Management Report
Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness
Gao ID: GAO-11-494R June 21, 2011
In November 2010, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2010, and 2009, and on the effectiveness of its internal control over financial reporting as of September 30, 2010. We also reported our conclusions on IRS's compliance with selected provisions of laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996. In March 2011, we issued a report on information security issues identified during our fiscal year 2010 audit, along with associated recommendations for corrective actions. The purpose of this report is to present internal control issues identified during our audit of IRS's fiscal year 2010 financial statements for which we do not already have any recommendations outstanding. While two of these issues contributed to a significant deficiency in internal control discussed in our report on the results of our fiscal year 2010 financial statement audit, they all warrant IRS management's attention. This report provides 29 recommendations to address the internal control issues we identified. We will issue a separate report on the status of IRS's implementation of the recommendations from our prior IRS financial audits and related financial management reports, as well as this one.
During our audit of IRS's fiscal year 2010 financial statements, we identified several internal control issues for which we do not already have recommendations outstanding. These issues involved the following: (1) First-Time Homebuyer Tax Credits. IRS's internal controls were not fully effective in identifying instances where taxpayers improperly made duplicate First-Time Homebuyer Credit (FTHBC) claims during fiscal year 2010. (2) Authorization of manual refunds. Manual refund units at two IRS service center campuses (SCC) did not have current lists of officials authorized to approve manual refunds. (3) Authorization of goods and services. IRS did not always obtain approval before requesting and receiving services from vendors as required by IRS policy. (4) Approval of personnel actions. IRS did not always timely approve personnel actions for promotions prior to their effective dates as required by Office of Personnel Management guidelines. (5) Recording time and attendance. IRS did not always record Office of Chief Counsel employees' approved time card changes into IRS's electronic time and attendance system. (6) Verification of National Finance Center payroll changes. IRS did not timely detect payroll errors made by the National Finance Center (NFC), which processes IRS's payroll. (7) Cash receipts at the Beckley Finance Center. IRS did not have internal controls in place to appropriately safeguard and account for cash receipts at the Beckley Finance Center (BFC). (8) Contract employee background investigations. IRS did not ensure that background investigations were performed for certain SCC mail couriers who were transporting mail that included taxpayer information from the SCC to the post office. (9) Deposit courier trip times. Allowable time limits IRS established for some of its deposit courier routes greatly exceeded the average trip time and thus were not effective in identifying potential instances of SCC and lockbox bank deposit couriers making unauthorized stops during transit. (10) Transfer of taxpayer information between processing facilities. A courier vehicle's cargo door was not locked after it was loaded with taxpayer returns and other information, contrary to a requirement in the courier's contract. (11) Document transmittal forms. IRS's Small Business/Self-Employed Division managers were not adequately performing or documenting required reviews of internal control procedures over tracking and monitoring taxpayer receipts and information transmitted between IRS locations. (12) Compliance reviews of off-site processing facilities. IRS did not complete compliance reviews for its off-site processing facilities every 2 years as required by the Internal Revenue Manual (IRM). (13) After dark security controls. IRS's physical security controls intended to help prevent and detect unauthorized access to its processing facilities were not always effective. (14) Property and equipment records. IRS incorrectly recorded the asset purchase price for some assets in its property management system. (15) Disposal process for copiers. IRS disposed of copiers without ensuring that the copiers did not contain confidential taxpayer information or sensitive information on IRS employees or operations on the hard drives. These issues increase the risk that IRS may not prevent or promptly detect and correct (1) unauthorized or improper refunds, purchases, or promotions; (2) errors in the hours credited or amounts paid to staff; (3) loss or theft of cash receipts or taxpayer information; (4) security and control deficiencies at its SCCs and processing facilities; (5) data errors in its property records; and (6) improper disclosure of taxpayer and other sensitive data.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Steven J. Sebastian
Team:
Government Accountability Office: Financial Management and Assurance
Phone:
(202) 512-9521
GAO-11-494R, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness
This is the accessible text file for GAO report number GAO-11-494R
entitled 'Management Report: Improvements Are Needed to Enhance the
Internal Revenue Service's Internal Controls and Operating
Effectiveness' which was released on June 21, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO-11-494R:
United States Government Accountability Office:
Washington, DC 20548:
June 21, 2011:
The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue:
Subject: Management Report: Improvements Are Needed to Enhance the
Internal Revenue Service's Internal Controls and Operating
Effectiveness:
Dear Mr. Shulman:
In November 2010, we issued our report on the results of our audit of
the financial statements of the Internal Revenue Service (IRS) as of,
and for the fiscal years ending, September 30, 2010, and 2009, and on
the effectiveness of its internal control over financial reporting as
of September 30, 2010.[Footnote 1] We also reported our conclusions on
IRS's compliance with selected provisions of laws and regulations and
on whether IRS's financial management systems substantially comply
with the requirements of the Federal Financial Management Improvement
Act of 1996. In March 2011, we issued a report on information security
issues identified during our fiscal year 2010 audit, along with
associated recommendations for corrective actions.[Footnote 2]
The purpose of this report is to present internal control issues
identified during our audit of IRS's fiscal year 2010 financial
statements for which we do not already have any recommendations
outstanding. While two of these issues contributed to a significant
deficiency in internal control discussed in our report on the results
of our fiscal year 2010 financial statement audit, they all warrant
IRS management's attention.[Footnote 3] This report provides 29
recommendations to address the internal control issues we identified.
We will issue a separate report on the status of IRS's implementation
of the recommendations from our prior IRS financial audits and related
financial management reports, as well as this one.
Results in Brief:
During our audit of IRS's fiscal year 2010 financial statements, we
identified several internal control issues for which we do not already
have recommendations outstanding. These issues involved the following:
* First-Time Homebuyer Tax Credits. IRS's internal controls were not
fully effective in identifying instances where taxpayers improperly
made duplicate First-Time Homebuyer Credit (FTHBC) claims during
fiscal year 2010. This occurred because IRS's related internal
controls were not timely updated to effectively detect instances where
taxpayers claimed the same FTHBC on both an amended 2008 tax return
and a 2009 tax return. Consequently, erroneous refunds were disbursed.
* Authorization of manual refunds. Manual refund units at two IRS
service center campuses (SCC) did not have current lists of officials
authorized to approve manual refunds.[Footnote 4] This occurred
because the appropriate managers did not always communicate staffing
changes to the manual refund unit as required by IRS policy, and
consequently, the lists became outdated.
* Authorization of goods and services. IRS did not always obtain
approval before requesting and receiving services from vendors as
required by IRS policy. This occurred because of an absence of
sufficient procedures to help ensure compliance, as well as a lack of
adherence to existing procedures.
* Approval of personnel actions. IRS did not always timely approve
personnel actions for promotions prior to their effective dates as
required by Office of Personnel Management guidelines. According to
IRS, this occurred because of a lack of understanding of the
requirements and because of the workload volume. In addition, IRS did
not have specific procedures requiring central review and monitoring
of the timeliness of personnel action requests and approvals to help
ensure compliance with the requirements.
* Recording time and attendance. IRS did not always record Office of
Chief Counsel employees' approved time card changes into IRS's
electronic time and attendance system. This occurred because IRS did
not have procedures in place to independently compare the time charges
on approved manual time cards to those entered into IRS's time and
attendance system to help ensure the accuracy of the system entries.
* Verification of National Finance Center payroll changes. IRS did not
timely detect payroll errors made by the National Finance Center
(NFC), which processes IRS's payroll. Although IRS was aware that NFC
would be making a system programming change, IRS did not perform any
testing after NFC implemented the change to help ensure that affected
employees' pay and contributions were calculated correctly.
Consequently, IRS was not aware that errors were made to some
employees' pay calculations until we identified the problem in August
2010.
* Cash receipts at the Beckley Finance Center. IRS did not have
internal controls in place to appropriately safeguard and account for
cash receipts at the Beckley Finance Center (BFC). BFC receives
various payments in the form of cash or checks daily; however, we
found that BFC staff did not (1) immediately record these receipts in
a control log when first received in the mail room, (2) maintain dual
control over these receipts prior to logging them, and (3) reconcile
the amount of receipts initially received to the amount deposited and
recorded. This occurred because IRS had not established procedures at
BFC requiring that these control activities be performed when handling
cash receipts.
* Contract employee background investigations. IRS did not ensure that
background investigations were performed for certain SCC mail couriers
who were transporting mail that included taxpayer information from the
SCC to the post office. Because IRS's policies and procedures do not
require assigning a contracting officer's technical representative to
contracts under $100,000, IRS had not assigned anyone to oversee this
particular courier contract. Consequently, background investigations
for these mail couriers were not performed.
* Deposit courier trip times. Allowable time limits IRS established
for some of its deposit courier routes greatly exceeded the average
trip time and thus were not effective in identifying potential
instances of SCC and lockbox bank deposit couriers making unauthorized
stops during transit. This occurred because IRS lacked a consistent
methodology for developing meaningful trip time limits, and thus the
SCC and lockbox bank officials we spoke with were generally unable to
explain or support how they arrived at each location's trip time
limits.
* Transfer of taxpayer information between processing facilities. A
courier vehicle's cargo door was not locked after it was loaded with
taxpayer returns and other information, contrary to a requirement in
the courier's contract. This occurred because neither the courier nor
the business unit shipping or receiving the information verified that
the cargo door was locked, and because IRS lacked sufficient guidance
for staff to properly monitor and enforce the provision requiring that
cargo contents be locked during transport.
* Document transmittal forms. IRS's Small Business/Self-Employed
Division managers were not adequately performing or documenting
required reviews of internal control procedures over tracking and
monitoring taxpayer receipts and information transmitted between IRS
locations. This occurred because the Internal Revenue Manual (IRM) did
not provide (1) a comprehensive process for managers to follow in
assessing the existence of key controls and (2) clear guidance for how
the reviews should be documented to help ensure that the controls were
operating as designed.[Footnote 5]
* Compliance reviews of off-site processing facilities. IRS did not
complete compliance reviews for its off-site processing facilities
every 2 years as required by the IRM. Although the IRM requires such
reviews at processing facilities, IRS officials stated that the
requirement was intended to apply only to the main SCC facility, and
thus IRS only conducted compliance reviews at its off-site processing
facilities once every 3 years. However, the IRM did not limit the
requirement to the main SCC facilities, nor did it provide a separate
requirement for off-site processing facilities, which, like the main
SCC facilities, process revenue receipts and taxpayer information.
* After dark security controls. IRS's physical security controls
intended to help prevent and detect unauthorized access to its
processing facilities were not always effective. Specifically, we
found that four exterior security lights were not functioning at one
SCC we visited, thus hindering a full view of the exterior perimeter
from the security cameras at night. However, the SCC's guards had not
communicated this problem to management for correction because IRS's
written procedures did not provide guidance to the security guards for
reporting exterior light outages. In addition, SCC management was not
aware of the outages because IRS did not require any of its periodic
physical security reviews to occur after dark.
* Property and equipment records. IRS incorrectly recorded the asset
purchase price for some assets in its property management system. This
occurred because IRS did not have procedures to verify that the asset
purchase price recorded in its property management system was accurate
and consistent with the accounting records.
* Disposal process for copiers. IRS disposed of copiers without
ensuring that the copiers did not contain confidential taxpayer
information or sensitive information on IRS employees or operations on
the hard drives. This occurred because IRS had not established
policies or procedures that required wiping or removing the hard
drives before disposing of the copiers.
These issues increase the risk that IRS may not prevent or promptly
detect and correct (1) unauthorized or improper refunds, purchases, or
promotions; (2) errors in the hours credited or amounts paid to staff;
(3) loss or theft of cash receipts or taxpayer information; (4)
security and control deficiencies at its SCCs and processing
facilities; (5) data errors in its property records; and (6) improper
disclosure of taxpayer and other sensitive data.
We are making 29 recommendations that if effectively implemented,
should address the internal control issues we identified. These
recommendations are intended to bring IRS into conformance with its
own policies, the Standards for Internal Control in the Federal
Government, or both.[Footnote 6]
We provided IRS with a draft of this report and obtained its written
comments. In its comments, IRS agreed with all of our recommendations
and described actions it had taken, had under way, or planned to take
to address the control weaknesses described in this report. In
addition to its written comments, IRS provided technical comments on a
draft of this report, which we incorporated as appropriate.
Specifically, in most instances where we recommended changes in policy
or procedures, we recommended that these be incorporated into the IRM.
IRS explained that while it agreed with the policies and procedures we
recommended, in a few instances the IRM was not the appropriate policy
vehicle for the affected business units because they use different
policy vehicles in those areas. Consequently, we modified three
recommendations to remove references to the IRM and eliminated one
recommendation because, as stated in the body of the report, the
business unit established a written procedure after we brought the
issue to its attention. At the end of our discussion of each of the
issues in this report, we provide the related recommendations and have
summarized IRS's related comments and our evaluation. IRS's comments
are reprinted in enclosure II.
Scope and Methodology:
This report addresses issues we identified during our audit of IRS's
fiscal years 2010 and 2009 financial statements. As part of our audit,
we tested IRS's internal control:
over financial reporting.[Footnote 7] We designed our audit procedures
to test relevant controls, including those for proper authorization,
execution, accounting, and reporting of transactions. To assess
internal controls related to safeguarding taxpayer receipts and
information, we visited three SCCs,[Footnote 8] four lockbox
banks,[Footnote 9] one off-site processing facility, eight Small
Business/Self-Employed Division units,[Footnote 10] and eight taxpayer
assistance centers.[Footnote 11] We performed our audit of IRS's
fiscal years 2010 and 2009 financial statements in accordance with
U.S. generally accepted government auditing standards. We believe that
our audit provided a reasonable basis for our findings and conclusions
in this report. Further details on our audit scope and methodology are
provided in our November 2010 report on the results of our audit of
IRS's fiscal year 2010 and 2009 financial statement audit and are
summarized in enclosure I.
First-Time Homebuyer Tax Credits:
During our fiscal year 2010 financial audit, we found that IRS's
internal controls were not fully effective in identifying instances
where taxpayers made duplicate FTHBC claims related to the same home
purchase,[Footnote 12] resulting in payment of erroneous refunds. This
internal control deficiency contributed to a significant deficiency in
IRS's internal control over tax refund disbursements discussed in our
report on the results of our fiscal year 2010 financial audit.
[Footnote 13]
The FTHBC is a refundable tax credit of up to the statutory limit of
$8,000 that an eligible first-time homebuyer could claim on a
principal residence purchased from January 1, 2009, to April 30, 2010.
[Footnote 14] For purposes of the credit, a first-time homebuyer is a
taxpayer who (1) did not own a principal residence during the 3 years
ending on the purchase date of his/her home or (2) meets the
requirements for the long-time resident special rule.[Footnote 15]
Eligible taxpayers who purchased a home during this period have the
choice of making the FTHBC claim on the tax return of the year they
purchased the home or amending their return of the year prior to the
purchase of their home to make the credit claim.
