This is the accessible text file for GAO report number GAO-07-689R entitled 'Management Report: Improvements Needed in IRS's Internal Controls' which was released on May 14, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. May 11, 2007: The Honorable Mark W. Everson: Commissioner of Internal Revenue: Subject: Management Report: Improvements Needed in IRS's Internal Controls: Dear Mr. Everson: In November 2006, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2006, and 2005, and on the effectiveness of its internal controls as of September 30, 2006.[Footnote 1] We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2006, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2006 audit report, they all warrant management's consideration. This report contains 21 recommendations that we are proposing IRS implement to improve its internal controls. We conducted our audit in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our audit of IRS's fiscal year 2006 financial statements, we identified a number of internal control issues that adversely affected tax data, tax receipts, tax refunds, taxpayer penalties and fees, tax liens, and property and equipment. These issues concern: (1) encryption of off-site taxpayer data files, (2) placement of security cameras at tax return processing facilities, (3) manual refund policies and procedures, (4) refunds to taxpayers who owe payroll taxes, (5) assessment of taxpayer penalties, (6) timeliness of tax lien releases, (7) processing of Installment Agreement fees, and (8) procurement and security of property and equipment. Specifically, we found the following: * At three of the four lockbox banks[Footnote 2] we visited, the banks did not encrypt off-site backup files containing taxpayer information as required by IRS's guidelines. * At two of the six service center campuses (SCCs) we visited, security cameras did not provide complete coverage of the building exterior or the facility's external perimeter. * At two service center campuses, employees responsible for initiating manual refunds were not always monitoring taxpayer accounts to prevent duplicate refunds or documenting their review. * IRS issued refunds to taxpayers who owed trust fund recovery penalties associated with unpaid payroll taxes. * Errors in IRS's computer programs caused it to charge taxpayers excess penalties. * IRS did not always timely release its liens against taxpayers because it did not have procedures to expeditiously research and apply available credits from one tax period of the taxpayer's account to other tax periods that contained outstanding balances. * IRS did not always timely release its liens against taxpayers because it did not always follow its procedures to timely record bankruptcy discharges. * IRS did not always follow its policy of maintaining documentation to demonstrate that it delivered lien releases to the local court house after taxpayers fully satisfied their outstanding tax liabilities. * Errors occurred in IRS's processing of installment agreement user fees it collected from taxpayers. * At one site we visited, internal controls were not adequate to secure and safeguard property and equipment. The issues noted above increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed; (2) erroneous tax refunds could be issued; (3) taxpayers could be charged excess penalties or incorrect user fees; (4) tax liens may not be released promptly; and (5) physical assets could be stolen. At the end of our discussion of each of the issues in the following sections, we make recommendations for strengthening IRS's internal controls. These recommendations are intended to bring IRS into conformance with its own policies and with the internal control standards that all federal executive agencies are required to follow.[Footnote 3] In its comments, IRS agreed with our recommendations and described actions it had taken or planned to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provide our evaluation. Scope and Methodology: This report addresses issues we observed during our audit of IRS's fiscal years 2006 and 2005 financial statements. As part of this audit, we tested IRS's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. We conducted our fieldwork between January 2006 and November 2006. To assess internal control issues related to safeguarding taxpayer receipts and information, we visited six SCCs and four lockbox banks; for issues related to tax refunds, we visited two SCCs; and for issues related to property and equipment, we performed our testing at five IRS offices. Further details on our audit scope and methodology are included in our report on the results of our audits of IRS's fiscal years 2006 and 2005 financial statements[Footnote 4] and are reproduced in enclosure II. Safeguarding Backup Media: Lockbox banks are financial institutions under contract with the federal government to process mail-in tax payments and related documents on behalf of IRS. IRS expects these lockbox banks to appropriately safeguard the confidentiality of tax returns and the related information they process. Accordingly, IRS established requirements in its Internal Revenue Manual (IRM)[Footnote 5] and lockbox security guidelines (LSG)[Footnote 6] addressing backup procedures for information media (e.g., data tapes, cartridges, etc.) processed at lockbox banks. Specifically, in addition to specifying that backup media be stored off-site for recovery purposes and that the off-site storage location be geographically separate from the lockbox bank location, these requirements state that backup media containing taxpayer information must be encrypted prior to transmitting the information to a storage location outside of IRS's facilities. GAO's Standards for Internal Control in the Federal Government require that agencies establish physical controls to secure and safeguard vulnerable data and media files to reduce the risk of unauthorized use or loss to the government. In addition, the Office of Management and Budget (OMB) issued a memorandum[Footnote 7] in June 2006 requiring that all federal departments and agencies encrypt personally identifiable information that is physically transported outside of the agency's secured, physical perimeter. However, during our fiscal year 2006 audit, we found that three of the four lockbox banks we visited sent unencrypted backup tapes that contained taxpayer information to off-site storage facilities. When we initially notified IRS of the lack of encryption of backup tapes sent to off-site locations, IRS responded that two of the three lockbox banks would cease using off-site storage facilities and would instead securely store these backup tapes on-site at the lockbox bank. While retaining the backup information on-site avoids exposing it to potential compromise during transmission, it is inconsistent with the IRM and federal information security standards for off-site storage[Footnote 8] and thus increases the risk that the backup information may be lost along with the current information in the event of disaster, whether of accidental, criminal, or natural origin. At the third lockbox bank, we were informed that the bank would request a waiver from IRS's encryption requirement. However, granting of such a waiver by IRS is not consistent with the requirement contained in the OMB memorandum. Shipping unencrypted backup data off-site increases the risk that data containing taxpayer information may be compromised. During fiscal year 2006, IRS began conducting annual physical security reviews of lockbox banks to monitor their performance and adherence to key IRS physical security policies and procedures. In carrying out its reviews, IRS uses a physical security data collection instrument to assess controls and record the results of those assessments. While these reviews address various controls designed to safeguard taxpayer receipts and information, they do not address key controls designed to safeguard backup media containing personally identifiable information. For example, there are no questions on the physical security data collection instrument designed to ascertain whether lockbox banks are complying with the requirement to have backup tapes, which contain sensitive information, encrypted and stored at an approved off-site location. The lack of routine monitoring by IRS officials regarding data encryption and off-site storage of backup media increases the risk that lockbox bank deviations from related IRS procedures may not be timely identified, thereby increasing the risk of loss, theft, and/or misuse of media files containing taxpayer information. Recommendations: We recommend that IRS: * enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information; * ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 LSG; and: * revise instructions for its annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off- site location. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the encryption and storage of backup media containing federal taxpayer information. IRS indicated it will implement an Information Technology Security Audit Process by July 2007 and use it to ensure compliance with its policy of requiring that all lockbox banks encrypt backup media containing federal taxpayer information. IRS also indicated it will use this audit process to validate that all backup media, including files that may need to be recovered, are stored off-site. In addition, IRS stated that it will modify the Lockbox Security Guidelines to emphasize that all backup media, including files that may need to be recovered, is to be stored off-site. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. Maintenance and Placement of Security Cameras: To safeguard the hundreds of billions of dollars in payments and the related information entrusted to it annually by the nation's taxpayers, IRS has implemented physical security controls intended to prevent unauthorized access to its tax return processing facilities. Among these controls are security cameras, also referred to as closed circuit television (CCTV) cameras, which are used to aid security personnel in monitoring the exterior of these facilities. To be effective, security cameras must be properly maintained and placed at critical locations to collectively provide an unobstructed view of the entire exterior of the facility. However, at two of the six SCCs we visited during our fiscal year 2006 audit, we found that security cameras monitoring the facilities' exterior did not allow security personnel unobstructed coverage of the entire fence line of the property and the perimeter of the facility. At one of these SCCs, we found that guards were aware of the obstructions and had reported them to their superiors. However, no corrective actions were initiated nor was a time frame established identifying when the obstructions and weaknesses in the CCTV cameras would be corrected. Specifically, we found: * At one SCC, the views of five security cameras used to monitor the perimeter of the buildings were obstructed by trees situated between the cameras and the property fence line. In addition, the views of two other exterior security cameras were obstructed by a structural support column. * At the second SCC, three security cameras' views of entrances/exits and the perimeter of certain buildings were obstructed by overgrown trees and shrubs. GAO's Standards for Internal Control in the Federal Government require that management establish physical controls to secure and safeguard vulnerable assets and that access to resources and records should be limited to authorized individuals. Further, the IRM guidelines for security cameras at SCCs include placing cameras at critical locations to provide direct visual monitoring from a vantage point. However, because IRS's security cameras at SCCs do not always provide unobstructed exterior coverage of the entire fence line and perimeter of its facilities, the risk is increased that unauthorized individuals may access IRS facilities and compromise taxpayer records and data and/ or disrupt operations. Over the past 2 years, IRS has implemented quarterly physical security reviews of key perimeter access and other controls designed to monitor physical security controls used to safeguard taxpayer information and receipts and IRS's facilities, employees, taxpayers, and other visitors. These reviews include assessing whether security cameras at SCCs provide complete and unobstructed exterior coverage of the entire fence line and perimeter of the facility. However, we found that analysts performing these reviews are not required to (1) document planned implementation dates of the corrective actions cited to address any issues identified, and (2) follow up on prior findings to assess whether they were appropriately addressed according to plans. To be effective, any issues identified by these reviews should be systematically documented, appropriate corrective actions planned, and their status formally tracked to monitor disposition and final closure. Absent this, IRS lacks assurance that issues affecting CCTV cameras identified during these reviews are being effectively communicated and promptly and appropriately addressed. Recommendations: We recommend that IRS: * develop and implement appropriate corrective actions for any gaps in CCTV camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions; and: * revise instructions for quarterly physical security reviews to require analysts to (1) document any issues identified as well as planned implementation dates of corrective actions to be taken and (2) track the status of corrective actions identified during the quarterly assessments to ensure they are promptly implemented. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the maintenance and placement of security cameras at SCCs. IRS indicated that it is developing a plan to assess all CCTVs and mitigate findings by December 30, 2007. IRS also indicated that by June 30, 2007, it will implement procedures requiring Physical Security Analysts to document concerns identified during quarterly reviews, establish corrective action implementation dates, and track corrective actions to ensure they are implemented. Because IRS's planned actions in this area will not be completed for our fiscal year 2007 audit, we will evaluate the effectiveness of IRS's efforts during future audits. Manual Refund Policies and Procedures: IRS's internal controls for processing manual refunds were not fully effective in minimizing the risk of issuing duplicate refunds. We found that employees responsible for initiating manual refunds at the two service center campuses we visited were not always adhering to IRS's policies and procedures intended to minimize this risk. Specifically, manual refund initiators were not appropriately (1) monitoring taxpayer accounts to prevent duplicate refunds, or (2) documenting their monitoring activity. GAO's Standards for Internal Control in the Federal Government require that control activities, which are identified as necessary and described in the agency's policies and procedures, are in place and being applied properly so that only valid transactions are processed. Additionally, the IRM requires manual refund initiators to monitor manual refund accounts and to appropriately document their monitoring activities to prevent the issuance of a duplicate refund. However, because IRS staff at the two centers we visited did not consistently follow these procedures, the risk of duplicate refunds is increased. Most refunds are generated automatically by IRS's automated systems after the taxpayers' returns are posted to their accounts. However, in certain situations, various units within IRS's campuses process refunds manually to expedite the refund process when it is considered to be in the best interest of IRS or the taxpayer. A manual refund is a refund that is not generated through routine IRS automated system processing. Manual refunds bypass most of the automated validity checks performed and may be issued within a few days of initiation. However, while manual refunds can be paid out quickly, IRS's system does not record the manual refund generated on the taxpayer's master file account until several weeks after the manual refund is initiated. Conversely, automated refunds are first posted to the taxpayer's master file account and issued to taxpayers afterwards. The delay in recording manual refunds to taxpayer accounts increases the potential for erroneous or duplicate refunds because IRS's manual and automated refund processing are not systematically coordinated to prevent both refunds from being issued. To prevent duplicate refunds from being issued, the IRM requires manual refund initiators, who process manual refunds, to (1) closely monitor the taxpayer's account and (2) document their monitoring activity until the manual refund posts to the taxpayer's master file account. Once the manual refund posts to the master file, IRS's automated system is to prevent a duplicate automated refund from being issued. Throughout the period it takes for the manual refund to post, the manual refund initiators are responsible for monitoring the accounts for the posting of duplicate automated refunds. When manual refund initiators identify the posting of a duplicate automated refund, they must take the necessary action to stop the automated refund from actually being issued to the taxpayer. IRS provides a Manual Refund Desk Reference for manual refund initiators to use as a guide to initiate and process manual refunds. In most cases, the initiators primarily rely on the Manual Refund Desk Reference to process manual refunds and do not refer to the IRM. However, during our review of monitoring actions to prevent duplicate refunds at two service center campuses, we found the Manual Refund Desk Reference did not provide instructions to (1) monitor refund accounts to prevent duplicate refunds, and (2) document monitoring activity as required by the IRM. For example, at one site, the various units processing manual refunds were using different versions of the Manual Refund Desk Reference (i.e., April 2002, January 2003, April 2003, April 2004, March 2005, and April 2006), none of which complied with the IRM requirements. We also found that some of the initiators and their supervisors were not familiar with the procedures in the desk reference. As a result, the manual refund initiators in some of the units (1) were not monitoring the refund accounts to prevent the issuance of a duplicate refund; (2) stated that they monitor the taxpayer account, but were not documenting their monitoring