment as the sole determinant of resource allocation;
Status per GAO: Open. Although IRS began using internal cost-benefit
analyses and projections as part of its support for future enforcement
initiatives in its annual budget submissions, it has not developed
outcome-oriented performance measures and related goals to measure the
effectiveness of its existing programs. We recognize that IRS must
take into consideration coverage and equitable taxpayer treatment when
making decisions, and we have not advocated that IRS use cost-benefit
analysis as the sole measure of effectiveness. However, measuring the
cost-benefit--return on investment--of IRS's enforcement programs and
activities is an important element in measuring their effectiveness.
IRS continues to update internal cost-benefit data annually for the
enforcement programs for which it had previously developed such data,
and it developed new internal cost-benefit data for additional
programs. Such analyses could be, but have not been, used to develop
performance metrics and related goals. We will continue to review and
monitor IRS's progress in addressing this recommendation during our
fiscal year 2011 audit.
ID number: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in the Custodial Detail Data Base
(CDDB) resulted in misclassifications of account balances that, in
turn, resulted in material inaccuracies in the amounts of reported
unpaid assessments. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 10;
Status per IRS: Open. Each year IRS identifies misclassifications of
account balances during the review of the sample cases selected for
the unpaid assessment statistical estimation and corrects the errors.
In the cases of misclassification of account balances caused by a
systemic limitation in CDDB, IRS has identified pending programming
changes to improve the business rules used by CDDB to accurately
classify unpaid tax assessments. IRS is scheduled to implement these
changes in June 2011;
Status per GAO: Open. During our fiscal year 2010 audit, we and IRS
continued to identify misclassified unpaid assessments accounts
resulting from systemic limitations. As part of its unpaid assessments
estimation process, IRS identified 33 cases in its taxes receivable
sample that were either misclassified in whole or in part due to CDDB
systemic limitations and recorded adjustments to these accounts to
reflect the correct classification or value at the point in time that
IRS sampled the account information. On the basis of a statistical
projection of these individual adjustments, IRS made multibillion
dollar adjustments to the year-end balances of all three categories of
unpaid tax assessments generated by CDDB in order to produce reliable
amounts for external reporting. While IRS identified and documented
specific account modules that were misclassified as a result of
systemic limitations, it has not compiled a listing of these systemic
limitations in order to track and monitor the status of programming
changes aimed at addressing these limitations. We will continue to
monitor IRS's actions to address this recommendation as part of our
fiscal year 2011 audit.
ID number: 10-02;
Recommendation: Research and implement programming changes to allow
the Custodial Detail Data Base (CDDB) to more accurately classify such
accounts among the three categories of unpaid tax assessments. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 10;
Status per IRS: Open. IRS continues to identify programming changes to
improve the accuracy of the classification of the three categories of
unpaid tax assessments in CDDB. Five additional programming changes
are scheduled to be implemented to improve the classification of
installment agreements, to address one-time refund offsets, to allow
CDDB to correctly adjust balances in the subsidiary ledger in cases
where TFRP payments were not cross-referenced correctly, and to add an
allocation methodology in CDDB to classify modules with split
financial classifications;
Status per GAO: Open. IRS is in the process of implementing numerous
programming changes to improve CDDB's accuracy in classifying accounts
among the three categories of unpaid assessments. We will continue to
monitor IRS's corrective actions to address this recommendation as
part of our fiscal year 2011 audit.
ID number: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that materially affect the
financial reporting of unpaid tax assessments. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 10;
Status per IRS: Open. Each year IRS identifies and corrects
misclassifications of account balances during the review of the sample
cases selected for the unpaid assessment statistical estimation. In
addition, IRS reviews IRM procedures to ensure proper internal
controls are in place, makes revisions when necessary, and ensures the
internal control processes are followed. IRS compiled a detailed
report of errors identified during the financial audit process for
fiscal year 2010. On December 8, 2010, CFO distributed this report to
the Business Operating Divisions to remediate the errors;
Status per GAO: Open. During our fiscal year 2010 audit, we and IRS
continued to identify misclassified unpaid assessments accounts
resulting from IRS processing errors or delays. As part of its unpaid
assessments estimation process, IRS identified 15 cases in its taxes
receivable sample that were misclassified in whole or in part due to
errors in the taxpayer accounts, and recorded adjustments to these
accounts to reflect the correct classification or value at the point
in time that IRS sampled the account information. On the basis of a
statistical projection of these individual adjustments, IRS made
multibillion dollar adjustments to the year-end balances of all three
categories of unpaid tax assessments generated by CDDB in order to
produce reliable amounts for external reporting. While IRS compiled a
report listing the errors identified in its unpaid assessment
estimation process and attempted to identify the IRS unit where the
error occurred, IRS did not identify the control weaknesses that
resulted in the error or delay. IRS cannot implement appropriate
corrective actions unless it knows the control weakness or weaknesses
that resulted in the error or delay. We will continue to monitor IRS's
actions to address this recommendation as part of our fiscal year 2011
and future audits.
ID number: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that materially affect the financial
reporting of unpaid tax assessments, implement control procedures to
routinely prevent, or to detect and correct, such errors. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page. 10;
Status per IRS: Open. IRS will continue to identify and validate
corrective actions that were completed. IRS will continue to monitor
appropriate procedures, controls and program modifications. IRS
compiled a detailed report of errors identified during the financial
audit process for fiscal year 2010. On December 8, 2010, CFO
distributed this report to the Business Operating Divisions to
remediate the errors;
Status per GAO: Open. During our fiscal year 2010 audit, we and IRS
continued to identify misclassified unpaid assessments accounts
resulting from IRS processing errors or delays. As part of its unpaid
assessments estimation process, IRS identified 15 cases in its taxes
receivable sample that were misclassified in whole or in part due to
errors in the taxpayer accounts, and recorded adjustments to these
accounts to reflect the correct classification or value at the point
in time that IRS sampled the account information. On the basis of a
statistical projection of these individual adjustments, IRS made
multibillion dollar adjustments to the year-end balances of all three
categories of unpaid tax assessments generated by CDDB in order to
produce reliable amounts for external reporting. While IRS compiled a
report listing the errors identified in its unpaid assessment
estimation process and attempted to identify the IRS unit where the
error occurred, IRS did not identify the control weaknesses that
resulted in the error or delay. IRS cannot implement appropriate
corrective actions unless it knows the control weakness or weaknesses
that resulted in the error or delay. We will continue to monitor IRS's
actions to address this recommendation as part of our fiscal year 2011
audit.
ID number: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
Trust Fund Recovery Penalty (TFRP) payments processed through the
Automated Trust Fund Recovery (ATFR) system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 15;
Status per IRS: Open. IRS revised the IRM in May 2010 to include
supervisory reviews of credit transactions related to TFRP payments
processed through ATFR and to identify the areas and ATFR system
reports to review. IRS will add an additional IRM requirement to
include 100 percent review of payment cross-references prior to
account postings. Publication of the revised IRM is expected by the
end of fiscal year 2011;
Status per GAO: Open. IRS is in the process of adding an additional
IRM requirement to specify how supervisors should review processed
TFRP transactions for accuracy. In the meantime, IRS revised the IRM
to provide guidance on how supervisors should manage a unit's TFRP
payment inventory to ensure timely processing. We will continue to
monitor IRS's actions to address this recommendation during our fiscal
year 2011 audit.
ID number: 10-06;
Recommendation: Formalize and implement the quarterly reviews of Trust
Fund Recovery Penalty (TFRP) payment transactions to monitor
compliance with the IRM requirements. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 15;
Status per IRS: Open. IRS implemented its formal quarterly reviews of
TFRP payment transactions to monitor compliance with IRM requirements
and began its official reviews in April 2010. IRS completed reviews in
May, August, and September 2010. The reviews will be performed on a
quarterly basis. IRS will create formal documentation of this process
by the end of calendar year 2011;
Status per GAO: Open. While IRS has formally implemented quarterly
reviews of TFRP payment transactions, it is still in the process of
formalizing standard procedures for the review, the analysis of
results, and the corrective actions based on its analysis. We will
continue to monitor IRS's actions to address this recommendation
during our fiscal year 2011 audit.
ID number: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment
transactions so that specific factors causing the errors are
identified. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 15;
Status per IRS: Open. IRS implemented its formal quarterly reviews in
April 2010 which encompass procedures for both Campus and Headquarters
to identify and analyze error trends based on the findings from each
quarterly review and the cumulative review results. This process will
continue on a quarterly basis. IRS will create formal documentation
for this process by the end of calendar year 2011;
Status per GAO: Open. While IRS has formally implemented quarterly
reviews of TFRP payment transactions, it is still in the process of
formalizing standard procedures for the review, the analysis of
results, and the corrective actions based on its analysis. We will
continue to monitor IRS's actions to address this recommendation
during our fiscal year 2011 audit.
ID number: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of Trust Fund Recovery Penalty (TFRP) payment
transactions identified through the analyses of the quarterly review
results. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 15;
Status per IRS: Open. IRS developed procedures for addressing the root
causes of error trends found during the quarterly and cumulative
Quality Assurance Internal Compliance Reviews. This process will
continue on a quarterly basis. IRS will create formal documentation
for this process by the end of calendar year 2011;
Status per GAO: Open. While IRS has formally implemented quarterly
reviews of TFRP payment transactions, it is still in the process of
formalizing standard procedures for the review, the analysis of
results, and the corrective actions based on its analysis. We will
continue to monitor IRS's actions to address this recommendation
during our fiscal year 2011 audit.
ID number: 10-09;
Recommendation: Revise the existing methodology for extracting the
preposted revenue component of the comparison of general ledger tax
revenue receipts to the detailed transaction support in the master
files to ensure that nontax revenues and tax revenue transactions
already posted to the master files are properly excluded. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 17;
Status per IRS: Closed. IRS revised and tested the extraction
methodology in May 2010 to exclude non-tax and posted revenue
transactions from the pre-posted revenue file. IRS provided to GAO the
9-month sample file in July 2010 for the audit with successful results;
Status per GAO: Closed. IRS revised its methodology for extracting the
preposted revenue component of its general ledger to master files
comparison. This revised methodology appropriately ensures that nontax
revenues and tax revenue transactions already posted to the master
files are properly excluded.
ID number: 10-10;
Recommendation: Update the desk procedures governing the comparison of
general ledger tax revenue receipts to the detailed transaction
support in the master files to ensure that the procedures reflect the
current process and controls. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 17;
Status per IRS: Closed. IRS updated the desk procedures for the
general ledger to master file comparison on December 21, 2010;
Status per GAO: Closed. IRS updated the desk procedures governing the
general ledger to master files comparison to ensure that it reflects
the most current process and controls. In addition, we were informed
by CFO officials that these procedures would be revisited periodically
to ensure they remain current.
ID number: 10-11;
Recommendation: Revise the cost allocation desk guide to better
document the cost allocation process. This should include ensuring
that all key processing steps are included and identifying the key
sources of input data and the controls necessary to help ensure their
reliability. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 19;
Status per IRS: Closed. IRS revised the cost allocation desk guide on
January 29, 2010, to better document the cost allocation process. The
guide includes key processing steps, identification of input data
sources, and the controls to ensure their reliability;
Status per GAO: Closed. We verified that IRS revised its cost
allocation desk guide and created work instructions/job aids that
include key processing steps, key sources of input data, and controls
to ensure reliability throughout the cost allocation process.
ID number: 10-12;
Recommendation: Revise the IRM and cost allocation desk guide to
require appropriate segregation of duties within the cost allocation
process. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 20;
Status per IRS: Closed. The CFO updated the IRM relating to Managerial
Cost Accounting, on June 8, 2010, and the cost allocation desk guide
on January 29, 2010, to require appropriate segregation of duties
within the cost allocation process;
Status per GAO: Closed. We verified that IRS revised its IRM and cost
allocation desk guide to require segregation of duties when creating,
executing, and reconciling monthly cost allocation cycles. During our
fiscal year 2010 audit, we observed that IRS implemented these new
requirements. IRS segregated the duties of cost accountants during its
edit check processes (which occur between executing cycle runs) by
having a cost accountant other than the one executing the edit check
verify that the cycle ran successfully.
ID number: 10-13;
Recommendation: Revise the IRM and cost allocation desk guide to
require timely, documented supervisory reviews at key process points
to help prevent and detect cost allocation processing errors. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 20;
Status per IRS: Closed. The CFO updated the IRM relating to Managerial
Cost Accounting, on June 8, 2010, and the cost allocation desk guide
on January 29, 2010, to require documented supervisory reviews within
the cost allocation process;
Status per GAO: Closed. We verified that IRS revised its IRM and cost
allocation desk guide to require documented supervisory reviews when
creating, executing, and reconciling monthly cost allocation cycles.
During our fiscal year 2010 audit, we observed that IRS implemented
these new requirements. Specifically, the supervisor reviewed and
signed off on completed cycle-run steps within the cycle-run
spreadsheet before the cost accountants proceeded to the next step.
ID number: 10-14;
Recommendation: Establish controls over the cycle-run spreadsheet to
help minimize the risk of error or omission. At a minimum, this should
include assigning a unique, sortable identifier to each row in the
spreadsheet and implementing controls to promptly and accurately
record the status of processing steps in a manner that ensures each
cycle run is performed and is performed in the proper sequence. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 20;
Status per IRS: Closed. IRS established procedures and controls over
the master version of the cycle-run spreadsheet to minimize the risk
of error or omission on May 6, 2010. Each step in the process contains
a unique cycle identifier for the cycle-run order. Reviews and
validations are conducted to ensure that each cycle is performed in
the proper sequence. The cycle-run spreadsheet is controlled to limit
access to only authorized employees;
Status per GAO: Closed. We verified that IRS established procedures
and implemented controls over the cycle-run spreadsheet, including
supervisory review and sign-off of completed cycle-run steps within
the cycle-run spreadsheet before the cost accountants proceed to the
next step. While IRS chose not to assign a unique, sortable identifier
to each row in the spreadsheet, the implementation of supervisory
reviews at key processing steps helped to ensure that each cycle run
was performed and performed in the proper sequence and thus met the
intent of our recommendation.
ID number: 10-15;
Recommendation: Revise the IRM to require IRS's Central Insolvency
Operation (CIO) to timely provide service center campuses (SSC) an
acknowledgment of receipt for each Form 3210 transmittal related to a
duplicate refund transcript sent to them by a service center campus
for review. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 21;
Status per IRS: Open. IRS is in the process of revising the IRM
specifically relating to Payments in Bankruptcy to include a provision
requiring that receipt acknowledgments for Form 3210 be returned
timely to the originator. Until the changes in IRM are effective, CIO
has issued an e-mail alert with these instructions to the manager of
the CIO department that works the duplicate refund transcripts;
Status per GAO: Open. During our fiscal year 2010 audit, we continued
to find instances where the manual refund units at the service centers
tested either did not have procedures for communicating the
information taken from the Duplicate Refund (DUPREF) transcripts, or
the information was not routed in a timely manner. As IRS has noted,
it is in the process of revising the IRM. We will continue to evaluate
IRS's corrective actions during our fiscal year 2011 financial audit.
Additionally, we will review revisions to the IRM to validate
procedural revisions specific to this recommendation as well as e-mail
alerts that precede the IRM revisions.
ID number: 10-16;
Recommendation: Revise the IRM to require service center campuses
(SCC) to verify that an acknowledgment of receipt has been received
from IRS's Central Insolvency Operation (CIO) for 100 percent of the
form 3210 transmittals related to duplicate refund transcripts they
have forwarded to CIO for review. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 21;
Status per IRS: Open. IRS revised the IRM to include procedures for
verifying Form 3210 acknowledgments received from CIO for duplicate
refund transcripts at service center campuses. The IRM instructs the
Accounting function to review the transcript and stop the duplicate
refund prior to cycle cutoff. The intended recipient will then route
the acknowledgments to the originator for any subsequent action. IRS
will update the fiscal year 2011 revision of the IRM with additional
procedures for recipients to route documents to the required function
within 24 hours of receipt/review;
Status per GAO: Open. We have verified that IRS has revised the IRM to
include procedures for verifying acknowledgments received from CIO for
duplicate refund transcripts at SCCs. We will continue to evaluate the
effectiveness of IRS's ongoing efforts to address this recommendation
during our fiscal year 2011 audit.
ID number: 10-17;
Recommendation: Revise the IRM to require service center campuses
(SCC) to resolve any instances in which an acknowledgment of receipt
for a Form 3210 transmittal related to duplicate refund transcripts is
not received. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 21;
Status per IRS: Open. IRS revised the IRM to include procedures for
following up and resolving instances where Form 3210 was not received
from the Central Insolvency Operation function;
Status per GAO: Open. We have verified that IRS has revised the IRM to
include procedures for following-up and resolving instances where Form
3210 transmittals were not received from the Central Insolvency
Operation (CIO). We will continue to evaluate the effectiveness of
IRS's ongoing efforts to address this recommendation during our fiscal
year 2011 audit.
ID number: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 23;
Status per IRS: Open. IRS developed the Lockbox Document Transmittal
(LDT) forms (for IMF and BMF) and the related instructions for use
when transferring unprocessable items with receipts from lockbox banks
to service center campuses. The forms include an acknowledgment page
that is verified by the Submission Processing Center (SPC) and is
faxed back to the lockbox bank site;
Status per GAO: Open. We plan to evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 23;
Status per IRS: Open. IRS added instructions to the IRM in December
2010, addressing receipt and acknowledgment of the lockbox transmittal
form. IRS issued an Alert to add new procedures to the IRM that
require acknowledging and retaining copies of the new Lockbox
Transmittal. IRS also issued an Alert to add new procedures to
acknowledge LDT if a package of unprocessable receipts is sent
directly to Batching;
Status per GAO: Open. We plan to evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses (SCC) and lockbox banks to acknowledge and
track transmittals of unprocessable items with receipts. These
procedures should include monitoring discrepancies and instituting
appropriate corrective actions as needed. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 23;
Status per IRS: Open. IRS developed the LDT forms for transferring
unprocessable items with receipts from lockbox banks to service center
campuses. The instructions include follow-up procedures for
unacknowledged LDTs and for handling inconsistencies when the volume
does not agree. The 2011 IRM and lockbox processing guidelines (LPG)
will include instructions. The forms include an acknowledgment page
that the SPC will verify and fax back to the lockbox bank site daily.
In December 2010, IRS updated the Processing Internal Control (PIC)
data collection instrument (DCI) to include random reviews performed
by the Lockbox Field Coordinators of the retained LDTs and faxed
acknowledgments. These reviews will take place during peak on-site
reviews. Also in December 2010, IRS updated the Receipt and Control
Mail Out Package DCI. Each Lockbox Field Coordinator met with their
applicable lockbox bank site personnel, as well as their SPC receiving
areas, and provided instructions and training on the new LDT process.
IRS conducted LDT training in September 2010. The existing Lockbox
DCI, specifically the Receipt and Control Mail Out Package DCI and the
Unprocessable With-Remit DCI, captured review data through December
31, 2010. SP will provide feedback from the DCI reviews to the SPCs
and Lockbox Bank Sites;
Status per GAO: Open. We plan to evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 10-21;
Recommendation: Review the Physical Security and Emergency
Preparedness audit management checklist for clarity and revise the
assessment questions as appropriate. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 25;
Status per IRS: Closed. AWSS's PSEP reviewed the questions on the
audit management checklist and modified them for clarity on November
29, 2010, for use in calendar year 2011;
Status per GAO: Closed. IRS reviewed the audit management checklist
and revised assessment questions on November 29, 2010, to more clearly
identify which questions were relevant to the type of IRS facility
being reviewed.
ID number: 10-22;
Recommendation: Issue written guidance to accompany the Physical
Security and Emergency Preparedness audit management checklist that
explains the relevance of the questions and the methods that should be
used to assess and test the related controls. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 25;
Status per IRS: Closed. AWSS's PSEP incorporated instructions for
completing the audit management checklist and included them in the
November 29, 2010, revision for use during calendar year 2011;
Status per GAO: Closed. IRS issued written guidance for completing the
audit management checklist on November 29, 2010.
ID number: 10-23;
Recommendation: Provide training to physical security analysts
responsible for completing the Physical Security and Emergency
Preparedness audit management checklist to help ensure that checklist
questions are answered appropriately and accurately. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 25;
Status per IRS: Closed. IRS provided training to physical security
analysts on completing the audit management checklist on December 15,
2010;
Status per GAO: Closed. IRS PSEP Territory Directors validated to
their Area Directors on December 15, 2010, that all security analysts
received Audit Management Checklist training.
ID number: 10-24;
Recommendation: Establish and document the minimum frequency for how
often the Physical Security and Emergency Preparedness audit
management checklist should be completed at each service center campus
(SCC) and field office. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 25;
Status per IRS: Closed. AWSS's PSEP documented the frequency for
completing the audit management checklist at the service center
campuses and field offices in the PSEP Standard Operating Procedure
Audit Activity Management Program, dated July 27, 2010;
Status per GAO: Closed. On July 27, 2010, IRS established and
documented the minimum frequency for how often the audit management
checklist should be completed at each SCC and field office.
ID number: 10-25;
Recommendation: Establish policies requiring documented managerial
reviews of completed Physical Security and Emergency Preparedness
audit management checklists. These reviews should document (1) the
time and date of the review, (2) the name of the manager performing
the review, (3) the supporting documentation reviewed, (4) any
problems identified with the responses on the checklists, and (5)
corrective actions to be taken. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 25;
Status per IRS: Closed. AWSS's PSEP modified the PSEP Standard
Operating Procedure Audit Activity Management Program, on July 27,
2010, to establish policies requiring documented managerial reviews of
completed audit management checklists;
Status per GAO: Closed. In July 2010, IRS established policies
requiring documented managerial reviews of completed audit management
checklists. The newly established policies require that the territory
manager's review include a review of supporting documentation to
verify the accuracy of the responses on the checklist, problems
identified with responses, and corrective actions to be taken;
and be digitally signed and dated by the territory manager.
ID number: 10-26;
Recommendation: Review the Taxpayer Assistance Center Security and
Remittance Review Database (TSRRD) for clarity and revise review
questions as appropriate. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 28;
Status per IRS: Open. IRS included guidance on how to use the TAC
Security and Remittance Review Database (TSRRD) in the 2010 and 2011
CPE training via the Filing Season Readiness (FSR) Workshop. IRS
provided the 2011 FSR training through December 31, 2010 via the web.
TAC managers certified to their Territory Managers on January 14,
2011, that they had completed this training;
Status per GAO: Open. We will evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 10-27;
Recommendation: Provide training to Taxpayer Assistance Center (TAC)
group managers to assist with their understanding of the TAC Security
and Remittance Review Database (TSRRD) review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 28;
Status per IRS: Open. IRS included guidance on how to use the TAC
TSRRD in the 2010 and 2011 CPE training via the Filing Season
Readiness (FSR) Workshop. IRS provided the 2011 FSR training through
December 31, 2010 via the web. TAC managers certified to their
Territory Managers on January 14, 2011 that they had completed this
training;
Status per GAO: Open. We will evaluate the effectiveness of IRS's
corrective actions during our fiscal year 2011 audit.
ID number: 10-28;
Recommendation: Establish policies that require territory managers or
a manager at least one level above the group manager to periodically
review the information entered into the Taxpayer Assistance Center
Security and Remittance Review Database (TSRRD) for accuracy and
completeness prior to the results being forwarded to Field Assistance
Office headquarters management. This review should be signed and
documented, and include (1) the time and date of the review, (2) the
name of the manager performing the review, (3) the task performed
during the review, (4) any problems or questions identified, and (5)
planned corrective actions. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 28;
Status per IRS: Closed. IRS Territory Managers (TM) are required to
review the information input by TAC group managers into the TAC TSRRD
prior to sending it to Field Assistance headquarters management per
IRM 1.4.11-11. TAC managers use the TSRRD to document supervisory
reviews. Managers must establish and maintain appropriate
recordkeeping systems which will support the data that is submitted in
the TSRRD. Upon completion, managers will print a copy prior to
electronic submission, which may be used for the TM's follow-up
review. Once the manager submits the information in the TSRRD, the TM
will review the information for accuracy and completeness prior to the
deadline. The TM will sign, date, and address any problems, questions,
or planned corrective actions for each review. The TM may document
these actions in the operational review process;
Status per GAO: Closed. We verified that IRS established policies in
the IRM that require territory managers to review the information
input by group managers into the TSRRD prior to sending it to FA
headquarters. The newly established policies require that territory
managers sign and date the review, as well as address any problems,
questions or planned corrective actions.
ID number: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 29;
Status per IRS: Closed. AWSS's PSEP revised Procurement Policy 39.1(c)
on September 7, 2010, to require security awareness training for all
IRS contractors with unescorted physical access to taxpayer
information. AWSS PSEP changed the policy to require contractors who
were previously exempted from Security Awareness Training to take the
PSEP briefing within 10 days of reporting to duty and annually
thereafter;
Status per GAO: Open. IRS's actions to date have not met the intent of
our recommendation. IRS's Revised Procurement Policy 39.1(c) states
that certain types of contractors, such as janitorial and building
maintenance (who can have unescorted, unsupervised physical access to
taxpayer information), are not required to receive Security Awareness
Training--with the exception of Physical Security Training (also
referred to as the PSEP briefing). However, the PSEP briefing does not
cover key elements of security awareness, including (1) authorized and
unauthorized disclosures of taxpayer information, (2) basic protection
policies concerning taxpayer receipts and information, and (3) federal
penalties for not protecting this information. We will continue to
assess IRS's actions in this area during our fiscal year 2011 audit.
ID number: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all service center campus Unit Security
Representatives (USR) to complete (1) the required initial USR
training prior to assuming their responsibilities, and (2) annual
refresher training each year thereafter. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 31;
Status per IRS: Open. All USRs and alternate USRs completed the
initial USR training class by May 31, 2010. New USRs will complete the
initial USR training class prior to assuming their responsibilities.
Annual refresher training is mandatory for all USRs thereafter. The
IDRS Security Project Management Office will implement a reporting
capability to identify USRs who fail to comply with initial and annual
refresher training requirements. The reporting process will track USR
compliance in the Enterprise Learning Management System (ELMS)
Learning History and provide notification to affected USRs, their
respective managers, and the USR points of contact for remediation,
when necessary;
Status per GAO: Open. During our fiscal year 2010 audit, we continued
to find that USRs did not complete the required initial USR training
or complete the required annual refresher training, or both. We will
evaluate the effectiveness of IRS's ongoing efforts to address this
recommendation, during our fiscal year 2011 audit. We will also verify
that IRS has implemented a reporting capability to identify USRs who
have failed to comply with initial and annual refresher training
requirements.
ID number: 10-31;
Recommendation: Update service center campus Unit Security
Representatives' (USR) training manuals to ensure they reflect current
security policies and procedures. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 31;
Status per IRS: Closed. On December 15, 2009, the IDRS Project
Management Office launched two new ELMS Interactive online training
courses for all IDRS USRs to incorporate current security policies and
procedures. In collaboration with MITS E-Learning, these interactive
training courses include slide presentations and accompanying voice-
recording narratives;
Status per GAO: Closed. IRS has documented and we have verified that
the USR training manuals were updated in December 2009. We will,
however, continue to monitor IRS's updates and improvements to ensure
that training manuals reflect current security policies and procedures.
ID number: 10-32;
Recommendation: Establish a process to periodically review and update
service center campus Unit Security Representatives (USR) training
materials as appropriate. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 31;
Status per IRS: Open. The IDRS Security Project Management Office will
ensure annual reviews of the IDRS USR training material occur. Annual
reviews were implemented on December 31, 2010. Training material will
be updated as appropriate. The IRS completed a review and update of
USR training materials in December 2009. In November 2010, the IRS
completed another review of USR training material. As a result, the
initial and refresher USR courses are being updated;
Status per GAO: Open. The steps IRS has taken to address the issues
related to this recommendation were implemented after our fiscal year
2010 audit's completion. Therefore, we will review and evaluate IRS's
implementation of annual reviews as well as initial and refresher USR
courses during our fiscal year 2011 audit.
ID number: 10-33;
Recommendation: Establish procedures requiring the Director of IRS's
Human Capital Office, Leadership, Education and Delivery Services (HCO
LEADS) or designee to periodically monitor each business unit's
progress in complying with mandatory briefing requirements. (short-
term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 33;
Status per IRS: Open. Effective July 17, 2010, LEADS provided weekly
statistics on each unit's progress in complying with the mandatory
briefings requirement broken out by Business Unit. LEADS will
distribute quarterly summary reports to the heads of offices;
Status per GAO: Open. IRS's efforts to address our recommendation are
ongoing. We will evaluate IRS's actions during our fiscal year 2011
audit.
ID number: 10-34;
Recommendation: Establish procedures requiring contracting officers
(COs) or contracting officer's technical representatives (COTRs) to
obtain and retain written documentation from end users confirming
receipt and acceptability of purchased goods or services prior to
entering acknowledgment of receipt and acceptance in the Web Request
Tracking System (WebTRS). (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 34;
Status per IRS: Closed. IRS updated the Receipt and Acceptance
Handbook in March 2010 to include the requirement to obtain and retain
documentation to support receipt and acceptance before entering the
acknowledgment in WebRTS. In addition, Procurement's Policy and
Procedures Memorandum relating to Monitoring Receipt, Acceptance and
Quality Assurance through Contract Administration Plans, instructs all
Procurement personnel and COTRs to maintain documentation of receipt
of supplies or services. IRS has reinforced this requirement through
presentations at the 2010 Procurement Partnership Conference in March
2010, and the 2010 CFO Customer Conference in May 2010;
Status per GAO: Closed. We confirmed that IRS updated the Receipt and
Acceptance Handbook in March 2010 to include the requirement to obtain
and retain documentation to support receipt and acceptance before
entering the acknowledgment in WebRTS. However during our fiscal year
2010 audit, we found eight instances in which the COTRs did not either
obtain or retain written documentation confirming receipt of the
service from the end user prior to entering receipt and acceptance. Of
these eight instances, three occurred following IRS's update to its
guidance. We will continue to monitor the issue in future audits and
assess the effectiveness of IRS's actions to determine what additional
corrective actions may be needed.
ID number: 10-35;
Recommendation: Reiterate IRS's policy for staff to indicate in the
Web Request Tracking System (WebRTS) during final receipt and
acceptance that the payment is a final payment to close out a contract
or purchase order to help ensure any remaining obligated funds are
timely deobligated. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 37;
Status per IRS: Closed. IRS issued a WebRTS broadcast e-mail to all
WebRTS users on June 2, 2010, to reinforce the use of the receipt and
acceptance final flag to ensure timely closure of obligations;
Status per GAO: Closed. We reviewed the WebRTS broadcast e-mail
message and noted that it does reinforce the use of the receipt and
acceptance final flag to ensure timely closure of obligations.
ID number: 10-36;
Recommendation: Re-evaluate and, as necessary, revise the aging
criteria for the Aging Unliquidated Obligation reviews so that
unliquidated obligations are reviewed sooner in order to timely detect
and deobligate excess obligations. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 37;
Status per IRS: Closed. On January 4, 2010, the IRS revised the aging
criteria for the fiscal year 2010 Aging Unliquidated Obligation
reviews from 300 days to 240 days to review a broader scope of
unliquidated obligations sooner. IRS determined that decreasing the
aging criteria further would not only provide a minimal benefit, but
increases the Aging Unliquidated Obligation review volume to an
unreasonable level;
Status per GAO: Closed. During the fiscal year 2010 audit, we
confirmed that IRS reevaluated the aging criteria for Aging
Unliquidated Obligation reviews and revised the aging criteria for
obligations from over 300 days of no activity to over 240 days of no
activity.
ID number: 10-37;
Recommendation: Provide technicians and supervisors who are
responsible for recording and reviewing obligation transactions with
training on the proper usage of manually linked obligation
transactions to reinforce IRS's existing policy requiring that
transactions be recorded accurately to the upward and downward
adjustments to prior year obligation accounts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 39;
Status per IRS: Closed. IRS revised the internal Beckley Finance
Center process, updated the related procedures, and provided
additional training to technicians and supervisors responsible for the
manual linking of obligations in October 2009. IRS provided GAO with
copies of the procedures and a walk-through of the Beckley Finance
Center process on March 11, 2010;
Status per GAO: Closed. IRS updated the procedures related to manually
linked up/down transactions and provided additional training to
technicians and supervisors responsible for the manual linking of
obligations in October 2009. We did not find any exceptions that were
related to this issue in our fiscal year 2010 audit testing.
ID number: 10-38;
Recommendation: Develop controls to improve the linked obligation
transaction review process to timely detect and correct erroneous
links between unrelated upward and downward adjustments to prior year
obligation transactions. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 39;
Status per IRS: Closed. IRS revised internal Beckley Finance Center
processes and implemented procedures to add a second level review of
all linked obligations at the time of actual linking on March 16, 2010;
Status per GAO: Closed. IRS established review procedures of manually
linked up/down transactions. We did not find any exceptions that were
related to this issue in our fiscal year 2010 audit testing.
ID number: 10-39;
Recommendation: Establish a formal funds control process to set aside
amounts for tax law enforcement and related support activities, as
required by annual appropriations acts. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 43;
Status per IRS: Closed. The Tax Law Enforcement Appropriations set-
aside requirement was not included in the full year continuing
appropriations act for fiscal year 2011, as amended. The
appropriations act contained language that specifically eliminated it;
Status per GAO: Closed. The Tax Law Enforcement Appropriations set-
aside requirement is not included in the full year continuing
appropriations act for fiscal year 2011, as amended;
therefore there is no similar set-aside requirement in fiscal year
2011. Because our recommendation is contingent on a set-aside
requirement that is included in the appropriations act;
and such a requirement was not included in fiscal year 2011
appropriations act, we are closing this recommendation. However, if
such a set-aside requirement should exist in future years, IRS should
establish a funds control process to ensure compliance.
ID number: 10-40;
Recommendation: Establish a policy to periodically monitor throughout
the year the amount of different appropriations accounts attributed to
the set-aside to assess IRS's progress toward complying with the
requirement. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 43;
Status per IRS: Closed. The IRS has established a policy to
periodically monitor its progress toward achieving the targeted level
of activity for tax law enforcement and related support activities;
Status per GAO: Closed. During the fiscal year 2010 audit, we
confirmed that IRS established a process to periodically monitor its
progress toward achieving compliance with the enforcement set-aside
requirement.
ID number: 10-41;
Recommendation: Based on the results of its periodic assessments, take
action to allocate the required amount of appropriations to tax law
enforcement and related support activities to comply with the set-
aside requirement. (short-term);
Source report: Management Report: Improvements Are Needed in IRS's
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010), page 43;
Status per IRS: Closed. The Tax Law Enforcement Appropriations set-
aside requirement was not included in the full year continuing
appropriations act for fiscal year 2011, as amended. The
appropriations act contained language that specifically eliminated it;
Status per GAO: Closed. The Tax Law Enforcement Appropriations set-
aside requirement is not included in the full year continuing
appropriations act for fiscal year 2011, as amended;
therefore there is no similar set-aside requirement in fiscal year
2011. Because our recommendation is contingent on a set-aside
requirement that is included in the appropriations act, and such a
requirement was not included in fiscal year 2011 appropriations act,
we are closing this recommendation.
ID number: 11-01;
Recommendation: Put procedures in place to periodically monitor the
effectiveness of the new First-Time Home Buyers Credit (FTHBC)
validity checks for the duration of the filing of FTHBC claims to
verify that they are working as intended. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 9;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-02;
Recommendation: Establish a mechanism to enforce the existing
requirement for appropriate managers to immediately notify the manual
refund units of any personnel changes affecting the approval or
processing of manual refunds. This may be accomplished through
mechanisms such as issuing periodic alerts, providing training or
having the manual refund unit perform quarterly validations of the
list of manual refund approving officials, or a combination of these.
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 10;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-03;
Recommendation: Send out a reminder to all staff to follow policies
and procedures for obtaining approval and funding of proposed
purchases prior to entering into an agreement with vendors. (short-
term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 13;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-04;
Recommendation: Establish formal written procedures requiring staff to
review purchase contract terms against the goods and services received
to date before requesting additional goods or services. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 13;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-05;
Recommendation: Establish procedures to centrally review and monitor
the timeliness of personnel action requests and approvals to help
ensure compliance with the IRM and applicable Office of Personnel
Management (OPM) regulations and guidance. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 15;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-06;
Recommendation: Adopt the local field office's timekeeping procedures
or similar procedures for entering and verifying the accuracy of time
and attendance information entered into the Single Entry Time
Reporting System (SETR) throughout IRS for use by all units in which
employees do not enter their own time charges directly to SETR. (short-
term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 17;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-07;
Recommendation: Further revise the detailed procedures for
implementing the requirement to validate the appropriateness of the
National Finance Center (NFC) programming changes after such changes
are made. These revisions should (1) clarify the criteria for
determining which programming changes will be subject to validation,
(2) identify officials responsible for making and documenting these
determinations, and (3) require postimplementation statistical
sampling from a targeted population that consists of employees who are
most likely to be affected by the NFC programming change. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 20;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-08;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring cash receipts to be immediately
logged under dual control when first discovered in the mail room.
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 22;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-09;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring mail room staff to maintain custody
of the control log at all times. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 22;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-10;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring the amount of cash receipts initially
discovered in the mail room to be independently reconciled to the
amount deposited and recorded in the general ledger. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 22;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-11;
Recommendation: Perform a review of all existing contracts under
$100,000 that (1) do not have an appointed contracting officer's
technical representative (COTR) and (2) do not require that contract
employees obtain background investigations to assess whether the
services performed under each contract warrant a requirement that
contract employees obtain background investigations. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 24;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-12;
Recommendation: Based on a review of all existing contracts under
$100,000 without an appointed contracting officer's technical
representative (COTR) that should require contract employees to obtain
favorable background investigation results, amend those contracts to
require that favorable background investigations be obtained for all
relevant contract employees before routine, unescorted, unsupervised
physical access to taxpayer information is granted. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 24;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-13;
Recommendation: Establish a policy requiring collaborative oversight
between IRS's key offices in determining whether potential service
contracts involve routine, unescorted, unsupervised physical access to
taxpayer information, thus requiring background investigations,
regardless of contract award amount. This policy should include a
process for the requiring business unit to communicate to the Office
of Procurement and the Human Capital Office the services to be
provided under the contract and any potential exposure of taxpayer
information to contract employees providing the services, and for all
three units to (1) evaluate the risk of exposure of taxpayer
information prior to finalizing and awarding the contract and (2)
ensure that the final contract requires favorable background
investigations as applicable, commensurate with the assessed risk.
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 24;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-14;
Recommendation: Establish procedures to provide a consistent
methodology for calculating and establishing allowable deposit courier
trip time limits to be used by both service center campuses and
lockbox banks that would assist in detecting potential unauthorized
stops or other contractual violations for deposit couriers. Such
procedures should include instructions for documenting and supporting
how the trip limits were determined and require justification and
approval for all established time limits that exceed the average trip
time. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 27;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-15;
Recommendation: Establish procedures to require periodic reassessments
of, and updates to, deposit courier allowable trip time limits to
account for changes in courier routes or other conditions that may
affect trip times. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 27;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-16;
Recommendation: Enforce existing contractual requirements for the
cargo doors of contract courier vehicles to be locked after picking up
taxpayer information. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 29;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-17;
Recommendation: Establish procedures to prevent or detect unauthorized
access to taxpayer information in contract courier vehicles during
transit. These procedures should detail specific activities to be
performed by both the business units sending and receiving the
information transported by the contract courier. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 29;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-18;
Recommendation: Revise the guidance for conducting the periodic
reviews of the contract couriers transporting taxpayer information
from one IRS processing facility to another to include procedures for
(1) physically verifying that courier vehicle cargo doors are locked
after picking up this information and remain locked during transit to
the final destination and (2) documenting the basis for the reviewer's
conclusions. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 29;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-19;
Recommendation: Revise the IRM to include a comprehensive process that
Small Business/Self Employed (SB/SE) unit managers should follow when
performing reviews of the document transmittal process for determining
whether staff are (1) maintaining control copies of document
transmittal forms, (2) reconciling all document transmittal forms on a
biweekly basis to ensure that all transmittals were received, and (3)
following up on transmittals that are not timely acknowledged. (short-
term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 31;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-20;
Recommendation: Revise the IRM to include specifying minimally
acceptable steps the Small Business/Self Employed (SB/SE) unit
managers should follow in documenting the results of required reviews
of the document transmittal process. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 32;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-21;
Recommendation: Define and specify in the IRM which types of IRS
facilities constitute a processing facility. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 33;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-22;
Recommendation: Perform an assessment of the off-site processing
facilities to determine the frequency with which compliance reviews
should be performed for these locations commensurate with the specific
operational activities performed and the assessed level of risk
associated with the facility. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 34;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-23;
Recommendation: Based on the results of an assessment of off-site
processing facilities that process taxpayer receipts and related
taxpayer information, revise the IRM to specify the frequency with
which compliance reviews should be performed at these facilities.
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 34;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-24;
Recommendation: Revise the post orders for the service center campuses
(SCC) and lockbox bank security guards to include specific procedures
for timely reporting exterior lighting outages to SCC or lockbox bank
facilities management. These procedures should specify (1) whom to
contact to report lighting outages and (2) how to document and track
lighting outages until resolved. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 35;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-25;
Recommendation: Revise the nature and scope of the service center
campuses' (SCC) and lockbox banks' physical security reviews to
include periodic after dark assessments of physical security controls.
(short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 35;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-26;
Recommendation: Take steps to effectively implement the procedures
requiring property staff to verify that the asset purchase price shown
in the Asset Management Report agrees with the asset purchase price
shown in the Integrated Financial System (IFS) and to resolve any
variances before entering the information into the Information
Technology Asset Management System (ITAMS). (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 37;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-27;
Recommendation: Finalize procedures requiring that copier hard drives
be removed and destroyed or otherwise appropriately cleaned before
disposing of copiers. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 39;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-28;
Recommendation: Revise the IRM to incorporate the new copier disposal
procedures that require that copier hard drives be removed and
destroyed or otherwise appropriately cleaned before disposing of
copiers. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 39;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
ID number: 11-29;
Recommendation: Issue a memorandum to all business units reminding
them that only designated Real Estate Facilities Management (REFM)
staff are authorized to dispose of copiers. (short-term);
Source report: Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June
21, 2011), page 39;
Status per IRS: Because this is a new recommendation, GAO did not
obtain information on IRS's status in addressing it;
Status per GAO: Open. This is a recent recommendation. We will verify
IRS's corrective actions during our fiscal year 2011 and future audits.
Source: GAO and IRS.
[End of table]
[End of section]
Appendix II: Open Recommendations Arranged by Material Weakness,
Significant Deficiency, Compliance, or Other Control Issue:
For several years, we have reported material weaknesses, significant
deficiencies, noncompliance with laws and regulations, and other
control issues in our annual financial statement audits and related
management reports.[Footnote 49] Appendix II provides summary
information regarding the primary issue to which each open
recommendation is most closely related. To compile this summary, we
analyzed the nature of the open recommendations to relate them to the
material weaknesses, significant deficiency, compliance issue, or
other control issues (not associated with a material weakness,
significant deficiency, or compliance issue) identified as part of our
financial statement audit.
Material Weakness: Unpaid Tax Assessments:
The Internal Revenue Service (IRS) has weaknesses in its internal
control over the management of unpaid tax assessments resulting from
the agency's (1) inability to use its general ledger and underlying
subsidiary records to report federal taxes receivable, compliance
assessments, and writeoffs in accordance with federal accounting
standards without significant compensating procedures, (2) lack of
transaction traceability for the reported balance in taxes receivable
that comprises over 80 percent of IRS's total assets as of September
30, 2010, and an effective transaction-based subledger for unpaid tax
assessment transactions, and (3) inability to effectively prevent or
timely detect and correct errors in taxpayer accounts. The
recommendations in table 12 address these weaknesses.
Table 12: Material Weakness: Controls over Unpaid Assessments:
ID number: 99-01;
Recommendation: Manually review and eliminate duplicate or other
assessments that have already been paid off to assure that all
accounts related to a single assessment are appropriately credited for
payments received. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 08-06;
Recommendation: In instances where computer programs that control
penalty assessments are not functioning in accordance with the intent
of the IRM, take appropriate action to correct the programs so that
they function in accordance with the IRM. (long-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-01;
Recommendation: Review the results of IRS's unpaid assessments
compensating statistical estimation process to identify and document
instances where systemic limitations in the Custodial Detail Data Base
(CDDB) resulted in misclassifications of account balances that, in
turn, resulted in material inaccuracies in the amounts of reported
unpaid assessments. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-02;
Recommendation: Research and implement programming changes to allow
the Custodial Detail Data Base (CDDB) to more accurately classify such
accounts among the three categories of unpaid tax assessments. (short-
term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-03;
Recommendation: Research and identify control weaknesses resulting in
inaccuracies or errors in taxpayer accounts that materially affect the
financial reporting of unpaid tax assessments. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-04;
Recommendation: Once IRS identifies the control weaknesses that result
in inaccuracies or errors that materially affect the financial
reporting of unpaid tax assessments, implement control procedures to
routinely prevent, or to detect and correct, such errors. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-05;
Recommendation: Revise the IRM to provide specific requirements for
supervisors to review the accuracy of credit transactions related to
Trust Fund Recovery Penalty (TFRP) payments processed through the
Automated Trust Fund Recovery (ATFR) system. This guidance should
provide specific areas to review and list the ATFR system reports that
can facilitate supervisory reviews. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 10-06;
Recommendation: Formalize and implement the quarterly reviews of Trust
Fund Recovery Penalty (TFRP) payment transactions to monitor
compliance with IRM requirements. (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID number: 10-07;
Recommendation: Develop procedures to analyze the results of the
quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment
transactions so that specific factors causing the errors are
identified. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
ID number: 10-08;
Recommendation: Develop procedures to address the factors causing
errors in the processing of Trust Fund Recovery Penalty (TFRP) payment
transactions identified through the analyses of the quarterly review
results. (short-term);
Control activity: Accurate and timely recording of transactions and
events.
Source: GAO.
[End of table]
Material Weakness: Information Security:
IRS has serious internal control weaknesses over information security
that result primarily from IRS not having fully implemented key
components of its information security program. These weaknesses,
collectively, represent a material weakness. For example, (1) IRS's
testing did not detect many of the vulnerabilities we identified and
did not assess a key application in its current environment, and (2)
IRS did not effectively validate corrective actions reported to
resolve previously identified weaknesses. Although IRS has made some
progress in addressing previous weaknesses we identified in its
information systems and physical security controls, as of March 2011,
there were 105 open recommendations designed to help IRS improve its
information systems security controls. Those recommendations are
reported separately and are not included in this report primarily
because of the sensitive nature of some of the issues.[Footnote 50]
Significant Deficiency: Tax Refund Disbursements:
IRS has significant internal control weaknesses over its tax refund
disbursements. In our audit of IRS's fiscal year 2010 financial
statements,[Footnote 51] we reported a significant deficiency in IRS's
internal control over tax refund disbursements that resulted from (1)
a multiyear pattern of our identifying deficiencies in IRS's internal
control over the processing of manual refunds, which we have reported
for several years;[Footnote 52] (2) the increasing magnitude of manual
tax refunds disbursed; and (3) new deficiencies associated with the
First-Time Home Buyer Credit (FTHBC). This significant deficiency
increases the risk that IRS may pay out duplicate or otherwise
erroneous tax refunds to which individuals or businesses are not
entitled and for which IRS must spend resources attempting to recover.
The recommendations in table 13 address our findings.
Table 13: Significant Deficiency: Tax Refund Disbursements:
ID number: 05-38;
Recommendation: Enforce requirements for monitoring accounts and
reviewing monitoring of accounts for manual refunds. (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID number: 05-39;
Recommendation: Enforce requirements for documenting monitoring
actions and supervisory review for manual refunds. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 06-01;
Recommendation: Require that Refund Inquiry Unit managers or
supervisors document their review of all forms used to record and
transmit returned refund checks prior to sending them for final
processing. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 07-08;
Recommendation: Require that managers or supervisors provide the
manual refund initiators in their units with training on the most
current requirements to help ensure that they fulfill their
responsibilities to monitor manual refunds and document their
monitoring actions to prevent the issuance of duplicate refunds.
(short-term);
Control activity: Management of human capital.
ID number: 10-15;
Recommendation: Revise the IRM to require IRS's Central Insolvency
Operation (CIO) to timely provide service center campuses (SCC) an
acknowledgment of receipt for each form 3210 transmittal related to a
duplicate refund transcript sent to them by a service center campus
for review. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 10-16;
Recommendation: Revise the IRM to require service center campuses
(SCC) to verify that an acknowledgment of receipt has been received
from IRS's Central Insolvency Operation (CIO) for 100 percent of the
form 3210 transmittals related to duplicate refund transcripts they
have been forwarded to CIO for review. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 10-17;
Recommendation: Revise the IRM to require service center campuses
(SCC) to resolve any instances in which an acknowledgment of receipt
for a form 3210 transmittal related to duplicate refund transcripts is
not received. (short-term);
Control activity: Appropriate documentation of transactions and
internal controls.
ID number: 11-01;
Recommendation: Put procedures in place to periodically monitor the
effectiveness of the new First-Time Home Buyers Credit (FTHBC)
validity checks for the duration of the filing of FTHBC claims to
verify that they are working as intended. (short-term);
Control activity: Reviews by management at the functional or activity
level.
ID number: 11-02;
Recommendation: Establish a mechanism to enforce the existing
requirement for appropriate managers to immediately notify the manual
refund units of any personnel changes affecting the approval or
processing of manual refunds. This may be accomplished through
mechanisms such as issuing periodic alerts, providing training or
having the manual refund unit perform quarterly validations of the
list of manual refund approving officials, or a combination of these.
(short-term);
Control activity: Reviews by management at the functional or activity
level.
Source: GAO.
[End of table]
Release of Federal Tax Liens:
IRS continues to be noncompliant with the laws and regulations
governing the release of federal tax liens.[Footnote 53] We found IRS
did not always release applicable federal tax liens within 30 days of
tax liabilities being either paid off or abated, as required by the
Internal Revenue Code (section 6325). The Internal Revenue Code grants
IRS the power to file a lien against the property of any taxpayer who
neglects or refuses to pay all assessed federal taxes. The lien serves
to protect the interest of the federal government and as a public
notice to current and potential creditors of the government's interest
in the taxpayer's property. The recommendation in table 14 addresses
our finding.
Table 14: Compliance with Laws and Regulations: Timely Release of
Liens:
ID number: 01-06;
Recommendation: Implement procedures to closely monitor the release of
tax liens to ensure that they are released within 30 days of the date
the related tax liability is fully satisfied. As part of these
procedures, IRS should carefully analyze the causes of the delays in
releasing tax liens identified by our work and prior work by IRS's
former internal audit function and ensure that such procedures
effectively address these issues. (short-term);
Control activity: Reviews by management at the functional or activity
level.
Source: GAO.
[End of table]
Other Control Issues:
The 57 recommendations listed in table 15 pertain to issues that do
not rise individually or in the aggregate to the level of a material
weakness or significant deficiency in internal control, or to a
reportable noncompliance with laws and regulations. However, these
issues do represent weaknesses in various aspects of IRS's internal
controls that should be addressed.
Table 15: Other Control Issues Not Associated with a Material
Weakness, Significant Deficiency, or Compliance Issue:
ID number: 01-17;
Recommendation: Develop a subsidiary ledger for leasehold improvements
and implement procedures to record leasehold improvement costs as they
occur. (long-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 05-32;
Recommendation: Establish policies and procedures to require
appropriate segregation of duties in small business/self-employed
units of field offices with respect to preparation of Payment Posting
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term);
Control Activity: Segregation of duties.
ID number: 05-33;
Recommendation: Enforce the requirement that a document transmittal
form listing the enclosed Daily Report of Collection Activity forms be
included in transmittal packages, using such methods as more frequent
inspections or increased reliance on error reports compiled by the
service center teller units receiving the information. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 06-02;
Recommendation: Enforce compliance with existing requirements that all
IRS units transmitting taxpayer receipts and information from one IRS
facility to another, including service center campuses (SCC), Taxpayer
Assistance Centers (TAC), and units within the Large and Mid-sized
Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE)
business operating units, establish a system to track acknowledged
copies of document transmittals. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 06-04;
Recommendation: Require that managers or supervisors document their
reviews of document transmittals to ensure that taxpayer receipts
and/or taxpayer information mailed between IRS locations are tracked
according to guidelines. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 06-05;
Recommendation: Equip all Taxpayer Assistance Centers (TAC) with
adequate physical security controls to deter and prevent unauthorized
access to restricted areas or office space occupied by other IRS
units, including those TACs that are not scheduled to be reconfigured
to the "new TAC" model in the near future. This includes appropriately
separating customer service waiting areas from restricted areas in the
near future by physical barriers, such as locked doors marked with
signs barring entrance by unescorted customers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 07-04;
Recommendation: Develop and implement appropriate corrective actions
for any gaps in closed circuit television (CCTV) camera coverage that
do not provide an unobstructed view of the entire exterior of the
Service Center Campus' (SCC) perimeter, such as adding or
repositioning existing CCTV cameras or removing obstructions. (short-
term);
Control Activity: Physical control over vulnerable assets.
ID number: 07-20;
Recommendation: Establish and maintain sufficient secured storage
space to properly secure and safeguard property and equipment
inventory, including in-stock inventories, assets from incoming
shipments, and assets that are in the process of being excessed or
shipped out, or both. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 08-07;
Recommendation: Develop and provide comprehensive guidance to assist
Taxpayer Assistance Center (TAC) managers in conducting reviews of
outlying TACs and documenting the results. This guidance should
include a description of the key controls that should be in place at
outlying TACs, specify how often these key controls should be
reviewed, and specify how the results of each review should be
documented, including follow-up on issues identified in previous TAC
reviews. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 08-12;
Recommendation: Establish procedures to require documentation
demonstrating that favorable background checks have been completed for
all contractors prior to allowing them access to Taxpayer Assistance
Centers (TAC) and other field offices. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 08-14;
Recommendation: Revise the IRM to include a requirement that IRS
conduct periodic, unannounced inspections at off-site contractor
facilities entrusted with sensitive IRS information;
document the results, including identification of any security issues;
and verify that the contractor has taken appropriate corrective
actions on any security issues observed. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 08-17;
Recommendation: Reinforce existing policies requiring verification of
the information on Form 13094 (Recommendation for Juvenile Employment)
by contacting the reference directly and documenting the details of
this contact. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 08-24;
Recommendation: Issue a memorandum to employees that reiterates IRS
policy requiring all employees to obtain appropriate approvals of
travel authorizations prior to the initiation of their travel. (short-
term);
Control Activity: Proper execution of transactions and events.
ID number: 09-03;
Recommendation: Document in the IRM minimum requirements for
establishing criteria for time discrepancies or other inconsistencies,
which if noted as part of the required monitoring of Form 10160,
Receipt for Transport of IRS Deposit, would require off-site
surveillance of couriers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-04;
Recommendation: Document in the IRM minimum requirements for
conducting off-site surveillance of couriers entrusted with taxpayer
receipts and information. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-05;
Recommendation: Establish procedures to track and routinely report the
total dollar amounts and volumes of receipts collected by individual
Taxpayer Assistance Center (TAC) location, group, territory, area, and
nationwide. (long-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 09-06;
Recommendation: Establish procedures to ensure that an inventory of
all duress alarms is documented for each location and is readily
available to individuals conducting duress alarm tests before each
test is conducted. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-07;
Recommendation: Establish procedures to periodically update the
inventory of duress alarms at each Taxpayer Assistance Center (TAC)
location to ensure that the inventory is current and complete as of
the testing date. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-08;
Recommendation: Provide instructions for conducting quarterly duress
alarm tests to ensure that IRS officials conducting the test (1)
document the test results for each duress alarm listed in the
inventory, including date, findings, and planned corrective action and
(2) track the findings until they are properly resolved. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-09;
Recommendation: Establish procedures requiring that each physical
security analyst conduct a periodic documented review of the Emergency
Signal History Report and emergency contact list for its respective
location to ensure that (1) appropriate corrective actions have been
planned for all incidents reported by the central monitoring station
and (2) the emergency contact list for each location is current and
includes only appropriate contacts. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 09-16;
Recommendation: Develop outcome-oriented performance measures and
related performance goals for IRS's enforcement programs and
activities that include measures of the full cost of, and the revenue
collected from, those programs and activities (return on investment)
to assist IRS's managers in optimizing resource allocation decisions
and evaluating the effectiveness of their activities. (long-term);
Control Activity: Establishment and review of performance measures and
indicators.
ID number: 10-18;
Recommendation: Require service center campuses to acknowledge
unprocessable items with receipts received from lockbox banks. (short-
term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 10-19;
Recommendation: Establish procedures to track service center campus
acknowledgments of unprocessable items with receipts. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 10-20;
Recommendation: Establish procedures to monitor the process used by
service center campuses (SCC) and lockbox banks to acknowledge and
track transmittals of unprocessable items with receipts. These
procedures should include monitoring discrepancies and instituting
appropriate corrective actions as needed. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 10-26;
Recommendation: Review the Taxpayer Assistance Center Security and
Remittance Review Database (TSRRD) for clarity and revise review
questions as appropriate. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 10-27;
Recommendation: Provide training to Taxpayer Assistance Center (TAC)
group managers to assist with their understanding of the TAC Security
and Remittance Review Database (TSRRD) review questions and related
objectives. This training should be provided on an ongoing basis to
account for changes in TSRRD questions and for newly hired or
appointed TAC group managers. (short-term);
Control Activity: Management of human capital.
ID number: 10-29;
Recommendation: Analyze the various contractor access arrangements and
establish a policy that requires security awareness training for all
IRS contractors who are provided unescorted physical access to its
facilities or taxpayer receipts and information. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 10-30;
Recommendation: Designate management responsibility and establish a
process for monitoring compliance with and enforcing the IRM
requirement for all service center campus Unit Security
Representatives (USR) to complete (1) the required initial USR
training prior to assuming their responsibilities, and (2) annual
refresher training each year thereafter. (short-term);
Control Activity: Management of human capital.
ID number: 10-32;
Recommendation: Establish a process to periodically review and update
service center campus Unit Security Representatives (USR) training
materials as appropriate. (short-term);
Control Activity: Management of human capital.
ID number: 10-33;
Recommendation: Establish procedures requiring the Director of IRS's
Human Capital Office, Leadership, Education and Delivery Services (HCO
LEADS) or designee to periodically monitor each business unit's
progress in complying with mandatory briefing requirements. (short-
term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 11-03;
Recommendation: Send out a reminder to all staff to follow policies
and procedures for obtaining approval and funding of proposed
purchases prior to entering into an agreement with vendors. (short-
term);
Control Activity: Proper execution of transactions and events.
ID number: 11-04;
Recommendation: Establish formal written procedures requiring staff to
review purchase contract terms against the goods and services received
to date before requesting additional goods or services. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 11-05;
Recommendation: Establish procedures to centrally review and monitor
the timeliness of personnel action requests and approvals to help
ensure compliance with the IRM and applicable Office of Personnel
Management (OPM) regulations and guidance. (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 11-06;
Recommendation: Adopt the local field office's timekeeping procedures
or similar procedures for entering and verifying the accuracy of time
and attendance information entered into the Single Entry Time
Reporting System (SETR) throughout IRS for use by all units in which
employees do not enter their own time charges directly to SETR. (short-
term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 11-07;
Recommendation: Further revise the detailed procedures for
implementing the requirement to validate the appropriateness of the
National Finance Center (NFC) programming changes after such changes
are made. These revisions should (1) clarify the criteria for
determining which programming changes will be subject to validation,
(2) identify officials responsible for making and documenting these
determinations, and (3) require postimplementation statistical
sampling from a targeted population that consists of employees who are
most likely to be affected by the NFC programming changes. (short-
term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 11-08;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring cash receipts to be immediately
logged under dual control when first discovered in the mail room.
(short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-09;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring mail room staff to maintain custody
of the control log at all times. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-10;
Recommendation: Take steps to effectively implement procedures at the
Beckley Finance Center requiring the amount of cash receipts initially
discovered in the mail room to be independently reconciled to the
amount deposited and recorded in the general ledger. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-11;
Recommendation: Perform a review of all existing contracts under
$100,000 that (1) do not have an appointed contracting officer's
technical representative (COTR) and (2) do not require that contract
employees obtain background investigations to assess whether the
services performed under each contract warrant a requirement that
contract employees obtain background investigations. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 11-12;
Recommendation: Based on a review of all existing contracts under
$100,000 without an appointed contracting officer's technical
representative (COTR) that should require contract employees to obtain
favorable background investigation results, amend those contracts to
require that favorable background investigations be obtained for all
relevant contract employees before routine, unescorted, unsupervised
physical access to taxpayer information is granted. (short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 11-13;
Recommendation: Establish a policy requiring collaborative oversight
between IRS's key offices in determining whether potential service
contracts involve routine, unescorted, unsupervised physical access to
taxpayer information, thus requiring background investigations,
regardless of contract award amount. This policy should include a
process for the requiring business unit to communicate to the Office
of Procurement and the Human Capital Office the services to be
provided under the contract and any potential exposure of taxpayer
information to contract employees providing the services, and for all
three units to (1) evaluate the risk of exposure of taxpayer
information prior to finalizing and awarding the contract and (2)
ensure that the final contract requires favorable background
investigations as applicable, commensurate with the assessed risk.
(short-term);
Control Activity: Access restrictions to and accountability for
resources and records.
ID number: 11-14;
Recommendation: Establish procedures to provide a consistent
methodology for calculating and establishing allowable deposit courier
trip time limits to be used by both service center campuses (SCCs) and
lockbox banks that would assist in detecting potential unauthorized
stops or other contractual violations by deposit couriers. Such
procedures should include instructions for documenting and supporting
how the trip limits were determined and require justification and
approval for all established time limits that exceed the average trip
time. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-15;
Recommendation: Establish procedures to require periodic reassessments
of and updates to deposit courier allowable trip time limits to
account for changes in courier routes or other conditions that may
affect trip times. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-16;
Recommendation: Enforce existing contractual requirements for the
cargo doors of contract courier vehicles to be locked after picking up
taxpayer information. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-17;
Recommendation: Establish procedures to prevent or detect unauthorized
access to taxpayer information in contract courier vehicles during
transit. These procedures should detail specific activities to be
performed by both the business unit sending and receiving the
information transported by the contract courier. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-18;
Recommendation: Revise the guidance for conducting the periodic
reviews of the contract couriers transporting taxpayer information
from one IRS processing facility to another to include procedures for
(1) physically verifying that courier vehicle cargo doors are locked
after picking up this information and remain locked during transit to
the final destination, and (2) documenting the basis for the
reviewer's conclusions. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-19;
Recommendation: Revise the IRM to include a comprehensive process that
Small Business Self Employed (SBSE) unit managers should follow when
performing reviews of the document transmittal process for determining
whether staff are (1) maintaining control copies of document
transmittal forms, (2) reconciling all document transmittal forms on a
biweekly basis to ensure that all transmittals were received, and (3)
following up on transmittals that are not timely acknowledged. (short-
term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 11-20;
Recommendation: Revise the IRM to include specifying minimally
acceptable steps the Small Business Self Employed (SBSE) unit managers
should follow in documenting the results of required reviews of the
document transmittal process. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 11-21;
Recommendation: Define and specify in the IRM which types of IRS
facilities constitute a processing facility. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 11-22;
Recommendation: Perform an assessment of off-site processing
facilities to determine the frequency with which compliance reviews
should be performed for these locations commensurate with the specific
operational activities performed and the assessed level of risk
associated with the facility. (short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 11-23;
Recommendation: Based on the results of an assessment of off-site
processing facilities that process taxpayer receipts and related
taxpayer information, revise the IRM to specify the frequency with
which compliance reviews should be performed at these facilities.
(short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 11-24;
Recommendation: Revise the post orders for the service center campuses
(SCC) and lockbox bank security guards to include specific procedures
for timely reporting exterior lighting outages to SCC or lockbox bank
facilities management. These procedures should specify (1) whom to
contact to report lighting outages and (2) how to document and track
lighting outages until resolved. (short-term);
Control Activity: Appropriate documentation of transactions and
internal controls.
ID number: 11-25;
Recommendation: Revise the nature and scope of the service center
campuses' (SCC) and lockbox banks' physical security reviews to
include periodic after dark assessments of physical security controls.
(short-term);
Control Activity: Reviews by management at the functional or activity
level.
ID number: 11-26;
Recommendation: Take steps to effectively implement the procedures
requiring property staff to verify that the asset purchase price shown
in the Asset Management Report agrees with the asset purchase price
shown in the Integrated Financial System (IFS) and to resolve any
variances before entering the information into the Information
Technology Asset Management System (ITAMS). (short-term);
Control Activity: Accurate and timely recording of transactions and
events.
ID number: 11-27;
Recommendation: Finalize procedures requiring that copier hard drives
be removed and destroyed or otherwise appropriately cleaned before
disposing of copiers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-28;
Recommendation: Revise the IRM to incorporate the new copier disposal
procedures that require that copier hard drives be removed and
destroyed or otherwise appropriately cleaned before disposing of
copiers. (short-term);
Control Activity: Physical control over vulnerable assets.
ID number: 11-29;
Recommendation: Issue a memorandum to all business units reminding
them that only designated Real Estate Facilities Management (REFM)
staff are authorized to dispose of copiers. (short-term);
Control Activity: Physical control over vulnerable assets.
Source: GAO.
[End of table]
[End of section]
Appendix III: Comments from the Internal Revenue Service:
Department Of The Treasury:
Internal Revenue Service:
Commissioner:
Washington, D.C. 20224
June 9, 2011:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled IRS: Status of GAO Financial Audit and Related
Financial Management Report Recommendations (GA0-11-536).
As GAO noted in the report, IRS has made significant progress in
improving its internal controls and financial management as evidenced
by 11 consecutive years of clean audit opinions on its financial
statement. We are pleased that you acknowledged our progress in
addressing our financial management challenges and agreed to close 37
prior year financial management recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions, please contact me, or a member of your staff may
contact Pamela LaRue, Chief Financial Officer, at (202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, the following individuals made
major contributions to this report: William J. Cordrey, Assistant
Director; Crystal Alfred; Russell Brown; Ray B. Bush; Stephanie Chen;
Jeremy Choi; Oliver Culley; Charles Ego; Doreen Eng; Charles Fox;
Valerie Freeman; Ryan Guthrie; Ted Hu; Richard Larsen; Tuan Lam;
Delores Lee; Jenny Li; Cynthia Ma; Joshua Marcus; Julie Phillips; John
Sawyer; Christopher Spain; Cynthia Teddleton; Lien To; LaDonna Towler;
Cherry Vasquez; Gary Wiggins; and Ting-Ting Wu.
[End of section]
Footnotes:
[1] A material weakness is a deficiency, or a combination of
deficiencies, in internal control such that there is a reasonable
possibility that a material misstatement of the entity's financial
statements will not be prevented, or detected and corrected on a
timely basis. A control deficiency exists when the design or operation
of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent, or detect
and correct misstatements on a timely basis.
[2] A significant deficiency is a deficiency, or a combination of
deficiencies, in internal control that is less severe than a material
weakness, yet important enough to merit attention by those charged
with governance.
[3] Management is responsible for establishing and maintaining
internal control to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with
applicable laws and regulations. See 31 U.S.C. § 3512(c), (d),
commonly known as the Federal Managers' Financial Integrity Act of
1982 (FMFIA); see also, GAO, Standards for Internal Control in the
Federal Government, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.:
November 1999), 4-5. The actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for results-
oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and
to take corresponding corrective actions.
[4] GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142]
(Washington, D.C.: Nov. 10, 2010).
[5] An unpaid assessment is a legally enforceable claim against a
taxpayer and consists of taxes, penalties, and interest that have not
been collected or abated (a reduction in a tax assessment).
[6] The term "outcome-oriented performance metrics," refers to the
measurement of the end result of a work activity or series of
activities, such as the taxes collected as a result of a tax
assessment and the collection actions taken by IRS employees, such as
telephone calls to tax debtors.
[7] Although most of our recommendations regarding our information
security work are sensitive and reported to IRS separately, we have
reported our objectives, summary results, and nonsensitive
recommendations in a publicly available report. See GAO, Information
Security: IRS Needs to Enhance Internal Control over Financial
Reporting and Taxpayer Data, [hyperlink,
http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15,
2011).
[8] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: Nov. 1, 1999), contains the internal control
standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by FMFIA.
[9] The circular requires agencies and individual federal managers to
take systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined
in app. A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
control through management assurance statements.
[10] See [hyperlink, http://www.gao.gov/products/GAO-11-308].
[11] GAO, Management Report: Improvements Are Needed to Enhance the
Internal Revenue Service's Internal Controls and Operating
Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-494R]
(Washington, D.C.: June 21, 2011).
[12] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G]
(Washington, D.C.: Aug. 1, 2001).
[13] FASAB, Statement of Federal Financial Concepts No. 1: Objectives
of Federal Financial Reporting, version 09 (Washington, D.C.: June 30,
2010).
[14] [hyperlink, http://www.gao.gov/products/GAO-11-494R].
[15] See [hyperlink, http://www.gao.gov/products/GAO-11-308].
[16] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[17] Unpaid assessments are unpaid taxes. For reporting purposes,
federal accounting standards classify unpaid assessments into federal
taxes receivables, compliance assessments, and writeoffs. Federal
taxes receivable are taxes due from taxpayers for which IRS can
support the existence of a receivable through taxpayer agreement or a
favorable court ruling. Compliance assessments are assessments where
neither the taxpayer nor the court has affirmed that the amounts are
owed. Writeoffs represent unpaid tax assessments for which IRS does
not expect further collection because of factors such as the
taxpayer's death, bankruptcy, or insolvency.
[18] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[19] In January 2010, IRS implemented RRACS to account for custodial
tax activities, including tax revenue, tax refunds, and taxes
receivable. RRACS is an enhancement to the previous general ledger
system known as the Interim Revenue Accounting Control System (IRACS)
and RRACS is designed to conform to the governmentwide United States
Standard General Ledger (USSGL) at the transaction level.
[20] The Electronic Federal Tax Payment System is a tax payment system
provided free by the U.S. Department of the Treasury, through which
businesses and individuals can pay federal taxes electronically by
means of the Internet or by phone.
[21] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[22] [hyperlink, http://www.gao.gov/products/GAO-11-494R]; GAO,
Management Report: Improvements Needed in IRS's Internal Controls,
[hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington,
D.C.: May 11, 2007); Management Report: Improvements Needed in IRS's
Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-06-543R] (Washington, D.C.: May 12,
2006); and Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R]
(Washington, D.C.: Apr. 27, 2005).
[23] See the First-Time Home Buyers Credit (FTHBC), which is codified,
as amended, at 26 U.S.C. § 36. The FTHBC was first enacted by section
3011 of the Housing and Economic Recovery Act of 2008. The new credit
was originally available for a limited time only, applying to
taxpayers who purchased a principal residence after April 8, 2008, and
before July 1, 2009. Taxpayers were permitted to claim a fully
refundable credit up to 10 percent of the purchase price of the home,
with a maximum available credit of $7,500. This credit was to be
repaid within 15 years with payments beginning in the 2011 and 2012
filing seasons, respectively, for 2008 and 2009 home purchases.
Section 1006 of the American Recovery and Reinvestment Act of 2009
extended the FTHBC to include purchases made on or after January 1,
2009, and before December 1, 2009; increased the maximum credit to
$8,000; and eliminated the repayment requirement as long as the
taxpayer retains the residence for 36 months. Further, section 11 of
the Worker, Homeownership, and Business Assistance Act of 2009
extended the FTHBC for purchases made from December 1, 2009, to April
30, 2010, and extended eligibility for the credit (with a maximum
available credit of $6,500) to qualifying longtime resident
homebuyers. The law allowed taxpayers to claim the credit if they
entered into a binding contract for the purchase of a home prior to
May 1, 2010, and closed on the home prior to July 1, 2010. Section 2
of the Homebuyer Assistance and Improvement Act of 2010 extended the
closing deadline to September 30, 2010, for taxpayers who entered into
a binding contract prior to May 1, 2010. While Congress did not renew
the credit for tax year 2011, members of the military and certain
other federal employees, who met certain requirements, had until April
30, 2011, to purchase a home or enter into a written binding contract
in order to qualify for the credit. These taxpayers who entered into a
binding contract prior to May 1, 2011, may also claim an FTHBC for a
purchase made after April 30, 2011, and before July 1, 2011.
[24] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[25] An "outcome" is a measure of the end result of a work activity or
series of activities, such as the taxes collected, and is a measure of
the results of providing outputs.
[26] IRS's performance metrics are reported externally by means of its
Management Discussion and Analysis section of its annual financial
statements. See GAO-11-142.
[27] IRS's direct tax return on investment calculations include the
agency's internal costs and the tax revenue collected. However, IRS's
direct tax return on investment calculations have limitations that
reflect the challenges of estimating returns on investments. For
example, they do not include benefits of improved voluntary
compliance. In addition, the "investment" or costs should ideally
recognize not just IRS costs but any costs borne by others. IRS's
return on investment estimates provide useful information but, given
the limits of current data, are not complete estimates of benefits and
costs.
[28] An "output" measure is a measure of the quantity of services
provided, such as the number of phone calls made to taxpayers in an
effort to collect unpaid taxes.
[29] IRS's measure of its "conviction efficiency rate" is a partial
exception in that it measures the total cost of its criminal
investigations divided by the number of convictions.
[30] See appendix I, recommendation 09-16, in this report.
[31] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request
and Interim Performance Results of IRS's 2008 Tax Filing Season,
[hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.:
Mar. 13, 2008); Internal Revenue Service: Review of the Fiscal Year
2010 Budget Request, [hyperlink,
http://www.gao.gov/products/GAO-09-754] (Washington, D.C.: June 13,
2009); and Internal Revenue Service: Assessment of Budget
Justification for Fiscal Year 2011 Identified Opportunities to Enhance
Transparency, [hyperlink, http://www.gao.gov/products/GAO-10-687R]
(Washington, D.C.: May 26, 2010).
[32] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-08-166]
(Washington, D.C.: Nov. 9, 2007); Financial Audit: IRS's Fiscal Years
2008 and 2007 Financial Statements, [hyperlink,
http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10,
2008); and Management Report: Improvements Are Needed to Enhance IRS's
Internal Controls and Operating Effectiveness, [hyperlink,
http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24,
2009).
[33] FASAB, Statement of Federal Financial Concepts No. 1: Objectives
of Federal Financial Reporting.
[34] IRS's need to safeguard tax receipts and taxpayer information
extends beyond the Control Activity of Safeguarding Assets, as
reflected in tables 1 through 4 of this report. For our analysis in
this section, we included recommendations related directly to guarding
tax information and receipts, such as the transportation of
information between IRS facilities, and those indirectly related, such
as IRS's need to obtain background investigations on individuals with
access to tax receipts or information.
[35] Lockbox banks are financial institutions designated as
depositories and financial agents of the U.S. government to perform
certain financial services, including processing tax documents,
depositing the receipts, and forwarding the documents and data to the
IRS service center campuses (SCC) that process tax returns and
payments.
[36] GAO, Internal Revenue Service: Status of Financial Audit and
Related Financial Management Report Recommendations, [hyperlink,
http://www.gao.gov/products/GAO-10-597] (Washington, D.C.: June 30,
2010).
[37] [hyperlink, http://www.gao.gov/products/GAO-11-494R].
[38] We define short-term recommendations as those that we believed
could be addressed within 2 years from the time we made the
recommendation. We define long-term recommendations as those we
expected to require 2 years or more to implement from the time we made
the recommendation.
[39] See [hyperlink, http://www.gao.gov/products/GAO-11-308].
[40] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[41] See [hyperlink, http://www.gao.gov/products/GAO-11-494R] for the
recommendations resulting from our fiscal year 2010 audit.
[42] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[43] The number of recommendations cited in the earlier report section
on "challenges in resolving other internal control issues" in which we
discuss the open recommendations concerning safeguarding taxpayer
receipts and taxpayer information does not match the control activity
information in the table 1 section on "safeguarding of assets and
security activities." The recommendations concerning safeguarding of
taxpayer receipts and taxpayer information included in that table 1
section are limited to those recommendations that are related directly
to such safeguarding, such as physical safeguards over the
transportation of checks and tax returns. Other recommendations that
are related indirectly to safeguarding taxpayer receipts and
information, such as management oversight and the adequacy of policies
and procedures, are included in the other two sections of table 1,
"proper recording and documenting of transactions" and "effective
management review and oversight." The previous section's discussion of
recommendations related to the "safeguarding of taxpayer receipts and
information" includes both directly and indirectly related
recommendations.
[44] The majority of federal tax payments are made for both businesses
and individuals through the Electronic Federal Tax Payment System.
[45] Lockbox banks operate under contract with the Department of the
Treasury's (Treasury) Financial Management Service. The three lockbox
banks perform processing functions in seven locations throughout the
United States.
[46] Six of IRS's 10 service center campuses (SCC) process tax returns
and payments submitted by taxpayers.
[47] IRS's 401 TACs are small field assistance units located in
various cities and towns in every state, are part of IRS's Wage and
Investment operating division, and are designated to serve taxpayers
who choose to seek help from IRS in person.
[48] IRS defines unprocessable items as any document, correspondence,
or item that cannot be processed by the lockbox bank, such as
unacceptable forms of payment--traveler's checks, gold coins, and
other items of value that are easily negotiable.
[49] See GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009
Financial Statements, [hyperlink,
http://www.gao.gov/products/GAO-11-142] (Washington, D.C.: Nov. 10,
2010); and Management Report: Improvements Are Needed to Enhance the
Internal Revenue Service's Internal Controls and Operating
Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-494R]
(Washington, D.C.: June 21, 2011) for the fiscal year 2010 reports.
[50] Although most of our recommendations regarding our information
security work are sensitive and reported to IRS separately, we have
reported our objectives, summary results, and nonsensitive
recommendations in a publicly available report. See GAO, Information
Security: IRS Needs to Enhance Internal Control over Financial
Reporting and Taxpayer Data, [hyperlink,
http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15,
2011).
[51] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[52] GAO, Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-11-494R]
(Washington, D.C.: June 21, 2011); Management Report: Improvements
Needed in IRS's Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11,
2007); Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-06-543R]
(Washington, D.C.: May 12, 2006); and Management Report: Improvements
Needed in IRS's Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27,
2005).
[53] [hyperlink, http://www.gao.gov/products/GAO-11-142].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