In analyzing activity recorded in IRS's database of taxpayer accounts
from October 1, 2009, through May 31, 2010, we identified 201
taxpayers who appeared to have each been allowed two FTHBCs, which
collectively exceeded the maximum $8,000 statutory limit. From these
201 cases,[Footnote 16] we statistically selected a random sample of
20 FTHBCs, reviewed the supporting documentation, and found that in 18
of these cases the taxpayers had submitted a claim on a 2008 amended
return followed by a second claim on the 2009 return. In each case,
IRS allowed both claims and consequently paid an erroneous refund.
We expanded our analysis to encompass activity recorded in IRS's
database of taxpayer accounts from April 2009 through mid-July 2010,
and found an additional 201 taxpayers who also appeared to have been
allowed multiple FTHBCs that collectively exceeded the $8,000
statutory limit. However, the procedures we used to identify these 402
total suspicious cases were only able to detect instances where IRS
allowed FTHBCs totaling more than $8,000, which is the maximum dollar
limit under the law. Our procedures were not able to detect instances
where IRS allowed multiple FTHBCs totaling less than $8,000 and to
determine whether each one was allowable. Consequently, the actual
number of taxpayers who were erroneously allowed multiple FTHBCs may
be larger.
Internal control standards provide that internal control should be
designed to provide reasonable assurance regarding the prevention of
or prompt detection of unauthorized use or disposition of agency
assets.[Footnote 17] This includes providing reasonable assurance that
improper refund disbursements will be prevented or detected. However,
when the specific filing requirements related to FTHBC were initiated,
IRS's related internal controls were not revised to provide for
effective detection of instances where taxpayers claimed the same
FTHBC on both an amended 2008 tax return and an original 2009 tax
return and thereby prevent erroneous refunds. For example, IRS uses
numerous validity checks imbedded in its automated systems to detect a
variety of erroneous or otherwise improper tax returns during
processing. IRS informed us that at the time these erroneous refunds
were disbursed, it had validity checks in place to prevent the
acceptance of duplicate FTHBC claims filed on original tax returns.
However, the validity checks were not designed to detect duplicate
FTHBC claims that appeared on amended tax returns.
Subsequent to our testing, IRS informed us that it had implemented new
validity checks in its automated systems. According to IRS, the new
validity checks prevent the acceptance of duplicate FTHBC claims where
one was filed on an amended tax return and the combined dollar amount
exceeds the maximum statutory limit. Per IRS, its automated systems
will reject the FTHBC claim if it does not pass its new validity
checks.[Footnote 18] For example, the automated systems will reject
the FTHBC claim if a taxpayer submits a second FTHBC claim and the sum
of the two claims submitted by the taxpayer exceed the maximum
statutory limit of $8,000. However, IRS has not implemented procedures
to monitor and verify the effectiveness of the new validity checks. If
the effectiveness of these validity checks is not routinely monitored,
IRS lacks assurance that they are functioning properly. This increases
the risk that IRS may continue to disburse erroneous FTHBC-related
refunds for amended returns.
Recommendation:
We recommend that you direct the appropriate IRS officials to put
procedures in place to periodically monitor the effectiveness of the
new FTHBC validity checks for the duration of the filing of FTHBC
claims to verify that they are working as intended.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it has established
procedures to monitor the effectiveness of its validity checks and
controls via daily reports. IRS's proposed actions, if successfully
carried out, should address the intent of our recommendation. We will
evaluate the effectiveness of IRS's efforts during our audit of IRS's
fiscal year 2011 financial statements.
Authorization of Manual Refunds:
During our fiscal year 2010 financial audit, we found an internal
control deficiency in the processing of manual refunds, which
ultimately contributed to a significant deficiency in IRS's internal
control over tax refund disbursements that we discussed in our report
on the results of our fiscal year 2010 financial audit.[Footnote 19]
Specifically, we found that the manual refund units at two SCCs were
relying on outdated lists of approving officials to verify that manual
refunds were properly authorized. To ensure proper segregation of
duties, management authorizes specific individuals to approve manual
refunds for processing and other specific individuals to actually
process the refunds. In each IRS SCC, the manual refund unit maintains
a list of officials currently authorized to approve manual refunds.
When processing manual refunds, the manual refund unit is required to
verify each signed manual refund against the list of authorized
approving officials to help ensure that only authorized individuals
approve manual refunds. For this control to be effective, the list
needs to reflect accurate, up-to-date information. However, at the two
SCCs we visited, we identified instances where the list contained
outdated information. Specifically, we found the following.
* At one SCC, the list of authorized approving officials contained
names of three IRS employees from the Criminal Investigation Unit
whose authority to approve manual refunds ceased when their manual
refund unit dissolved in January 2010. This occurred because the
Criminal Investigation Unit, because of an oversight, did not notify
the manual refund unit of the personnel changes so the list could be
updated.
* At the same SCC, we found that an employee's role changed, resulting
in the termination of the employee's authority to approve manual
refunds. However, the employee's business unit's manager did not
notify the manual refund unit of the change. Consequently, at the time
of our visit, this employee's name erroneously remained on the manual
refund unit's list of authorized manual refund approving officials.
* At another SCC, we found that an employee who had retired in January
2010 was still included on the list of officials authorized to approve
manual refunds at the time of our testing in June 2010. The manual
refund unit at this SCC had not received notification of the personnel
change because the secretary of the delegating manager forgot to
inform the unit of the employee's retirement.
Internal control standards state that information should be recorded
and communicated to management and others within the entity who need
it and in a form and within a time frame that enables them to carry
out their internal control and other responsibilities.[Footnote 20]
Additionally, the IRM states that while the manual refund unit
maintains the list of employees authorized to approve manual refunds,
it is the responsibility of the appropriate managers to immediately
notify the manual refund unit of personnel changes so it can timely
update the lists of employees authorized to approve refund requests.
The IRM also states that the manual refund unit will annually solicit
an update of officials authorized to approve manual refunds from the
directors and heads of offices.[Footnote 21] Delays in timely
communicating personnel changes to the manual refund unit increase the
risk that unauthorized individuals can approve manual refunds and that
erroneous or fraudulent refunds will be issued, thereby exposing the
federal government to unnecessary losses.
Recommendation:
We recommend that you direct the appropriate IRS officials to
establish a mechanism to enforce the existing requirement for
appropriate managers to immediately notify the manual refund units of
any personnel changes affecting the approval or processing of manual
refunds. This may be accomplished through mechanisms such as issuing
periodic alerts, providing training, having the manual refund unit
perform quarterly validations of the list of manual refund approving
officials, or a combination of these.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it would require
all SCC accounting functions to provide a list of manual refund
authorizers to the head of each business operating division quarterly
to validate the individuals who are still authorized to sign manual
refunds, starting at the end of June 2011. IRS stated that it will
incorporate this change into the IRM by August 2011. However, it is
not clear how this approach will ensure that the manual refund units
are timely made aware of personnel changes affecting the approval or
processing of manual refunds as intended by this recommendation. We
will follow up during our audit of IRS's fiscal year 2011 financial
statements to determine if this approach achieves the objective of
this recommendation.
Authorization of Goods and Services:
During our fiscal year 2010 financial audit, we found that IRS did not
always obtain the requisite approval before entering into an agreement
with, and receiving services from, vendors. IRS requires its employees
to obtain various approvals before procuring goods and services in
order to ensure that IRS has a legitimate business need for the goods
and services and that sufficient funding is set aside to pay for them.
Specifically, once an individual identifies the need for a good or
service, the individual is required to forward the request to an
approving official, who determines whether IRS has a legitimate
business need for the good or service. If the approving official
agrees with the need and approves the purchase, the request is then to
be forwarded to a financial plan manager who must also approve the
requisition, thereby indicating that sufficient funding exists to pay
for it. Once these approvals have been obtained, IRS can begin the
process of procuring the good or service. If IRS procures the good or
service using the Office of Procurement, a contracting officer (CO) is
assigned to process the request.[Footnote 22] The CO may delegate
certain administrative tasks, such as issuing orders against an
awarded contract, monitoring contract performance, and performing
receipt and acceptance functions, but the CO is still the only
individual authorized to modify the contract in any way.
During our fiscal year 2010 testing of a statistical sample of 115
nonpayroll expenses, we identified two cases in which IRS personnel
did not request and obtain the proper approvals before acquiring
services from vendors.[Footnote 23] Specifically, we found the
following.
* In one case, an IRS employee requested that a contractor conduct a
training course for IRS staff that began on March 22, 2010, but did
not receive approval from the financial plan manager indicating that
funding was available until March 23, 2010, a day after the class had
already started. The IRM states that the Standard Form 182, which is
used to procure a training course conducted by an outside instructor,
must be approved and funding obtained prior to the training event,
which includes obtaining a signature from the financial plan manager.
[Footnote 24]
* In the other case, an IRS employee requested services outside the
scope of a contract without first seeking approval from the CO.
Specifically, under a contract for document-shredding services, an
employee--who was not the CO--requested that the vendor make an 11TH
trip to pick up documents for shredding when the contract only allowed
for 10 pickups. By requesting and receiving the additional trip
without proper authority to modify the contract terms, the employee
established an unauthorized commitment.[Footnote 25] In addition,
funds had not previously been set aside and approved for an 11TH
pickup. The Federal Acquisition Regulation states that only a CO is
authorized to modify contracts and bind the agency to a modified
contract.[Footnote 26]
In both cases, we found that these staff did not follow IRS's policy
to obtain the requisite approvals before procuring goods or services.
In the first case, an IRS official stated that the individual who
procured the training course focused only on the need for the class
and anticipated that the financial plan manager's approval would be
obtained before the class concluded. In the second case, an IRS
official stated that the individual who requested additional services
from the vendor did not recognize that the services authorized under
the contract had already been exhausted because IRS did not require
the individual to compare the services received to date against the
contract terms prior to ordering additional services.
Internal control standards state that transactions and other
significant events should be authorized and executed only by persons
acting within the scope of their authority. This is the principal
means of ensuring that only valid transactions to exchange, transfer,
use, or commit resources and other events are initiated or entered
into. By procuring goods/services without obtaining required approvals
from the proper officials, employees risk binding IRS to a service
that the agency does not want or for which it does not have sufficient
funding or, in certain circumstances, creating unauthorized
commitments that require IRS to incur unplanned costs if it chooses to
ratify the commitment. It also further increases IRS's risk of
fraudulent and unauthorized purchases and noncompliance with relevant
laws, regulations, and IRS policies.
Recommendations:
We recommend that you direct the appropriate IRS officials to take the
following actions:
* Send out a reminder to all staff to follow policies and procedures
for obtaining approval and funding of proposed purchases prior to
entering into an agreement with vendors.
* Establish formal written procedures requiring staff to review
purchase contract terms against the goods and services received to
date before requesting additional goods or services.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and plans to develop formal
written instructions by the end of June 2011 to address the
requirement to review contract terms and status of deliverables, and
ensure that all related ordering activity is in compliance with the
terms and conditions of the contract. IRS also stated that it plans to
disseminate these instructions to all of its requisition tracking
system users and business units, and send a reminder by the end of
July 2011 to all employees to follow policies and procedures for
obtaining approval and funding of proposed purchases prior to entering
into agreements with vendors. IRS's proposed actions, if successfully
carried out, should address the intent of our recommendations. We will
evaluate the effectiveness of IRS's efforts during our audit of IRS's
fiscal year 2011 financial statements.
Approval of Personnel Actions:
During our fiscal year 2010 financial audit, we found that IRS did not
always approve personnel actions for promotions prior to their
effective dates. Timely approval of promotions prior to effective
dates is essential in order to help ensure that employees are properly
qualified for their new duties and to minimize the risk that employees
may be compensated at a higher rate than that to which they are
entitled.
IRS follows the Office of Personnel Management's (OPM) Guide to
Processing Personnel Actions on preparing personnel actions.
Accordingly, IRS uses the OPM Request for Personnel Action, Standard
Form 52 (SF-52), which states that the approver certifies that the
information entered on the form is accurate and that the processed
action is in compliance with statutory and regulatory requirements.
[Footnote 27] IRS's business operations divisions, referred to as
business units, initiate SF-52s in HR Connect--IRS's personnel system--
and forward them through HR Connect to human resource (HR) specialists
in IRS's Human Capital Office for approval and processing. All HR
specialists are instructed to follow OPM guidelines and to process
actions within established time frames.[Footnote 28] For SF-52s
approved with a promotion action, the HR specialists are to review the
merit promotion rules and verify each employee's eligibility for the
requested promotion prior to the effective date of the
promotion.[Footnote 29] However, during our testing of a statistical
sample of 80 employees who were paid from October 1, 2009, through
June 30, 2010, we found that IRS did not approve 2 of the 80
employees' SF-52s--both of which were associated with promotion
actions--until after the effective dates of the actions.[Footnote 30]
In the first instance, an employee was selected for a competitive
temporary promotion on July 24, 2009, with an effective date of August
2, 2009.[Footnote 31] IRS did not approve the promotion until August
19, 2009, 17 days after the effective date of the promotion. In the
second instance, an employee received a career ladder promotion
effective June 21, 2009. The employee's manager initiated and
submitted the personnel action stating that the employee was eligible
for promotion on May 29, 2009. The HR specialists received the
personnel action request on June 2, 2009, but didn't approve the
promotion until July 2, 2009, 30 days after receipt.
The IRM requires that IRS's human resource policies and procedures
conform with existing legal requirements, including applicable OPM
regulations.[Footnote 32] In addition, the IRM incorporates by
reference the OPM guide for IRS to use for processing accession
actions and conversions to other appointments in the competitive and
excepted service.[Footnote 33] The OPM guide requires that (1) no
personnel action can be made effective prior to the date on which the
appointing officer approved the action and (2) approval of a personnel
action certifies that the action meets all legal and regulatory
requirements. According to IRS officials, several factors contributed
to the delays in approving personnel actions. In the first case, IRS
officials informed us that although IRS provided its HR specialists
training for approving personnel actions, the HR specialist in this
case misunderstood the process and erroneously waited for paperwork
that was not required for the approval process. In the second case,
IRS officials said the HR specialist's workload volume caused the
delay in approving the promotion. IRS officials also informed us that
delays may also occur in approving personnel actions when the business
units submit personnel action requests close to the effective dates of
the actions. Because IRS did not centrally review and monitor the
timeliness of personnel action requests and approvals to ensure
compliance with applicable requirements, IRS was not aware that the
promotions we identified were approved after their effective dates.
Had IRS established and implemented procedures for monitoring the
timeliness of these actions, it might have also recognized actions
needed to provide additional instruction or adjust the workload levels
of staff to help ensure that approvals occurred on time. Promoting
employees prior to an HR specialist's approval increases the risk that
employees may (1) be paid at higher rates than they are entitled and
(2) not meet minimum qualification requirements to effectively perform
their new duties.
Recommendation:
We recommend that you direct the appropriate IRS officials to
establish procedures to centrally review and monitor the timeliness of
personnel action requests and approvals to help ensure compliance with
the IRM and applicable OPM regulations and guidance.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it developed a
report and a process in April 2011 to centrally review and monitor the
timeliness of noncompetitive personnel actions, and plans to establish
a similar system to track the timeliness of competitive personnel
actions by the end of August 2011. In addition, IRS said that it plans
to establish a centralized quality review program to further support
the ongoing evaluation of results and identify opportunities for
improvement by the end of July 2011. IRS's proposed actions, if
successfully carried out, should address the intent of our
recommendation. We will evaluate the effectiveness of IRS's efforts
during our audit of IRS's fiscal year 2011 financial statements and
future audits.
Recording Time and Attendance:
During our fiscal year 2010 financial audit, we found that IRS's
controls were not fully effective in ensuring that all approved
changes to time cards were appropriately entered into IRS's electronic
time and attendance system. IRS employees record their time and
attendance information either directly into IRS's Single Entry Time
Reporting System (SETR), which is IRS's electronic time and attendance
system, or by use of other forms or formats for subsequent input into
SETR.[Footnote 34] IRS's Office of Chief Counsel uses a manual time
and attendance recordkeeping process whereby employees prepare manual
hard-copy time cards that are signed by approving officials and then
forwarded to an office manager--designated in SETR as a "proxy"--for
electronic entry into SETR. However, during our testing of a
statistical sample of 80 payroll transactions, we found that one
employee's manual time card was approved for 6 credit hours earned,
but the electronic time card from SETR showed only 5 credit hours
earned.[Footnote 35] IRS officials informed us that the employee
decided to work an additional hour on the last day of the pay period,
which was after the employee's initial time card had been approved and
entered electronically into SETR. The employee prepared an amended
time card, which the approving official signed and provided to the
designated proxy. However, the proxy did not enter the subsequent
change in the time and attendance system. IRS did not have procedures
in place requiring an independent review of the approved manual time
cards to the time and attendance information entered into SETR.
Consequently, IRS was unaware of the discrepancy until we identified
the problem. IRS subsequently corrected the electronic time card in
SETR, about 9 months after the initial manual time card had been
approved.
Internal control standards state that transactions should be
accurately and timely recorded to maintain their relevance and value
to management in controlling operations and making decisions. This
applies to the entire process or life cycle of a transaction or event
from initiation and authorization through its final classification in
summary records.[Footnote 36] If IRS does not properly record its
employees' time and attendance, employees may not be properly paid or
credited for hours they worked, or may be overpaid or overcredited for
hours they did not work.
Subsequent to our apprising IRS of this issue, IRS officials informed
us that the Office of Chief Counsel field office where the error
occurred had established and implemented new procedures in February
2011 for that field office to help ensure that manual time cards were
accurately entered into SETR. Specifically, the new procedures require
one timekeeper to enter the time cards into SETR for his or her
assigned staff, and a second timekeeper to verify each manual time
card against the hours recorded. Both timekeepers are required to sign
each time card signifying entry and verification. After the time is
entered and verified in SETR, the office manager or other designated
supervisory staff member will sign the approval in SETR. Under the new
procedures, the office manager will also regularly audit the time
cards to help ensure that all required signatures (i.e., approving
official, timekeeper, and verifying timekeeper) are present, and send
quarterly reminders to all staff reminding them to compare their
manual time card leave and credit hour balances with the balances
shown on either their earnings and leave statements or in SETR. We
have reviewed these new procedures and believe that if fully and
effectively implemented, they should help prevent or detect future
errors. However, these new procedures are currently only applicable to
the specific field office where the error occurred. As such, they do
not preclude similar errors from occurring in other locations that
also use hard-copy or other alternative time and attendance forms for
subsequent input into SETR.
Recommendation:
We recommend that you direct the appropriate IRS officials to adopt
the local field office's timekeeping procedures or similar procedures
for entering and verifying the accuracy of time and attendance
information entered into SETR throughout IRS for use by all units in
which employees do not enter their own time charges directly to SETR.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and said that it plans to modify
its procedures for reporting and approving time and attendance by the
end of August 2011 to include the recommended requirements. IRS stated
that it would also disseminate the procedures to all of its SETR
business unit points of contact who are currently able to approve time
cards in SETR. IRS's proposed actions, if successfully carried out,
should address the intent of our recommendation. We will evaluate the
effectiveness of IRS's efforts during our audit of IRS's fiscal year
2011 financial statements and future audits.
Verification of NFC Payroll Changes:
During our fiscal year 2010 financial audit, we found that IRS did not
always timely detect errors made by the National Finance Center (NFC)
in processing IRS's payroll.[Footnote 37] Specifically, we found that
NFC made a programming change to its systems that caused incorrect
computations of the Thrift Savings Plan (TSP) mandatory agency
contribution for some IRS employees, and gave these employees 2
percent of their base pay instead of the statutorily required 1
percent for several months in 2009. IRS was not aware of these errors
until we identified the problem during our testing in August 2010.
In June 2009, the President signed into law the Thrift Savings Plan
Enhancement Act that eliminated the waiting period of up to a year
that previously prevented newly hired federal employees covered under
the Federal Employees Retirement System from becoming immediately
eligible to receive the TSP agency automatic 1 percent of base pay
contribution and the agency matching contribution.[Footnote 38] To
implement this legislation, NFC informed IRS that it would perform an
automated system sweep to identify and update the payroll/personnel
system database records for employees who were in the waiting period
with the appropriate eligibility codes so that the employees could
begin receiving their TSP agency contributions as appropriate.
However, errors made in NFC's sweep process resulted in NFC crediting
excess TSP agency contributions for 67 IRS employees totaling over
$7,700 from June until November 2009.[Footnote 39] IRS was unaware of
these errors until we identified the problem during our testing in
August 2010. NFC corrected the errors in December 2010 and January
2011 but was unable to correct errors or recover overpayments that
were beyond the 1-year time limit allowed for recovery or were
associated with employees who had since left IRS.[Footnote 40]
Internal control standards state that transactions should be
accurately and timely recorded. Managers also need to compare actual
performance to planned or expected results and analyze significant
differences.[Footnote 41] In addition, the Department of Agriculture's
Office of Inspector General (IG) conducts an annual audit of NFC's
internal control structure in accordance with the American Institute
of Certified Public Accountant's Statement on Auditing Standards (SAS)
No. 70 and issues a report (SAS 70 report).[Footnote 42] In its 2010
SAS 70 report on NFC, the IG issued an unqualified opinion and
reported no material weaknesses in internal control.[Footnote 43]
However, the IG noted that it is not feasible for NFC's service-
related control objectives to be solely achieved by NFC's control
activities and procedures. Accordingly, the IG reported that user
agencies should establish controls or procedures to complement those
at NFC.
However, IRS did not have procedures to detect errors that may result
from NFC's system programming changes, and thus it did not identify
the errors we identified. According to IRS officials, IRS participated
in NFC's tests of planned programming changes prior to implementation,
but did not perform any tests of the results after such programming
changes were made to help ensure that they were made correctly.
Because running simulations on test data may yield different results
than actual programming changes on live production data, it is
essential that postimplementation tests be performed to ensure that
such changes yield expected results.
We previously reported on a similar issue identified during our audit
of IRS's fiscal year 2003 financial statements.[Footnote 44] At that
time, we found that 131 IRS employees erroneously received excess
mandatory contributions to their TSP accounts, equaling 2 percent of
their base pay rather than the 1 percent required by law. However, in
those instances NFC was unable to determine the cause of the errors.
Based on our recommendation at the time, IRS expanded its existing
quarterly random sample review of payroll activities to include the
recalculation of agency TSP contributions. While this is still a valid
control that IRS should continue, this test did not identify the TSP
errors we found in fiscal year 2010 because it was not designed to
test a specific population, such as only those employees affected by a
specific system programming change. Because IRS did not have controls
in place to verify that NFC's system programming changes were properly
made, IRS did not detect the payroll errors made by NFC and lost the
ability to recover all of the excess TSP contributions. Such
recoveries could have been used to help pay for its operations.
Subsequent to our bringing this issue to its attention, IRS updated
its procedures to require review of a separate random sample of
employees after NFC makes system changes that affect a large volume of
employees to help ensure that the NFC system changes worked properly
and to identify and remediate any problems identified. However, IRS's
procedures do not specify that this random sample be drawn from a
population that consists only of those employees likely to be affected
by the NFC programming changes, and thus the sample results may not be
an accurate indicator of the effectiveness of NFC's changes. As we
noted earlier, IRS's normal quarterly random sample review of payroll
activities did not identify the TSP errors we identified because IRS
sampled from the entire population of IRS employees while the
programming change only affected individuals covered under the Federal
Employees Retirement System who were in the TSP waiting period. In
addition, these new procedures did not provide the criteria for
determining what programming changes will be subject to validation or
establish responsibility for making and documenting this determination.
Recommendation:
We recommend that you further revise your detailed procedures for
implementing the requirement to validate the appropriateness of NFC
programming changes after such changes are made. These revisions
should (1) clarify the criteria for determining what programming
changes will be subject to validation, (2) identify officials
responsible for making and documenting these determinations, and (3)
require postimplementation statistical sampling from a targeted
population that consists of employees who are most likely to be
affected by the NFC programming change.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and stated that it would develop a
detailed standard operating procedure by the end of September 2011
that would address the elements cited in our recommendation. IRS's
proposed actions, if successfully carried out, should address the
intent of our recommendation. We will evaluate the effectiveness of
IRS's efforts during our audit of IRS's fiscal year 2012 financial
statements.
Cash Receipts at the Beckley Finance Center:
During our fiscal year 2010 financial audit, we found that IRS did not
have internal controls in place to appropriately safeguard and
establish accountability for cash receipts received at its Finance
Center in Beckley, West Virginia (BFC). BFC receives nontax payments
in the form of cash or checks from customers, vendors, and employees
daily.[Footnote 45] BFC is responsible for handling all aspects of the
processing of these receipts, from opening the mail, logging the
payments received, and depositing the funds, to recording the
transactions into IRS's financial system.
During our review of IRS's controls over such receipts at BFC, we
found the following.
* Receipts were not immediately logged when first discovered in the
mail room and were not under dual control at all times before they
were recorded on a control log. Three BFC contract employees were
responsible for handling receipts in the mailroom prior to the
receipts being logged.[Footnote 46] Upon discovery of receipts, the
employee responsible for opening the mail transferred the receipts to
a second employee who was responsible for reconciling the receipts to
any documentation that accompanied the receipts. The second employee
then transferred the receipts to a third employee, who was solely
responsible for logging the receipts onto a control log. Each employee
performed his or her assigned processing steps without the
participation or intervention of another employee or a supervisor.
* BFC did not perform a reconciliation or other procedures to ensure
that the amount of cash receipts initially received in the mail room
matched the amount deposited and recorded, thus ensuring
accountability for all cash receipts. After receipts were logged, the
BFC mail room staff provided the receipts and the control log to an
IRS accounting technician under single control to prepare the deposit.
Once the deposit was prepared, the technician returned a photocopy of
the log to the mail room; however, mail room staff did not verify that
the log had not been changed. Additionally, while IRS staff reconciled
the deposit amount to the amount recorded in IRS's general ledger, no
one reconciled or compared the amount deposited and recorded back to
the original log of receipts received in the mail room.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, such as cash.
[Footnote 47] Such assets should be periodically counted and compared
to control records. The standards further state that key duties and
responsibilities need to be divided or segregated among different
individuals to reduce the risk of error or fraud. However, we found
that IRS had not established procedures at BFC consistent with these
requirements. The lack of adequate internal controls and
accountability over cash receipts increased the risk that loss or
theft would not be prevented or detected by BFC in a timely manner.
IRS made notable progress in the past in addressing internal control
weaknesses related to safeguarding taxpayer receipts processed at its
primary submission processing locations, such as SCCs and lockbox
banks. IRS's efforts to address these weaknesses resulted in our
closing a significant deficiency in internal control over hard-copy
taxpayer receipts in fiscal year 2008. However, it is important that
the basic safeguarding controls established in these locations be
extended to other locations that receive and process nontax cash
receipts. After we identified the issues at BFC, IRS revised its BFC
desk procedures in September 2010 to require (1) cash receipts to be
immediately logged under dual control when first discovered in the
mail room, (2) mail room staff to maintain a copy of the log at all
times, and (3) the amount of cash receipts initially discovered in the
mail room to be independently reconciled to the amount deposited and
recorded. These actions should help address this issue. However, to
further reduce the risks we identified during our audit, it is
important that IRS appropriately implement these requirements.
Recommendations:
We recommend that you direct the appropriate IRS officials to take
steps to effectively implement procedures at BFC requiring:
* cash receipts to be immediately logged under dual control when first
discovered in the mail room,
* mail room staff to maintain custody of the control log at all times,
and:
* the amount of cash receipts initially discovered in the mail room to
be independently reconciled to the amount deposited and recorded in
the general ledger.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and indicated that it revised its
check deposit process, updated it desk procedures, and trained
employees on the new process to address these recommendations in late
fiscal year 2010. IRS's proposed actions, if successfully carried out,
should address the intent of our recommendations. We will evaluate the
effectiveness of IRS's efforts during our audit of IRS's fiscal year
2011 financial statements.
Contract Employee Background Investigations:
During our fiscal year 2010 financial audit, we found that IRS's
controls were not fully effective in ensuring that all individuals
responsible for handling sensitive taxpayer data had received
favorable background investigation results before being granted access
to that information. Specifically, at one of the SCCs we visited,
background investigations had not been performed for three contract
employees responsible for picking up outgoing mail, sorting it at a
non-IRS facility, and then delivering it to a U.S. post office for
mailing. These contract mail couriers had physical possession of first-
class mail, which contained information relating to taxpayers. In
previous years' audits, we found that IRS allowed contract employees
at its SCCs, lockbox banks, taxpayer assistance centers, field
offices, and off-site contractor facilities access to cash, checks,
and other taxpayer information before management had received
satisfactory results of each individual's background investigations,
thereby subjecting IRS to an increased risk of theft or misuse of
taxpayer receipts and data.[Footnote 48] As a result, we recommended
that IRS (1) clarify its requirements for which contract employees are
subject to background investigations, (2) maintain appropriate
documentation of background investigation results, and (3) enforce the
requirement that appropriate background investigations be completed
before contractors are granted routine, unescorted, unsupervised
access to IRS facilities and to taxpayer data and receipts. In
response to our recommendations, IRS implemented several corrective
actions to strengthen controls over contract employee background
investigations, but deficiencies in such controls continue to exist.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, which include
sensitive taxpayer information.[Footnote 49] The IRM requires that
when work is performed outside an IRS facility, contract employees may
not have access to taxpayer information or data unless IRS has
received favorable background investigation results.[Footnote 50]
Furthermore, the IRM requires that individuals engaged in procurement-
related activities should ensure that all IRS contracts contain
appropriate language holding contractors and other service providers
accountable for complying with federal and IRS privacy, information
protection, and data security policies and procedures.[Footnote 51]
Consequently, the IRM states that a contracting officer's technical
representative (COTR) is responsible for designating and documenting
the risk level of each position within the contract, and initiating
the process for obtaining background investigations as
required.[Footnote 52] However, in this case no COTR was assigned to
the contract, and thus no responsibility had been assigned to ensure
that the background investigations were required and performed.
In establishing the contract for mail courier services at this SCC,
IRS procurement staff followed IRS Policy and Procedures Memorandum
No. 1.6 (C), which only requires appointing a COTR for contracts
exceeding $100,000. In this case, the mail courier services contract
was actually paid for by the U.S. Postal Service, and thus because the
contract cost to IRS was less than $100,000, IRS did not appoint a
COTR. In the absence of an assigned COTR, IRS procurement officials
stated that the business unit requesting the contract service (the
requesting business unit) was expected to assume responsibility for
ensuring that required background investigations were performed for
the contract employees. However, this expectation was not documented
in any written policy. Consequently, the requesting business unit
representatives responded that they were unaware of any policy or
procedure requiring them to assess the need and initiate the
provisions for a background investigation in these types of contracts.
Lacking such a policy, no representatives of the procurement office or
the requesting business unit with whom we spoke claimed responsibility
for ensuring that background investigations were performed for this
contract. Procurement officials stated that had the requesting
business unit clearly communicated to them that background
investigations were necessary and that contractors would be taking the
mail to a non-IRS facility before delivering it to the post office,
they would have included the provision for obtaining background
investigations in the contract. The requesting business unit officials
said that they were unaware of the requirement and that officials in
the Personnel Security unit of IRS's Human Capital Office had the
requisite technical expertise to determine which contract services
warranted contract employee background investigations. Without a
clear, documented policy establishing responsibility for assessing
disclosure risk and ensuring that all contracts involving routine,
unescorted, unsupervised physical access to taxpayer information
require background investigations, regardless of contract award
amount, IRS cannot ensure that necessary background investigations
have been performed. This, in turn, increases the risk that contract
employees with unsuitable backgrounds may be granted access to
taxpayer information.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Perform a review of all existing contracts under $100,000 that (1)
do not have an appointed COTR and (2) do not require that contract
employees obtain background investigations to assess whether the
services performed under each contract warrant a requirement that
contract employees obtain background investigations.
* Based on a review of all existing contracts under $100,000 without
an appointed COTR that should require contract employees to obtain
favorable background investigation results, amend those contracts to
require that favorable background investigations be obtained for all
relevant contract employees before routine, unescorted, unsupervised
physical access to taxpayer information is granted.
* Establish a policy requiring collaborative oversight between IRS's
key offices in determining whether potential service contracts involve
routine, unescorted, unsupervised physical access to taxpayer
information, thus requiring background investigations, regardless of
contract award amount. This policy should include a process for the
requiring business unit to communicate to the Office of Procurement
and the Human Capital Office the services to be provided under the
contract and any potential exposure of taxpayer information to
contract employees providing the services, and for all three units to
(1) evaluate the risk of exposure of taxpayer information prior to
finalizing and awarding the contract and (2) ensure that the final
contract requires favorable background investigations as applicable,
commensurate with the assessed risk.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that by June 2013 it
would review all existing service contracts under $100,000 to
determine whether the services performed under these contracts warrant
obtaining background investigations, and ensure that all of the
contracts identified contain the necessary security requirements by
September 2013. In addition, IRS stated that its Contractor Security
Lifecycle Program Office, in conjunction with IRS's Agency-Wide Shared
Services, Procurement, and Human Capital offices, will establish a
policy and procedures by December 2012 requiring business units to (1)
identify service contracts where contractors will have routine,
unescorted, unsupervised physical access to taxpayer information; (2)
document the risk of exposure for taxpayer data; and (3) ensure that
security requirements are included in the contract as applicable.
IRS's proposed actions, if successfully carried out, should address
the intent of our recommendations. We will evaluate IRS's progress and
the effectiveness of its actions during future audits.
Deposit Courier Trip Times:
During our fiscal year 2010 financial audit, we found that IRS's
allowable time limits for some of its courier routes were not
effective in identifying potential instances of SCC and lockbox bank
deposit couriers making unauthorized stops during transit. IRS
contracts with courier companies to transfer taxpayer receipts from
its SCCs and lockbox banks to financial institutions for deposit. We
previously identified instances where couriers did not follow IRS
policies for handling taxpayer receipts and information.[Footnote 53]
These instances included couriers (1) making unauthorized stops, (2)
leaving vehicles containing deposits unattended, and (3) transferring
taxpayer receipts and information from the vehicle used to pick up the
deposits to another vehicle. We reported these issues to IRS along
with recommendations to improve related controls. IRS responded to our
recommendations by establishing policies for SCC and lockbox bank
management to monitor deposit courier trip times to detect and prevent
issues such as couriers making unauthorized stops. These policies
required SCC and lockbox bank officials to establish deposit courier
trip time limits in the courier contracts that if exceeded would
initiate management discussions with couriers to determine if
corrective actions are needed. These time limits were not intended to
be maximums that take into account all possible contingencies, but
were intended to help keep couriers accountable for their trip times
and to help SCC and lockbox bank management in monitoring couriers.
However, we found that implementation of the requirements was not
effective in improving the monitoring and oversight of deposit
couriers. During our audit, we found at all three SCCs and at three of
the four lockbox banks we visited that the controls were not effective
in identifying potential instances of deposit couriers making
unauthorized stops. At each site visited, we selected a nonstatistical
sample of deposit courier trip times for a 1-month period and
calculated the average time to make a deposit run. We then compared
these calculated average times to the allowable time limits outlined
in the various courier contracts. In each case, the allowable time
limit for deposit courier trips was in excess of the calculated
average trip time by wide margins. As shown below, most of the
established time limits we reviewed included unexplained cushions that
limited the effectiveness of these monitoring controls in helping to
ensure that receipts were transported as required to the depository
institution. Specifically, we found the following.
* At the three SCCs, the allowable deposit trip time outlined in the
courier contracts ranged from 12 minutes to 27 minutes greater than
the average trip times, which were approximately 17 minutes for each
SCC.
* At one lockbox bank, the allowable deposit trip time was almost
twice as long as the average trip time of approximately 66 minutes.
* One lockbox bank used four different allowable trip times, ranging
from 30 minutes to 60 minutes, to monitor a deposit trip that took on
average 24 minutes to complete.
* At another lockbox bank, IRS and bank management officials
established the allowable trip time at 128 minutes, despite the fact
that actual trip times ranged from 46 minutes to 113 minutes during
the 10-day period they analyzed prior to establishing the limit.
* Additionally, one SCC changed depository bank locations to a site
closer to the IRS facility approximately 6 months prior to our site
visit. However, IRS had not updated the time limits accordingly after
the change.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, such as taxpayer
receipts and related information, and that access be limited to
authorized individuals to reduce the risk of unauthorized use or loss
to the government.[Footnote 54] Additionally, the IRM requires
couriers to provide dedicated service for transportation of a deposit
between the IRS facility and the depository institution with a
transportation time that is not in excess of the time allowed in the
courier contract. The IRM and Lockbox Security Guidelines (LSG)
[Footnote 55] further require that SCC and lockbox bank officials,
respectively, follow up with deposit couriers for any trip in excess
of the established time limit.[Footnote 56] However, we found that
there was no consistent methodology for calculating acceptable deposit
courier trip time limits that would allow for the identification of
potential unauthorized stops. The SCC and lockbox officials we spoke
with could not clearly explain or support how they arrived at their
established trip limits. In addition, they were not required to and
did not periodically reassess or revise the limits when conditions
changed, such as when the depository location changed. By not
establishing meaningful trip limits that would allow for effective
monitoring of the transfer of deposits or periodically reassessing and
updating these limits when conditions change, IRS is at increased risk
of taxpayer receipts and information being lost or diverted while in
the custody of contract couriers, and that any losses that occur may
not be timely detected.
Recommendations:
We recommend that you direct the appropriate IRS officials to take the
following actions:
* Establish procedures to provide a consistent methodology for
calculating and establishing allowable deposit courier trip time
limits to be used by both SCCs and lockbox banks that would assist in
detecting potential unauthorized stops or other contractual violations
for deposit couriers. Such procedures should include instructions for
documenting and supporting how the trip limits were determined and
require justification and approval for all established time limits
that exceed the average trip time.
* Establish procedures to require periodic reassessments of, and
updates to, deposit courier allowable trip time limits to account for
changes in courier routes or other conditions that may affect trip
times.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that it updated the LSG
in January 2011 to include a consistent methodology for calculating
and establishing allowable deposit courier trip time limits for
lockbox banks. IRS also said it updated each SCC's courier contract
statement of work to reflect new delivery time frames based on courier
surveillance. IRS stated that by December 2011 it will establish
procedures to require periodic reassessments of, and updates to,
deposit courier allowable trip time limits to account for changes in
courier routes or other conditions that may affect trip times, and
will explore the use of Global Positioning System technology to track
the deposit courier trip for each delivery, the use of lockbox bank
staff to transport paper deposits in lieu of a dedicated courier, or
both. IRS's proposed actions, if successfully carried out, should
address the intent of our recommendations. We will evaluate the
progress and effectiveness of IRS's efforts during our audit of IRS's
fiscal year 2011 financial statements and future audits.
Transfer of Taxpayer Information between Processing Facilities:
During our fiscal year 2010 financial audit, we found deficiencies in
IRS's controls over contract couriers' transportation and safeguarding
of taxpayer information between processing facilities. Four of IRS's
SCCs use contract couriers to transport taxpayer information between
the main campus facilities and their off-site facilities for further
processing. These off-site processing facilities can range from 2 to
80 miles away from the starting destination. We reviewed the internal
controls at one of the four SCCs with an off-site processing facility
and found that (1) a courier vehicle's cargo door was not locked after
it was loaded with taxpayer returns and other taxpayer-related
information and (2) no procedures were in place to assure the sender
or the recipient of the information that contract courier vehicles'
cargo doors had not been opened or the contents had not been tampered
with during transit.
The courier contract states that taxpayer information must be secured
in a locked vehicle during transit. However, neither the courier nor
the business unit shipping the information verified that the courier
vehicle's cargo door was locked before the courier proceeded to its
destination, and the business unit receiving the information did not
verify that the vehicle's cargo door remained locked during transit.
We also found that IRS's control intended to monitor and enforce the
contract provision requiring that cargo contents be secured during
transit was not effective. Specifically, IRS's Agency-Wide Shared
Services performs monthly reviews of the contract couriers to assess
and enforce compliance with contractual agreements, including whether
cargo doors on contract courier vehicles are locked after the vehicles
are loaded with taxpayer information and remain locked during transit.
However, the guidance provided to the reviewers did not contain
detailed instructions for assessing whether the cargo doors were
locked during transit. We analyzed the Agency-Wide Shared Services'
monthly reviews of the couriers covering a 9-month period at this SCC.
In each case, we were unable to determine how the reviewer assessed
that the cargo doors were locked during transit because the reviewer
did not document how the assessment results were obtained.
Additionally, the business units responsible for the shipment and
receipt of the taxpayer returns and other information confirmed that
there were no controls in place to verify that the information
transmitted was properly safeguarded during transit, for example, with
a tamper-resistant security seal attached to the latch of the cargo
door. Without sufficient controls for monitoring contractual
compliance and other controls to detect unauthorized access to
taxpayer information transferred from one processing facility to
another, IRS cannot ensure that this information will be properly
safeguarded during transit. Additionally, because there is the
potential for taxpayer receipts to be included in these shipments, IRS
cannot ensure that taxpayer receipts will be safeguarded during
transit.[Footnote 57]
Internal control standards require physical controls to limit access
to vulnerable assets and require that access to resources and records,
such as taxpayer receipts and taxpayer information, be limited to
authorized individuals to reduce the risk of unauthorized use or loss
to the government.[Footnote 58] Additionally, the IRM states that tax
information transmitted from one location to another must be provided
adequate safeguards.[Footnote 59] The IRM also requires that IRS
facilities management take responsibility for the security and
accountability of taxpayer receipts and information during transit. By
not ensuring that courier vehicles and their contents are
appropriately secured during transit between the SCCs and their off-
site processing facilities, IRS increases the risk of loss, theft, and
misuse of taxpayer information and receipts.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Enforce existing contractual requirements for the cargo doors of
contract courier vehicles to be locked after picking up taxpayer
information.
* Establish procedures to prevent or detect unauthorized access to
taxpayer information in contract courier vehicles during transit.
These procedures should detail specific activities to be performed by
both the business units sending and receiving the information
transported by the contract courier.
* Revise the guidance for conducting the periodic reviews of the
contract couriers transporting taxpayer information from one IRS
processing facility to another to include procedures for (1)
physically verifying that courier vehicle cargo doors are locked after
picking up this information and remain locked during transit to the
final destination and (2) documenting the basis for the reviewer's
conclusions.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and indicated that it has already
taken actions and has other actions under way to address them.
Specifically, IRS stated that in February 2011, it sent a notice to
key staff and managers reminding them of the contract requirements for
secure transport, and began monthly random reviews of compliance with
requirements beginning in April 2011. IRS also indicated that by
December 2011 it will (1) establish procedures to prevent and detect
unauthorized access to taxpayer information in contract courier
vehicles during transit and (2) revise the guidance for conducting
periodic reviews of the contract couriers to include physically
verifying that courier vehicle cargo doors are locked after pickup and
remain locked during transit to the final destination. IRS added that
the Submission Processing unit will begin conducting a separate
monthly review and documenting the results beginning in January 2012.
IRS's proposed actions, if successfully carried out, should address
the intent of our recommendations. We will evaluate the effectiveness
of IRS's efforts during our audit of IRS's fiscal year 2011 financial
statements and future audits.
Document Transmittal Forms:
During our fiscal year 2010 audit, we found that IRS did not
adequately monitor or document required reviews of internal control
procedures over tracking and monitoring taxpayer receipts and
information transmitted between IRS locations. When IRS's Small
Business/Self-Employed Division (SB/SE) units transmit taxpayer
receipts, information, or both to another IRS location, they are
required to include a document transmittal form listing the documents
and receipts included in the package. Recipients are required to
acknowledge receipt of the items; if the recipient does not
acknowledge receipt within 10 days, the sender is required to initiate
follow-up.[Footnote 60] To facilitate this, senders must maintain a
control copy of each transmittal form sent and track which ones have
been appropriately acknowledged by the recipient in order to know
which ones require follow-up. To help enforce the transmittal
requirements, the IRM requires unit managers to perform periodic
reviews of the document transmittal process to determine whether all
of the required controls are in place and operating effectively and to
document such reviews.
During our fiscal year 2010 financial audit, we found that at seven of
the eight SB/SE units we visited, unit managers either did not perform
or did not document periodic reviews of the document transmittal
control process as required. Specifically, at four locations we
visited, managers asserted that the reviews were performed, but we
found that the scope of the reviews was not sufficient to determine
whether the information sent was timely received and acknowledged by
the recipient. At the fifth location, the manager informed us that the
review was performed, but it was not documented. At the sixth
location, the manager documented the reviews, but the review
documentation did not show the review dates. At the seventh location,
the manager told us that he did not perform the reviews because he
thought that the location was exempt from performing them because of a
shortage of staff to perform the reviews.
Internal control standards require agencies to (1) establish physical
controls to secure and safeguard vulnerable assets, (2) ensure that
ongoing monitoring occurs in the course of normal operations, and (3)
enforce adherence to management policies and procedural requirements.
[Footnote 61] The IRM requires that SB/SE unit managers perform
reviews of the transmittal process to help enforce the transmittal
requirements. However, the process it describes for conducting these
reviews does not ensure that all controls are effectively assessed.
For example, the IRM directs managers to retrieve document transmittal
forms by random date and to verify that controls over the transmittal
process were followed for those forms. However, should the manager
retrieve document transmittals that were timely received from
recipients, the manager is unable to determine, from the process
described in the IRM, whether staff are (1) maintaining control copies
of document transmittal forms, (2) reconciling all document
transmittal forms to ensure that all transmittals were received, or
(3) following up on transmittals that are not timely received.
Additionally, while the IRM states that managers must document their
reviews, the guidance does not provide any minimum requirements for
the documentation. For example, the IRM includes suggested
documentation methods, but none of the methods are explicitly
required. Without a thorough process for assessing key controls and
specific guidance for documenting the reviews, SB/SE unit managers did
not sufficiently conduct the periodic monitoring intended to help
ensure that employees appropriately track taxpayer receipts and
information transmitted between IRS locations.
Consequently, we observed several weaknesses in the transmittal
process that managers had not identified during their reviews,
including senders of document transmittals not (1) maintaining control
copies of document transmittals, (2) tracking the status of
transmittals sent, or (3) following up with recipients who had not
acknowledged receipt of transmittals within 10 business days as
required. By not adequately monitoring the key controls over taxpayer
receipts and information transmitted between locations, IRS increases
the risk that SB/SE unit employees will not follow procedures for
tracking taxpayer receipts and information sent from one IRS location
to another, thus increasing the risk of loss, theft, and misuse of
taxpayer receipts and information.
Recommendations:
We recommend that you direct the appropriate IRS officials to revise
the IRM to do the following:
* Include a comprehensive process that SB/SE unit managers should
follow when performing reviews of the document transmittal process for
determining whether staff are (1) maintaining control copies of
document transmittal forms, (2) reconciling all document transmittal
forms on a biweekly basis to ensure that all transmittals were
received, and (3) following up on transmittals that are not timely
acknowledged.
* Include specifying minimally acceptable steps SB/SE unit managers
should follow in documenting the results of required reviews of the
document transmittal process.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that it would update
the IRM by November 2011 to refine the current review requirements and
clarify the minimally acceptable documentation that SB/SE managers
should complete when conducting the reviews and reporting the results.
IRS's proposed actions, if successfully carried out, should address
the intent of our recommendations. We will evaluate the effectiveness
of IRS's efforts during future audits.
Compliance Reviews of Off-site Processing Facilities:
During our fiscal year 2010 financial audit, we found that IRS did not
complete compliance reviews of its off-site processing facilities once
every 2 years as required in the IRM. IRS's Physical Security and
Emergency Preparedness personnel conduct reviews to assess compliance
with established minimum physical security standards and requirements
for which managers and employees are responsible. These compliance
reviews are IRS's primary tools for evaluating the effectiveness and
appropriateness of existing security procedures and requirements at
its processing facilities as well as identifying areas for future
security program emphasis. At the conclusion of a compliance review,
the review team meets with upper management to discuss its findings,
related recommendations for improving controls, and time frames for
implementing corrective actions. Consequently, these reviews are an
important control to help IRS ensure that the facilities used to
process taxpayer receipts, returns, and other information are
adequately equipped with the appropriate security controls to prevent
unauthorized access and to protect the data and people at these
facilities.
Four of IRS's 10 SCCs utilize off-site processing facilities that are
not located on the premises of the main campus. These off-site
processing facilities perform key tax processing functions, such as
receiving, extracting, and sorting receipts and other taxpayer
information; transcribing hard-copy taxpayer information and related
documents to an electronic format; and analyzing original tax
documents for final processing and review. Each function is a key
component of IRS's responsibility for processing taxpayer receipts and
related taxpayer information. At the off-site processing facility we
visited in April 2010, IRS officials stated that compliance reviews
for that facility were being performed once every 3 years. However,
IRS officials at this facility could not provide documentation
supporting the 3-year requirement and, as a result, informed us that
they would perform future compliance reviews at that facility once
every 2 years. We subsequently inquired and found that compliance
reviews were also being performed once every 3 years at the other
three off-site processing facilities.
Internal control standards require that agencies establish physical
controls to secure and safeguard vulnerable assets, ensure that
ongoing monitoring occurs in the course of normal operations, and
communicate deficiencies found during monitoring to appropriate levels
of management.[Footnote 62] These standards also require that agencies
identify and analyze relevant risks associated with achieving
objectives. The analysis may include assessing the likelihood of
occurrence, deciding how to manage the risk, and determining what
actions should be taken. The IRM states that at a minimum, compliance
reviews of processing and computing center facilities will be
conducted every 2 years (or more frequently if circumstances warrant,
such as major renovations or relocations) and that reviews of all
other offices will be conducted every 3 years (or more frequently if
circumstances warrant).[Footnote 63]
After we informed IRS that all four off-site processing facilities
were only receiving compliance reviews once every 3 years, IRS
officials responded that the intent of the IRM requirement to conduct
compliance reviews once every 2 years only pertained to SCCs, and that
all other facilities associated with that campus, whether they
processed taxpayer receipts and returns or not, were only required to
receive such reviews once every 3 years. However, the IRM does not
define "processing facility" as limited to SCCs, nor does it contain a
separate 3-year compliance review requirement for off-site facilities
that process taxpayer receipts and information. In addition, IRS had
not performed an assessment of the operational activities at these off-
site facilities to establish the minimum frequency requirement for the
compliance reviews. Because these off-site processing facilities
perform many of the same functions as SCCs with respect to taxpayer
receipts and information, they carry the same risks and thus warrant
similar controls as those required of SCCs.
Without clear guidance or instructions from IRS management on the
definition of processing facilities and the required frequency of
compliance reviews for these off-site processing facilities, IRS
increases the likelihood that reviews designed to assess physical
security controls at its revenue receipt processing facilities may not
occur as intended. This, in turn, increases the risk that IRS
management will not detect control deficiencies in a timely manner and
thus may fail to adequately safeguard taxpayer receipts and
information.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Define and specify in the IRM what types of IRS facilities
constitute a processing facility.
* Perform an assessment of the off-site processing facilities to
determine the frequency with which compliance reviews should be
performed for these locations commensurate with the specific
operational activities performed and the assessed level of risk
associated with the facility.
* Based on the results of an assessment of off-site processing
facilities that process taxpayer receipts and related taxpayer
information, revise the IRM to specify the frequency with which
compliance reviews should be performed at these facilities.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that by November 2011
it would revise the IRM to define and specify the types of facilities
that constitute a processing facility and require compliance reviews
to be performed at off-site processing facilities every 2 years. IRS's
proposed actions, if successfully carried out, should address the
intent of our recommendations. We will evaluate the effectiveness of
IRS's efforts during future audits.
After Dark Security Controls:
During our fiscal year 2010 financial audit, we found that IRS's
physical security controls intended to help prevent and detect
unauthorized access to its processing facilities were not always
effective. Specifically, we observed that four exterior security
lights were not functioning at one SCC, which hindered the security
guards' closed-circuit television (CCTV) coverage of the exterior
perimeter of the campus. The security guard on duty during our review
informed us that the security guards were aware of the lighting
outages, but none of the outages were reported to management because
they did not know the process for reporting them. Based on further
inquiries and analysis, we found that IRS did not provide specific and
consistent instructions in its security guard post orders for
reporting such issues.[Footnote 64] At five of its six SCCs with
revenue receipt processing functions and four of its seven lockbox
banks, IRS did not provide instructions in the security guards' post
orders for reporting exterior lighting outages to management for
correction. In addition, while IRS performs several different reviews
on a monthly, quarterly, and annual basis to monitor and assess
physical security controls at SCCs and lockbox banks, there was no
requirement for any of these reviews to occur after dark.
Consequently, these reviews would not necessarily detect exterior
lighting outages.
Internal control standards require that management establish physical
controls to secure and safeguard vulnerable assets.[Footnote 65]
Additionally, the IRM requires that IRS's facilities management
implement exterior protective lighting to provide a minimum acceptable
level of protection.[Footnote 66] Similarly, the LSG requires lockbox
banks to have adequate exterior lighting to ensure personnel security,
safety, and CCTV functionality.[Footnote 67] Functioning artificial
lighting is a key component to CCTV effectiveness. By allowing
nonfunctioning exterior security lights to go unreported by its
security guards and undetected by its security reviews, IRS increases
the risk that the perimeter of its processing facilities will not be
sufficiently illuminated to allow security guards to detect security
breaches. As a result, the risks of loss, theft, and misuse of
taxpayer receipts and information are increased.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Revise the post orders for the SCC and lockbox bank security guards
to include specific procedures for timely reporting exterior lighting
outages to SCC or lockbox bank facilities management. These procedures
should specify (1) whom to contact to report lighting outages and (2)
how to document and track lighting outages until resolved.
* Revise the nature and scope of the SCCs' and lockbox banks' physical
security reviews to include periodic after dark assessments of
physical security controls.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that it would update
the LSG by October 2011 and the IRM by November 2011 for lockbox banks
and SCCs, respectively, to require post orders to include specific
procedures for timely reporting lighting outages, including who to
contact and how to document and track the outages until resolved. IRS
also stated that it is in the process of updating the IRM to require
that SCC physical security reviews include periodic after dark
assessments of physical security, and planned to establish this
requirement for lockbox banks by January 2012. IRS's proposed actions,
if successfully carried out, should address the intent of our
recommendation. We will evaluate the effectiveness of IRS's efforts
during future audits.
Property and Equipment Records:
During our fiscal year 2010 financial audit, we found that IRS
incorrectly recorded the asset purchase prices for some of its assets
in its Information Technology Asset Management System (ITAMS), which
is the system IRS uses to track its property and equipment. In our
fiscal year 2001 financial audit,[Footnote 68] we reported instances
where assets recorded in IRS's administrative accounting system were
not recorded in IRS's property and equipment system. IRS developed
procedures in fiscal year 2004 to help ensure that the procurement
award and requisition numbers recorded in the property records were
accurate in order to link the assets recorded in the accounting
records to a corresponding asset record in ITAMS. However, during our
fiscal years 2007, 2008, and 2009 audits, we continued to find
differences between the two systems in the way some assets were
recorded. For example, we continued to find assets recorded in IRS's
Integrated Financial System (IFS), its current accounting system, that
were not recorded in ITAMS.[Footnote 69]
In testing fiscal year 2010 property and equipment purchases, we did
not identify any instances in which asset purchases were not recorded
in ITAMS as in previous years. However, we found that the acquisition
price recorded in ITAMS was not always consistent with the price
recorded in IFS. Specifically, we selected a nonstatistical sample of
five purchase transactions consisting of 22 assets, and found that IRS
inaccurately recorded the purchase price of 3 of the assets in ITAMS.
The purchase prices of the 3 items--which were all computer servers--
were correctly recorded in IFS but were incorrectly recorded in ITAMS.
For example, the purchase price of one of these servers was correctly
recorded in IFS as $367,609 but was incorrectly recorded in ITAMS as
$459,626, a difference of over $92,000. In all three instances, the
vendor provided erroneous price information to IRS on the Asset
Management Report, which IRS property staff used to create the asset
records in ITAMS.[Footnote 70] IRS did not identify these errors
because it did not compare the price on the Asset Management Report
with the invoice price recorded in IFS.
Internal control standards require that control activities ensure that
all transactions are completely and accurately recorded.[Footnote 71]
Although the IRM requires that certain minimum information must be
kept accurate and current in ITAMS, such as the asset assignment
(e.g., whether the asset is in use, retired, or disposed of), barcode,
serial number, building code, cost center, system name, computer name,
and contact name, the IRM did not specify accurate recording of the
asset purchase price.[Footnote 72] We also found that IRS did not have
procedures to help ensure that the asset purchase price entered in
ITAMS was consistent with the asset purchase price recorded in IFS. By
not ensuring that the information contained in ITAMS is accurate and
complete, management may be relying on inaccurate data for management
decision making.
After we identified the weakness, IRS established standard operating
procedures in February 2011 to require that asset management staff
compare the asset purchase price on the Asset Management Report with
the asset purchase price recorded in IFS and, if any variances are
identified, research and resolve the variances prior to entering the
information in ITAMS. While we commend IRS for taking action,
effective implementation is needed to help ensure that asset purchase
prices are recorded accurately in the property records.
Recommendation:
We recommend that you direct the appropriate IRS officials to take
steps to effectively implement the procedures requiring property staff
to verify that the asset purchase price shown in the Asset Management
Report agrees with the asset purchase price shown in IFS and to
resolve any variances before entering the information into ITAMS.
IRS Comments and Our Evaluation:
IRS agreed with our recommendation and reiterated that it revised its
standard operating procedures in February 2011 to require asset
management staff to conduct appropriate research to validate the price
data on the Asset Management Report against the pricing information in
IRS's requisition tracking system, which interfaces with IFS, prior to
uploading the data into ITAMS. However, it did not describe the steps
it has taken since then to implement these procedures. We will assess
IRS's implementation of the new requirement during our audit of IRS's
fiscal year 2011 financial statements to determine if the objective of
the recommendation has been met.
Disposal Process for Copiers:
During our fiscal year 2010 financial audit, we found that IRS
disposed of photocopy machines (copiers) without determining if the
copiers' hard drives contained sensitive taxpayer information and
ensuring that such information was appropriately destroyed or removed.