activities; or (3) were only observing the account to see if the manual refund posted so they could close out their case, rather than also monitoring to detect and stop the issuance of duplicate automated refunds. As a result, the risk is increased that a duplicate refund generated will not be detected and stopped before being disbursed. Recommendations: We recommend that IRS: * revise procedures contained in the Manual Refund Desk Reference to reflect the IRM requirements for manual refund initiators to (1) monitor the manual refund accounts in order to prevent duplicate refunds, and (2) document their monitoring actions; * provide to all the IRS units responsible for processing manual refunds the same and most current version of the Manual Refund Desk Reference; and: * require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning monitoring manual refunds to prevent duplicate refunds and the need to document such monitoring actions. IRS stated that it will replace the Manual Refund Desk Reference with revisions to sections of its Internal Revenue Manual, which will be the official authoritative guidance for processing manual refunds and stated that it plans to inform its staff of this change by the end of May 2007. IRS also stated that it will ensure its managers and supervisors conduct training for manual refund initiators in its Submission Processing, Accounts Management, and Compliance operations to prevent the issuance of duplicate refunds, issue an information Alert to campuses, directing them to provide refresher training to the areas responsible for initiating manual refunds, and conduct classroom training for employees who initiate manual refunds. In addition, IRS indicated that it will ensure that Tax Examiners are reminded of their responsibility to monitor manual refunds to prevent the issuance of duplicate refunds and to document such monitoring. IRS stated that all of these actions will be complete by the end of July 2007. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. Refunds to Tax Debtors With Unpaid Payroll Taxes: During our fiscal year 2006 financial audit, we found that IRS issued refunds to tax debtors who still owed the government for unpaid payroll taxes. When an employer withholds taxes from an employee's wages, the employer is deemed to have a responsibility to hold these amounts "in trust" for the federal government until the employer makes a federal tax deposit in that amount.[Footnote 9] Employers are required to periodically deposit the withholdings from employees' wages with IRS. To the extent these withheld amounts are not forwarded to the federal government, the employer is liable for these amounts, as well as the employer's matching Federal Insurance Contribution Act (FICA)[Footnote 10] contributions. Individuals within the business (e.g., corporate officers) may be held personally liable for the withheld amounts not forwarded and assessed a civil monetary penalty known as a Trust Fund Recovery Penalty (TFRP).[Footnote 11] IRS has the authority to assess all responsible officers individually for the unpaid payroll taxes. Thus, IRS may record a TFRP assessment against several individuals for the employee-withholding component of the payroll tax liability of a given business in an effort to collect an employer's total tax liability. Although assessed to multiple parties, the employer's liability need only be paid once. When IRS records a TFRP assessment against an individual, it creates a separate subaccount on the taxpayer's master file account to distinguish this from the taxpayer's personal income tax liability. In our prior audits,[Footnote 12] we found errors involving IRS's failure to properly record payments made by individual officers to all related parties associated with the TFRP. Thus, as part of our fiscal year 2006 audit, we tested a statistical sample of payments recorded on TFRP accounts to determine the extent of any such errors in IRS's systems. In performing our work, we found that IRS issued refunds to seven individuals when they still had an outstanding balance in their TFRP account.[Footnote 13] In one of these cases, IRS recorded a TFRP assessment against the officer in 2001. The officer then filed joint individual tax returns with the officer's spouse in subsequent years and received three computer-generated refunds totaling approximately $6,700. According to the IRM, IRS is required to apply any overpayment of taxes from one tax period[Footnote 14] against outstanding tax liabilities from other tax periods before issuing a refund to the taxpayer. If a taxpayer made payments that exceeded the balance owed for one tax period (i.e., credits), IRS relies on its automated processes to check the taxpayer's account for outstanding balances in other tax periods or subaccounts and to apply these credits to outstanding balances before issuing a refund. However, IRS's computer program only checks for outstanding tax liabilities associated with the social security number (SSN) of the first person listed on joint tax returns and does not check for outstanding tax liabilities associated with the secondary SSN listed on the return. In the cases we identified, the officer owing the TFRP was the second person (secondary SSN) indicated on the joint tax return. Consequently, IRS's automated process failed to detect that the second person associated with the joint return owed the outstanding penalty assessment. This control deficiency cost IRS the opportunity to recover at least some of the outstanding balances owed on these accounts. Recommendations: We recommend that IRS: * enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary SSNs shown on a joint tax return and apply credits to those balances before issuing any refund; and: * instruct revenue officers making the TFRP assessments to research whether the responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account until the computer programming change can be completed. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning refunds to tax debtors with Trust Fund Recovery Penalties. IRS stated that the IRM instructs revenue officers to request entering a transaction code into its systems to freeze any potential refunds for all individuals liable for the TFRP. IRS noted that it has requested an IRS Counsel opinion on whether it would be acceptable for revenue officers to also freeze the refund of a liable taxpayer's spouse at the time of approval of the TFRP assessment or at the time the assessment is made. IRS stated that it would implement this change by August 2007 if the IRS Counsel determines that this action is appropriate. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. Assessment of Penalties: IRS's controls over its process for assessing penalties against taxpayers who owe outstanding taxes did not always ensure that the correct amounts of penalties were assessed. Under the Internal Revenue Code (IRC), IRS has the authority to assess penalties against taxpayers for a variety of reasons, such as the failure to pay taxes owed. IRS largely uses automated processes and systems to assess both interest and penalties using the parameters contained in the IRC, as stipulated in the IRM.[Footnote 15] For example, if the tax debtor fails to pay the taxes owed, IRS is required to assess penalties at one-half of 1 percent of the outstanding tax liability. IRS then increases this penalty rate from one-half of 1 percent to 1 percent if the taxpayer does not comply after repeated notifications. If the taxpayer pays off the outstanding balance, IRS is then required to reduce the penalty rate back to one-half of 1 percent on any subsequent tax assessment associated with this specific tax period. In our testing of a statistical sample of IRS interest and penalty calculations on 59 taxpayer accounts in IRS's master file from the first 9 months of fiscal year 2006, we found 2 instances where IRS's computer programs incorrectly calculated and assessed the failure to pay the penalty amount. In each case, IRS's computer program appropriately increased the penalty rate assessed against the taxpayer for failing to pay taxes owed from one-half of 1 percent to 1 percent when the taxpayer failed to pay following repeated notification of the taxes due. The taxpayer eventually paid the outstanding balance for the specific tax period. IRS then later assessed additional taxes against the taxpayer for the same tax period. However, the penalty calculation program did not reset the penalty rate back to one-half of 1 percent and continued to assess penalties related to the subsequent tax assessment at the higher 1 percent rate. As a result, IRS overassessed penalties against these taxpayers. After we brought this issue to its attention, IRS researched its master files and determined that the program errors would have affected taxpayer accounts where (1) the penalty rate had increased to 1 percent, (2) the taxpayer had subsequently paid off the balance for the tax period, and (3) IRS later assessed the taxpayer additional taxes owed for the same tax period. Its research indicated that the programming errors may have affected about 62,000 taxpayers with about 69,000 accounts in its current inventory of unpaid assessments.