Summary
In November 2006, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2006, and 2005, and on the effectiveness of its internal controls as of September 30, 2006. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2006, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2006 audit report, they all warrant management's consideration. This report contains 21 recommendations that we are proposing IRS implement to improve its internal controls. We conducted our audit in accordance with U.S. generally accepted government auditing standards.
During our audit of IRS's fiscal year 2006 financial statements, we identified a number of internal control issues that adversely affected tax data, tax receipts, tax refunds, taxpayer penalties and fees, tax liens, and property and equipment. These issues concern: (1) encryption of off-site taxpayer data files, (2) placement of security cameras at tax return processing facilities, (3) manual refund policies and procedures, (4) refunds to taxpayers who owe payroll taxes, (5) assessment of taxpayer penalties, (6) timeliness of tax lien releases, (7) processing of Installment Agreement fees, and (8) procurement and security of property and equipment. The issues noted increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed; (2) erroneous tax refunds could be issued; (3) taxpayers could be charged excess penalties or incorrect user fees; (4) tax liens may not be released promptly; and (5) physical assets could be stolen.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Steven J. Sebastian
Government Accountability Office: Financial Management and Assurance
(202) 512-9521
Recommendations for Executive Action
Recommendation: IRS should enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reports evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost benefit analysis to determine the best solution. The tentative date for completion of the cost benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing personally identifiable information (PII), IRS plans to incorporate specific guidelines in the calendar year 2008 Lockbox Security Guidelines (LSG) to clearly require that all lockbox bank sites store back-up media containing PII in locked containers. The calendar year 2008 LSG was issued on December 19, 2007. During our fiscal year 2007 audit, we identified instances at all four lockbox banks we visited where backup data tapes containing federal taxpayer information were not encrypted. We will evaluate IRS's planned corrective actions during our ongoing fiscal year 2008 audit.
Recommendation: IRS should ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 Lockbox Security Guidelines.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reports evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost benefit analysis to determine the best solution. The tentative date for completion of the cost benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing PII, IRS plans to incorporate specific guidelines in the calendar year 2008 LSG to clearly require that all lockbox sites store back-up media containing personally identifiable information (PII) in locked containers. The calendar year 2008 LSG was issued in December 19, 2007. During our fiscal year 2007 audit, we identified instances at all four lockbox banks we visited where backup media containing federal taxpayer information was not stored at an off-site location. We will evaluate IRS's planned corrective actions during our ongoing fiscal year 2008 audit.
Recommendation: IRS should revise instructions for its annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reports evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost benefit analysis to determine the best solution. The tentative date for completion of the cost benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing PII, IRS plans to incorporate specific guidelines in the calendar year 2008 LSG to clearly require all lockbox sites store back-up media containing personally identifiable information (PII) in locked containers. The calendar year 2008 LSG was issued in December 19, 2007. For the Lockbox Electronic Network (LEN), it electronically transmits all transactional data, including federal taxpayer information, from the lockbox banks to IRS via the Martinsburg Computing Center, which is currently going to the Tennessee Computing Center. The electronic transmission securely transmits the data through the use of Virtual Private Network devices like the devices used at the computing centers which will encrypt the data as it is being transmitted. Effective March 2008, the LEN is being utilized to transmit the data to the Submission Processing Centers. Cartridges will only be used in the event of an emergency or contingency situation where the LEN transmission fails. We will continue to evaluate IRS's corrective actions in this area during our ongoing fiscal year 2008 audit.
Recommendation: IRS should develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstruction.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reports SCCs conducted an assessment of the CCTV systems concerning unobstructed views of fence lines and perimeters, and identified problems that were documented in an action plan developed in May 2007 and completed by February 2008. During our fiscal year 2007 audit, we identified instances at three of five SCCs we visited where security cameras did not provide an unobstructed view of the entire perimeter of the facility. We will evaluate IRS's corrective actions in this area during our ongoing fiscal year 2008 audit.
Recommendation: IRS should revise instructions for quarterly physical security reviews to require analysts to (1) document any issues identified as well as planned implementation dates of corrective actions to be taken and (2) track the status of corrective actions identified during the quarterly assessments to ensure they are promptly implemented.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported implementing procedures requiring Physical Security analysts to document issues/problems during quarterly reviews, establish corrective action due dates, and track progress to ensure implementation of all corrective actions. The new procedures and reporting formats were implemented in June 2007. Compliance with the procedures is monitored during Physical Security Area Director operational reviews and random sampling by the Program, Planning, and Policy Office. We verified that IRS revised its procedures and reporting formats to require its Physical Security Analysts to (1) document concerns identified during quarterly physical security reviews, (2) establish corrective action implementation dates, and (3) track those actions to ensure and monitor implementation.
Recommendation: IRS should revise procedures contained in the Manual Refund Desk Reference to reflect the Internal Revenue Manual (IRM) requirements for manual refund initiators to (1) monitor the manual refund accounts in order to prevent duplicate refunds, and (2) document their monitoring actions.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS satisfied the intent of this recommendation by issuing instructions for its employees to follow the official authoritative guidelines when processing manual refunds.
Recommendation: IRS should provide to all the IRS units responsible for processing manual refunds the same and most current version of the Manual Refund Desk Reference.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: Based on our review, we verified IRS satisfied the intent of this recommendation by instructing its employees to follow the official authoritative guidelines when processing manual refunds.
Recommendation: IRS should require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) managers and supervisors report taking steps to develop and provide refresher training programs to the manual refund initiators. We will review the effectiveness of IRS's corrective actions during our fiscal year 2008 financial statement audit.
Recommendation: IRS should enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary social security numbers shown on a joint tax return and apply credits to those balances before issuing any refund.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reported implementing the programming change after our fiscal year 2007 audit was completed. We will evaluate the effectiveness of IRS's corrective action during our ongoing fiscal year 2008 audit.
Recommendation: IRS should instruct revenue officers making the Trust Fund Recovery Program assessments to research whether the responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account until the computer programming change can be completed.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: Based on our review of the IRS interim guidance issued on July 23, 2007, we verified that IRS instructed Revenue Officers making TFRP assessments to research whether responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account.
Recommendation: IRS should correct the penalty calculation programs in its master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reported implementing system changes to correct the penalty calculation program. We will evaluate the effectiveness of IRS's corrective action during our fiscal year 2008 audit.
Recommendation: IRS should research each of the taxpayer accounts that may have been affected by the programming errors to determine whether they contain overassessed penalties and correct the accounts as needed.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: IRS reported implementing a system change which corrected outstanding taxpayer accounts affected by the programming error. We will evaluate the effectiveness of IRS's corrective action during our ongoing fiscal year 2008 audit.
Recommendation: IRS should establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: During our fiscal year 2007 audit, we identified similar issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our ongoing fiscal year 2008 audit.
Recommendation: IRS should establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: During our fiscal year 2007 audit, we identified issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our ongoing fiscal year 2008 audit.
Recommendation: IRS should issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: During our fiscal year 2007 audit, we identified similar issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our ongoing fiscal year 2008 audit.
Recommendation: IRS should issue a memorandum to employees in the Centralized Lien Processing Unit reiterating the IRM requirement to date stamp and maintain the billing support voucher as evidence of timely processing by IRS.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: Based on our review of IRS's fiscal year 2007 OMB circular A-123 lien testing results, we verified that IRS obtained date stamped billing vouchers.
Recommendation: IRS should monitor installment agreement (IA) user fee activity on a regular basis.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) agreed with our recommendation to monitor IA user fee activity on a regular basis in commenting on our draft report. IRS indicated that it currently uses the Installment Agreement Accounts Listings report to identify and resolve user fee errors, and that in January 2008 it will implement enhancements to this report. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2008 audit.
Recommendation: IRS should adjust errors in recorded IA user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) agreed with our recommendation to adjust errors in recorded IA user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers in commenting on our draft report. IRS stated that it currently utilizes a quarterly process to reconcile installment agreement payments and adjusts those with discrepancies or errors, but that it will increase the frequency of this reconciliation process from quarterly to weekly beginning in January 2008. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2008 audit.
Recommendation: IRS should establish sufficient review procedures to help ensure that adjustments to IA user fees collected from taxpayers are accurately and timely recorded.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) agreed with our recommendation to establish sufficient review procedures to help ensure that adjustments to IA user fees collected from taxpayers are accurately and timely recorded. In commenting on our draft report, IRS indicated it will update the section of the IRM dealing with IA user fee review procedures by January 2008. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2008 audit.
Recommendation: IRS should establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) agreed with our recommendation to establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory in commenting on our draft report. IRS stated that it is identifying locations that need additional secured storage space and will obtain the necessary space as appropriate. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2008 audit.
Recommendation: IRS should develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: Internal Revenue Service (IRS) agreed with our recommendation to develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered in commenting on our draft report. IRS stated that it has policies and procedures in place regarding the separation of receipt and acceptance duties but will reissue communications to remind those with procurement authority about the specific IRS acquisition procedure which provides this guidance. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2008 audit.