IRS has approximately 4,500 copiers located throughout its facilities
nationwide. Some of these copiers contain hard drives that store
images of the documents copied. Because of the nature of IRS's work,
the copier hard drives may contain confidential taxpayer information
or sensitive information on IRS employees or operations. Consequently,
it is critical that IRS establish and maintain controls to help ensure
that such information is not compromised. However, at the time we
conducted property physical inventory site visits to nine IRS
locations in July 2010 as part of our financial audit, we found that
IRS did not have a policy or procedures to help ensure that the copier
hard drive memories were appropriately erased or that the hard drives
were removed prior to disposal of the copiers.
IRS officials informed us that they realized in April 2010 that this
vulnerability existed. Subsequently, IRS's Real Estate Facilities
Management (REFM) Copier Contract Program Manager notified the REFM
staff responsible for copier disposal on May 10, 2010, not to release
any copiers until IRS could determine how to properly dispose of the
hard drives. However, three IRS employees subsequently disposed of
three additional copiers without wiping or destroying the hard drives.
According to IRS officials, the REFM Acting Chief of Logistics, the
REFM Acting Territory Manager, and an IRS Criminal Investigation Unit
employee each released a copier because they were not aware of the
notification. Both of the acting managers in REFM had authority to
physically dispose of copiers; however, the notification was issued
prior to their assuming these acting positions, and they had not been
responsible for copier disposals in their prior positions. The
Criminal Investigation Unit employee was not aware that he did not
have the authority to dispose of copiers. According to IRS officials,
only REFM personnel were authorized to physically dispose of copiers,
thereby serving as the control point to help ensure that the hard
drives of copiers were wiped or destroyed prior to copier disposal.
IRS informed us that it later located the three copiers and removed
and destroyed the hard drives.
The Internal Revenue Code provides that tax returns and return
information obtained by IRS are confidential and must be protected
from unauthorized disclosure.[Footnote 73] This means that unless a
limited statutory exception applies, the code prohibits IRS from
disclosing such sensitive taxpayer information to third parties,
including other government agencies. Also the Privacy Act of 1974
requires each federal agency to establish appropriate administrative,
technical, and physical safeguards to ensure the security and
confidentiality of records and to protect against any anticipated
threats to their security or integrity that could result in
substantial harm, embarrassment, inconvenience, or unfairness to any
individual on whom information is maintained.[Footnote 74] The IRM
requires that all IRS employees prevent unnecessary disclosure of
personally identifiable information in information systems, programs,
electronic formats, and hard-copy documents by adhering to proper
safeguarding measures.[Footnote 75] Because of the sensitive nature of
the information maintained on the copier hard drives, it is important
that IRS have procedures in place to ensure that this equipment is not
disposed of without first wiping or destroying each hard drive.
Without adequate controls to help ensure that sensitive information is
identified and appropriately removed from copier hard drives before
their disposal, there is an increased risk that taxpayer data or other
sensitive data could be compromised.
After we brought this issue to its attention, IRS drafted procedures
in February 2011 for the receipt, shipping, and destruction of all
electronic media, including hard drives found in some copiers.
Specifically, the new procedures require copier hard drives to be
removed and destroyed prior to copier disposal. These new procedures,
once finalized, appropriately disseminated to help ensure that all
those responsible are aware of the requirements, and effectively
implemented, should reduce the risk that taxpayer data or other
sensitive information could be compromised.
Recommendations:
We recommend that you direct the appropriate IRS officials to do the
following:
* Finalize procedures requiring that copier hard drives be removed and
destroyed or otherwise appropriately cleaned before disposing of
copiers.
* Revise the IRM to incorporate the new copier disposal procedures
that require that copier hard drives be removed and destroyed or
otherwise appropriately cleaned before disposing of copiers.
* Issue a memorandum to all business units reminding them that only
designated REFM staff are authorized to dispose of copiers.
IRS Comments and Our Evaluation:
IRS agreed with our recommendations and stated that it published
written procedures in March 2011 for the REFM field offices requiring
removal and destruction of copier hard drives prior to the disposal of
copiers and planned to revise the IRM to include the proper procedures
for handling copier hard drives prior to disposal. In addition, IRS
stated that the REFM Director will issue a memorandum to all IRS
business units in June 2011 reminding them that only designated REFM
staff are authorized to dispose of copiers. IRS's proposed actions, if
successfully carried out, should address the intent of our
recommendations. We will review the updated policies and procedures
and evaluate the effectiveness of IRS's efforts during our audit of
IRS's fiscal year 2011 financial statements.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and
Governmental Affairs and to the House Committee on Oversight and
Government Reform within 60 days of the date of this report. A written
statement must also be sent to the House and Senate Committees on
Appropriations with the agency's first request for appropriations made
more than 60 days after the date of this report. Furthermore, to
ensure that GAO has accurate, up-to-date information on the status of
your agency's actions on our recommendations, we request that you also
provide us with a copy of your agency's statement of actions taken on
open recommendations. Please send your statement of actions to me or
Doreen Eng, Assistant Director, at engd@gao.gov.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; Subcommittee
on Taxation and IRS Oversight, Senate Committee on Finance; House
Committee on Appropriations; and House Committee on Ways and Means,
and to the Chairman and Vice-Chairman of the Senate Joint Committee on
Taxation. We are also sending copies to the Secretary of the Treasury,
the Director of the Office of Management and Budget, and the Chairman
of the IRS Oversight Board. The report also is available at no charge
on GAO's Web site at [hyperlink, http://www.gao.gov].
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our audits of IRS's fiscal years
2010 and 2009 financial statements. Please contact me at (202) 512-
3406 or sebastians@gao.gov if you or your staff have any questions
concerning this report. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in enclosure III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures - 3:
[End of section]
Enclosure I: Details on Audit Methodology:
To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following.
* Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included selecting
statistical samples of unpaid assessments, revenue, refunds, payroll
and nonpayroll expenses, property and equipment, and undelivered order
transactions.[Footnote 76]
* Examined evidence supporting IRS's compliance with IRS learning and
education policies. This included selecting nonstatistical samples to
determine if employees completed all mandatory briefings within the
required time frames.
* Assessed the accounting principles used and significant estimates
made by management.
* Evaluated the overall presentation of the financial statements.
* Obtained an understanding of IRS and its operations, including its
internal control over financial reporting.
* Considered IRS's process for evaluating and reporting on internal
control and financial systems under 31 U.S.C. § 3512 (c), (d),
commonly referred to as the Federal Managers' Financial Integrity Act
of 1982, and Office of Management and Budget Circular No. A-123,
Management's Responsibility for Internal Control.
* Assessed the risk of (1) material misstatement in the financial
statements and (2) material weakness in internal control over
financial reporting.
* Tested relevant internal control over financial reporting.
* Evaluated the design and operating effectiveness of internal control
over financial reporting based on the assessed risk.
* Tested compliance with selected provisions of the following laws and
regulations: Internal Revenue Code; Antideficiency Act, as amended;
Purpose Statute; Prompt Payment Act; Pay and Allowance System for
Civilian Employees; Federal Employees' Retirement System Act of 1986,
as amended; Social Security Act of 1935, as amended; Federal Employees
Health Benefits Act of 1959, as amended; Economic Stimulus Act of
2008; American Recovery and Reinvestment Act of 2009; Worker,
Homeownership, and Business Assistance Act of 2009; Homebuyer
Assistance and Improvement Act of 2010; and Financial Services and
General Government Appropriations Act, 2010.
* Tested whether IRS's financial management systems substantially
complied with the three requirements of the Federal Financial
Management Improvement Act of 1996.
* Performed such other procedures as we considered necessary in the
circumstances.
[End of section]
Enclosure II: Comments from the Internal Revenue Service:
Department of the Treasury:
Internal Revenue Service:
Commissioner:
Washington, DC 20224:
June 9, 2011:
Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Sebastian:
I am writing in response to the Government Accountability Office (GAO)
draft report titled Management Report: Improvements Are Needed to
Enhance the IRS's Internal Controls and Operating Effectiveness (GAO-
11-494R) As GAO noted in the report titled Financial Audit: IRS's
Fiscal Years 2010 and 2009 Financial Statements, we continue to make
significant progress in addressing remaining financial management
challenges and have substantially mitigated weaknesses in internal
controls.
During fiscal year 2010, IRS Improved its compliance with requirements
of the Federal Financial Management Improvement Act by bringing its
financial management systems into compliance with the United States
Standard General Ledger. The enclosed response addresses each of your
recommendations.
We are committed to implementing appropriate improvements to ensure
that the IRS maintains sound financial management practices. If you
have any questions, please contact me, or a member of your staff may
contact Pamela LaRue, Chief Financial Officer, at (202) 622-6400.
Sincerely,
Signed by:
Douglas H. Shulman:
Enclosure:
[End of letter]
Enclosure:
Government Accountability Office (GAO) Recommendations and IRS
Responses to Management Report: Improvements Are Needed to Enhance
IRS's Internal Controls and Operating Effectiveness: GAO-11-494R:
Recommendation #1: We recommend that you direct the appropriate IRS
officials to put procedures in place to periodically monitor the
effectiveness of the new First-Time Homebuyer Credit (FTHBC) validity
checks for the duration of the filing of FTHBC claims to verify they
are working as intended.
Comments: The IRS agrees with this recommendation. The IRS has
established procedures to monitor the effectiveness of our validity
checks and controls, via the "Individual Master File Unpostables By
Reason Code" daily reports. The IRS reviews and resolves the
unpostable codes to monitor the effectiveness of the new FTHBC
validity check. This process will continue beyond the duration of the
filing of FTHBC claims.
Recommendation #2: We recommend that you direct the appropriate IRS
officials to establish a mechanism to enforce the existing requirement
for appropriate managers to immediately notify the Manual Refund Unit
of any personnel changes affecting the approval or processing of
manual refunds. This may be accomplished through mechanisms such as
periodic alerts, providing training and/or having the Manual Refund
Unit perform quarterly validations of the list of manual refund
approving officials.
Comments: The IRS agrees with this recommendation. The IRS will
incorporate a procedural change in Internal Revenue Manual (IRM)
3.17.79. Accounting Refund Transactions, by August 2011. This will
require all Service Center Accounting functions to provide a list of
manual refund authorizers to the Head of Office in each Business
Operating Division (BOD) to validate individuals who are still
authorized to sign manual refunds. This listing will be required on a
quarterly basis starting at the end of June 2011.
Recommendation #3: We recommend that you direct the appropriate IRS
officials to send out a reminder to all staff to follow policies and
procedures for obtaining approval and funding of proposed purchases
prior to entering into an agreement with vendors, Comments: The IRS
agrees with this recommendation. The IRS will send out a reminder by
the end of July 2011 to all employees to follow policies and
procedures for obtaining approval and funding of proposed purchases
prior to entering into an agreement with vendors. We will place the
reminder on the IRS Intranet site (iRWeb), and send notification via
IRS Headlines. and More.
Recommendation #4: We recommend that you direct the appropriate IRS
officials to establish formal written procedures requiring staff to
review purchase contract terms against the goods and services received
to date before requesting additional goods or services.
Comments: The IRS agrees with this recommendation. The IRS will
develop formal written instructions by the end of June 2011 to address
the requirement to review contract terms and status of deliverables,
and ensure that all related ordering activity is in compliance with
the terms and conditions of the contract. We will place the written
instructions on the Office of Procurement's website, as well as send
it to all web Requisition Tracking System (webRTS) users and business
units.
Recommendation #5: We recommend that you direct the appropriate IRS
officials to establish procedures to centrally review and monitor the
timeliness of personnel action requests and approvals to help ensure
compliance with the IRM and applicable Office of Personnel Management
(OPM) regulations and guidance.
Comments: The IRS agrees with this recommendation. In April 2011, IRS
developed a report and process that enables us to centrally review and
monitor timeliness of non-competitive personnel actions. We will
establish a similar system to track the timeliness of competitive
actions by the end of August 2011. In addition, we plan to establish
a centralized quality review program to further support the on-going
evaluation of results and identify improvement opportunities by the
end of July 2011.
Recommendation #6: We recommend that you direct the appropriate IRS
officials to adopt the local field office's timekeeping procedures or
similar procedures for entering and verifying the accuracy of time and
attendance information entered into the Single Entry Time Reporting
system (SETR) throughout IRS for use by all units in which employees
do not enter their own time charges directly to SETR.
Comments: The IRS agrees with this recommendation. The IRS will modify
Standard Operating Procedure (SOP) MPC-02, revision 1, Time &
Attendance Reporting, Approval and Maintenance Requirements, by the
end of August 2011 to include the recommended requirements. We will
place the revised SOP on the IRWeb, and forward it to all SETR
Business Unit points of contact that are currently able to approve
time sheets in SETR to disseminate.
Recommendation #7: We recommend that you further revise your detailed
procedures for implementing the requirement to validate the
appropriateness of the National Finance Center's (NFC) programming
changes after such changes are made. These revisions should (1)
clarify the criteria for determining what programming changes will be
subject to validation, (2) identify officials responsible for making
and documenting these determinations, and (3) require post-
implementation statistical sampling from a targeted population that
consists of employees that are most likely to be affected by the
NFC programming change.
Comments: The IRS agrees with this recommendation. The IRS will
develop a detailed SOP by the end of September 2011. When drafting the
SOP we will ensure that all three items in the recommendation are
addressed.
Recommendation #8: Removed by GAO.
Comments: The recommendation was removed by GAO. It will be deleted
from the final report.
Recommendation #9: We recommend that you direct the appropriate IRS
officials to take steps to effectively implement procedures at the
Beckley Finance Center (BFC) requiring cash receipts be immediately
logged under dual control when first discovered in the mail room.
Comments: The IRS agrees with this recommendation. In August 2010, the
IRS revised its check deposit process, updated its desk procedures,
and trained employees on the new process to address the requirement of
cash receipts being immediately logged under dual control when first
discovered in the mail room.
Recommendation #10: We recommend that you direct the appropriate IRS
officials to take steps to effectively implement procedures at BFC
requiring mail room staff to maintain custody of the control log at
all times.
Comments: The IRS agrees with this recommendation. In August 2010, the
IRS revised its check deposit process, updated its desk procedures,
and trained employees on the new process to address the requirement of
mail room staff maintaining custody of the control log at all times.
Recommendation #11: We recommend that you direct the appropriate IRS
officials to take steps to effectively implement procedures at BFC
requiring that the amount of cash receipts initially discovered in the
mail room be independently reconciled to the amount deposited and
recorded in the general ledger.
Comments: The IRS agrees with this recommendation, In August 2010, the
IRS revised its check deposit process, updated its desk procedures,
and trained employees on the new process to address the requirement of
cash receipts initially processed in the mail room being independently
reconciled to the amount deposited and recorded in the financial
system.
Recommendation #12: We recommend that you direct the appropriate IRS
officials to perform a review of all existing contracts under $100,000
that (1) do not nave an appointed Contracting Officer's Technical
Representative (COTR), and (2) do not require that contract employees
obtain background investigations, to assess whether the services
performed under the contract warrant a requirement that contract
employees obtain background investigations.
Comments: The IRS agrees with this recommendation. The IRS will issue
the Contractor Security Lifecycle Program (CSLP) Office policy in
December 2012, and will review all existing service contracts under
$100,000. The IRS will determine by June 2013 whether the services
performed under these contracts warrant obtaining background
investigations on the contract employee(s). The policy will require
business units to identify service contracts where contractors will
have routine, unescorted. unsupervised, physical access to taxpayer
information, document the risk of exposure to taxpayer data. and
ensure that the requirements of the Internal Revenue Service
Acquisition Procedures 1052.204-9005, Submission of Security Forms and
Related Materials, are included in the contract, as applicable.
Recommendation #13: We recommend that you direct the appropriate IRS
officials, based on a review of all existing contracts under $100,000
without an appointed COTR that should require contract employees to
obtain favorable background investigation results, to amend those
contracts to require that favorable background investigations be
obtained for all relevant contract employees before routine.
unescorted, unsupervised physical assess to taxpayer information is
granted.
Comments: The IRS agrees with this recommendation. The IRS will ensure
all existing service contracts under $100,000, identified in the above-
mentioned review, contain the necessary security requirements by
September 2013.
Recommendation #14: We recommend that you direct the appropriate IRS
officials to establish a policy requiring collaborative oversight
between IRS's key offices in determining whether potential service
contracts involve routine, unescorted, unsupervised physical access to
taxpayer information, thus requiring background investigations,
regardless of contract award amount. This policy should include a
process for the requiring business unit to communicate to the Office
of Procurement and the Human Capital Office the services to be
provided under the contract and any potential exposure of taxpayer
information to contract employees providing the services, and for all
three units to (1) evaluate the risk of exposure of taxpayer
information prior to finalizing and awarding the contract, and (2)
ensure that the final contract requires favorable background
investigations as applicable, commensurate with the assessed risk.
Comments: The IRS agrees with this recommendation. By December 2012,
the IRS CSLP Office, in conjunction with Agency-Wide Shared Services
(AWSS) Procurement and the IRS Human Capital Office (HCO), will
establish a policy and associated procedures requiring business units
to identify service contracts where contractors will have routine.
unescorted, unsupervised, physical access to taxpayer information.
document the risk of exposure to taxpayer data, and ensure that the
requirements of the Internal Revenue Service Acquisition Procedures
1052.204-9005. Submission of Security Forms and Related Materials, are
included in the contract, as applicable.
Recommendation #15. We recommend that you direct the appropriate IRS
officials to establish procedures to provide a consistent methodology
for calculating and establishing allowable deposit courier trip time
limits to be used by both Service Center Campuses (SCCs) and lockbox
banks that would assist in detecting potential unauthorized stops or
other contractual violations for deposit couriers. Such procedures
should include instructions for documenting and supporting how the
trip limits were determined and require justification and approval for
all established time limits that exceed the average trip time.
Comments: The IRS agrees with this recommendation. The IRS updated
each campus' courier contract Statement of Work (SOW) to reflect new
delivery timeframes for daily deposits to the depository drop-off
location based on data gathered during courier surveillance. The IRS
also updated the Lockbox Security Guidelines (LSG) 2.16, Establishing
Courier Timeframes, in January 2011, which serves as the SOW for
lockbox banks, to include procedures to provide a consistent
methodology to calculate and establish allowable deposit courier trip
time limits for lockbox banks. The LSG procedures document and support
how the trip limits are determined and require justification and
approval for deviations from established time limits. Additionally, IRS
will explore the use of real-time Global Positioning System technology
to track the deposit courier trip for each delivery in order to
monitor a driver/vehicle 24 hours a day, 7 days a week and/or use of
bank staff to transport paper deposits in lieu of a dedicated courier.
The IRS anticipates completing these actions by December 2011.
Recommendation #16: We recommend that you direct the appropriate IRS
officials to establish procedures to require periodic reassessments
of, and updates to, deposit courier allowable trip time limits to
account for changes in courier routes or other conditions that may
affect trip times.
Comments: The IRS agrees with this recommendation. The IRS updated the
IRM 3.5.45, Manual Deposit Process, in April 2011 to reflect
established timeframes that will be re-evaluated each year during the
annual unannounced security reviews or whenever changes occur in the
drop-off location. The IRS will also establish procedures by December
2011 to require periodic reassessments of, and updates to, deposit
courier allowable trip times to account for changes in courier routes
or other conditions that may affect trip times.
Recommendation #17: We recommend that you direct the appropriate IRS
officials to enforce existing contractual requirements for the cargo
doors of contract courier vehicles to be locked after picking up
taxpayer information.
Comments: The IRS agrees with this recommendation. The IRS sent a
notice to the sub-COTRs and Logistics Chiefs in each territory in
February 2011 reminding them of the contract requirements for secure
transport. Starting in April 2011, IRS implemented a monthly random
review of contractor adherence to the secure transport requirements,
including the requirement for cargo doors of contract courier vehicles
to be locked after picking up taxpayer information.
Recommendation #18: We recommend that you direct the appropriate IRS
officials to establish procedures to prevent or detect unauthorized
access to taxpayer information in contract courier vehicles during
transit. These procedures should detail specific activities to be
performed by both the business units sending and receiving the
information transported by the contract courier.
Comments: The IRS agrees with this recommendation. The IRS will
establish procedures to prevent and detect unauthorized access to
taxpayer information in contract courier vehicles during transit to
and from offsite processing facilities by December 2011. In February
2011, IRS sent a notice to the sub-COTRs and Logistics Chiefs in each
territory to remind them of the contract requirements for secure
transport. Starting in April 2011, IRS implemented a monthly random
review of contractor adherence to the secure transport requirements.
Recommendation #19: We recommend that you direct the appropriate IRS
officials to revise the guidance for conducting the periodic reviews
of the contract couriers transporting taxpayer information from one
IRS processing facility to another to include procedures for (1)
physically verifying that courier vehicle cargo doors are locked after
picking up this information and remain locked during transit to the
final destination, and (2) documenting the basis for the reviewers
conclusions.
Comments: The IRS agrees with this recommendation. By December 2011,
IRS will revise the guidance for conducting periodic reviews of the
contract couriers transporting taxpayer information to include
physically verifying that courier vehicle cargo doors are locked after
pick up and remain locked during transit to the final destination.
Starting in January 2012, Submission Processing will conduct one
review each month and document the results. In February 2011, IRS sent
a notice to the sub-COTRs and Logistics Chiefs in each territory to
remind them of the contract requirements for secure transport.
Starting in April 2011, IRS implemented a monthly random review of
contractor adherence to the secure transport requirements, including
the requirement for cargo doors of contract courier vehicles to be
locked after picking up taxpayer information.
Recommendation #20: We recommend that you direct the appropriate IRS
officials to revise the IRM to include a comprehensive process that
Small Business/Self-Employed Division (SB/SE) managers should follow
when performing reviews of the document transmittal process for
determining whether staff are (1) maintaining control copies of
document transmittal forms, (2) reconciling all document transmittal
forms on a biweekly basis to ensure that all transmittals were
received, and (3) following up on transmittals that are not timely
acknowledged.
Comments: The IRS agrees with this recommendation. The IRS will update
IRM 1.4.50. Collection Group Manager, Territory Manager, and Area
Director Operational Aid, by November 2011. The IRS will refine the
current review requirements to clarify the actions management should
take to determine whether staff are 1) maintaining control copies of
document transmittal forms, 2) reconciling all document transmittal
forms on a bi-weekly basis to ensure that all transmittals are
acknowledged, and 3) performing the follow-up procedures required in
IRM 5.1.2.4.4(1)g, Collection Field Clerical Staff Procedures for Form
795/795A Processing.
Recommendation #21: We recommend that you direct the appropriate IRS
officials to revise the IRM to include specifying minimally acceptable
steps SB/SE managers should follow in documenting the results of
required reviews of the document transmittal process.
Comments: The IRS agrees with this recommendation. The IRS will update
IRM 1.4.50, Collection Group Manager, Territory Manager, and Area
Director Operational Aid, by November 2011. The IRS will clarify the
minimally acceptable documentation the SB/SE managers should complete
when conducting the review and reporting the results.
Recommendation #22: We recommend that you direct the appropriate IRS
officials to define and specify in the IRM what types of IRS
facilities constitute a processing facility.
Comments: The IRS agrees with this recommendation. The IRS will revise
IRM 10.2,2. Physical Security Compliance Reviews, by November 2011 to
define and specify the types of facilities that constitute a
processing facility.
Recommendation #23: We recommend that you direct the appropriate IRS
officials to perform an assessment of the off-site processing
facilities to determine the frequency with which compliance reviews
should be performed for these locations commensurate with the specific
operational activities performed and assessed level of risk associated
with the facility.
Comments: The IRS agrees with this recommendation. The IRS currently
has a 2-year requirement established for Compliance Reviews at Main
Campus locations, and we will revise IRM 10.2.2, Physical Security
Compliance Reviews, by November 2011 to require that compliance
reviews be performed at off-site processing facilities every 2 years
due to the sensitive data processed at these locations.
Recommendation #24: We recommend that you direct the appropriate IRS
officials, based on the results of an assessment of off-site
processing facilities that process taxpayer receipts and related
taxpayer information, to revise the IRM to specify the frequency with
which compliance reviews should be performed at these facilities.
Comments: The IRS agrees with this recommendation. The IRS will revise
1RM 10.21, Physical Security Compliance Reviews, by November 2011, to
require that compliance reviews be performed at off-site processing
facilities every 2 years due to the sensitive data processed at these
locations.
Recommendation #25: We recommend that you direct the appropriate IRS
officials to revise the post orders for the SCCs and lockbox bank
security guards to include specific procedures for timely reporting
exterior lighting outages to SCC or lockbox bank facilities
management. These procedures should specify (1) whom to contact to
report lighting outages, and (2) how to document and track lighting
outages until resolved.
Comments: The IRS agrees with this recommendation. The IRS will update
the Lockbox Security Guidelines section 2.3.4.1.1, Post Orders, by
October 2011 with requirements for reporting lighting outages and
direct the banks to revise the lockbox security guards' post orders to
include specific procedures for timely reporting exterior lighting
outages to the lockbox bank facilities management. The IRS will also
revise IRM 10.2.12, Security Guard and Explosive Detector Dog Services
and Programs, by November 2011 to require that post orders include
procedures for Service Center Campus guards to report lighting
outages. The IRS will revise the procedures to specify who to contact
to report lighting outages and how to document and track the lighting
outages until the issue is resolved.
Recommendation #26: We recommend that you direct the appropriate IRS
officials to revise the nature and scope of the SCCs' and lockbox
banks' physical security reviews to include periodic after-dark
assessments of physical security controls.
Comments: The IRS agrees with this recommendation. The IRS is
currently updating IRM 10.2.12, Security Guard and Explosive Detector
Dog Services and Programs, to require that physical security reviews
of the SSCs include periodic after-dark assessments of physical
security. In January 2012, the IRS will update the IRM to require
after-dark reviews in the lockbox security guards' post orders, LSG
section 2.3.4,1 (6) (c) and 2.3.4.1.3, and Exhibit 13 of LSG 2.3 for
consistency.
Recommendation #27: We recommend that you direct the appropriate IRS
officials to take steps to effectively implement the procedures
requiring property staff to verify that the asset purchase price shown
in the Asset Management Report agrees with the asset purchase price
shown in the Integrated Financial System (IFS) and to resolve any
variances before entering the information into Information Technology
Asset Management System (ITAMS).
Comments: The IRS agrees with this recommendation. The IRS revised its
internal Standard Operating Procedures in February 2011 to require
that Asset Management personnel conduct appropriate research to
validate the price data supplied on the Asset Management Report
against the pricing information in webRTS prior to uploading the data
in ITAMS.
Recommendation #28: We recommend that you direct the appropriate IRS
officials to finalize procedures requiring that copier hard drives be
removed and destroyed or otherwise appropriately cleaned before
disposing of copiers.
Comments: The IRS agrees with the recommendation. The IRS National
Copier Contract COTR published written procedures in March 2011 to the
Real Estate and Facilities Management (REFM) field offices requiring
removal and destruction of copier hard drives prior to the disposal of
copiers.
Recommendation #29: We recommend that you direct the appropriate IRS
officials to revise the IRM to incorporate the new copier disposal
procedures that require that copier hard drives be removed and
destroyed or otherwise appropriately cleaned before disposing of
copiers.
Comments: The IRS agrees with the recommendation. In June 2011, IRS
will revise IRMs 1.14.4.12.24, 2.7.4, and 10.8.1.4.7.3 to include the
proper handling procedures of copier hard drives prior to the disposal
of copiers.
Recommendation #30: We recommend that you direct the appropriate IRS
officials to issue a memorandum to all business units reminding them
that only designated REFM staff are authorized to dispose of copiers.
Comments: The IRS agrees with this recommendation. In June 2011, the
Director, REFM, will issue a memorandum to all IRS business units
reminding them that only designated REFM staff are authorized to
dispose of copiers.
[End of section]
Enclosure III: GAO Contacts and Staff Acknowledgments:
GAO Contact:
Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov.
Staff Acknowledgments:
In addition to the contact named above, the following individuals made
major contributions to this report: Doreen Eng, Assistant Director;
Cynthia Teddleton, Auditor-in-Charge; Sharon Byrd; Nina Crocker;
Oliver Culley; Chuck Fox; Ryan Guthrie; Mary Arm Hardy; Tuan Lam;
Jenny Li; Cynthia Ma; Joshua Marcus; Emily Matic; Jean Mathew; Julie
Phillips; John Sawyer; Christopher Spain; Chevalier Strong; Lien To;
LaDonna Towler; and Cherry Vasquez.
[End of section]
Footnotes:
[1] GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial
Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142]
(Washington, D.C.: Nov. 10, 2010).
[2] GAO, Information Security: IRS Needs to Enhance Internal Control
over Financial Reporting and Taxpayer Data, [hyperlink,
http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15,
2011).
[3] A material weakness is a deficiency, or a combination of
deficiencies, in internal control such that there is a reasonable
possibility that a material misstatement of the entity's financial
statements will not be prevented, or detected and corrected, on a
timely basis. A control deficiency exists when the design or operation
of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent, or detect
and correct, misstatements on a timely basis. A significant deficiency
is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to
merit attention by those charged with governance.
[4] The preponderance of refunds are disbursed to taxpayers
automatically by IRS's automated systems once a tax return is posted
to the taxpayer's account and an overpayment to IRS is identified and
calculated. However, refunds meeting certain defined criteria, such as
those exceeding $10 million, are subject to manual review and approval
before disbursement and are known as manual refunds.
[5] The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct its operations, and contains policy,
direction, and delegations of authority necessary to carry out IRS's
responsibilities to administer tax law and other legal provisions.
[6] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999), contains the internal control
standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by 31 U.S.C. §
3512 (c), (d) (commonly referred to as the Federal Managers' Financial
Integrity Act of 1982).
[7] An entity's internal control over financial reporting is a process
effected by those charged with governance, management, and other
personnel, the objectives of which are to provide reasonable assurance
that (1) transactions are properly recorded, processed, and summarized
to permit the preparation of financial statements in accordance with
U.S. generally accepted accounting principles, and assets are
safeguarded against loss from unauthorized acquisition, use, or
disposition and (2) transactions are executed in accordance with the
laws governing the use of budget authority and other laws and
regulations that could have a direct and material effect on the
financial statements.
[8] SCCs process tax returns and payments submitted by taxpayers.
[9] Lockbox banks are financial institutions designated as
depositories and financial agents of the U.S. government under
contract with the Department of the Treasury's Financial Management
Service to perform certain financial services, including processing
tax documents, depositing the receipts, and then forwarding the
documents and data to IRS SCCs, which update taxpayers' accounts.
During fiscal year 2010, there were seven lockbox banks processing
taxpayer receipts on behalf of IRS.
[10] Small Business/Self-Employed Division units are field offices
that serve partially or fully self-employed individuals, individual
filers with certain types of nonsalary income, and small businesses.
[11] Taxpayer assistance centers are field assistance units, located
within IRS's Wage and Investment Division, designed to serve taxpayers
who choose to seek help from IRS in person. Services provided include
interpreting tax laws and regulations, preparing tax returns,
resolving inquiries on taxpayer accounts, receiving payments,
forwarding those payments to appropriate SCCs for deposit and further
processing, and performing other services designed to minimize the
burden on taxpayers in satisfying their tax obligations. These offices
are much smaller facilities than SCCs or lockbox banks, with staffing
ranging from 1 to about 35 employees.
[12] Making multiple FTHBC claims to receive multiple credits (e.g.,
two separate claims for $8,000 each) is different from making one
FTHBC claim, which is subsequently amended one or more times, to
receive a single credit (e.g., a first claim for $4,000 and a related
amended claim for another $4,000). In the first situation, the
taxpayer is claiming more than the statutory limit for his or her
circumstances. In the second situation, the taxpayer is correcting an
earlier error in which he or she did not claim the entire amount of
the credit to which he or she was entitled.
[13] See [hyperlink, http://www.gao.gov/products/GAO-11-142].
[14] See the FTHBC, which is codified, as amended, at 26 U.S.C. § 36.
The FTHBC was enacted in the Housing and Economic Recovery Act of
2008, Pub. L. No. 110-289, 122 Stat. 2654 (July 30, 2008), which
provided taxpayers with a refundable tax credit up to $7,500, which
taxpayers must repay over 15 years, beginning in the 2011 filing
season. It was subsequently amended three times with different
versions of the FTHBC. The American Recovery and Reinvestment Act of
2009, Pub. L. No. 111-5, 123 Stat. 115 (Feb. 17, 2009), increased the
maximum credit to $8,000, and waived the repayment requirement for
home purchases in 2009, so long as the home remains the taxpayer's
primary residence for 3 years; the Worker, Homeownership, and Business
Assistance Act of 2009, Pub. L. No. 111-92, 123 Stat. 2984 (Nov. 6,
2009), extended the time frame in which homebuyers could claim the
FTHBC and included several other modifications; and the Homebuyer
Assistance and Improvement Act of 2010, Pub. L. No. 111-198, 124 Stat.
1356 (July 2, 2010), included further credit modifications, such as
extending the time frame for taxpayers to close on a house if they
have entered into a written binding contract. While Congress did not
renew the credit for tax year 2011, members of the military and
certain other federal employees, who met certain requirements, had
until April 30, 2011, to purchase a home or enter into a written
binding contract in order to qualify for the credit. These taxpayers
who entered into a binding contract prior to May 1, 2011, may also
claim an FTHBC for a purchase made after April 30, 2011, and before
July 1, 2011. See 26 U.S.C. § 36(h)(3).
[15] For FTBHC purposes, a long-time resident is defined as a taxpayer
who has owned and used the same residence as a principal residence for
any 5 consecutive years during the 8-year period ending on the date of
the purchase of a subsequent principal residence. See 26 U.S.C. §
36(c)(6)
[16] We are 90 percent confident that 99 percent of the 201 FTHBC
claims we identified as potential duplicate FTHBC claims resulted in
the payment of erroneous tax refunds.
[17] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[18] The validity checks are not designed to reject instances where
the sum of two claims filed by a taxpayer is less than or equal to the
maximum statutory limit. A taxpayer can legitimately file multiple
amended FTHBC claims related to a single home purchase, so long as the
sum of the claims does not exceed the statutory limit. For example, an
eligible taxpayer who (1) miscalculated the price of the home and
filed a claim for an incorrect amount can file a related amended claim
for the difference; (2) filed a $7,500 FTHBC claim for a 2009 purchase
can file for a related amended claim equal to $500; and (3) purchased
a home for $80,000 and claimed a $4,000 credit when filing as married
filing separate can amend his/her return to file married filing
jointly and claim an additional $4,000 for the couple, provided the
spouse had not previously filed an FTHBC claim for the home.
[19] See [hyperlink, http://www.gao.gov/products/GAO-11-142].
[20] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[21] IRM § 3.17.79.3.5, Employee Authorized to Sign Requests for
Manual Refunds (Jan. 1, 2010).
[22] The majority of IRS's purchases go through the Office of
Procurement; however, nonprocurement transactions, such as advances,
rent, travel, postage, training, printing, reimbursable items, and
micropurchases up to $3,000, are processed by business units rather
than the Office of Procurement.
[23] We identified these two instances during our testing of a
statistical sample of 115 transactions covering expenses other than
payroll and travel recorded from October 1, 2009, through May 31,
2010. Based on our testing, we estimated that the value of such
expenses that could have the same control error could be as high as
$98.9 million (i.e., the net upper error limit at a 95 percent
confidence level) out of a population of $2.1 billion.
[24] IRM § 6.410.1.1.14.1, Acquiring Outservice Training, and §
6.410.1.1.14.2, Standard Form 182 Process (Mar. 12, 2009).
[25] An unauthorized commitment does not create a valid obligation and
constitutes a nonbinding agreement that a CO may later ratify. IRS
must have adequate funds available to cover the cost of ratifying an
unauthorized commitment. See Federal Acquisition Regulation, 48 C.F.R.
§ 1.602-3 (Ratification of Unauthorized Commitments by Contracting
Officers).
[26] Federal Acquisition Regulation, 48 C.F.R. §§ 1.602 (Contracting
Officers) and 43.102 (Contract Modifications Policy).
[27] Per 5 U.S.C. § 2951, OPM has issued implementing regulations (5
C.F.R. § 9.2) that prescribe requirements for executive agencies on
submitting information related to civilian employees, including
reporting on appointments and other personnel actions.
[28] According to IRS Human Capital Office officials, business units
are generally required to submit SF-52s to the HR specialists one full
pay period prior to the effective date of the personnel action. There
may be exceptions, such as requests for employee separations.
[29] All candidates for promotion must meet all minimum eligibility
and qualification requirements before they may be promoted.
[30] We performed dual purpose testing from a statistical sample of 80
payroll transactions, and the results of this type of testing must be
expressed in dollar values. However, because the errors we found
relate to the number of employees with unapproved personnel actions
rather than to payroll dollars, we are unable to project the number of
personnel actions related to promotions that contain errors.
[31] For each employee in our payroll transaction sample, we reviewed
the most recent personnel action affecting his/her authorized pay rate
that was in effect at the time of our testing in August 2010.
Consequently, some of the personnel actions reviewed were effective
prior to fiscal year 2010.
[32] IRM § 6.250.1.3, Issuing and Revising HRM Policies, Procedures,
and Programs (June 1, 2002).
[33] IRM § 6.300.1.2, Employment Procedures, Policies, and Delegations
(Nov. 6, 2009).
[34] IRS allows its units to use alternative methods of timekeeping as
long as all documents are controlled and retained.
[35] During our audit, we did not specifically test manual time cards
against time entered into SETR. This exception was identified in
conjunction with a test of the grade levels of approving officials who
entered data into SETR. Therefore, we cannot project the results
because we selected our sample from IRS's entire payroll and not just
from employees who used manual time cards.
[36] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[37] NFC is a component of the Department of Agriculture that provides
administrative and financial services to many federal agencies,
including IRS. IRS forwards personnel and payroll data to NFC to
process its payroll.
[38] See Pub. L. No. 111-31, div. B, tit. I, 123 Stat. 1853 (June 22,
2009); see also Thrift Savings Plan Bulletin for Agency TSP
Representatives No. 09-9, Participation in the Thrift Savings Plan
(Sept. 9, 2009), pp. 3-4.
[39] According to IRS officials, NFC was unable to explain how the
errors occurred or why they stopped in November 2009.
[40] See TSP regulation, 5 C.F.R. § 1605.12 (Removal of Erroneous
Contributions), which provides that after 1 year the erroneous amount
removed from the participant's account will not be returned to the
participant's employing agency and will instead be used to offset TSP
administrative expenses.
[41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[42] SAS No. 70, Service Organizations, provides guidance (1) on the
factors an independent auditor should consider when auditing the
financial statements of an entity that uses a service organization to
process certain transactions and (2) for independent auditors who
issue reports on the processing of transactions by a service
organization for use by other auditors. NFC is considered a "service
organization" as defined by SAS No. 70. SAS No. 70 will be replaced by
Statement on Standards for Attestation Engagements No. 16, Reporting
on Controls at a Service Organization, effective June 15, 2011, and by
Clarified Statement on Auditing Standards, Audit Considerations
Relating to an Entity Using a Service Organization, effective December
15, 2012.
[43] Department of Agriculture, Office of Inspector General, Audit
Report: Statement on Auditing Standards No. 70 Report on National
Finance Center Controls, Report No. 11401-33-FM (Washington, D.C.,
Sept. 24, 2010).
[44] GAO, Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures, [hyperlink,
http://www.gao.gov/products/GAO-04-553R] (Washington, D.C.: Apr. 26,
2004).
[45] IRS enters into agreements with other entities, including federal
agencies, state governments, and private organizations, to provide
services on a reimbursable basis. IRS refers to these entities as
customers.
[46] BFC's mail room staff consists entirely of contract employees who
are required to pass a background check.
[47] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[48] GAO, Management Report: Improvements Needed in IRS's Accounting
Procedures and Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-02-746R] (Washington, D.C.: July 18,
2002); Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-03-562R]
(Washington, D.C.: May 20, 2003); Management Report: Improvements
Needed in IRS's Internal Controls and Accounting Procedures,
[hyperlink, http://www.gao.gov/products/GAO-04-553R] (Washington,
D.C.: Apr. 26, 2004); Management Report: Improvements Needed in IRS's
Internal Controls, [hyperlink,
http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27,
2005); and Management Report: Improvements Needed in IRS's Internal
Controls, [hyperlink, http://www.gao.gov/products/GAO-08-368R]
(Washington, D.C.: June 4, 2008).
[49] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[50] IRM § 10.23.2.2, General Investigative Requirements (Oct. 16,
2008), and IRM § 10.23.2.8, Staff-Like Access (Apr. 4, 2008).
[51] IRM § 10.5.1.5.5, Personnel Engaged in Procurement Activities
(May 5, 2010).
[52] IRM § 10.23.2.6, Position Sensitivity Risk Designation Levels
(Oct. 16, 2008). A COTR is an authorized representative of the
contracting officer (CO) acting within the limits of his or her
authority as delegated by the CO. The COTR is generally responsible
for monitoring contract performance and furnishing technical direction
to the contractor after award, evaluating whether contractors are
meeting their duties and the requirements of the contract and
reporting back to the CO, performing receipt and acceptance functions,
and facilitating and administering administrative aspects of contracts.
[53] See [hyperlink, http://www.gao.gov/products/GAO-05-247R].
[54] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[55] The LSG outlines security guidelines for lockbox bank managers to
use so that they adhere to IRS's physical, personnel, and data
protection requirements to ensure protection of taxpayer receipts and
information.
[56] IRM § 3.8.45.19.3, Submission Processing Campus Receipt & Control
Requirements and Responsibilities (Jan. 1, 2011), and LSG 2.15(5),
Official Receipt for Transport of IRS Lockbox Deposit Form (Jan. 1,
2011).
[57] When IRS receives mail containing taxpayer information and
receipts, it is opened and sorted through various extraction methods.
Cash and noncash receipts are sometimes overlooked during the initial
mail extraction phase and are found later during further processing of
the mail. According to IRS, the identified receipts are called
"discovered remittances."
[58] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[59] IRM § 10.2.13.3.2.4 (1), Information Protection: Transmission
(Sept. 30, 2008).
[60] IRM § 5.1.2.4.3, Revenue Officer Procedures for Form 795/795A
(July 13, 2010); IRM § 5.1.2.4.5.1, Form 795 Follow up (July 13,
2010), and IRM § 5.1.2.4.4, Collection Field Clerical Staff Procedures
for Form 795/795A Processing (Aug. 15, 2008).
[61] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[62] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[63] IRM § 10.2.2, Physical Security Compliance Reviews (Sept. 26,
2008).
[64] Post orders are step-by-step procedures that specifically guide
security guards in their current duties. The post orders specify the
duties of each guard or post officer, along with instructions on how
to perform those duties.
[65] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[66] IRM § 10.2.11.9 (2)(c), Submission Processing Center and Facility
Security Level (FSL) IV Campus Protective Measures (Sept. 28, 2009).
[67] LSG § 2.3.2 (2)(h), Perimeter Security (Jan. 1, 2011).
[68] [hyperlink, http://www.gao.gov/products/GAO-02-746R].
[69] IFS is IRS's administrative accounting system, which IRS uses to
facilitate its core financial management activities, such as general
ledger, budget formulation, accounts payable, accounts receivable,
funds management, cost management, and financial reporting.
[70] The Asset Management Report is an electronic packing slip that
vendors provide to IRS prior to shipping the items ordered.
[71] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
[72] IRM § 2.14.1.9.1, ITAMS Asset (Device) Record (Sept. 21, 2007).
[73] See Internal Revenue Code, 26 U.S.C. § 6103 (Confidentiality and
Disclosure of Returns and Return Information).
[74] See the Privacy Act of 1974, which is codified, as amended, in
part at 5 U.S.C. § 552a(e)(10).
[75] IRM § 10.5.1.5.1, IRS Employees (May 5, 2010).
[76] These statistical samples were selected primarily to determine
the validity of balances and activities reported in IRS's financial
statements. We projected any errors in dollar amounts to the
population of transactions from which they were selected. In testing
some of these samples, certain attributes were identified that
indicated deficiencies in the design or operation of internal control.
These attributes, where applicable, were statistically projected to
the appropriate populations.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: