Summary
In November 2007, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2007, and 2006, and on the effectiveness of its internal controls as of September 30, 2007. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2007, regarding internal controls that could be improved for which we currently do not have a specific recommendation outstanding. Although not all of these issues were discussed in our fiscal year 2007 audit report, they all warrant management's consideration. This report contains 24 recommendations that we are proposing IRS implement to improve its internal controls. We will issue a separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one. We conducted our audit in accordance with U.S. generally accepted government auditing standards.
During our audit of IRS's fiscal year 2007 financial statements, we identified several internal control matters not addressed by previous recommendations. These matters concern the following: summary information reported in the Interim Revenue Accounting Control System (IRACS), IRS's general ledger system for tax-related transactions, could not be traced to the underlying detailed transaction records. Supervisory review procedures for IRS's unpaid assessments estimation process were not effective in preventing or detecting errors. Controls over computer programs affecting penalty assessments did not ensure that the programs always functioned in accordance with IRS's policies and procedures. Documentation of off-site Taxpayer Assistance Center (TAC) managers' reviews was not always readily available and, when provided, lacked the information needed to effectively assess the internal control environment at 5 of the 10 TACs we visited. In addition, these managers lacked clear, comprehensive, and up-to-date guidance for conducting and documenting TAC reviews. Computer access rights of employees responsible for processing cash deposits were not properly restricted to prevent unauthorized adjustments to certain taxpayer account information at 4 of the 10 TACs we visited. First responders to duress alarms were not always qualified or located to effectively respond to emergencies at 5 of the 10 TACs we visited. Documentary evidence demonstrating that background investigations--with favorable results--had been completed for contractors before they were given unescorted access to the facilities was not obtained at six TACs and three field offices we visited. Documentary evidence that background investigations--with favorable results--had been completed for contractors working at off-site shredding facilities was not obtained before they were given access to taxpayer and sensitive information. IRS also was not performing periodic, unannounced inspections of these facilities. New policies and procedures for hiring juveniles were not fully implemented. Evidence of supervisory reviews of documentation demonstrating compliance with key controls related to the processing of Tax Exempt/Government Entity (TE/GE) user fees was lacking. Key controls over IRS's purchase card program were not adequate. Information on new assets was not always recorded in IRS's property and equipment inventory system within required time frames. Travel authorizations for employees were not always approved before travel was initiated. These internal control matters increase the risk that IRS may fail to prevent or timely detect (1) errors in financial data and reporting, computer-generated penalty assessments, and user fee processing; (2) the loss, theft, or misuse of taxpayer receipts, information, and government property; (3) improper or fraudulent procurement; and (4) unauthorized travel.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Steven J. Sebastian
Government Accountability Office: Financial Management and Assurance
(202) 512-9521
Recommendations for Executive Action
Recommendation: The Commission of Internal Revenue should direct appropriate IRS officials to verify that when it becomes fully operational, Custodial Detail Data Base (CDDB), when used in conjunction with IRACS, will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Government Standard General Ledger (SGL) and Federal Financial Management Systems Requirements (FFMSR), and thus FFMIA.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS has agreed with this new recommendation. GAO will followup during our FY 2008 and subsequent audits to assess the effectiveness of IRS's implementation of CDDB and enhancements to IRACs.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to document and implement the specific procedures to be performed by the statistician in each step of the unpaid assessments estimation process.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation. Specifically, IRS stated that by June 30, 2008, it will document procedures to be performed by the statistician in each step of the unpaid assessments estimation process. Since this is a recent recommendation we issued on June 4, 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation. Specifically, IRS stated that by June 30, 2008, it will document procedures to be followed by reviewers during their review of the unpaid assessments statistical estimates. Since this is a recent recommendation we issued on June 4, 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: To address the inconsistency in assigning the effective date of an accuracy penalty, the Commissioner of Internal Revenue should direct the appropriate IRS officials to modify the Business Master File (BMF) computer program so that the date of the deficiency assessment is used as the effective date of any related accuracy penalty.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation concerning the modification of computer programs affecting penalty assessments. However, IRS stated that it will not be able to implement changes in its Business Master File computer program to establish the date of the deficiency assessment as the effective date of any related accuracy penalty until July 31, 2009. Since this is a recent recommendation issued in June 2008, we will evaluate the effectiveness of IRS's efforts in this area after they are fully implemented during future audits.
Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the Internal Revenue Manual (IRM).
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to review existing programs in the master files that affect penalty calculations. Specifically, IRS plans to complete its ongoing review of the master file programs to identify instances where they are not functioning in accordance with the intent of the Internal Revenue Manual by July 31, 2008. Since this is a recent recommendation issued in June 2008, we will evaluate the results of IRS's study as part of our audit of IRS's fiscal year 2008 financial statements.
Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to correct computer programs affecting penalty calculations. Specifically, IRS stated that it has initiated corrective actions in instances where programs were not functioning in accordance with the Internal Revenue Manual. Since this is a new recommendation we issued on June 2008, we will evaluate the effectiveness of IRS's efforts after they are fully implemented during future audits.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: The Internal Revenue Service (IRS) agreed with our recommendation concerning the need to develop updated guidance to help off-site TAC managers conduct reviews of outlying TACs. IRS stated that it would update the Internal Revenue Manual to include (1) the expectation that Area Directors are responsible and accountable for the oversight of all TAC activities, and (2) the requirement to maintain documentation of managerial reviews. IRS indicated that Field Assistance will use the remittance and security database to validate that all required reviews are complete. It will include directions related to this issue in the field operational reviews at the group, area, and territory levels by July 31, 2008. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Per IRS: IRS agreed with our recommendation concerning the need to better communicate updated guidance to help off-site TAC managers conduct reviews of outlying TACs. IRS stated that the Director, Field Assistance will issue a quarterly reminder for the required reviews beginning in July 2008. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish a mechanism to monitor compliance with the existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation and stated that it updated the IRM in April 2008 to require the use of the "restrict" command code on computer access rights for all employees with the responsibility for collecting cash. IRS indicated that the Form 809 annual reconciliation will now include a reminder to group managers of the requirement to restrict command codes. IRS also stated that it will direct areas and territories to review command code restrictions during on-going operational reviews, and it will look for ways to systemically monitor compliance. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning the qualifications and proximity of designated first responders to TAC duress alarms. IRS stated that it would reissue guidance by August 31, 2008 on the requirement that first responders be armed officials, such as onsite contract guards, Federal Protective Service Police, or local police. IRS indicated that it will monitor that Territory Managers are periodically verifying the accuracy of the call listing for first responders provided to the Security Console/Mega Center by requiring that managers put the date of verification on the monthly TAC Duress Alarm Report. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning the need for IRM modifications related to the qualifications and proximity of designated first responders to TAC duress alarms. IRS stated that it revised the IRM to include the requirement that first responders be armed officials, such as onsite contract guards, Federal Protective Service Police, or local police. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation and stated that it expects to have agreement with GSA on established procedures for performing background investigations on GSA contractors/janitors by October 31, 2009. IRS also stated that it will use compensating controls outlined in the IRM to safeguard valuable assets, such as financial instruments and taxpayer and other sensitive data, from GSA contractors until background check requirements are implemented. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts during future audits.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to require, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning off-site contractor access to sensitive information. IRS stated that it is developing a National Shred/Burn Contract that will result in standard security procedures for the handling of sensitive information and will require specialized background investigations for employees who handle these materials before granting them access to IRS information. IRS also stated that these contracts will include provisions requiring periodic, random, and unannounced inspections of contractor facilities in line with the IRM, which requires contract provisions to allow IRS inspections in order to ensure the safeguarding of IRS information. IRS stated that it expects to implement the National Contract by October 31, 2008. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts during future audits.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information, document the results, including identification of any security issues, and verify that the contractor has taken appropriate corrective actions on any security issues observed.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning off-site contractor access to sensitive information. IRS stated that it had revised the IRM to require contract provisions to allow IRS inspection of contractor facilities and operations to ensure the safeguarding of IRS information. IRS also stated that it is developing a National Shred/Burn Contract that will result in standard security procedures for the handling of sensitive information and will require specialized background investigations for employees who handle these materials before granting them access to IRS information and expects to implement the National Contract by October 31, 2008. Per GAO: This is a recent recommendation issued in June 2008. We will evaluate the effectiveness of IRS's efforts during future audits.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning off-site contractor access to sensitive information. IRS stated that it is developing a National Shred/Burn Contract that will ensure that contractor background investigations are completed before granting them access to IRS information. IRS stated that it expects to implement the National Contract by October 31, 2008. Per GAO: This is a recent recommendation issued in June 2008. GAO will evaluate the effectiveness of IRS's efforts during future audits.
Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to reinforce existing policies requiring IRS personnel to use the revised Form 13094 when hiring juveniles.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning reinforcing existing policies related to juvenile hiring. IRS stated that the Human Capital Office (HCO) issued a notice in September 2007 to each Employment Branch Chief emphasizing adherence and compliance with these policies. IRS indicated that it reemphasized these policies during a recent Continuing Professional Education meeting and will continue to send out periodic reminders. Per GAO: This is a recent recommendation issued in June 2008. GAO will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to reinforce existing policies requiring IRS personnel to verify the information on Form 13094 by contacting the reference directly and documenting the details of this contact.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation concerning reinforcing existing policies related to juvenile hiring. IRS stated that the Human Capital Office (HCO) issued a notice in July 2007 to each Employment Operations Centers reemphasizing the requirement to use the revised Form 13094 and to implement follow-up procedures on juvenile recommendations. IRS also stated that it revised the form 13094 in December 2007 to include a signature and date block where it will document the verification process. IRS indicated that it reemphasized these policies during a recent Continuing Professional Education meeting and will monitor policy compliance as a part of the HCO's accountability program reviews. Per GAO: This is a recent recommendation issued in June 2008. GAO will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenuse should issue a memorandum to Receipt and Control Operations (RCO) Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits, and (2) key documentation to be signed and dated by the supervisor as evidence of that review.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with our recommendation regarding supervisory review of user fee processing. Specifically, IRS stated that it issued a memorandum in April 2008 to appropriate managers reiterating the requirement to follow Internal Revenue Manual procedures for supervisory review of key Tax Exempt/Government Entity user fee documents and to sign or initial these documents as evidence of their review. Since this is a recent recommendation issued in June 2008, we will evaluate the effectiveness of IRS efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to provide for detailed internal control procedures over the review and reconciliation of monthly purchase card account statements. Specifically, IRS stated that its electronic Purchase Card Module, implemented in October 2007, allows cardholders and approving officials to electronically reconcile and approve purchase card transactions and maintains evidence of their signatures, approvals, and dates of action. Since this recommendation was recently issued in June 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation regarding modification of guidelines to require verification of funds before making purchase card purchases. Specifically, IRS stated that it issued guidance in July 2007 requiring verification of funds availability before purchases are made by cardholders and approved by managers. IRS further stated that this guidance was incorporated in the Internal Revenue Manual and purchase card training courses, and that its Requisition Tracking System must now show available funds in order to create a commitment for any purchase. Since this recommendation was recently issued in June 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to modify guidelines regarding the retention of supporting documents for purchase card transactions. Specifically, IRS stated that it modified its purchase card documentation guidelines in October 2007. Under this modified guidance, electronic records of purchase card activities and paper documents, such as packing slips and receipts, will be retained by IRS for 3 years. Since this is a recent recommendation issued on June 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase cardholders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as 3 years.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to modify guidelines regarding the retention of supporting documents for purchase card transactions. Specifically, IRS stated that it modified its purchase card documentation guidelines in October 2007. Under this modified guidance, electronic records of purchase card activities and paper documents, such as packing slips and receipts, will be retained by IRS for 3 years. Since this is a recent recommendation issued on June 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS existing policy requiring that new assets be inputted into the inventory system within 10 days after receipt.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation regarding the timely recording of new assets into the inventory system. Specifically, IRS stated that it will issue a memorandum by October 31, 2008 to all personnel responsible for updating inventory records that reiterates IRS's policy to record accountability data related to new assets into the inventory system within 10 days after receipt. We will review the memorandum to be issued during our audit of IRS's fiscal year 2008 financial statements and evaluate the effectiveness of IRS's efforts during future audits.
Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approval of travel authorizations prior to the initiation of their travel.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS agreed with this new recommendation to reiterate IRS policy regarding travel authorization. Specifically, IRS stated that it has already issued periodic notices to its employees in 2007 and 2008 that reiterated the policy to obtain approval of travel authorizations before initiation of travel. IRS also stated that from May through July 2008, it will implement an integrated travel system that will prevent employees from completing reservations in its online booking tool without an approved travel authorization. Since this is a recent recommendation issued on June 2008, we will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2008 financial statements.