[Footnote 16] The total outstanding balance associated with these accounts was approximately $745 million. Although IRS was able to identify taxpayers who may have been affected by this error, its research did not determine whether any of these taxpayers may have already paid any overassessed penalties. Recommendations: We recommend that IRS: * correct the penalty calculation programs in its master file so that penalties are calculated in accordance with the applicable IRC and implementing IRM guidance; and: * research each of the taxpayer accounts that may have been affected by the programming errors to determine whether they contain overassessed penalties and correct the accounts as needed. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the overassessment of tax penalties. IRS stated that it implemented system changes in January 2007 to correct the penalty calculation program and the taxpayer accounts that were affected by the programming error. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. Timeliness of Lien Releases: Under the IRC, IRS has the power to file a lien against the property of any taxpayer who neglects or refuses to pay all assessed federal taxes. The lien serves to protect the interest of the federal government and as a public notice to current and potential creditors of the government's interest in the taxpayer's property.[Footnote 17] IRS uses its Automated Lien System (ALS)[Footnote 18] to process the initial filing of the lien as well as the lien release upon satisfaction of the tax liability. ALS generates the physical lien document, which IRS mails to the taxpayer's local courthouse to officially file the lien.[Footnote 19] Concurrent with generating the lien document, ALS electronically updates the taxpayer's account in IRS's master file to show that a lien was filed. The lien becomes effective when it is filed with a designated office, such as a courthouse, in the county where the taxpayer's property is located. Under section 6325 of the IRC, IRS is required to release federal tax liens within 30 days of the date the tax liability is satisfied or becomes legally unenforceable. The failure to promptly release tax liens could cause undue hardship and burden to taxpayers who are attempting to sell property or apply for commercial credit. In each year beginning with our audit of IRS's fiscal year 1999 financial statements, we found that IRS did not always release the applicable tax lien within 30 days of the tax liability being either paid off or abated as required by the IRC. During our fiscal 2006 financial audit, we continued to find weaknesses in the IRS lien release process that contributed to liens not being timely released. These weaknesses resulted from IRS relying too heavily on automated processes and employees who did not follow established procedures. Specifically, IRS did not (1) have procedures to promptly research and apply credits[Footnote 20] that were available in one tax period against the taxpayers' outstanding tax liabilities in other tax periods, (2) follow its procedures to promptly record bankruptcy discharges of tax liabilities, and (3) follow its procedures to maintain stamped billing support vouchers to document IRS's timely issuance of lien releases to the local courthouse. Timely Application of Credits: IRS's lien release process relies heavily upon its automated systems and the information that resides within these systems. Within its master file database, IRS records collection actions and the current status of tax debts through a series of codes. The codes, referred to as status and transaction codes, display a host of information, including whether the account is paid in full or otherwise satisfied. Consequently, the status and transaction codes in each taxpayer's account in IRS's database are critical to the timely release of liens. IRS's automated lien release process begins when a taxpayer's account is paid in full or otherwise relieved. Each week, the master file database automatically downloads to ALS all the satisfied taxpayer accounts with liens. When notified via the master file download that a taxpayer account with a lien has been fully paid or otherwise satisfied, ALS generates a lien release document. Since liens can cover tax debt arising from one or more tax periods,[Footnote 21] ALS will not generate a lien release document until all the tax periods covered by the lien are satisfied. In fiscal year 2006, IRS tested the effectiveness of its lien release process as part of implementing the requirements of OMB Circular No. A- 123,[Footnote 22] and we validated these test results. In reviewing IRS's test results for 84 statistically selected tax cases with liens in which the taxpayers' total outstanding liabilities were either paid off or abated, we identified 6 cases in which IRS did not release the liens within 30 days because it did not promptly apply tax credits available in one of the taxpayers' tax periods against the outstanding balances the taxpayers owed in other tax periods.[Footnote 23] In these 6 cases, the time between the point at which the taxpayer had credits available to satisfy all of their outstanding tax liabilities and release of the lien ranged from 37 days to 183 days. In one case, IRS recorded the taxpayer's entire payment against the outstanding tax liability in one tax period of the taxpayer's master file account and relied on the system to automatically transfer the amounts paid that exceeded the balance owed for that tax period (i.e., credits) to pay off the balances in other tax periods. In another case, IRS partially abated the tax assessed against the taxpayer for one tax period, creating a credit, and waited for its automated systems to transfer the credits or to generate a refund to the taxpayer. In each of these six cases, IRS relied on its automated systems to automatically transfer the credits. However, the automatic transfers did not occur within 30 days because the taxpayers' accounts contained freeze codes[Footnote 24] that prevented the automatic transfers. The presence of these freeze codes required IRS personnel to manually review and, as needed, resolve issues with the taxpayer's account before the credits could be applied to other outstanding tax period balances owed by the taxpayer. IRS eventually resolved the issues on the accounts of each of these six taxpayers and did not assess additional taxes against any of them. However, because IRS did not have procedures in place to promptly research and properly apply the credits, it did not release the liens against these taxpayers within the statutorily required 30 days. Timely Recording of Discharge by Bankruptcy Court: Taxpayers may have their tax liability fully discharged through bankruptcy filings. When a taxpayer is discharged of his or her tax liability by the bankruptcy court and the court notifies IRS, employees in IRS's Centralized Insolvency Office (CIO) are responsible for recording the discharge on the taxpayer's master file account or to manually record the lien release in ALS. As mentioned earlier, IRS's lien release process relies heavily upon its automated computer systems. Consequently, the Centralized Insolvency Office must record this information timely in order for IRS to complete the lien release process within 30 days. In reviewing IRS's lien release test results, we identified five cases in which IRS did not timely release the lien because it did not timely record that the taxpayer had been fully discharged of his or her tax liability by the bankruptcy courts.[Footnote 25] According to IRS, the lien release was delayed because Centralized Insolvency Office employees did not follow procedures established in the IRM. The IRM requires Centralized Insolvency Office employees to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in ALS on bankruptcy cases assigned to the unit. This was not done, resulting in the delay of the release of the tax liens associated with these cases. The time between the bankruptcy discharge and release of the liens in these five cases ranged from 52 days to 298 days. Maintaining Documentation to Support Lien Release: In a prior audit, we noted instances of long delays between the time that IRS generated the ALS lien release document and the official release date recorded at the local courthouse.[Footnote 26] Although some of these delays may have been attributable to delays by the courthouse in legally releasing the liens, IRS did not have procedures to track the status of lien releases up to the point of delivery to the local courthouse. Consequently, neither IRS nor we could determine if the delays occurred at IRS, at the local courthouse, or both. For this reason, we recommended that IRS establish procedures to track the status of lien releases up to the point of delivery to the local courthouse. In response to our recommendation, in fiscal year 2003, IRS established and implemented procedures to date stamp billing support vouchers[Footnote 27] to document the date it sent the lien release to the local courthouse. In reviewing IRS's lien release test results, we found nine cases in which IRS could not produce a date stamped billing support voucher to document when it sent the lien release to the local courthouse.[Footnote 28] During fiscal year 2005, IRS completed consolidation of its lien processing into one Centralized Lien Processing/Case Processing Unit at the Cincinnati Service Center Campus. According to IRS officials, employees in the Centralized Lien Processing/Case Processing Unit did not follow the IRM procedures for date stamping and maintaining copies of the billing support vouchers. Without a stamped billing support voucher, IRS was unable to provide evidence that it had sent the lien release to the local courthouse within the statutorily required 30 days. Recommendations: We recommend that IRS: * establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods; * establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods; * issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in ALS; and: * issue a memorandum to employees in the Centralized Lien Processing Unit reiterating the IRM requirement to date stamp and maintain the billing support voucher as evidence of timely processing by IRS. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the timeliness of tax lien releases. IRS stated that it issued a memorandum to all functions in January 2007 that directed liens to be released manually when systemic processes do not release liens, including when credit transfers are necessary between accounts, and noted that it plans to update the IRM to include the information contained in the memorandum by the end of May 2007. IRS also stated that it developed a report to identify cases where a bankruptcy discharge was granted by the court and a lien was filed on dischargeable periods so that, when appropriate, manual lien releases are requested to ensure timely release of the tax liens. IRS indicated that it updated the IRM in March 2007 with instructions for the new report and conducted training on the new report and process prior to issuing the IRM. In addition, IRS stated that in November 2006 it began a new process of scanning billing support vouchers and associating these vouchers with Specific Lien Identification (SLID) numbers in order to ensure the voucher is retrievable and to show liens were timely released. IRS noted that it had trained its employees on this process as it was rolled out. According to IRS, it will complete its 2007 OMB Circular A-123 review on the timeliness of lien releases by the end of May 2007, and will issue additional guidance by November 2007 if the review indicates that untimely tax lien releases and BSV errors still exist. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. Installment Agreement User Fees: During our fiscal year 2006 audit, we found that IRS's control procedures did not always prevent or detect errors that occurred in the recording of installment agreement[Footnote 29] (IA) user fees that IRS collects from taxpayers. When IRS enters into an IA arrangement with taxpayers to satisfy tax debts, it charges a user fee for services provided, whether establishing a new agreement or reinstating a previous agreement.[Footnote 30] IRS requires taxpayers to pay the user fee with the first installment payment by designating, on the remittance coupon IRS provides to the taxpayer, the user fee and tax payment amounts and submitting it to a lockbox bank. Errors can occur when taxpayers do not make the proper designations on remittance coupons, and IRS records improper user fee amounts or incorrectly applies payments to the taxpayers' debts. To identify and correct payment errors, IRS runs periodic edit routines on its master file records to identify cases where it did not collect IA user fees when it was entitled to do so and executes actions to transfer such user fees from the taxpayers' tax accounts to user fee accounts. IRS also runs edit checks to test the validity of the user fees it records in the master file by identifying (1) fees for which there is no installment agreement on file, (2) inconsistent user fee codes used for recorded fees, (3) duplicate user fees recorded, and (4) fees paid with dishonored checks from taxpayers. These edit checks result in the generation of an Installment Agreement Accounts Listing which provides details of items requiring further action. However, IRS did not always timely follow up and resolve items that appeared on the listing. We tested 12 transactions in which IRS recorded IA user fees in amounts that exceeded the amount that IRS was authorized to charge and found that 9 were recorded in error. Specifically, we found the following: * In four instances, IRS personnel erroneously recorded tax payments as IA user fees when no user fee was due and the entire amount should have been recorded against the taxpayers' tax debt. In the most egregious of these instances, IRS recorded a $15,000 tax payment as an installment agreement user fee when the maximum amount it could charge as IA fees was $43. IRS did not detect or correct this error in its normal course of operations. * In three instances, IRS was entitled to collect an IA user fee but deducted an incorrect user fee amount from the taxpayer's payment. For example, in one case, IRS recorded a taxpayer's payment of $200 as an IA user fee when only $43 should have been recorded as a user fee and the remaining $157 should have been recorded against the taxpayer's outstanding tax debt. * In the remaining two instances, IRS made erroneous adjustments to move payments from taxpayers' tax accounts to IA user fee accounts and thus recorded more user fees than it was entitled to receive. According to IRS, the errors we found that resulted in duplicate user fees, such as the fees recorded when none were due, appeared on the Installment Agreement Account Listing. The IRM requires that matters that appear on the listing be addressed within 5 business days. However, we found that IRS staff did not always timely and accurately resolve user fee errors that appeared on the listing as required in its IRM. The errors we found that appeared on the listing were not corrected until we brought them to IRS's attention. GAO's Standards for Internal Control in the Federal Government require agencies to (1) implement internal control procedures to ensure the accurate and timely recording of transactions and events, and (2) perform sufficient management review to detect and eliminate errors. By not properly recording IA user fees collected from taxpayers, IRS runs the risk of misstating its unpaid assessments and exchange revenue. Additionally, and most importantly, by not crediting taxpayer accounts with proper payments, IRS faces increased risk of charging interest and penalties to taxpayers who have satisfied their tax debts, or taking more stringent enforcement actions and overcollecting tax debts. Recommendations: We recommend that IRS: * monitor IA user fee activity on a regular basis, * adjust errors in recorded IA user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers, and: * establish sufficient review procedures to help ensure that adjustments to IA user fees collected from taxpayers are accurately and timely recorded. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the need for accurate and timely recording of installment agreement user fees and routing monitoring and review of this activity. IRS indicated that it currently uses the Installment Agreement Accounts Listings report to identify and resolve user fee errors, and that in January 2008 it will implement enhancements to this report. IRS stated that it currently utilizes a quarterly process to reconcile installment agreement payments and adjusts those with discrepancies or errors, but that it will increase the frequency of this reconciliation process from quarterly to weekly beginning in January 2008. IRS also indicated it will update the section of the IRM dealing with IA user fee review procedures by January 2008. Because IRS's planned actions in this area will not be completed for our fiscal year 2007 audit, we will evaluate the effectiveness of IRS's efforts during future audits. Property and Equipment: During our fiscal year 2006 audit, we found that internal controls were not adequate to ensure the security and safeguarding of property and equipment at one of five locations we visited. At this location, IRS's designated secured storage area was not large enough to store all of the property and equipment not currently in use. Consequently, IRS stored its overflow inventory items, including computer equipment, in an unlocked room. At the same location, IRS allowed one individual to both order property and equipment from vendors and perform receipt and acceptance when the assets were delivered. GAO's Standards for Internal Control in the Federal Government state that an agency must establish physical control to secure and safeguard vulnerable assets. In addition, the IRM requires Single Point Inventory Function (SPIF)[Footnote 31] personnel to have secured storage space where access is restricted to inventory personnel. GAO's standards further state that key duties and responsibilities should be divided or segregated among different people to reduce the risk of error or fraud. Such control activities are an integral part of an agency's accountability for stewardship of government resources. The storage of equipment in an unlocked room increases the risk that assets may be stolen or misplaced. Also, the lack of segregation of duties increases the risk that error, waste, or fraud may occur in the procurement process and not be detected and that IRS may pay for property and equipment that it did not receive. Recommendations: We recommend that IRS: * establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in- stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out; and: * develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning the secure storage of property and equipment and the separation of ordering and receipt duties. IRS stated that it is identifying locations that need additional secured storage space and will obtain the necessary space as appropriate. IRS also stated that it has policies and procedures in place regarding the separation of receipt and acceptance duties but will reissue communications to remind those with procurement authority about the specific IRS acquisition procedure which provides this guidance. We will evaluate the effectiveness of IRS's efforts in this area during our audit of IRS's fiscal year 2007 financial statements. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Minority Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation and IRS Oversight and Long-Term Growth, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Minority Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice-Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of the Office of Management and Budget; the Chairman of the IRS Oversight Board; and other interested parties. The report is available at no charge on GAO's Web site at http://www.gao.gov. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2006 and 2005 financial statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III. Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 3: [End of section] Enclosure I: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Washington, D.C. 20224: Commissioner: May 2, 2007: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft of the Fiscal Year (FY) 2006 Management Report titled, Improvements Needed in IRS's Internal Controls (GAO-07-689R). As GAO noted in the report titled, Financial Audit. IRS's Fiscal Years 2006 and 2005 Financial Statements, we continue to make progress in addressing our financial management challenges and have substantially mitigated weaknesses in our internal controls. In FY 2006, we improved the reliability of our property and equipment (P&E) accounting records and streamlined our analysis of P&E transactions most susceptible to misclassification. These improvements along with the progress we made last year enabled you to conclude that P&E no longer constitutes a reportable condition. We believe our work this year in implementing corrective actions will further improve our financial management. I have enclosed a response which addresses all of your recommendations separately. We appreciate your recommendations to strengthen our controls over encryption of data files, facilities security, property and equipment, and improving financial management. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact Janice Lambert, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Mark W. Everson: Enclosure: GAO Recommendations and IRS Responses to GAO FY 2006 Management Report Improvements Needed in the IRS's Internal Controls GAO-07-689R: Recommendation: Enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information. Comments: We agree with this recommendation. We will ensure compliance with the policy of requiring all lockbox banks to encrypt backup media containing federal taxpayer information through the Information Technology Security Audit Process that will be implemented by July 2007. Recommendation: Ensure that lockbox banks store backup media containing federal taxpayer information at an offsite location as required by the 2006 Lockbox Security Guidelines (LSG). Comments: We agree with this recommendation. By July 2007, as part of our Information Technology Security Audit Process, we will validate that all backup media, including files that may need to be recovered, are stored offsite. By July 2007, we will modify the Lockbox Security Guidelines (LSG) to emphasize that all backup media, including files that may need to be recovered, will be stored offsite. Recommendation: Revise instructions for IRS annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate offsite location. Comments: We agree with this recommendation. We will ensure that the annual Information Technology Security Audit Process which will be implemented by July 2007 includes a review to ensure backup media containing personally identifiable information (PII) are encrypted and also stored at an appropriate offsite location. Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the service center campuses (SCC's) perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. Comments: We agree with this recommendation. Mission Assurance and Security Services (MA&SS) Physical Security & Emergency Preparedness (PS&EP) is developing a plan to assess all CCTVs and mitigate findings by December 30, 2007. Recommendation: Revise instructions for quarterly physical security reviews to require analysts (1) document any issues identified and planned implementation dates of corrective actions to be taken and (2) track the status of corrective actions identified during the quarterly assessments to ensure they are promptly implemented. Comments: We agree with this recommendation. By June 30, 2007, MA&SS will implement procedures requiring Physical Security Analysts to document concerns identified during quarterly reviews, establish corrective action implementation dates, and track corrective actions to ensure they are implemented. Recommendation: Revise procedures contained in the Manual Refund Desk Reference to reflect the Internal Revenue Manual (IRM) requirements for manual refund initiators to (1) monitor the manual refund accounts in order to prevent duplicate refunds, and (2) document their monitoring actions. Comments: We agree with this recommendation. We will replace the Manual Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official authoritative guidance for processing manual refunds. We will inform Submission Processing sites and other IRS staff of this change by the end of May 2007. Recommendation: Provide to all the IRS units responsible for processing manual refunds the same and most current version of the Manual Refund Desk Reference. Comments: We agree with this recommendation. We will replace the Manual Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official authoritative guidance for processing manual refunds. We will inform Submission Processing sites and other IRS staff of this change by the end of May 2007. Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. Comments: We agree with this recommendation. Wage and Investment (W&I) will ensure its managers and supervisors conduct training for manual refund initiators in its Submission Processing, Accounts Management, and Compliance operations to prevent the issuance of duplicate refunds. Submission Processing will issue an Information Alert to the campuses, directing them to provide refresher training to the areas responsible for initiating manual refunds. Accounts Management will also conduct classroom training for employees who initiate manual refunds. Compliance will ensure the Integrated Data Retrieval System (IDRS) Morning Message includes a reminder about Tax Examiners responsibility to monitor manual refunds to prevent the issuance of duplicate refunds and document monitoring accordingly. The IDRS Morning Message will refer Tax Examiners to the appropriate IRM, and this issue will also be discussed in follow-up unit meetings in all W&I Compliance campuses. We will complete all of these actions by the end of July 2007. Recommendation: Enhance IRS's computer program to check for outstanding tax liabilities associated with both the primary and secondary social security numbers (SSNs) shown on a joint tax return and apply credits to those balances before issuing any refund. Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs the revenue officer to prepare Form 3177, Notice of Action on the Master File, to request input of the transaction code (TC) 130 to freeze any potential refunds for all individuals liable for the Trust Fund Recovery Penalty (TFRP). While the systemic cross reference will occur when a joint return is filed, we have requested an IRS Counsel opinion to determine if it would be acceptable for the revenue officer to also freeze the refund of any spouse at the time of the approval of the Form 4183, Recommendation re: Trust Fund Recovery Penalty Assessment, or at the time the TFRP assessment is made because the TC 130 freeze would also freeze the refund of the non-liable spouse if a separate return was filed. If IRS Counsel determines that this action is appropriate, we will implement this change by August 2007. Recommendation: Instruct Revenue Officers making the TFRP assessments to research whether the responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account until the computer programming change can be completed. Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs the revenue officer to prepare Form 3177, Notice of Action on the Master File, to request input of the transaction code (TC) 130 to freeze any potential refunds for all individuals liable for the Trust Fund Recovery Penalty (TFRP). While the systemic cross reference will occur when a joint return is filed, we have requested an IRS Counsel opinion to determine if it would be acceptable for the revenue officer to also freeze the refund of any spouse at the time of the approval of the Form 4183, Recommendation re: Trust Fund Recovery Penalty Assessment, or at the time the TFRP assessment is made because the TC 130 freeze would also freeze the refund of the nonliable spouse if a separate return was filed. If IRS Counsel determines that this action is appropriate, we will implement this change by August 2007. Recommendation: Correct the penalty calculation programs in IRS's master file so that penalties are calculated in accordance with the applicable Internal Revenue Code (IRC) and implementing IRM guidance. Comments: We agree with this recommendation. We implemented a system change in January 2007 to correct the penalty calculation program. Recommendation: Research each of the taxpayer accounts that may have been affected by the programming errors to determine whether they contain over-assessed penalties and correct the accounts as needed. Comments: We agree with this recommendation. We implemented a system change in January 2007 that corrected debit balance taxpayer accounts affected by the programming error. Recommendation: Establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. Comments: We agree with this recommendation. The Deputy Commissioner for Services and Enforcement issued a memorandum to all functions titled, "Servicewide Action to Prevent Late Lien Releases" in January 2007. The memorandum directed manual lien releases when systemic processes do not release liens, including when credit transfers are necessary between accounts. The IRM will be updated to include the information contained in the Deputy Commissioner memorandum by the end of May 2007. Recommendation: Establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods. Comments: We agree with this recommendation. The Deputy Commissioner for Services and Enforcement issued a memorandum to all functions titled, "Servicewide Action to Prevent Late Lien Releases" in January 2007. The memorandum directed manual lien releases when systemic processes do not release liens, including when credit transfers are necessary between accounts. The IRM will be updated to include the information contained in the Deputy Commissioner memorandum by the end of May 2007. Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in master file or to manually release the liens in the Automated Lien System (ALS). Comments: We agree with this recommendation. The Centralized Insolvency Operation developed a report to identify cases where a discharge was granted by the court, and a lien was filed on dischargeable periods. When appropriate, manual lien releases are requested to ensure timely release of Notice of Federal Tax Liens. This report is generated and worked weekly, and quarterly reviews are conducted by Campus Compliance analysts to ensure that appropriate actions were taken. We included instructions in IRM 5.9 dated March 2007 and conducted training on the new report and process prior to the issuance of the IRM. IRS will complete its 2007 A-123 review on the timeliness of lien releases at the Centralized Lien Unit by the end of May 2007. We will determine if the new bankruptcy discharge guidance reduced the incidence of untimely releases, and if errors still exist, we will issue additional guidance by November 2007. Recommendation: Issue a memorandum to employees in the Centralized Lien Processing Unit reiterating the IRM requirement to date stamp and maintain the billing support voucher as evidence of timely processing by IRS. Comments: We agree with this recommendation. The IRM for the Centralized Lien Unit (CLU) contains direction to date stamp and maintain the billing support voucher (BSV) as evidence of timely release of the federal tax lien. In November 2006, the CLU began a new process of scanning BSVs, and associated BSVs with Specific Lien Identification (SLID) Numbers in order to ensure the BSV is retrievable and to show liens were timely released. We trained employees on this process as it was rolled out. IRS will complete the 2007 A-123 review on the timeliness of lien releases at the CLU by the end of May 2007. We will determine if new BSV procedures reduced the incidence of missing BSVs, and if we find BSV errors occurred after implementation of the new process, we will issue additional guidance by November 2007. Recommendation: Monitor installment agreement (IA) user fee activity on a regular basis. Comments: We agree with this recommendation. We currently use reports from the Collection Activity and Interim Revenue Accounting Control System (IRACS) to monitor and report on IA activity each month. We extract from these reports the number of IA's issued, number of user fees paid, and user fee dollar amounts. The Chief Financial Officer (CFO) and Small Business/Self-Employed (SB/SE) Headquarters offices use these reports to conduct trend analyses, such as month-to-month and year-to-year comparisons, and to identify potential issues related to the proper posting of user fee revenue. We also use the Installment Agreement Accounts Listings (IAAL) report to resolve user fee errors. In January 2008, we will implement enhancements to the IAAL, add it to Desktop Integration (DI), and will increase the frequency of the sweep process used to correct accounts from quarterly to weekly. Recommendation: Adjust errors in recorded IA user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers. Comments: We agree with this recommendation. We currently use a quarterly sweep process that reconciles installment agreement payments and adjusts those with discrepancies or errors to ensure that fees are accurately posted to the user fee account. In January 2008, we will increase the frequency of the sweep process from quarterly to weekly. Recommendation: Establish sufficient review procedures to help ensure that adjustments to IA user fees collected from taxpayers are accurately and timely recorded. Comments: We agree with this recommendation. We currently use the Installment Agreement Accounts Listings (IAAL) to identify accounts with user fee errors, underpayments, and overpayments that require adjustments. W&I consolidated the IAAL at one location to provide improved oversight of the process. The IAAL is reviewed by W&I and SB/ SE program analysts, managers, operations management, and headquarters staff. In January 2008, we will implement enhancements to the IAAL, add it to Desktop Integration (DI), and will increase the frequency of the sweep process used to correct accounts from quarterly to weekly. We will update IRM 5.19.1 to include DI requirements for case analysis and documentation by the January 2008 implementation. Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard IRS property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. Comments: We agree with this recommendation. We are identifying locations that need additional secured storage space and will obtain the necessary space as appropriate. Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. Comments: We agree with this recommendation. Policy and procedures are in place regarding separation of receipt and acceptance duties. We will reissue communications to remind those with procurement authority about IRS Acquisition Procedure, dated December 2002, which provides this guidance. Also, we will reference Policy and Procedures Memorandum No. 46.5, "Receipt, Quality Assurance and Acceptance," issued by the Office of Procurement Policy, which reiterates the separation of duties requirement. [End of section] Enclosure II: Details on Audit Methodology: To fulfill our responsibilities as the auditor of the Internal Revenue Service's (IRS) financial statements for fiscal years 2006 and 2005, we took the following actions: ² Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included selecting statistical samples of unpaid assessment, revenue, refund, accrued expenses, payroll, nonpayroll, property and equipment, accounts payable, and undelivered order transactions. These statistical samples were selected primarily to substantiate balances and activities reported in IRS's financial statements. Consequently, dollar errors or amounts can and have been statistically projected to the population of transactions from which they were selected. In testing these samples, certain attributes were identified that indicated either significant deficiencies in the design or operation of internal control or compliance with provisions of laws and regulations. These attributes, where applicable, can be and have been statistically projected to the appropriate populations. ² Assessed the accounting principles used and significant estimates made by management. ² Evaluated the overall presentation of the financial statements. ² Obtained an understanding of internal controls related to financial reporting (including safeguarding assets), compliance with laws and regulations (including the execution of transactions in accordance with budget authority), and the existence and completion assertions related to performance measures reported in the Management Discussion and Analysis. ² Tested relevant internal controls over financial reporting (including safeguarding assets) and compliance, and evaluated the design and operating effectiveness of internal controls. ² Considered IRS's process for evaluating and reporting on internal controls and financial management systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers' Financial Integrity Act of 1982, and Office of Management and Budget (OMB) Circular No. A- 123, Management's Responsibility for Internal Control. ² Tested compliance with selected provisions of the following laws and regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1) and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. § 1301); Release of lien or discharge of property (26 U.S.C. § 6325); Interest on underpayment, nonpayment, or extensions of time for payment of tax (26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611); Determination of rate of interest (26 U.S.C. § 6621); Failure to file tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31 U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C. § 206); Federal Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§ 8422, 8423, and 8432); Social Security Act, as amended (26 U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909); Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit. II, 118 Stat. 2809, 3199 (Dec. 8, 2004); and Department of the Treasury Appropriations Act, 2006, Pub. L. No. 109-115, div. A, tit. II, 119 Stat. 2396, 2432 (Nov. 30, 2005). Tested whether IRS's financial management systems substantially comply with the three requirements of the Federal Financial Management Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996): [End of section] Enclosure III: Staff Acknowledgments: Acknowledgments: The following individuals made major contributions to this report: John Davis, Assistant Director, Gloria Cano, Stephanie Chen, Nina Crocker, Oliver Culley, Chuck Fox, John Gates, Ted Hu, Richard Larsen, Olivia Lopez, Joshua Marcus, George Ogilvie, Jerrod O'Nelio, John Sawyer, Angel Sharma, Peggy Smith, LaDonna Towler, and Gary Wiggins. (196152): FOOTNOTES [1] GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006). [2] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government to perform certain financial services, including processing tax documents, depositing the receipts, and then forwarding the documents and data to IRS service center campuses, which update taxpayers' accounts. During fiscal year 2006, there were eight lockbox banks processing taxpayer receipts on behalf of IRS. [3] GAO, Standards for Internal Control in the Federal Government, GAO/ AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982). [4] GAO-07-136. [5] The IRM outlines business rules and administrative procedures and guidelines IRS uses to conduct its operations and contains policy, direction, and delegations of authority necessary to carry out IRS's responsibilities to administer tax law and other legal provisions. [6] The LSG outlines security guidelines for lockbox bank managers to use so that they adhere to IRS's physical, personnel, and data protection requirements to ensure protection of taxpayer receipts and information. [7] OMB, Protection of Sensitive Agency Information, M-06-16 (Washington, D.C.: June 23, 2006). [8] U.S. Department of Commerce, National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems (Washington, D.C.: December 2006). [9] 26 U.S.C. § 7501(a) The law further provides that withheld income and employment taxes are to be held in a separate bank account considered to be a special fund in trust for the federal government. 26 U.S.C. § 7512(b). [10] FICA provides for a federal system of old-age, survivors, disability, and hospital insurance benefits. Payments to trust funds established for these programs are financed by payroll taxes on employee wages and tips, employers' matching payments, and a tax on self-employment income. [11] See 26 U.S.C. § 6672 and implementing IRS guidance in the Internal Revenue Manual at § 4.23.9.13, Trust Fund Recovery Penalty (Mar. 1, 2003). [12] GAO-06-137. [13] The primary purpose of our test was to determine whether IRS properly recorded the sample payment to all related parties. However, we also performed other tests of IRS's controls using this same sample. Although we identified officers with outstanding balances on their TFRP accounts that received refunds from IRS, we are unable to project these results to IRS's population of TFRP accounts because the sampling unit was payments rather than accounts. [14] A "tax period" varies by tax type. For example, the tax period for individual income or corporate tax is 1 year. In contrast, a tax period for payroll and excise taxes is generally one quarter of a year. [15] See 26 U.S.C. § 6651 and implementing IRS guidance in the Internal Revenue Manual at § 20.1.2, Failure to File/Failure to Pay Penalties (July 31, 2001). [16] We reviewed IRS's criteria for identifying the affected taxpayers and concur that the problem was confined to those identified by IRS. Consequently, we did not project these errors to IRS's population of penalty assessments. [17] 26 U.S.C. §§ 6321, 6323. [18] ALS is a comprehensive database that prints federal tax liens and lien releases, stores taxpayer information, and documents lien activity. [19] The local courthouse is the courthouse in the county where the taxpayer's property is located. Liens can also be filed elsewhere as determined by state law. 26 U.S.C. § 6323. [20] Tax credits can result from taxpayer payments in excess of the tax liability owed for a specific tax period or from IRS's abatement of taxes in a specific tax period which the taxpayer had previously paid. Abatements are reductions to taxpayers' tax liabilities. In cases where the taxpayer had already paid the tax liability, the abatement would result in a credit that could be applied against other outstanding tax liabilities owed by the taxpayer or if none exist, would be refunded to the taxpayer. [21] IRS can file a lien on the taxpayer's property for one or multiple tax periods that contain an outstanding tax liability. [22] OMB revised Circular A-123, Management's Responsibility for Internal Control, in December 2004. The revised OMB Circular No. A-123, which first became effective in fiscal year 2006, included a new appendix, Appendix A, which prescribed a strengthened management process for assessing internal control over financial reporting for the 24 major executive branch departments and agencies. Circular A-123 also required a new management assurance statement specifically addressing the effectiveness of the internal control over financial reporting based on the results of management's assessment. [23] The primary purpose of IRS's test was to determine whether it released liens filed against taxpayers whose liability had either been paid off or abated in a timely manner. However, the sample was not designed to specifically identify the causes for any instances in which IRS did not release liens timely. Consequently, while we were able to determine the causes for those sampled cases in which liens were not timely released, we are unable to project each cause to the total population. We reviewed IRS's test procedures and concurred with its results. [24] IRS records "freeze codes" onto taxpayer accounts in the master file to prevent certain automated processes from occurring because these accounts may require additional manual review. [25] As noted earlier, the primary purpose of IRS's test was to determine whether it released liens filed against taxpayers whose liability had either been paid off or abated in a timely manner. The sample was not designed to specifically identify the causes for any instances in which IRS did not release liens timely. Consequently, while we were able to determine the causes for those sampled cases in which liens were not timely released, we are unable to project each cause to the total population. [26] GAO, Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls, GAO-02-746R (Washington, D.C.: July 18, 2002). [27] IRS uses the "billing support voucher" to support its payment for recording fees to the local courthouse. The billing support voucher lists all the lien releases sent to the local courthouse for processing on a given date. [28] Again, as the primary purpose of IRS's test was to determine whether it released liens filed against taxpayers whose liability had either been paid off or abated in a timely manner, the sample was not designed to specifically identify the causes for any instances in which IRS did not release liens timely. Consequently, we are unable to project each cause to the total population. [29] IRS is authorized by 26 U.S.C. § 6159 to allow taxpayers to enter into installment agreement arrangements to satisfy their tax debts. Under such arrangements, IRS agrees to let taxpayers pay their tax liabilities in installments over a specified period of time instead of immediately paying the amount in full. [30] IRS charges taxpayers IA user fees under the authority of 31 U.S.C. § 9701. For fiscal year 2006, the fee to establish a new IA was $43 and the fee to reinstate an old IA was $24. [31] Single Point Inventory Function units are responsible for the management and control of all computer equipment at all IRS offices. GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, D.C. 20548: Public Affairs: Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: