Summary
In November 2004, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2004 and 2003, and on the effectiveness of its internal controls as of September 30, 2004. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2004 audit regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2004 audit report, they all warrant management's consideration.
During our fiscal year 2004 audit, we identified a number of internal control issues that adversely affected safeguarding of tax receipts and information, refunds to taxpayers, and lien resolutions. These issues concern (1) enforcement of IRS contractor background investigation policies, (2) omission of certain provisions related to contingency plans and taxpayer privacy in lockbox bank service contracts, (3) verification of lockbox bank deposits, (4) procedures for handling taxpayer receipts and information by couriers, (5) safeguarding sensitive systems and equipment in lockbox banks, (6) candling procedures, (7) monitoring and verifying recording and transmittal of taxpayer receipts and information, (8) controls over automated refund disbursements, (9) controls over authorization of manual refunds, and (10) resolution of liens with manually calculated interest or penalties. These issues increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed; (2) improper refunds to taxpayers could be disbursed; and (3) liens could be released before taxpayers have paid the full amount of interest or penalties due.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Steven J. Sebastian
Government Accountability Office: Financial Management and Assurance
(202) 512-9521
Recommendations for Executive Action
Recommendation: IRS should enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: During our fiscal year 2007 audit, we identified 4 contractors at one of five service center campuses (SCC) we visited that were granted staff-like access before background investigations had been completed. Also, we obtained and reviewed SCC contractor background investigation data from all 10 SCCs and found that 3 SCCs permitted 5 contractors staff-like access before their background investigations had been completed. In addition, IRM series 10.2 is currently in draft. We will evaluate IRS's corrective actions during our fiscal year 2008 audit.
Recommendation: IRS should require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: As of the time of our fiscal year 2007 financial audit, the IRM 10.2 series was in draft. We will monitor its final implementation and continue to evaluate IRS's policies and procedures related to background investigations for contractors during our fiscal year 2008 audit.
Recommendation: IRS should require that courier contracts call for couriers to submit contingency plans to lockbox banks.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that it updated the Lockbox Processing Guidelines (LPG) 4.2.3.1, Courier Contingency Plan, on January 1, 2005, to require that prior to implementation of the contract, the courier service must provide the lockbox with a disaster contingency plan. The contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that courier service contractors must provide the lockbox bank with a disaster contingency plan.
Recommendation: IRS should review lockbox bank courier contingency plans to help ensure that they incorporate all contingencies specified in the "Lockbox Processing Guidelines" (LPG).
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that contingency plans were provided by all lockbox sites by March 31, 2005, and were part of the Filing Season Readiness (FSR) Plan. The Lockbox Processing Guidelines (LPG) 4.2.3.1 states "the contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events." The lockbox coordinators reviewed the contingency plans to ensure that these issues were addressed. The lockbox coordinators interpreted the contingency plans to be complete; for example, the coordinators may have viewed contingencies covering natural disasters as sufficient to address inclement weather even though the term "inclement weather" was not specifically stated in the plan. GAO disagreed, citing continued areas of deficiencies. In September 2005, the Financial Management Service (FMS) and IRS security team conducted an additional review of each site's courier contingency plans to ensure compliance. Their review indicated that in order to increase consistency and ensure the plans are clearly documented, strengthening of the contingency plan requirements was necessary. The 2006 Lockbox Security Guidelines (LSG) 2.7 (1) and (2) includes clarification of the requirements for the courier contingency plans. Review of the contingency plans to ensure incorporation of all of the requirements is now assigned to the IRS/FMS security team as part of the on-site courier contingency review. GAO verified that IRS and FMS jointly reviewed the lockbox bank courier contingency plans and as a result included language in the LSG clarifying that before courier contracts are implemented, couriers must provide a disaster contingency plan to the lockbox bank addressing specific contingencies.
Recommendation: IRS should revise the LPG to specify that courier contingency plans be available at the lockbox banks.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3.1(1) was updated on June 30, 2005, to state that all banks must maintain a signed copy of the courier contingency plan on-site. During its fiscal year 2005 audit, GAO verified that IRS revised the LPG to specify that courier contingency plans be available at lockbox banks.
Recommendation: IRS should review lockbox bank courier and shredding contracts to ensure that they address all privacy-related criteria and include clear reference to privacy-related laws and regulations.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3(2)--Courier Services, which require lockbox banks to ensure all bonded courier/armored car agreements address all privacy-related criteria and include clear reference to privacy-related laws and regulations were updated on January 1, 2005. Effective January 1, 2006, in addition to the above requirement, the Lockbox Security Guidelines (LSG) 2.17.6 (2)(a) added the requirement that all lockbox banks ensure shred company contracts contain clear reference to the privacy-related laws and regulations. In October 2005, the Lockbox Policy and Procedures team reviewed and confirmed that all courier and shred contracts contained all privacy related criteria. Banks must submit their contracts to the Lockbox Policy and Procedures team for their review by October 1st of each year. The courier contract is also reviewed by the IRS and Financial Management Service security staff during the on-site courier security review. During its fiscal year 2005 audit, GAO verified that the courier and shredding contracts had the required privacy-related language and related provisions set forth in the Privacy Act of 1974. In addition, GAO verified that the LSG requires lockbox banks to ensure that all bonded courier agreements contain privacy-related language and reminds couriers of their responsibility to not disclose taxpayer information.
Recommendation: IRS should revise the LPG to require that (1) lockbox couriers promptly return deposit receipts to the lockbox banks following delivery of taxpayer remittances to depositories and (2) lockbox banks promptly review the returned deposit receipts.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that its Lockbox Policy and Procedures Section updated the Lockbox Processing Guidelines (LPG) on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form, which requires the lockbox site to receive back by the next business day the original completed Receipt for Transport of IRS Lockbox Bank Deposit Form with the bank representative's name and signature and date and time the deposit was received by the depository. Each day the lockbox site must reconcile the Receipt for Transport of IRS Lockbox Bank Deposit Form(s) to ensure receipt of dedicated service (e.g., the time between release to the courier and the release to the bank is not in excess). If discrepancies are found, the lockbox field coordinator should be notified immediately. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that (1) lockbox couriers return, on the next business day, deposit receipts to the lockbox banks following delivery of the taxpayer remittances to depositories and (2) lockbox banks promptly review, on a daily basis, the returned deposit receipts.
Recommendation: IRS should revise the LPG to require that deposit receipts for taxpayer remittances be time- and date-stamped.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Lockbox Processing Guidelines (LPG) was updated on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form--to require the courier service employee to return the form to the lockbox site on the next business day, ensuring the following information is completed on the form: the depository bank employee's name and signature, the date the deposit was received by the depository, and the time the deposit was received by the depository. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that deposit receipts for taxpayer remittances include the time and date of receipt by the depository institution.
Recommendation: IRS should better enforce the LPG requirement that lockbox bank couriers annotate the time of delivery on receipts for deposits of taxpayer remittances.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form, was updated on January 1, 2005, to require lockbox bank couriers to annotate the time of delivery of receipts for deposits of taxpayer remittances. New Security Performance Measures have been developed to measure and rate each site's overall adherence to security guidelines and provides incentives/disincentives accordingly. Mission Assurance and Financial Management Service security support the Lockbox Policy and Procedures Program Office in conducting security reviews. Reviews will rate each site's compliance to physical, personnel, courier, and Information Technology security. Security Performance Measures is scheduled to be fully implemented by January 2006. To further prepare for filing season each year, each bank is now required to certify that it is adhering to security guidelines. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that couriers annotate the time of delivery of receipts for deposits of taxpayer remittances. Further, GAO did not find any instance during its fiscal year 2005 testing in which the courier did not annotate the time the courier received the deposit from the bank personnel.
Recommendation: IRS should provide a written reminder to courier contractors of the need to adhere to all courier service procedures.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: Per IRS: In February 2007, Submission Processing issued an annual reminder memorandum to all courier contractors. In addition, the lockbox banks security team verified that all lockbox bank sites issued similar memorandums reminding them that they must adhere to all of the courier service security procedures in the Lockbox Security Guidelines (LSG). Per GAO: GAO verified that IRS issued reminder memorandums to the service center campus (SCC) and lockbox bank couriers.
Recommendation: IRS should periodically verify that contractors entrusted with taxpayer receipts and information offsite adhere to IRS procedures.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: Per IRS: Submission Processing revised the Lockbox Security Guidelines (LSG) in 2007 to require periodic verification that couriers adhere to IRS policy while transporting taxpayer receipts and information. Specifically, IRS stated that at service center campuses (SCC), IRS ensures couriers sign, date, and notate the time of pick up on form 10160, Receipt for Transport of IRS Deposit, and ensure the form is date and time stamped at the time of drop off at the financial institution. Each campus reviews the form and notates any time discrepancies. IRS stated that any discrepancies found will prompt the campus to (1) question the couriers, (2) record the finding in the Courier Incident Log, and (3) use their discretion to make a determination whether or not it is necessary to trail the couriers. Per GAO: GAO verified that IRS revised its LSG to include provisions for periodic verification that couriers adhere to IRS procedures for transporting taxpayer receipts and information. GAO also noted that procedures were established at the campuses involving the review of the returned Form 10160.
Recommendation: IRS should develop alternative back-up plans that are consistent with IRS courier policies and procedures to address instances in which only one courier reports for transport of taxpayer receipts or information, such as requiring that a service center or lockbox bank employee accompany the courier to the depository.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the 2005 Lockbox Processing Guidelines (LPG) 4.2.3.1 "Courier Contingency Plan" was updated on July 18, 2005, (effective Aug. 29, 2005) to include a plan that ensures the security of receipts if courier requirements are not met, or the courier contractor is unable to send suitable replacement couriers in time to meet the bank's deposit deadline. Submission Processing campuses submitted contingency plans in May 2005, which outline what deposit managers are to do in the event that couriers are unable to transport a deposit in the event of non-compliance with contract requirements, vehicle breakdown, or other reasons. In addition, the implementation of the Courier Daily Checklist in April 2005 has continued to work smoothly. During its fiscal year 2005 audit, GAO verified that IRS had updated its LPG for lockbox banks and submitted contingency plans for service center campuses, which outline what to do if couriers are unable to transport a deposit in the event of non-compliance with contract requirements.
Recommendation: IRS should formulate a policy to require that critical utility or security controls not be located in areas requiring frequent access.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS stated that its Mission Assurance (MA) and Security Services (SS) units worked with the Business Operating Divisions (BOD) and Procurement to formulate policy guidelines. The Lockbox Policy Guidelines, dated 01/10/06, have been revised. Lockbox Security Guide (LSG) 2.2.1 Main Utility Feeds, includes physical protection of all utilities against accidental or intentional disruption of services. Exterior utilities will be physically protected with bollards, fencing, or similar obstruction to prevent destruction. Where critical controls relative to utility feeds and security systems are located in rooms or areas frequented by contract employees, there must be continuous closed-circuit television (CCTV) coverage as well as tamper proof devices on those controls such as fencing, locks or other protections. LSG 2.2.2.12 page 18(5) has been revised to state that to prevent unauthorized access to control panels or critical systems, keys must be secured and controlled. We verified that the LSG requires physical protection of all main utility feeds against accidental or intentional disruptive of service. While the LSG does not require that critical utility or security controls not be located in areas requiring frequent access, the LSG does require that frequently accessed areas where utility feeds are present must be continuously monitored with CCTV coverage as well as tamper proof devices installed on those controls such as fencing, locks, or other protections. Therefore, we believe that IRS's corrective actions meet the objective of our recommendation.
Recommendation: IRS should require lockbox bank management to position closed-circuit television cameras to enable monitoring of secured areas containing sensitive systems or controls.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS stated that its Mission Assurance unit has developed and incorporated a close-circuit television (CCTV) evaluation matrix into the security review process ensuring that critical areas and assets are monitored. The January 1, 2007, Lockbox Security Guide (LSG) was revised under (CCTV Cameras) LSG 2.2.2.13.1 (6) and it states that Pan, Tilt, Zoom (PTZ) cameras shall be installed in mail sorting, mail delivery, mail extraction, exceptions processing and certified mail processing areas to ensure sites have the capability to observe, monitor, and record mail extraction activity and to assist in monitoring. Also, the LSG requires that the IRS security controls, equipment, and utilities must be locked to prevent tampering and that keys will be controlled and limited to authorized bank employees. Mission Assurance also included key and combination controls and management as part of its review process at the banks. We verified that the LSG requires physical protection of all main utility feeds against accidental or intentional disruption of service. While the LSG does not require that critical utility or security controls not be located in areas requiring frequent access, the LSG does require that frequently accessed areas where utility feeds are present must be continuously monitored with CCTV coverage, as well as tamper proof devices installed on those controls such as fencing, locks, or other protections. Therefore, we believe that IRS's corrective actions effectively address the issues that gave rise to our recommendation.
Recommendation: IRS should periodically monitor lockbox banks' adherence to the LPG requirement that keys be kept in secured containers within the secured perimeter.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Lockbox Security Guidelines (LSG) were revised and published on January 1, 2006. The LSG requires strict control of keys, panels, and access to rooms and areas that contain facility utilities and controls. Lockbox banks are monitored and reviewed to ensure compliance to the policy. The Lockbox Physical Security Checklist includes checks to verify compliance to the policy. Five lockbox reviews have been conducted subsequent to publication of the LSG, and IRS has not observed any instances of this finding at any of the sites reviewed. During its fiscal year 2005 audit, GAO verified that IRS periodically monitored adherence to this requirement during IRS's lockbox bank security reviews.
Recommendation: IRS should assess technologies that may be exempt from the visual inspection requirement to determine whether they are acceptable methods of satisfying candling objectives and, if so, add such technologies to the LPG list of accepted candling methods.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that its Lockbox Policy and Procedures staff determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) 3.2.8(1) that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables. GAO noted that IRS's determination that current technologies are not exempt from the candling requirement, and the additional LPG guidelines added and verified by GAO during its fiscal year 2005 audit, meet the objective of this recommendation.
Recommendation: IRS should conduct an assessment of the costs and benefits of relying on only one candling when using certain automated equipment.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that Wage and Investment (W&I) determined that a cost benefit analysis was not necessary because it previously assessed the candling function on the automated equipment. To provide additional risk mediation, W&I revised the Lockbox Processing Guidelines (LPG) under section 3.2.8 (1) to require that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. W&I will monitor adherence during site reviews. IRS's determination that current technologies are not exempt from the candling requirement or the additional LPG guidelines added, verified during GAO's fiscal year 2005 audit, meets the objective of this recommendation.
Recommendation: IRS should clarify the LPG to eliminate confusion about the number of candlings required for different extraction methods.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that it updated the 2005 Lockbox Processing Guidelines (LPG) 3.2.8, Candling, to require that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables. GAO verified that IRS updated the LPG to clarify requirements concerning the number of candlings.
Recommendation: IRS should establish guidelines and a testing requirement to ensure satisfactory lighting conditions for effective candling.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS reported that the Internal Revenue Manual (IRM) 3.10.72.6.2 (2) (a) requires that all candling equipment on both initial and final candling tables shall be adjusted as necessary to maintain maximum envelope recognition. Maximum envelope recognition is determined by the measurement of foot candles through use of a light meter. Minimum reading on the light meter should be 174. The testing of the candling equipment should be completed twice annually for Individual Master File sites and quarterly for Business Master File sites. Testing will be completed prior to peak time-frames. Management or a designated employee will complete the candling equipment review log to verify lights are meeting minimum requirements. Light meters are available and testing has been completed at all submission processing centers to ensure requirements are met. Sorting table vendors have been contacted and are aware of this requirement and are adjusting all new tables that are purchased to ensure they are in compliance. During its fiscal year 2005 audit, GAO verified that IRS revised its IRM to include guidelines for testing lighting conditions for candling equipment.
Recommendation: IRS should establish policies and procedures to require appropriate segregation of duties in Small Business/Self-Employed (SB/SE) units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: In conducting our reviews, we found that the status information provided by IRS did not clearly address segregation of duties within the SB/SE business units. We noted that (1) individuals responsible for preparing Payment Posting Vouchers were the same individuals who recorded the information from those vouchers on the Document Transmittal and mailed those forms to the IRS service center and (2) there was no independent review or reconciliation of documents or payments before they were mailed by their preparer. During our recent visits to selected SB/SE units in March 2008, we found that this condition continued to exist. Duties involving the preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages were not segregated. Employees informed us there was no related requirement in the IRM.
Recommendation: IRS should enforce the requirement that a Document Transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: During our visits to several SB/SE business units, we found that a document transmittal form was not being used to transmit multiple Daily Report of Collection Activity forms to the respective service center campus. We will continue to assess IRS's actions during our fiscal year 2008 audit.
Recommendation: IRS should establish a procedure for SB/SE field office units to track Document Transmittal forms and acknowledgements of receipt of Document Transmittal forms.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS stated that procedures have been established, updated, and incorporated into its Internal Revenue Manual (IRM), and hard copies were shipped to all applicable employees on September 15, 2006. We verified that IRS has established procedures that require Small Business and Self-Employed employees to track document transmittal forms and the acknowledgement of receipt for these forms.
Recommendation: IRS should require evidence of managerial review of recording, transmittal, and receipt of acknowledgments of taxpayer receipts and information.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS stated that procedures have been established and incorporated into the latest revision of its Internal Revenue Manual. We verified that IRS has established procedures, which require Small Business and Self-Employed to review the recording, transmittal, and receipt of acknowledgements of the document transmittal forms.
Recommendation: IRS should assess options to prevent the generation or disbursement of refunds associated with accounts with unresolved Automated Underreporter Program (AUR) discrepancies, including placement of a freeze or hold on all such accounts, until the AUR review has been completed.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: We verified that IRS issued a "Hot Topic" memorandum to its staff on January 25, 2007, which added procedures to check for cases that can be identified as an AUR payment and research the taxpayer's account on the Integrated Data Retrieval System (IDRS) for CP 2000 Indicators. During our fiscal year 2007 financial audit, we confirmed that IRS updated their procedures to prevent the generation or disbursement of refunds associated with AUR accounts. We also verified that the procedures requiring employees to conduct IDRS research after receiving an unidentified remittance to determine if there is an open account that allows for posting of the remittance.
Recommendation: IRS should enforce documentation requirements relating to authorizing officials charged with approving manual refunds.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: We verified that IRS issued a "Hot Topic" memorandum to its staff on January 25, 2007, which added procedures to check for cases that can be identified as an AUR payment and research the taxpayer's account on the Integrated Data Retrieval System (IDRS) for CP 2000 Indicators. During our fiscal year 2007 financial audit, we confirmed that IRS updated their procedures to prevent the generation or disbursement of refunds associated with AUR accounts. We also verified that the procedures requiring employees to conduct IDRS research after receiving an unidentified remittance to determine if there is an open account that allows for posting of the remittance.
Recommendation: IRS should enforce requirements for monitoring accounts and reviewing monitoring of accounts.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: We verified that IRS issued instructions, which included providing managers and the employees training to reinforce monitoring requirements. However, during our fiscal year 2008 audit, we continued to find instances where the manual refund initiators, leads, or both did not monitor accounts to prevent duplicate refunds. We also found that some of the supervisors did not review the initiators' or leads' work to ensure that the monitoring of accounts was performed. We will continue to review IRS's monitoring and review efforts during our ongoing audit.
Recommendation: IRS should enforce requirements for documenting monitoring actions and supervisory review.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: In process
Comments: We verified that IRS issued instructions, which included providing managers and employees training to reinforce the monitoring requirements. However, during our fiscal year 2008 audit, we continued to find instances where the requirement for documenting monitoring actions and documenting supervisory review were not enforced. We will continue to review IRS's monitoring and review efforts during our ongoing audit.
Recommendation: IRS should enforce the requirement that command code profiles be reviewed at least once annually.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: During our fiscal year 2007 audit, we verified that IRS issued a "Hot Topic" memorandum to its staff in January 2007 and again in March 2007, as a reminder to adhere to the existing process of enforcing the requirement that command code profiles be reviewed at least once annually. Additionally, during our visits to IRS sites as part of our fiscal year 2007 IRS audit, we found that at both of the IRS service centers we visited, the command code profiles were reviewed at least once annually. IRS's enforcement of the annual review of command code profiles reduces the risk of errors or fraud and the improper disbursement of manual refunds.
Recommendation: IRS should specify in the Internal Revenue Manual (IRM) that staff members are not to review their own command code profiles.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: We verified that IRS, in response to our recommendation, updated their procedures in September 2007 to prohibit employees from reviewing their own profile or any other report data pertaining to themselves. In addition, during our fiscal year 2007 audit, we found no instances of IRS staff members reviewing their own command codes.
Recommendation: IRS should specify in the IRM how to properly verify interest and penalties for accounts with liens with manually calculated interest or penalties.
Agency Affected: Department of the Treasury: Internal Revenue Service
Status: Implemented
Comments: IRS conducted a study of accounts containing manually calculated interest or penalties and determined that the manually calculated amounts were insignificant. Consequently, IRS reprogrammed its Automated Lien System (ALS) to automatically release liens once the taxpayer's account was full paid. During our fiscal year 2007 financial audit, we obtained and reviewed a computer extract showing that taxpayer accounts containing manually calculated interest or penalty are no longer being held up from automated lien release.
