This is the accessible text file for GAO report number GAO-09-514 entitled 'Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations' which was released on June 25, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Commissioner of Internal Revenue: United States Government Accountability Office: GAO: June 2009: Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations: GAO-09-514: GAO Highlights: Highlights of GAO-09-514, a report to the Commissioner of Internal Revenue. Why GAO Did This Study: In its role as the nation’s tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation’s tax laws. Since its first audit of IRS’s financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS’s financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS’s financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS’s efforts to address the weaknesses GAO identified in previous years’ audits. The purpose of this report is to (1) provide the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations relate to control activities central to IRS’s mission and goals. What GAO Found: IRS has made significant progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 9 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 200 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO’s audit of IRS’s fiscal year 2008 financial statements, 81 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2008 financial audit, IRS took actions that GAO considered sufficient to close 35. At the same time, GAO identified additional internal control issues resulting in 16 new recommendations. In total, 62 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 62 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. Table: Summary of Open Recommendations by Control Category: Safeguarding of assets and security activities: Open at the beginning of 2008: 21; Closed during 2008 audit: 7; New from 2008 audit: 6; Total remaining open: 20. Proper recording and documenting of transactions: Open at the beginning of 2008: 33; Closed during 2008 audit: 13; New from 2008 audit: 4; Total remaining open: 24. Effective management review and oversight: Open at the beginning of 2008: 27; Closed during 2008 audit: 15; New from 2008 audit: 6; Total remaining open: 18. Total: Open at the beginning of 2008: 81; Closed during 2008 audit: 35; New from 2008 audit: 16; Total remaining open: 62. Source: GAO analysis of financial management recommendations made to IRS. [End of table] The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO’s recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning IRS’s automated systems, are complex and will require several more years to effectively address. What GAO Recommends: GAO is not making any recommendations in this report. In commenting on this draft report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/products/GAO-09-514]. For more information, contact Steven J. Sebastian at (202)512-3406 or sebastians@gao.gov. [End of section] Contents: Letter: Background: Scope and Methodology: IRS's Progress on Financial Management Recommendations: Open Recommendations Grouped by Control Activity: Open Recommendations Arranged by Related Material Weakness, Significant Deficiency, Compliance Issue, or Other Control Issue: Concluding Observations: Agency Comments and Our Evaluation: Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: Appendix II: Open Recommendations Arranged by Control or Compliance Issue: Financial Reporting: Unpaid Tax Assessments: Information Security: Tax Revenue and Refunds: Release of Federal Tax Liens: Other Control Issues: Appendix III: Comments from the Internal Revenue Service: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of Open Recommendations: Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: Table 3: Recommendations to Improve IRS's Segregation of Duties: Table 4: Recommendation to Improve IRS's Controls over Information Processing: Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: Table 8: Recommendations to Improve IRS's Execution of Transaction and Events: Table 9: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: Table 10: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: Table 11: Recommendations to Improve IRS's Management of Human Capital: Table 12: Material Weakness: Controls over Financial Reporting: Table 13: Material Weakness: Controls over Unpaid Assessments: Table 14: Significant Deficiency: Controls over Revenues and Issuing Refunds: Table 15: Compliance with Laws and Regulations: Timely Release of Liens: Table 16: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: Abbreviations: CCTV: closed circuit television: CDDB: Custodial Detail Data Base: FFMIA: Federal Financial Management Improvement Act of 1996: FISCAM: Federal Information System Controls Audit Manual: FMFIA: Federal Managers' Financial Integrity Act of 1982: IDRS: Integrated Data Retrieval System: IRACS: Interim Revenue and Accounting Control System: IRM: Internal Revenue Manual: IRS: Internal Revenue Service: LMSB: Large and Mid-sized Business: NFC: National Finance Center: OMB: Office of Management and Budget: P&E: property and equipment: SCC: service center campus: SETS: Security Entry and Tracking System: TAC: taxpayer assistance center: TE/GE: Tax Exempt and Government Entities: TFRP: Trust Fund Recovery Penalty: [End of section] United States Government Accountability Office: Washington, DC 20548: June 25, 2009: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Dear Mr. Shulman: In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. In fiscal year 2008, IRS collected about $2.7 trillion in tax payments, processed hundreds of millions of tax and information returns, and paid about $426 billion in refunds to taxpayers. Because of its role and overall mission, IRS's activities affect virtually all of the nation's citizens. It is therefore critical that the agency strive to maintain sound financial management practices. IRS has made much progress in improving its financial management since it was first required to prepare a set of financial statements and have them in fiscal year 1992. This progress was reflected in its ability to obtain and maintain a clean audit opinion on its financial statements each year beginning in fiscal year 2000, to correct several material internal control weaknesses over the years, and to make many other improvements in internal control. At the same time, more remains to be done to address long-standing internal control issues that continue to exist at the agency. IRS continues to have weak or ineffective internal controls over fundamental elements of its operations that leave it vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has the potential to affect the lives of the nation's taxpayers, as our audits over the years have demonstrated. For example, IRS's continued failure to promptly release federal tax liens could cause undue hardship and burden to taxpayers who are attempting to sell property or apply for commercial credit. An agency's internal control environment serves as the first line of defense in safeguarding its assets and in preventing and detecting errors and fraud, as well as in helping to effectively manage its stewardship over public resources.[Footnote 1] Unfortunately, IRS continues to be challenged with several long-standing material weaknesses in internal control that are at the heart of IRS's operations.[Footnote 2] During our audit of IRS's fiscal year 2008 financial statements, we continued to find material weaknesses in controls over: * financial reporting, * unpaid tax assessments, and: * information systems security. In addition to the material weaknesses, we continued to identify a significant deficiency involving IRS's control over tax revenue and refunds, which hampers IRS's ability to optimize the use of its resources to collect unpaid taxes and minimize payments of improper refunds. This significant deficiency was downgraded from a material weakness in fiscal year 2008 because IRS took significant steps to address the deficiencies comprising the material weakness, such as enhancing its cost accounting capabilities and performance measures. To assist IRS in strengthening its internal controls and improving its operations, we have made numerous recommendations as part of our annual financial statement audits and other financial management-related work at IRS. This report is being provided to you to (1) provide the status of financial audit and financial management-related recommendations and the actions needed to address them and (2) demonstrate how the recommendations relate to control activities central to IRS's mission and goals. We are not making any recommendations in this report. Our work was performed from December 2008 through May 2009 in accordance with generally accepted government auditing standards. For further details regarding our approach to this audit, see the Scope and Methodology section. Background: Internal control is not one event, but a series of activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis. Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations. Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, provides the implementing guidance for FMFIA, and sets out the specific requirements for assessing and reporting on internal controls consistent with the internal control standards issued by the Comptroller General of the United States. [Footnote 3] The circular defines management's responsibilities related to internal control and the process for assessing internal control effectiveness, and provides specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular requires management to annually provide assurances on internal control in its performance and accountability report, and for each of the 24 Chief Financial Officers Act agencies to include a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.[Footnote 4] The circular also emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities. FMFIA requires GAO to issue standards for internal control in the federal government. The Standards for Internal Control in the Federal Government (i.e., internal control standards) provides the overall framework for establishing and maintaining effective internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. As summarized in the internal control standards, internal control in the government is defined by the following five elements, which also provide the basis against which internal controls are to be evaluated: * Control environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. * Risk assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources. * Control activities: Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. * Information and communications: Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. * Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. A key objective in our annual audits of IRS's financial statements is to obtain reasonable assurance that IRS maintained effective internal controls with respect to financial reporting, including safeguarding of assets, and compliance with laws and regulations. While we use all five elements of internal control as a basis for evaluating the effectiveness of IRS's internal controls, our ongoing evaluations and tests have focused heavily on control activities to identify internal control weaknesses and offer recommendations for corrective action. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives. In other words, they are the activities conducted in the everyday course of business that are intended to accomplish a control objective, such as ensuring IRS employees successfully complete background checks prior to being granted access to taxpayer information and receipts. As such, control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of effective results. Scope and Methodology: To accomplish our objectives, we evaluated the effectiveness of corrective actions IRS implemented during fiscal year 2008 in response to open recommendations as part of our fiscal years 2008 and 2007 financial audits. To determine the current status of the recommendations, we (1) obtained IRS's reported status of each recommendation and corrective action taken or planned as of April 2009, (2) compared IRS's reported status to our fiscal year 2008 audit findings to identify any differences between IRS's and our conclusions regarding the status of each recommendation, and (3) performed additional follow-up work regarding IRS's actions taken to address the open recommendations. In order to determine how these recommendations fit within IRS's management and internal control structure, we compared the open recommendations and the issues that gave rise to them, to the control activities listed in the internal control standards and to the list of major factors and examples outlined in our Internal Control Management and Evaluation Tool.[Footnote 5] We also considered how the recommendations and the underlying issues were categorized in our prior reports; whether IRS had addressed, in whole or in part, the underlying control issues that gave rise to the recommendations; and other legal requirements and implementing guidance, such as OMB Circular No. A-123; FMFIA; and the Federal Information System Controls Audit Manual (FISCAM).[Footnote 6] Our work was performed from December 2008 through May 2009 in accordance with generally accepted government auditing standards. Further details on our audit scope and methodology are included in our report on the results of our audits of IRS's fiscal years 2008 and 2007 financial statements.[Footnote 7] We requested comments on a draft of this report from the Commissioner of Internal Revenue or his designee on May 26, 2009. We received comments from the Commissioner on June 11, 2009. We have reprinted IRS's written comments in appendix III. IRS's Progress on Financial Management Recommendations: IRS continues to make progress addressing its significant financial management challenges. Over the years since we first began auditing IRS's financial statements in fiscal year 1992, IRS has taken actions that enabled us to close over 200 of our financial management-related recommendations. This includes 35 recommendations we are closing based on actions IRS took during the period covered by our fiscal year 2008 financial audit. At the same time, however, our audits continue to identify additional internal control issues, resulting in further recommendations for corrective action, including 16 new financial management-related recommendations resulting from our fiscal year 2008 financial audit. These internal control issues, and the resulting recommendations, can be directly traced to the control activities in the internal control standards. As such, it is essential that they be fully addressed and resolved to strengthen IRS's overall financial management to efficiently and effectively achieve its goals and mission. Status of Recommendations Based on the Fiscal Year 2008 Financial Statement Audit: In July 2008, we issued a report on the status of IRS's efforts to implement corrective actions to address financial management recommendations stemming from our fiscal year 2007 and prior year financial audits and other financial management-related work.[Footnote 8] In that report, we identified 81 audit recommendations that remained open and thus required corrective action by IRS. A significant number of these recommendations had been open for several years, either because IRS had not taken corrective action or because the actions taken had not yet effectively resolved the issues that gave rise to the recommendations. IRS continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our fiscal year 2008 financial audit, we identified numerous actions IRS took to address many of its internal control issues. On the basis of IRS's actions, which we were able to substantiate through our audit, we are able to close 35 of these prior years' recommendations. IRS considers another 18 of the prior years' recommendations to be effectively addressed. However, we still consider them to be open either because we have not yet been able to verify the effectiveness of IRS's actions or because, in our view, the actions taken did not fully address the issue that gave rise to the recommendation. Forty-six recommendations from prior years remain open, a significant number of which have been outstanding for several years. During our audit of IRS's fiscal year 2008 financial statements, we identified additional issues that require corrective action. In a recent management report to IRS,[Footnote 9] we discussed these issues, and made 16 new recommendations to address them. Consequently, 62 financial management-related recommendations need to be addressed. While most of these can be addressed in the short term,[Footnote 10] a few, particularly those concerning IRS's automated systems, are complex and will require several more years to fully and effectively address. We consider 52 recommendations to be short-term and 10 to be long-term. In addition to the 62 open recommendations from our financial audits and other financial management-related work, there are 74 open recommendations stemming from our assessment of IRS's information security controls over key financial systems, information, and interconnected networks. Those 74 primarily relate to lack of an agencywide information security program, which was a key reason for the material weakness in IRS's information systems security controls over its financial and tax processing systems. Unresolved, previously reported recommendations and newly identified recommendations related to information security increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer data. Recommendations resulting from the information security issues identified in our annual audits of IRS's financial statements are reported separately because of the sensitive nature of these issues. Appendix I presents a list of (1) the 81 recommendations based on our financial statement audits and other financial management-related work that we had not previously reported as closed, (2) IRS-reported corrective actions taken or planned as of April 2009, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed based primarily on the work performed during our fiscal year 2008 financial statement audit. Appendix I includes recommendations based on our fiscal year 2008 financial statement audit. The appendix lists the recommendations by the date on which the recommendation was made and by report number. Appendix II presents the open recommendations arranged by related material weakness, significant deficiency, compliance issue, or other control issue as described in our opinion report on IRS's financial statements. [Footnote 11] Open Recommendations Grouped by Control Activity: Linking the open recommendations from our financial audits and other financial management-related work, and the issues that gave rise to them, to internal control activities that are central to IRS's tax administration responsibilities provides insight regarding their significance. The internal control standards define 11 control activities grouped into three broad categories as shown in table 1.[Footnote 12] The open recommendations from our financial audits and financial management- related work, and the underlying issues that gave rise to them, can be traced to one of the control activities. Table 1: Summary of Open Recommendations: Control category/control activity: Safeguarding of assets and security activities: Physical control over vulnerable assets; Open at the beginning of 2008: 9; Closed during 2008 audit: 4; New from 2008 audit: 6; Total remaining open: 11; Percentage: 18. Control category/control activity: Safeguarding of assets and security activities: Segregation of duties; Open at the beginning of 2008: 3; Closed during 2008 audit: 0; New from 2008 audit: 0; Total remaining open: 3; Percentage: 5. Control category/control activity: Safeguarding of assets and security activities: Controls over information processing; Open at the beginning of 2008: 1; Closed during 2008 audit: 0; New from 2008 audit: 0; Total remaining open: 1; Percentage: 1. Control category/control activity: Safeguarding of assets and security activities: Access restrictions to and accountability for resources and records; Open at the beginning of 2008: 8; Closed during 2008 audit: 3; New from 2008 audit: 0; Total remaining open: 5; Percentage: 8. Control category/control activity: Safeguarding of assets and security activities: Subtotal; Open at the beginning of 2008: 21; Closed during 2008 audit: 7; New from 2008 audit: 6; Total remaining open: 20; Percentage: 32. Control category/control activity: Proper recording and documenting of transactions: Appropriate documentation of transactions and internal controls; Open at the beginning of 2008: 12; Closed during 2008 audit: 3; New from 2008 audit: 0; Total remaining open: 9; Percentage: 15. Control category/control activity: Proper recording and documenting of transactions: Accurate and timely recording of transactions and events; Open at the beginning of 2008: 18; Closed during 2008 audit: 9; New from 2008 audit: 3; Total remaining open: 12; Percentage: 19. Control category/control activity: Proper recording and documenting of transactions: Proper execution of transactions and events; Open at the beginning of 2008: 3; Closed during 2008 audit: 1; New from 2008 audit: 1; Total remaining open: 3; Percentage: 5. Control category/control activity: Proper recording and documenting of transactions: Subtotal; Open at the beginning of 2008: 33; Closed during 2008 audit: 13; New from 2008 audit: 4; Total remaining open: 24; Percentage: 39. Control category/control activity: Effective management review and oversight: Reviews by management at the functional or activity level; Open at the beginning of 2008: 19; Closed during 2008 audit: 9; New from 2008 audit: 3; Total remaining open: 13; Percentage: 21. Control category/control activity: Effective management review and oversight: Establishment and review of performance measures and indicators; Open at the beginning of 2008: 3; Closed during 2008 audit: 3; New from 2008 audit: 3; Total remaining open: 3; Percentage: 5. Control category/control activity: Effective management review and oversight: Management of human capital; Open at the beginning of 2008: 5; Closed during 2008 audit: 3; New from 2008 audit: 0; Total remaining open: 2; Percentage: 3. Control category/control activity: Effective management review and oversight: Subtotal; Open at the beginning of 2008: 27; Closed during 2008 audit: 15; New from 2008 audit: 6; Total remaining open: 18; Percentage: 29. Control category/control activity: Total; Open at the beginning of 2008: 81; Closed during 2008 audit: 35; New from 2008 audit: 16; Total remaining open: 62; Percentage: 100. Source: GAO analysis of the status of financial management recommendations made to IRS. [End of table] As table 1 indicates, 20 recommendations (32 percent) relate to issues associated with IRS's lack of effective controls over safeguarding of assets and security activities. Another 24 recommendations (39 percent) relate to issues associated with IRS's inability to properly record and document transactions. The remaining 18 open recommendations (29 percent) relate to issues associated with the lack of effective management review and oversight. On the following pages, we group the 62 open recommendations under the control activity to which the condition that gave rise to them most appropriately fits. We first define each control activity as presented in the internal control standards and briefly identify some of the key IRS operations that fall under that control activity. Although not comprehensive, the descriptions are intended to help explain why actions to strengthen these control activities are important for IRS to efficiently and effectively carry out its overall mission. For each recommendation, we also indicate whether it is a short-term or long- term recommendation. For those characterized as short-term, we believe that IRS has the capability to implement solutions within 2 years. Safeguarding of Assets and Security Activities: Given IRS's mission, the sensitivity of the data it maintains, and its processing of trillions of dollars of tax receipts each year, one of the most important control activities at IRS is the safeguarding of assets. Internal control in this important area should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. We have grouped together the four control activities in the internal control standards that relate to safeguarding of assets (including tax receipts) and security activities (such as limiting access to only authorized personnel): (1) physical control over vulnerable assets, (2) segregation of duties, (3) controls over information processing, and (4) access restrictions to and accountability for resources and records. Physical Control over Vulnerable Assets: Internal control standard: An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records. IRS collects trillions of dollars in taxes each year, a significant amount of which is collected in the form of checks and cash accompanied by tax returns and related information. IRS collects taxes both at its own facilities as well as at lockbox banks that operate under contract with the Department of the Treasury's (Treasury) Financial Management Service. IRS acts as custodian for (1) the tax payments it receives until they are deposited in the General Fund of the U.S. Treasury and (2) the tax returns and related information it receives until they are either sent to the Federal Records Center or destroyed. IRS is also charged with controlling many other assets, such as computers and other equipment, but IRS's legal responsibility to safeguard tax returns and the confidential information taxpayers provide on tax returns makes the effectiveness of its internal controls with respect to physical security essential. While effective physical safeguards over receipts should exist throughout the year, such safeguards are especially important during the peak tax filing season. Each year during the weeks preceding and shortly after April 15, an IRS service center campus (SCC) or lockbox bank may receive and process daily over 100,000 pieces of mail containing returns, receipts, or both. The dollar value of receipts each SCC and lockbox bank processes increases to hundreds of millions of dollars a day during the April 15 time frame. The following 11 recommendations are designed to improve IRS's physical controls over vulnerable assets. We consider all of them to be correctable on a short-term basis. (See table 2.) Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: ID no.: 04-08; Recommendations: Enforce policies and procedures to ensure that service center campus security guards respond to alarms. (short-term) ID no.: 06-05; Recommendations: Equip all Taxpayer Assistance Centers (TACs) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short-term) ID no.: 06-08; Recommendations: Enforce the requirement that all security or other responsible personnel at service center campuses (SCC) and lockbox banks record all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation. (short-term) ID no.: 07-04; Recommendations: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term) ID no.: 07-20; Recommendations: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term) ID no.: 09-03; Recommendations: Document in the Internal Revenue Manual (IRM) minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off- site surveillance of couriers. (short-term) ID no.: 09-04; Recommendations: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term) ID no.: 09-06; Recommendations: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term) ID no.: 09-07; Recommendations: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date. (short-term) ID no.: 09-08; Recommendations: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term) ID no.: 09-09; Recommendations: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Segregation of Duties: Internal control standard: Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event. IRS employees process trillions of dollars of tax receipts each year, of which hundreds of billions are received in the form of cash or checks, and for processing hundreds of billions of dollars in refunds to taxpayers.[Footnote 13] Consequently, it is critical that IRS maintain appropriate separation of duties to allow for adequate oversight of staff and protection of these vulnerable resources so that no single individual would be in a position of causing an error or irregularity, potentially converting the asset to personal use, and then concealing it. For example, when an IRS field office or lockbox bank receives taxpayer receipts and returns, it is responsible for depositing the cash and checks in a depository institution and forwarding the related information received to an SCC for further processing. In order to adequately safeguard receipts from theft, the person responsible for recording the information from the taxpayer receipts on a voucher should be different from the individual who prepares those receipts for transmittal to the SCC for further processing. Also, for procurement of goods and services, the person who places an order for goods and services should be different from the person who receives the goods and services. Such separation of duties will help to prevent the occurrence of fraud, theft of IRS assets, or both. Implementing the following three recommendations would help IRS improve its separation of duties, which will in turn strengthen its controls over tax receipts and refunds and procurement activities. All are short- term in nature. (See table 3.) Table 3: Recommendations to Improve IRS's Segregation of Duties: ID no.: 02-16; Recommendations: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short- term) ID no.: 05-32; Recommendations: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term) ID no.: 07-21; Recommendations: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Controls over Information Processing: Internal control standard: A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, and comparing file totals with control totals. There are two broad groupings of information systems control--general control (for hardware such as mainframe, network, end-user environments) and application control (processing of data within the application software). General controls include entitywide security program planning, management, and backup recovery procedures and contingency and disaster planning. Application controls are designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. IRS relies extensively on computerized systems to support its financial and mission-related operations. To efficiently fulfill its tax processing responsibilities, IRS relies extensively on interconnected networks of computer systems to perform various functions, such as collecting and storing taxpayer data, processing tax returns, calculating interest and penalties, generating refunds, and providing customer service. As part of our annual audits of IRS's financial statements, we assess the effectiveness of IRS's information security controls over key financial systems, data, and interconnected networks at IRS's critical data processing facilities that support the processing, storage, and transmission of sensitive financial and taxpayer data.[Footnote 14] From that effort over the years, we have identified information security control weaknesses that impair IRS's ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data. As of January 2009, there were 74 open recommendations from our information security work designed to improve IRS's information security controls.[Footnote 15] As discussed previously, recommendations resulting from our information security work are reported separately and are not included in this report primarily because of the sensitive nature of these issues. However, the following short-term recommendation is related to systems limitations and IRS's need to enhance its computer programs. (See table 4.) Table 4: Recommendation to Improve IRS's Controls over Information Processing: ID no.: 02-18; Recommendations: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Access Restrictions to and Accountability for Resources and Records: Internal control standard: Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. Because IRS deals with a large volume of cash and checks, it is imperative that it maintain strong controls to appropriately restrict access to those assets, the records that track those assets, and sensitive taxpayer information. Although IRS has a number of both physical and information systems controls in place, some of the issues we have identified in our financial audits over the years pertain to ensuring that those individuals who have direct access to these cash and checks are appropriately vetted before being granted access to taxpayer receipts and information and to ensuring that IRS maintains effective access security control. The following five short-term recommendations were intended to help IRS improve its access restrictions to assets and records. (See table 5.) Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: ID no.: 08-12; Recommendations: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term) ID no.: 08-13; Recommendations: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term) ID no.: 08-15; Recommendations: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term) ID no.: 08-16; Recommendations: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles. (short-term) ID no.: 08-17; Recommendations: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Recording and Documenting of Transactions: IRS has a number of internal control issues that relate to recording transactions, documenting events, and tracking the processing of taxpayer receipts or information. We have grouped three control activities together that relate to proper recording and documenting of transactions: (1) appropriate documentation of transactions and internal controls, (2) accurate and timely recording of transactions and events, and (3) proper execution of transactions and events. Appropriate Documentation of Transactions and Internal Control: Internal control standard: Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained. IRS collects and processes trillions of dollars in taxpayer receipts annually both at its own facilities and at lockbox banks under contract to process taxpayer receipts for the federal government. Therefore, it is important that IRS maintain effective controls to ensure that all documents and records are properly and timely recorded, managed, and maintained both at its facilities and at the lockbox banks. IRS must adequately document and disseminate its procedures to ensure that they are available for IRS employees. IRS must also document its management reviews of controls, such as those regarding refunds and returned checks, credit card purchases, and reviews of taxpayer assistance centers (TAC). Finally, to ensure future availability of adequate documentation, IRS must ensure that its systems, particularly those now being developed and implemented, have appropriate capability to trace transactions. Resolving the following nine recommendations would assist IRS in improving its documentation of transactions and internal control procedures. Eight of these recommendations are short-term, and one is long-term. (See table 6.) Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: ID no.: 05-39; Recommendations: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term) ID no.: 06-01; Recommendations: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term) ID no.: 06-02; Recommendations: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term) ID no.: 06-04; Recommendations: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term) ID no.: 06-07; Recommendations: Document supervisory visits by offsite managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term) ID no.: 07-15; Recommendations: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the Internal Revenue Manual (IRM) requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System. (short-term) ID no.: 08-01; Recommendations: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term) ID no.: 08-02; Recommendations: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term) ID no.: 08-07; Recommendations: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Accurate and Timely Recording of Transactions and Events: Internal control standard: Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded. IRS maintains taxpayer records for tens of millions of taxpayers in addition to maintaining its own financial records. To carry out this responsibility, IRS often has to rely on outdated computer systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping difficulties we have reported on over the years will not be addressed until it can replace its aging systems, an effort that is long-term and partly depends on future funding. Implementation of the following 12 recommendations would strengthen IRS's recordkeeping abilities. (See table 7.) Seven of these recommendations are short-term, and 5 are long-term regarding requirements for new systems for maintaining taxpayer records. Several of the recommendations listed deal with financial reporting processes, such as maintaining subsidiary records, recording budgetary transactions, and tracking program costs. Some of the issues that gave rise to several of our recommendations directly affect taxpayers, such as those involving duplicate assessments, errors in calculating and reporting manual interest, errors in calculating penalties, and recovery of trust fund penalty assessments. Seven of these recommendations have remained open at least 5 years and one over 10 years, reflecting the complex nature of the underlying systems issues that must be resolved to fully address some of these issues. Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: ID no.: 94-02; Recommendations: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term) ID no.: 99-01; Recommendations: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term) ID no.: 99-03; Recommendations: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term) ID no.: 99-20; Recommendations: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (long-term) ID no.: 99-36; Recommendations: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term) ID no.: 01-17; Recommendations: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term) ID no.: 01-39; Recommendations: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term) ID no.: 06-22; Recommendations: Direct Facilities Management Branch managers to research and resolve the aging reports. (short-term) ID no.: 08-06; Recommendations: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term) ID no.: 09-01; Recommendations: Correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure-to-pay penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement. (short-term) ID no.: 09-12; Recommendations: Reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts. (short-term) ID no.: 09-13; Recommendations: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Execution of Transactions and Events: Internal control standard: Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of ensuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees. Each year, IRS pays out hundreds of billions of dollars in tax refunds, some of which are distributed to taxpayers manually.[Footnote 16] IRS requires that all manual refunds be approved by designated officials. However, weaknesses in controls for authorizing such refunds expose the federal government to losses because of the issuance of improper refunds. Likewise, the failure to ensure that employees obtain appropriate authorizations to use purchase cards or initiate travel similarly leave the government open to fraud, waste, or abuse. Dealing with the following three short-term recommendations would improve IRS's controls over its manual refund, travel, and purchase card transactions. (See table 8.) Table 8: Recommendations to Improve IRS's Execution of Transaction and Events: ID no.: 05-37; Recommendations: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short- term) ID no.: 08-24; Recommendations: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term) ID no.: 09-10; Recommendations: Develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of noncompliance with required approval timeframes. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Effective Management Review and Oversight: All personnel within IRS have an important role in establishing and maintaining effective internal controls, but IRS's managers have additional review and oversight responsibilities. Management must set the objectives, put control activities in place, and monitor and evaluate controls to ensure that they are followed. Without adequate monitoring by managers, there is a risk that internal control activities may not be carried out effectively and in a timely manner. We have grouped three control activities related to effective management review and oversight: (1) reviews by management at the functional or activity level, (2) establishment and review of performance measures and indicators, and (3) management of human capital. Although we also include the control activity "top-level reviews of actual performance" in this grouping, we do not have any open recommendations to IRS related to this internal control activity. Reviews by Management at the Functional or Activity Level: Internal control standard: Managers need to compare actual performance to planned or expected results throughout the organization and analyze significant differences. IRS employs over 100,000 full-time and seasonal employees. In addition, as discussed earlier, Treasury's Financial Management Service contracts with banks to process tens of thousands of individual receipts, totaling hundreds of billions of dollars. Management oversight of operations is important at any organization, but is imperative at IRS given its mission. Implementing the following 11 short-term and 2 long-term recommendations would improve IRS's management oversight of courier services, contractor facilities, penalty calculations, timely release of liens, issuance of manual refunds, and use of appropriated funds. (See table 9.) These recommendations were made because an internal control activity either did not exist or the existing control was not being adequately or consistently applied. Table 9: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: ID no.: 99-22; Recommendations: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term) ID no.: 01-06; Recommendations: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term) ID no.: 05-33; Recommendations: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term) ID no.: 05-38; Recommendations: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term) ID no.: 07-24; Recommendations: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short-term) ID no.: 07-25; Recommendations: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term) ID no.: 07-27; Recommendations: Begin devising appropriate A-123 follow-up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved. (short-term) ID no.: 08-04; Recommendations: To address the inconsistency in assigning the effective date of an accuracy-related penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any associated accuracy- related penalty. (long-term) ID no.: 08-08; Recommendations: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers. (short-term) ID no.: 08-14; Recommendations: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term) ID no.: 09-02; Recommendations: Add specific requirements to the IRM to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time. (short-term) ID no.: 09-05; Recommendations: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. (long-term) ID no.: 09-11; Recommendations: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Establishment and Review of Performance Measures and Indicators: Internal control standard: Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators. IRS's operations include a vast array of activities encompassing educating taxpayers, processing of taxpayer receipts and data, disbursing hundreds of billions of dollars in refunds to millions of taxpayers, maintaining extensive information on tens of millions of taxpayers, and seeking collection from individuals and businesses that fail to comply with the nation's tax laws. Within its compliance function, IRS has numerous activities, including identifying businesses and individuals that underreport income, collecting from taxpayers who do not pay taxes, and collecting from those receiving refunds for which they are not eligible. Although IRS has at its peak over 100,000 employees, it still faces resource constraints in attempting to fulfill its duties. It is vitally important for IRS to have sound performance measures to assist it in assessing its performance and targeting its resources to maximize the government's return on investment. However, in past audits we have reported that IRS did not capture costs at the program or activity level to assist in developing cost-based performance measures for its various programs and activities. As a result, IRS is unable to measure the costs and benefits of its various collection and enforcement efforts to best target its available resources. The following short-term and two long-term recommendations are designed to assist IRS in (1) evaluating its operations, (2) determining which activities are the most beneficial, and (3) establishing a good system for oversight. (See table 10.) These recommendations call for IRS to measure, track, and evaluate the costs, benefits, or outcomes of its operations--particularly with regard to identifying its most cost- effective tax collection activities. Table 10: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: ID no.: 09-14; Recommendations: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. (short-term) ID no.: 09-15; Recommendations: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed and should include both personnel costs based on time spent on specific activities as well as all associated non- personnel costs and be drawn from or reconcilable to IRS's financial accounting system. (long-term) ID no.: 09-16; Recommendations: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Management of Human Capital: Internal control standard: Effective management of an organization's workforce--its human capital--is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities. IRS's operations cover a wide range of technical competencies with specific expertise needed in tax-related matters; financial management; and systems design, development, and maintenance. Because IRS has tens of thousands of employees spread throughout the country, it is imperative that management keeps its guidance up-to-date and its staff properly trained. Putting the following two short-term recommendations into effect would assist IRS in its management of human capital. (See table 11.) Table 11: Recommendations to Improve IRS's Management of Human Capital: ID no.: 07-08; Recommendations: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short- term) ID no.: 08-03; Recommendations: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term) Source: GAO analysis of financial management recommendations made to IRS. [End of table] Open Recommendations Arranged by Related Material Weakness, Significant Deficiency, Compliance Issue, or Other Control Issue: For several years, we have reported material weaknesses, significant deficiencies, noncompliance with laws and regulations, and other control issues in our annual financial statement audits and related management reports.[Footnote 17] To assist IRS in addressing those control issues, appendix II provides summary information regarding the primary issue to which each open recommendation is related. To compile this summary, we analyzed the nature of the open recommendations to relate them to the material weaknesses, significant deficiency, compliance issue, and other control issues not associated with a material weakness or significant deficiency identified as part of our financial statement audit. Concluding Observations: Increased budgetary pressures and an increased public awareness of the importance of internal control require IRS to carry out its mission more efficiently and more effectively while protecting taxpayers' information. Sound financial management and effective internal controls are essential if IRS is to efficiently and effectively achieve its goals. IRS has made substantial progress in improving its financial management since its first financial audit, as evidenced by unqualified audit opinions on its financial statements for the past 9 years, resolution of several material internal control weaknesses and significant deficiencies, and actions taken resulting in the closure of hundreds of financial management recommendations. This progress has been the result of hard work by many individuals throughout IRS and sustained commitment of IRS leadership. Nonetheless, more needs to be done to fully address the agency's continuing financial management challenges. Further efforts are needed to address the internal control deficiencies that continue to exist. Effective implementation of the recommendations we have made and continue to make through our financial audits and related work could greatly assist IRS in improving its internal controls and achieving sound financial management. While we recognize that some actions--primarily those related to modernizing automated systems--will take a number of years to resolve, most of the open recommendations can be addressed in the short term. Agency Comments and Our Evaluation: In commenting on a draft of this report, IRS expressed its appreciation for our acknowledgment of the agency's progress in addressing its financial management changes as evidenced by our closure of 35 open financial management recommendations from prior GAO reports. IRS also commented that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. We will review the effectiveness of further corrective actions IRS has taken or will take to address all open recommendations as part of our audit of IRS's fiscal year 2009 financial statements. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of OMB; the Chairman of the IRS Oversight Board; and other interested parties. The report is also available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions concerning this report, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: [End of section] Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: This appendix presents a list of (1) the 81 recommendations that we had not previously reported as closed, (2) Internal Revenue Service (IRS) reported corrective actions taken or planned as of April 2009, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed. It also includes recommendations based on our fiscal year 2008 financial statement audit. The appendix lists the recommendations by the date on which the recommendation was made and by report number. ID no.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions (short-term); Source report: Financial Management: Important IRS Revenue Information Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); Status per IRS: Open. The Deputy Commissioner, Services and Enforcement issued a memorandum in July 2008 emphasizing the need to use training modules and on-site assistance from the Servicewide Interest Program to ensure accurate calculations. Interest-related training was provided to personnel by January 2009, and additional guidance will be issued to Collection field personnel. SB/SE updated Internal Revenue Manual provisions and made upgrades to the commercial software program utilized to compute manual interest. SB/SE is developing a random sampling process to be completed by October 2009 to measure the accuracy of interest computations; Status per GAO: Open. During our fiscal year 2006 audit, we tested a statistical sample of manual interest transactions and estimated that 18 percent of IRS's manual interest population contains errors. We concluded that IRS controls over this area was still ineffective. The ineffectiveness of these controls contributes to errors in taxpayer records, which is a major component of the material weakness in IRS's management of unpaid assessments. While IRS has undertaken several actions to strengthen controls over this area, such as updating guidance and providing training related to manual interest calculations, it has yet to develop a sampling methodology to monitor the accuracy of its manual interest computation and assess the effectiveness of its corrective actions. Consequently, we did not test IRS controls in this area as part of our fiscal year 2008 audit, as both we and IRS believed that the actions taken by IRS thus far would not improve the accuracy of the manual interest calculations. We will continue to monitor IRS's actions to address this recommendation during future audits. ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Open. Small Business/Self-Employed (SB/SE) continues to request programming changes to increase Automated Trust Fund Recovery systemic processing to reduce the number of accounts requiring manual intervention. IRS reviews Trust Fund Recovery Penalty (TFRP) transactions to ensure accurate and timely recording, including Performance Assurance System reviews by a daily random selection of closed cases, management reviews of a random selection of both closed and open casework, and Headquarters Operational Reviews. In addition to the above reviews, Campus Compliance Services is exploring the development and implementation of a statistically valid sampling plan to monitor the accuracy and timeliness of the cross-referencing of payments and credits to TFRP accounts. The frequency and process for performing these internal reviews will be considered during development; Status per GAO: Open. IRS has made significant progress in this area over the past several years. For example, IRS established procedures to more clearly link each penalty assessment against a responsible corporate officer to a specific tax period of the business account and began phasing in the use of the Automated Trust Fund Recovery system intended to properly cross-reference payments received. IRS also enhanced the Automated Trust Fund Recovery system in fiscal year 2008 to begin automatically reducing the amounts owed on all related accounts when a payment is received from one related party. However, the system is currently unable to process all payments related to such cases. Consequently, IRS must continue to manually reduce the account balance on related accounts for some payments. Thus, the opportunity for errors and omissions continues to exist. Our most recent test indicates that IRS's controls in this area are still not effective in ensuring that all TFRP payments are correctly credited to all related parties in a timely manner. We will continue to monitor IRS's actions to address this recommendation during future audits. ID no.: 99-03; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Open. IRS is developing the Custodial Detailed Data Base (CDDB), which it believes will ultimately address many of the outstanding financial management recommendations. IRS implemented the first phase of the CDDB during fiscal year 2006. In fiscal year 2008, IRS enhanced CDDB to record unpaid assessments, including accrued penalties and interest in the general ledger by the various financial reporting categories. The Chief Financial Officer's (CFO) office continues to ensure the accuracy of the TFRP cross-referencing using weekly CDDB reports. The CFO provides SB/SE with identified errors so SB/SE can correct the taxpayers account and CDDB can correctly classify the transactions. CDDB is now classifying approximately 80 percent of the TFRP inventory where TFRP assessments are appropriately tracked for all taxpayers liable but counted only once for reporting purposes; Status per GAO: Open. During fiscal year 2008, IRS enhanced CDDB to begin regularly recording unpaid assessments, including accrued penalties and interest, from its master files to its general ledger by the various financial reporting categories (taxes receivable, compliance assessments, and write-offs). These enhancements established CDDB's capability to function as a subsidiary ledger for unpaid tax debt. However, due to inherent limitations in CDDB programs for classifying unpaid assessments into the correct financial reporting categories and inaccuracies in taxpayer records, IRS is still unable to use CDDB as its subsidiary ledger for external reporting of its unpaid assessments, and must continue to use a labor-intensive, manual compensating process to estimate the year-end balances of the various categories of unpaid tax assessments to avoid material misstatements to its financial statements. Specifically, IRS had to make over $28 billion in adjustments to the fiscal year-end 2008 gross taxes receivable balance produced by CDDB as part of its manual estimation process for financial reporting. Full operational capability of CDDB depends on the successful implementation of future system releases planned through 2009 and the ability of these releases to address current limitations in accurately classifying all of IRS's unpaid assessments. The lack of a fully functioning subsidiary ledger capable of producing accurate, useful, and timely information with which to manage and report externally is a major component of the material weakness in IRS's management of unpaid assessments. We will continue to monitor IRS's development of CDDB during our fiscal year 2009 and future audits. ID no.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting TFRP assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance (long-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Open. SB/SE completed the Control Point Monitor (CPM) pilot in May 2008 and prepared a CPM manual. The CPM serves as a conduit from the Area Office to the Campus for assessment. The CPM manual establishes specific timeframes in which the CPM must process/complete required TFRP actions. Implementation of the manual is currently being negotiated with the National Treasury Employees Union to address impact and implementation issues resulting from the changes to the CPM process. SB/SE has created a suite of managerial reports to provide oversight of the TFRP process. SB/SE continues to submit Work Requests and Information Technology Assets Management System tickets to enhance the assessment process to provide greater efficiencies in the processing and posting of TFRP assessments; Status per GAO: Open. During our fiscal year 2008 audit, we continued to identify long delays in processing and posting TFRP assessments. Although IRS has developed a draft of the CPM manual to provide better guidance for the timely processing of TFRP assessments, the manual is currently undergoing internal reviews and awaiting final approval for official use. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2009 audit. ID no.: 99-22; Recommendation: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Closed. All IRS field offices continue to provide training and to perform reviews to strengthen controls over remittances. SB/SE conducts reviews with each territory manager. Headquarters staff ensures Territory managers are enforcing the requirement for group managers to randomly sample remittance packages for review. Each area director receives a report with any findings and recommendations for implementation. All Tax Exempt and Government Entities (TE/GE) Division Directors continue to perform operational reviews to ensure their subordinate groups are properly processing all checks. TE/GE provides training and notices on these procedures. During fiscal year 2008, all managers certified in their 2008 Annual Assurance Review that vulnerable assets, such as cash, securities, and equipment, are physically secured and access to them is controlled. TE/GE will also implement by September 2009 requirements to verify that control procedures are in place during operational reviews, and include information on proper check handling procedures during training for new hires and Revenue Agents. Large and Mid-sized Business (LMSB) has incorporated instructions on the use of the U.S. Treasury Stamp in training given to new hires as part of their on the job training and periodically in group meetings. The use of the U.S. Treasury Stamp has also been incorporated into the Internal Revenue Manual (IRM) and is part of IRS's standard operating procedure used for processing payments; Status per GAO: Open. The objective of this recommendation was to create a mechanism for IRS to monitor the status of pervasive weaknesses in controls over taxpayer receipts and information that we have found at IRS's field offices over the years. The purpose of this monitoring is to facilitate the timely detection and effective resolution of issues and to verify the effectiveness of new and existing policies and procedures on an ongoing basis. During our fiscal year 2008 audit, we identified instances at (1) four SB/SE units where there was no segregation of duties between preparation of the payment posting vouchers and subsequent preparation of the related document transmittals and transmittal package; (2) four SB/SE units where a document transmittal form was not prepared when transmitting multiple Daily Report of Collection Activity forms to the Submission Processing (SP) Center; (3) three SB/SE units where there was no system in place to monitor acknowledged/unacknowledged transmittals to the submission processing center; (4) five SB/SE units where there was no evidence of managerial review of document transmittals; and (5) all 10 field offices where there were no procedures in place to verify that names on the duress alarm contact list were current and that appropriate first responders were contacted in the event of an emergency. Had IRS periodically reviewed the effectiveness of these controls in field offices as we recommended, these issues might have been detected and corrected. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 99-25; Recommendation: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes (short- term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Closed. IRS augmented its Modernization & Information Technology Services staff, and cross-trained employees to increase the appropriate depth of experience to perform the master file extractions and other ad hoc procedures for financial reporting purposes. Modernization & Information Technology Services reduced the Assembler Language Code programmer shortages and increased contractor support by 17 percent. IRS also continues to expand the use of CDDB during the annual audit, and the addition of trained Modernization & Information Technology Services and contractor staff ensures development of reliable balances for financial reporting purposes on a continuing basis; Status per GAO: Closed. IRS hired additional staff in the Custodial Accounting Branch, which has responsibility for the custodial financial statements. Also, employees were cross-trained and current systems expanded to better support the financial reporting of revenue, refunds, and unpaid assessments. In addition, IRS reduced its shortage of assembly language programmers by holding training classes for employees. ID no.: 99-29; Recommendation: Develop the data to support meaningful cost information categories and cost-based performance measures (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Status per IRS: Closed. IRS developed a cost accounting policy that provides guidance on managerial cost concepts for the agency, established an Office of Cost Accounting within the CFO, and completed several cost pilot projects to demonstrate the viability of its full cost methodology at the program level. Performance measures were enhanced, and the return on investment for the Earned Income Tax Credit program was completed with full cost information. As demonstrated by the cost pilots, IRS has the capability to use the cost data within the Integrated Financial System (IFS) and the associated workload and production data from IFS and its business unit systems to calculate the full costs of its products, services, and programs. The IFS contains 4 years of fully allocated cost data; Status per GAO: Closed. IRS has taken several actions to address this recommendation and improve its cost accounting capability. For example, in fiscal year 2007, IRS developed and issued its first cost accounting policy to provide guidance on the concepts and requirements for managerial cost accounting within IRS. In addition, in fiscal year 2008, IRS (1) established an Office of Cost Accounting within its CFO, (2) completed several cost pilots to demonstrate its capability to use the cost data within IFS and the associated workload and production data from its business unit systems to calculate the full costs of its products, services, and programs, and (3) completed development of the return on investment for the Earned Income Tax Credit program that includes full cost information. However, IRS has not extended the cost pilot methodology to develop full cost information on the full range of IRS's programs. Nevertheless, in order to provide recommendations more closely aligned with the current status, we have agreed with IRS to close this recommendation based on IRS's progress to date and have reported the remaining issues, along with related recommendations for corrective action, in our June 2009 management report. See GAO-09-513R and recommendations 09-14 and 09-15 in this report. ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Status per IRS: Open. IRS has established strong internal controls and procedures to enhance its ability to account for property and equipment in IFS. IRS is looking at enhancing its asset-tracking system to more closely reconcile physical asset records to the financial records. This would enable targeted reconciliations to occur; Status per GAO: Open. Our fiscal year 2008 property and equipment valuation testing revealed problems with the linking of the purchase of assets recorded in the general ledger system to the P&E inventory system, which indicates that IRS's detailed P&E records do not fully reconcile to the financial records. We will continue to monitor IRS's strategy in addressing these financial management systems issues. ID no.: 01-04; Recommendation: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, administrative support), as well as the expected additional tax collections generated (Short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Closed. IRS is using a workload delivery model in the development and monitoring of an Enterprise Collection Plan that aligns performance measures across all collection organizations to match results against the corporate measures. Results of the model are used to project inventory receipt patterns by function and category of work, allowing for improved management of corporate collection inventory and resource allocation. New models were implemented in the Inventory Delivery System on January 12, 2009. The use of a rules engine has also been incorporated in the Inventory Delivery System to systemically make changes to case routing based on modeling predictions and rules. Collection Case Selection continues to provide ad hoc case assignments for testing case routing. Cases are selected based on a set of criteria and routed to different treatments to determine where like cases should be routed in the future. The CFO also included return on investment calculations for its collection initiatives in the 2007, 2008, and 2009 Budget Submissions; Status per GAO: Closed. IRS has taken significant steps to address this recommendation. IRS built sophisticated computer modeling and risk assessment techniques with increased predictive power to improve IRS's ability to route unpaid tax cases to the appropriate enforcement resource. IRS estimated that those changes have resulted in several billion dollars in additional tax collections. IRS has also established governance councils for IRS's examination and collection activities. Finally, IRS has completed several actions to improve its ability to develop full cost information for its enforcement programs. Although IRS's actions taken to date are important, they have not fully addressed the objectives of our recommendation, such as completing the development of full cost methodologies for IRS's programs and activities. In order to provide recommendations more closely aligned with the current status, we have agreed with IRS to close this recommendation based on IRS's progress to date and have reported the remaining issues, along with related recommendations for corrective action, in our June 2009 management report. See GAO-09-513R and recommendations 09-14, 09-15, and 09-16 in this report. ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS continues to address issues that cause late lien releases through an internal Lien Release Action Plan and by conducting reviews as a part of its A-123 controls assessment process. Based on the annual sample of lien releases, the results of seven errors (liens released in an untimely manner) in 59 observations, yield a net most likely error of 12 percent, and (at greater than 95 percent confidence level), an upper error limit that could be as high as 21 percent. IRS added corrective actions to address issues found during the review. SB/SE is re-evaluating the fiscal years 2009 and 2010 overall lien release error rate goals and will submit changes to the Lien Release Action Plan; Status per GAO: Open. IRS has taken a number of actions over the past several years to address this issue. However, during our fiscal year 2008 audit, we continued to find that IRS did not always release liens in a timely manner. In IRS's own Office of Management and Budget (OMB) A-123 testing of lien releases, it identified 7 instances out of 59 cases tested in which it did not release the applicable federal tax lien within the statutory 30-day period. The time between the satisfaction of the liability and release of the lien ranged from 33 days to more than 494 days. Based on these results, IRS estimated that for about 12 percent of unpaid tax assessment cases that were resolved in fiscal year 2008, in which it had filed a tax lien, it did not release the lien within 30 days of the resolution of the case. IRS is 95 percent confident that the percentage of cases in which the lien was not released within 30 days does not exceed 21 percent. IRS's ineffective controls over this area results in its noncompliance with Internal Revenue Code Section 6325 which requires IRS to release its tax liens within 30 days of the date the related tax liability is fully satisfied. We will continue to monitor IRS's actions to address this recommendation in future audits. ID no.: 01-12; Recommendation: For (1) IRS's Automated Underreporter and Combined Annual Wage Reporting programs, (2) screening and examination of Earned Income Tax Credit claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities, and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Closed. IRS has taken steps to examine Earned Income Tax Credit claims, and to address the collection of Automated Underreporter and Combined Annual Wage Reporting as part of the workload delivery model. IRS updated the Earned Income Tax Credit error estimates and identified root causes of non-compliance. Additionally, in fiscal year 2008, IRS calculated a full-cost return on investment for Earned Income Tax Credit and completed an Automated Underreporter cost accounting pilot using IFS cost data. This pilot calculated the return on investment of Automated Underreporter case closures, which represented those cases that were closed after a notice was sent to the taxpayer. IRS established Exam and Collection governance bodies to improve collection efforts and implemented a modeling tool to better target collection efforts; Status per GAO: Closed. IRS has taken significant steps to address this recommendation, including those listed in the "status per IRS" column. IRS's cost pilot projects completed in fiscal year 2008, demonstrated IRS's ability to determine the full cost of its programs. Although IRS's actions taken to date are important, they have not fully addressed the objectives of our recommendation. For example, IRS's cost pilot project methodology is time-consuming and requires intensive manual intervention, and IRS has not completed the task of developing methodologies for its programs and activities. In order to provide recommendations more closely aligned with the current status, we have agreed with IRS to close this recommendation based on IRS's progress to date and have reported the remaining issues, along with related recommendations for corrective action, in our June 2009 management report. See GAO-09-513R and recommendations 09-14, 09-15, and 09-16 in this report. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS will continue to pursue alternative approaches to enhance its ability to account for leasehold improvements; Status per GAO: Open. We will continue to monitor IRS's development of alternative approaches to enhance its ability to account for P&E assets. ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities (long-term); Source report: Management Letter: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 2001); Status per IRS: Closed. The IRS is tracking and reporting the actual costs associated with reimbursable agreements through various business unit work load management tracking systems and IFS. The IRS Reimbursable Operating Guidelines established the procedures and processes for capturing direct and indirect costs associated with reimbursable agreements; Status per GAO: Open. IRS has improved its methodology for allocating its costs of operations at the business unit level. However, further actions are needed for it to accumulate and report actual costs associated with specific reimbursable projects. We confirmed that IRS's workload management tracking systems now capture details of time worked; however, these systems do not capture the full costs associated with specific reimbursable projects and do not interface with the general ledger (IFS) to capture all costs. We also noted that the fiscal year 2008 Reimbursable Operating Guidelines provide detail on determining the costs that should be included in the cost projection for a reimbursable agreement. However, the guidelines do not describe a process for determining the total actual costs incurred at the end of the agreement term, determining the difference between actuals and the original cost estimate, and refunding or billing for the difference. We will continue to monitor IRS's efforts to fully implement its cost accounting system and, once it has been fully implemented, evaluate the effectiveness of IRS's procedures for developing cost information for its reimbursable agreements. ID no.: 02-08; Recommendation: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Status per IRS: Closed. Employees itemize how their time is spent on specific projects/tasks in various workload management systems, and this information is utilized in the development of cost information which is used in resource allocation decisions; Status per GAO: Closed. IRS has taken action to address our recommendation. We confirmed that IRS currently uses 24 separate functional tracking (workload management) systems for various categories of employees to itemize and track their time charges. Collectively, these systems now capture details of time worked by project for all employees. ID no.: 02-09; Recommendation: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Status per IRS: Closed. IFS allocates nonpersonnel costs to programs monthly and makes available cost data to managers, including the full cost of operating business units, and details on the allocated costs (i.e., building rent, depreciation, support costs, etc.). All business units can run cost reports as needed; Status per GAO: Closed. IRS has taken actions to address this recommendation. We confirmed that IRS has improved its cost accounting capabilities by developing and implementing a methodology for allocating its costs of operations to its business units and to the cost categories on the Statement of Net Cost on a monthly basis. However, the cost categories on the Statement of Net Cost are at a higher level than specific programs and activities. Although IRS has developed full cost information on several IRS programs, IRS has not developed such information on the full range of IRS programs. However, in order to provide recommendations more closely aligned with the current status, we have agreed with IRS to close this recommendation based on IRS's progress to date and have reported the remaining issues, along with related recommendations for corrective action, in our June 2009 management report. See GAO-09-513R and recommendations 09-14 and 09-15 in this report. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments (short- term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Closed. Wage and Investment (W&I) has taken a number of actions to address this recommendation. Field Assistance emphasizes the requirement for including a document transmittal form listing the Daily Report of Collection Activity forms in transmittal packages, and ensuring that they are reconciled and reviewed. Territory managers review and discuss monthly reports with the group manager. Results of the reviews are forwarded to the area director. Operational reviews at all levels are conducted annually to ensure that field offices comply with the requirement to prepare Form 3210, which lists all Forms 795 being shipped to the SP Center. W&I completed its annual Filing Season Readiness Workshop for all taxpayer assistance center (TAC) managers, which addressed remittance and data security. New managers will attend the "Managing a TAC" course during fiscal year 2009, which provides ongoing training on payment processing and managerial reviews. Operational reviews completed for fiscal year 2008 revealed that the TAC managers are validating employee profiles to ensure restricted command codes were used according to guidelines; Status per GAO: Open. While IRS has cited that it is taking a number of actions to ensure existing receipt control policy requirements for segregation of duties are followed, one of the main mechanisms it uses to enforce this policy is training. IRS conducts an annual Filing Season Readiness Workshop for TAC managers and provides training for new TAC managers on collecting taxpayer receipts and conducting managerial reviews. During our review of the handouts provided for the annual readiness workshop we noted several sections that discussed IRS's policies related to segregation of duties. In contrast, we found that the "Managing a TAC" course for new TAC managers did not specifically address those policies. From our discussions with IRS officials, the Filing Season Readiness Workshop is conducted annually during the first quarter of the fiscal year. Consequently, new TAC managers assigned after the first quarter of the fiscal year will not receive the same level of training regarding segregation of duties. In addition, during our recent visits to selected TACs in March 2009, we found instances where segregation of duties related to accepting and recording walk-in payments were not implemented. ID no.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Open. Agency-Wide Shared Services (AWSS) Personnel Security has taken several short and long term measures to reduce the instance of SETS errors. The short-term measures include (1) publishing instructions on the Personnel Security intranet site for SETS users to follow while reviewing bi-weekly SETS reports, (2) issuing bi-weekly emails to all SETS users with the most current reports to be used in identifying and reporting errors to NFC, and (3) compiling weekly extracts of all enter-on-duty dates where there were no fingerprint results or where the results were after the enter-on-duty date and sending those to each employment office for updates and feedback. The long-term measures included requesting revisions to SETS; Status per GAO: Open. During our fiscal year 2008 audit, we continued to identify technical limitations and weaknesses with the SETS database. In addition, we found 248 instances where SETS was not updated in a timely manner or correctly for new-hire employees resulting in errors in the database. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 04-08; Recommendation: Enforce policies and procedures to ensure that service center campus security guards respond to alarms (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); Status per IRS: Closed. IRS performs monthly unannounced testing of guard response to alarms and test results are reviewed by the Security Programs Office to enforce and ensure compliance. Test results on guard response to alarms are consistently 98 percent or higher, indicating substantial compliance with IRS guidelines. Test procedures were formalized in IRM 10.2.14 Methods of Providing Protection, issued on October 1, 2008. In addition, the Guard Program Specialists from the Security Programs Office conduct unannounced alarm tests whenever they visit a site to do a Quality Assurance check of security posture and programs. Physical Security and Emergency Preparedness (PSEP) continues to utilize the Audit Management Checklist as a repeatable process where service center campuses (SCC) quarterly validate the performance and documentation of monthly unannounced alarm testing; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at two of the three SCCs we visited in which security guards did not respond to alarms within the time limit outlined in the IRM. In addition, at another SCC we visited, we identified an instance in which security guards did not fully investigate the source of an alarm. We will continue to evaluate IRS's enforcement of these policies and procedures during our fiscal year 2009 audit. ID no.: 05-11; Recommendation: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at service center campuses selected for significant reductions in their submission processing functions (short- term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar 10, 2005); Status per IRS: Closed. W&I Accounts Management continues to enforce the restricted area access through periodic training. Candling procedures are reinforced through monthly internal control reviews of the process. In January 2008, Accounts Management increased management oversight of internal controls by implementing formal monthly internal control reviews at the former Submission Processing rampdown sites. A revised review template was developed to evaluate the quality of IRS's internal control performance, identify potential deficiencies, and allow corrective actions to be taken immediately. The monthly results from each field director are forwarded to the Director, Accounts Management, and GAO. AWSS provides training when notified by W&I that a new monitor has been selected or when an existing monitor requires refresher training. Each campus badge office provides training to the restricted area door monitors as it pertains to the control, issuance, and inventory of the non-photo badges that are assigned at each site; Status per GAO: Closed. Accounts Management implemented a monthly review to monitor internal controls over taxpayer receipts and information at campuses selected for reductions in their submission processing functions. ID no.: 05-13; Recommendation: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. The Program, Planning, and Policy Office finalized and issued IRM 10.2.5 Identification Card on September 30, 2008. Section 10.2.5.6.2(2)a specifies that red photo ID cards may be issued to IRS contract employees who have a daily need on a continuing basis to be on site at a facility over a period of time, and who have been granted interim or final staff-like access to a facility/work area with sensitive systems or information. Before a red photo ID card may be issued, the contracting officer's technical representative must provide the Physical Security Office with a copy of the Personnel Security & Investigation background investigation letter approving interim or final staff-like access. PSEP continues to utilize the Audit Management Checklist as a repeatable process where SCCs quarterly validate the filing of contractor background investigation documentation; Status per GAO: Closed. We verified that IRS finalized and issued IRM 10.2.5 and continues to utilize the Audit Management Checklist to ensure that proper documentation is received and on file for contractors before they are granted staff-like access to service centers. During our fiscal year 2008 audit, we found no exceptions relating to SCCs granting contractors staff-like access before appropriate background investigations were completed. ID no.: 05-14; Recommendation: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. The Program, Planning, and Policy Office finalized and issued IRM 10.2.5 Identification Card on September 30, 2008. IRM 10.2.5.6.2(2)a specifies that the Form 5519, 13716-A or similar identification request Form 13760, and the interim or final background investigation letter must be retained and filed in the identification media file for each contractor for the life of the identification card. PSEP continues to utilize the Audit Management Checklist as a repeatable process where SCCs quarterly validate the filing of contractor background investigation documentation; Status per GAO: Closed. We verified that IRS finalized and issued IRM 10.2.5 and continues to utilize the Audit Management Checklist to ensure that proper documentation is received and on file for contractors before they are granted staff-like access to service centers. During our fiscal year 2008 audit, we found no exceptions. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Open. IRS revised IRM 5.1.2.4, Daily Report of Collection Activity-Form 795/795A, to establish segregation of duties procedures with respect to the preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages in the Collection Field function; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at four SB/SE units we visited where duties involving the preparation of payment posting vouchers, document transmittal forms, and transmittal packages were not segregated. Employees informed us that they were unaware of a related requirement in the IRM. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. W&I Field Assistance continues to take actions to emphasize the requirement for including a document transmittal form listing the Daily Report of Collection Activity forms in transmittal packages. Operational reviews were conducted at all levels during fiscal years 2007 and 2008 to ensure that field offices comply with the requirement to prepare Form 3210, which lists all Forms 795 shipped to the SP Center. Further, IRM 1.4.11-11 was revised on October 7, 2008, to include the purpose, frequency, and documentation required for managerial reviews, which includes a review of Form 3210s, and trends and error reports. The outcome of the operational reviews revealed that managers are complying with the IRM procedures outlined for document transmittal; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at four SB/SE units where a document transmittal form was not prepared when transmitting multiple Daily Report of Collection Activity forms to the SP Center. We will continue to evaluate this issue during our fiscal year 2009 audit. ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. The IRS enforces documentation requirements relating to authorizing officials charged with approving manual refunds. IRS created a standard authorization memorandum in September 2008 for all offices to use. This will negate the disparity among the campuses in creating local authorization forms. IRS issued its annual solicitation memorandum for authorizing officials charged with approving manual refunds in August 2008 and received the annual list of authorized signatures by October 31, 2008, per IRM 3.17.79.3.5(4) (d). SP completed a sample review as part of the Monthly Security Review Checklist per IRM 3.17.79.3.5(3), and completed a 100 percent review of the new annual list by December 31, 2008; Status per GAO: Open. During our fiscal year 2008 audit, we continued to find that the documentation requirements on memorandums, which are submitted to the manual refund units listing officials authorized to approve manual refunds, were not always complete. For example, some of the memorandums did not contain the signatures of the Heads of Office that delegated officials the authority to approve manual refunds while others did not contain the authorizing official's campus or field office organization information as required by the IRM. We verified that IRS created a standard authorization memorandum in September 2008. However, IRS implemented this corrective action and completed its review of the new annual list subsequent to our fiscal year 2008 field work. We will evaluate IRS's corrective actions during our fiscal year 2009 audit. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Open. IRS continued to enforce the requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds in fiscal year 2008. SB/SE Campus Compliance Services covered this topic in both Filing & Payment Compliance and Campus Reporting Compliance Operations during fiscal year 2008 reviews to ensure compliance with all IRM provisions for manual refunds. Submission Processing conducted refresher training at all sites by September 30, 2008, in team meetings and annual continuing professional education classroom training using IRM 21.4.4 and 3.17.79 as reference materials to reinforce the monitoring requirements. As a result of recent findings and quarterly review of the manual refund process in Accounts Management, both the monitoring and supervisory review process are being examined to identify means for improvement. Once the review is complete, consideration will be given to implementing any recommendations. Accounts Management continues its quarterly reviews of the manual refund process; Status per GAO: Open. During our fiscal year 2008 audit, we found instances where the manual refund initiators did not monitor accounts to prevent duplicate refunds and supervisors did not review the monitoring of accounts. IRS's review of the monitoring and supervisory review process for manual refunds has not been completed. We will continue to evaluate IRS's corrective actions during our fiscal year 2009 audit. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Open. IRS continued to enforce the requirements for documenting monitoring actions and supervisory review for manual refunds in fiscal year 2008. SB/SE Campus Compliance Services covered this topic in both Filing & Payment Compliance and Campus Reporting Compliance Operations during their fiscal year 2008 campus reviews to ensure all campuses continue to comply with all IRM provisions for manual refunds. Submission Processing conducted refresher training at all sites by September 30, 2008, in team meetings and annual continuing professional education classroom training using IRM 21.4.4 and 3.17.79 as reference materials to reinforce the monitoring requirements. As a result of recent findings and quarterly review of the manual refund process in Accounts Management, both the monitoring and supervisory review process are being examined to identify means for improvement. Once the review is complete, consideration will be given to implementing any recommendations. Accounts Management continues its quarterly reviews of the manual refund process; Status per GAO: Open. During our fiscal year 2008 audit, we continued to find instances where the manual refund initiators did not document their monitoring of accounts to prevent duplicate refunds. IRS's review of the monitoring and supervisory review process for manual refunds has not been completed. We will continue to evaluate IRS's corrective actions during our fiscal year 2009 audit. ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. Accounts Management has procedures in place for the periodic supervisory review and documentation of the Form 3210 reconciliation process, which is designed to follow up on unacknowledged forms. This process is designed to provide a timely account of any discrepancy between the documents listed on the Form 3210 and those received. For the last 3 years, conference calls have been conducted with each directorate to reinforce the correct processing of Form 3210s. Recent actions to address the recommendation include having "Form 3210 Processing" as an agenda item on the Refund Inquiry Units' conference call. In addition, the quarterly Accounts Management internal control Form 3210 review now requires that the Refund Inquiry Unit be included in the review; Status per GAO: Open. During our fiscal year 2008 audit, we identified an instance at one SCC where the Refund Inquiry Unit manager did not perform or document periodic reviews of forms used to transmit returned refund checks. We will continue to evaluate IRS's actions during our fiscal year 2009 audit. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. IRS has procedures in place to ensure compliance with tracking acknowledgement copies of document transmittals. W&I Account Management continues to analyze the results of its quarterly reviews. Field Assistance revised the IRM provisions during 2007 to provide procedures for requiring TACs to follow up with SP Centers when acknowledgments are not received within 10 days. Field Assistance revised other IRM provisions to include more detail for processing Form 3210. The IRM provides guidance to maintain centralized files for acknowledged Form 3210 for three years, and provides guidance for handling unacknowledged Form 3210. Offices transmitting receipts have a system to track acknowledged copies of document transmittals. All TE/GE Division Directors continue to use the Quick Reference Guide for Processing Checks, including a check sheet and flowchart developed for the TE/GE Exam Managers to use when performing operational reviews to ensure their subordinate groups are properly processing all checks. TE/GE will also implement by September 2009 requirements for each Examination Area Manager to verify tracking measures are in place in all their groups. LMSB has completed all its planned actions with regard to this recommendation and will continue to issue an annual executive memorandum on Form 3210 procedures around July 2009; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at three SB/SE units and two TACs where there was no system in place to monitor acknowledged/unacknowledged transmittals to the SP Center. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. IRS revised the IRM on October 1, 2008, to include more detail for processing Form 3210. IRM 1.4.11.19.1 provides guidance to maintain centralized files for acknowledged Form 3210 for 3 years. Operational Reviews revealed that managers are in compliance with conducting and documenting the document transmittal review that includes the reconciliation process of Forms 3210 and 795. All managers were reminded to conduct these reviews at the Filing Season Readiness Workshop completed by December 15, 2008. The Refund Inquiry Unit continues to be included in the Accounts Management quarterly internal control review of document transmittal procedures. The review checklist includes the timely follow-up and documentation of Form 3210 acknowledgements as well as the required periodic managerial review. For TE/GE, each front line Examination group manager will ensure they complete reviews of document transmittals, and TE/GE is adding an additional question to TE/GE's 2009 Annual Assurance Review to certify all managers addressed this issue by June 2009; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at five SB/SE units and eight TACs where there was no evidence of managerial review of document transmittals and one instance at a SCC where the Refund Inquiry Unit manager did not perform or document periodic reviews of forms used to transmit returned refund checks. Moreover, the corrective actions cited by IRS were implemented after our fiscal year 2008 fieldwork. We will continue to evaluate IRS's corrective actions during our fiscal year 2009 audit. ID no.: 06-05; Recommendation: Equip all TACs with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. IRS continues to work to improve security and control access issues in the TACs. Of the 401 TAC locations, 183 have been built to design standard, with another 14 scheduled for completion by the end of January 2009. Forty-five projects have been approved to implement the TAC model in 2009, with another 30 projects pending final approval and funding. Forty-four projects are in development for implementation from 2010 through 2014. IRS will work to address any concerns with the space design/layout of TAC space and continue to roll out the TAC Design Model in the remaining locations. While implementation of the TAC Model Design is the ideal solution, implementation of compensating controls such as theater ropes or other barriers, signage and minor alterations/reconfigurations have been incorporated in many TAC locations as an interim measure. Using a variety of criteria including security, safety and health concerns, IRS has identified priority locations for the implementation of the TAC Design Model; Status per GAO: Open. We will continue to evaluate IRS's actions during our fiscal year 2009 audit. ID no.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. Field Assistance uses the TAC Security Remittance Review Database, which requires managers to conduct and document their reviews to ensure the protection of data and compliance with remittance and security procedures. Field Assistance implemented the TAC Security Remittance Review Database during the first quarter of fiscal year 2007. Since implementation, IRS has had numerous problems with the system due to technological limitations. Some of the problems IRS encountered include erroneously deleted information and an inability to save and transmit reports. IRS has attempted to secure funding and assistance to convert the database to a user-friendly Web version. The system was converted to a Web-modified application effective the second quarter of fiscal year 2009. This is only a temporary resolution until funding is secured. While the database was being revised, the area offices were still responsible for completing the reviews using Data Collection Instruments for the first quarter. In addition, IRS also tested the Web design prior to its implementation and has initiated a review process to engage headquarters, areas and territory management staff to identify and correct the database entries. The process will include sampling and conducting operational reviews as assurance of the database integrity. To enhance everyone's understanding of the process, talking points will be developed for discussions between the territory and group managers; Status per GAO: Open. IRS continues to implement its new process for providing oversight of TACs not having a manager permanently on-site during our fiscal year 2008 audit. Because the process was not fully functional, we were unable to test its implementation during our audit fieldwork. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. IRM 10.2.14 Methods of Providing Protection will be revised by September 30, 2009, to state: "A record of all instances involving the activation of any alarm regardless of the circumstances that may have caused the activation, must be documented in a Daily Activity Report/Event Log, or other log book and maintained for 2 years;" Status per GAO: Open. During our review and evaluation, we found that IRS's corrective actions relating to the recordation of all instances involving alarm activations in the Daily Activity Report/Event Log, or other log book, were not included in the final version of the IRM. We will continue to assess IRS's corrective actions during our fiscal year 2009 audit. ID no.: 06-15; Recommendation: Revise the physical security procedures in the IRM to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. IRS performs monthly unannounced testing of guard response to alarms, and test results are reviewed by the Security Programs Office to enforce and ensure compliance. According to IRS, test results on guard response to alarms are consistently 98 percent or higher, indicating substantial compliance with IRS guidelines. Test procedures were formalized in IRM 10.2.14 Methods of Providing Protection issued on October 1, 2008. PSEP continues to utilize the Audit Management Checklist as a repeatable process, and SCCs validate quarterly the performance and documentation of monthly unannounced alarm testing; Status per GAO: Closed. IRS revised IRM 10.2.14 to include requirements to perform and document monthly tests of intrusion detection alarms, including guard responses to alarms. Also, IRS's Audit Management Checklist contains review steps for physical security analysts to determine whether SCCs and respective annex facilities that process taxpayer receipts and/or information perform and document monthly tests of intrusion alarms. ID no.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. This item remains closed since fiscal year 2006, with AWSS continuing to regularly follow up on disposal actions. During fiscal year 2008, IRS implemented a new wizard tool that caused a system glitch which prevented IRS from updating all disposals within 10 work days. Several IRS staff were aware of the glitch and were working on the issue. As a result, the disposal action that should have been updated in 10 days was actually updated in 15 work days; Status per GAO: Open. In fiscal year 2006, IRS re-engineered the P&E asset retirement and disposal process to generate exception reports that enable management to regularly monitor the aging of transactions during the disposal process. However, our testing in fiscal years 2007 and 2008 noted that disposals shown on the exception report were not always being recorded in a timely manner. During our fiscal year 2009 audit, we will verify that the new software enhancement is operating as intended. ID no.: 07-01; Recommendation: Enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS revised the language in Lockbox Security Guidelines (LSG) 2.17.8 (9) to mitigate the risk as outlined in the Lockbox Electronic Bulletin issued on July 17, 2008. As of September 1, 2008, all lockbox sites use file encryption, and are in compliance with the requirements as outlined in the Lockbox Electronic Bulletin; Status per GAO: Closed. IRS revised its LSG to require lockbox banks to encrypt backup media containing taxpayer information. IRS has included this issue as one of the areas tested during its annual reviews of information technology security at its lockbox banks. During our fiscal year 2008 internal control testing, we did not identify any instances where lockbox banks were not encrypting backup media containing federal taxpayer information. ID no.: 07-02; Recommendation: Ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 LSG (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS revised the language in LSG 2.17.8 (9) to mitigate the risk as outlined in the Lockbox Electronic Bulletin issued on July 17, 2008. As of September 1, 2008, all lockbox sites store backup media containing federal taxpayer information at an off-site location and are in compliance with the requirements as outlined in the Lockbox Electronic Bulletin; Status per GAO: Closed. IRS revised its LSG to require lockbox banks to store backup media containing taxpayer information at an off-site location. IRS has included this issue as one of the areas tested during its annual information technology security reviews at lockbox banks. ID no.: 07-03; Recommendation: Revise instructions for the annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS revised the Information Technology Data Collection Instruments, which are used during the annual reviews of lockbox banks, and the related instructions (1) to ensure that the data/image transmissions sent through the Lockbox Electronic Network are encrypted prior to transmission and (2) to validate that all backup media containing personally identifiable information is stored and protected as required in the Lockbox Electronic Bulletin; Status per GAO: Closed. IRS revised its Information Technology Data Collection Instrument to test whether lockbox banks are (1) encrypting personally identifiable information prior to transmission and (2) storing backup media containing personally identifiable information at an appropriate off-site location. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. PSEP developed and implemented an action plan requiring all SCCs to (1) perform and validate completion of an assessment of their CCTV to ascertain if it provided an unobstructed view of the exterior of the campus perimeter, and (2) identify problems and planned corrective actions to mitigate the identified problems. All SCCs validated completion of the CCTV assessment and a total of 16 problems were identified. Progress on corrective actions was monitored and reported to PSEP management on a monthly basis. All corrective actions were addressed: 14 were resolved by the installation of CCTV cameras and/or removal of obstructions, and 2 were determined by management to meet an acceptable level of risk. PSEP continues to utilize the Audit Management Checklist as a repeatable process where SCCs quarterly validate CCTV coverage of the campus fence line and perimeter. The reported corrective actions were completed January 10, 2008. PSEP will continue to place emphasis on CCTV camera coverage, as well as perform regularly scheduled risk assessments of IRS facilities; Status per GAO: Open. On January 10, 2008, IRS completed an assessment of its CCTVs in all SCCs to ascertain whether they provided an unobstructed view of its campuses' exterior perimeter. However, IRS's assessment did not account for the CCTV weaknesses that were reported in the Fresno SCC's January 2007 risk assessment, which continued to exist during our April 2009 visit. During our visit, we found that the CCTVs did not provide an unobstructed view of the building exterior or fence line, many of the CCTVs were not wired properly and could not be used to their full potential. While these weaknesses were reported in the January 2007 risk assessment, Fresno was one of the four SCCs that did not report any specific weaknesses to the PSEP management that requested the assessment of the CCTVs. In view of the weaknesses we observed, it is unclear how the Fresno campus reached its conclusion that no CCTV problems were reportable to the PSEP requestors performing the assessment. We will continue to assess IRS's actions during our fiscal year 2009 audit. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. All W&I functions, except Accounts Management, conducted training during 2007 and 2008 for manual refund initiators to ensure they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. W&I Compliance completed its training for manual refund initiators in the W&I campuses in April 2008. SP conducted refresher training during fiscal years 2007 and 2008 (continuing professional education) and will include again in the fiscal year 2009 continuing professional education. SP management reviews history sheets annotated with taxpayer identification numbers, tax period, transaction code, date, and initials of initiator. Accounts Management manual refund training has been delayed due to the Economic Stimulus Package workload. Accounts Management is re-examining manual refund monitoring procedures and will reschedule the training in fiscal year 2009 once the review is complete and any changes implemented; Status per GAO: Open. During our fiscal year 2008 audit, we found instances where the manual refund initiators did not receive training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds. We will continue to evaluate IRS's corrective actions during our fiscal year 2009 audit. ID no.: 07-09; Recommendation: Enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary Social Security numbers shown on a joint tax return and apply credits to those balances before issuing any refund (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. On January 20, 2008, SB/SE implemented the programming to check for outstanding liabilities associated with both the primary and secondary Social Security numbers on a joint tax return for offsetting to any outstanding TFRP liability before issuance of a refund; Status per GAO: Closed. We verified that IRS implemented the programming change to check for outstanding liabilities associated with both the primary and secondary Social Security numbers on a joint tax return for offsetting to any outstanding TFRP liability before issuance of a refund. We reviewed the accounts of a number of taxpayers who (1) were assessed a TFRP, (2) filed a joint personal income tax return with a spouse, (3) listed her or his Social Security number as the second one on the tax return, and (4) had credits on the personal income tax account. In each of these cases, we verified that IRS's computer program identified the outstanding TFRP and applied the credits to the TFRP balance before sending any refund to the taxpayer. Additionally, according to IRS, their analysis identified over $10 million of refund offsets that have occurred from January 2008 to March 2009 as a result of this corrective action. ID no.: 07-11; Recommendation: Correct the penalty calculation programs in the master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. SB/SE implemented a system change in January 2007 to correct the failure-to-pay (FTP) penalty calculation program. In June 2008, SB/SE conducted a review of the programming change and determined the program is correctly charging the reduced rate on subsequent assessments. There was a small subpopulation of accounts that the system change did not correct. IRS worked on an additional system change to correct penalty calculation programming affecting the remainder of the cases and completed its corrective action in August 2008; Status per GAO: Closed. We verified that IRS's system corrected the FTP penalty calculation program. We reviewed the accounts of a number of taxpayers for whom: (1) IRS increased the FTP penalty rate assessed against the taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent when the taxpayer failed to pay following repeated notification of the taxes due, (2) the taxpayer subsequently paid off the balance for the specific tax period, and (3) following its system change, IRS assessed the taxpayer additional taxes owed for the same tax period and a related FTP penalty. In each of these cases, we verified that the FTP penalties were calculated in accordance with the applicable IRM guidance. ID no.: 07-12; Recommendation: Research each of the taxpayer accounts that may have been affected by the penalty programming errors to determine whether they contain overassessed penalties and correct the accounts as needed (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS implemented in January 2007 and August 2008 the change to the FTP penalty calculation program and also recalculated the FTP amount using the correct rate on all open taxpayer accounts with this penalty; Status per GAO: Closed. We verified that IRS's system change resulted in FTP penalties being calculated in accordance with the applicable IRM guidance on open taxpayer accounts. We reviewed the accounts of a number of taxpayers from IRS's unpaid assessment inventory for whom: (1) IRS had increased the FTP penalty rate assessed against the taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent when the taxpayer failed to pay following repeated notification of the taxes due, (2) the taxpayer subsequently paid off the balance for the specific tax period, and (3) IRS assessed the taxpayer additional taxes owed for the same tax period, with related FTP penalties. In each of these cases, we verified that the total recorded FTP penalty assessments on the account were in accordance with the applicable IRM guidance. ID no.: 07-13; Recommendation: Establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008 with revisions to 5.1.2.5.3.1(1) through (7) directing employees to make the specific determinations and to take the specific actions contained in this recommendation; Status per GAO: Closed. IRS revised its IRM in September 2008 to include instructions specifically addressing this recommendation. The IRM now instructs IRS employees to (1) determine if the payment is sufficient to cover the tax liability of the tax period specified on the payment, (2) perform additional research and resolve any outstanding issues on the account, including determining if there are any freeze codes that will delay credit posting, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. ID no.: 07-14; Recommendation: Establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008 with revisions to 5.1.2.5.3.1(1) through (7) directing employees to make the specific determinations and to take the specific actions contained in this recommendation; Status per GAO: Closed. IRS revised its IRM in September 2008 to include instructions specifically addressing this recommendation. The IRM now instructs IRS employees to (1) determine if the payment is sufficient to cover the tax liability of the tax period specified on the payment, (2) perform additional research and resolve any outstanding issues on the account, including determining if there are any freeze codes that will delay credit posting, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. ID no.: 07-15; Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. SB/SE has requested Counsel guidance related to lien releases after discharge to determine if a memorandum is needed. SB/SE will issue a memorandum to employees by May 2009, if necessary; Status per GAO: Open. As part of its own fiscal year 2008 OMB A-123 testing of lien releases, IRS tested a statistical sample of taxpayer accounts requiring a lien release during 2008. In its testing, IRS again identified a case in which it did not release the applicable federal tax lien within the statutory 30-day period because it did not update the taxpayer's account in a timely manner to reflect that the taxpayer had been discharged of the taxes in a bankruptcy court. The untimely recording of bankruptcy discharges results in the untimely release of tax liens and is directly related to IRS's noncompliance with Internal Revenue Code Section 6325 which requires IRS to release its tax liens within 30 days of the date the related tax liability is fully satisfied. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2009 audit. ID no.: 07-17; Recommendation: Monitor installment agreement user fee activity on a regular basis (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. W&I Compliance continues to use the Installment Agreement Account Listings (IAAL) report to monitor user fee activity. In January 2008, IRS implemented enhancements to the report and increased the frequency of the sweep process from quarterly to weekly; Status per GAO: Closed. IRS runs edit checks to test the validity of recorded installment agreements, including the user fees, which results in the identification of potential errors that are then listed on the IAAL. We verified that IRS improved its IAAL report process by grouping items that appear on the IAAL into tiers based on priority and establishing time frames by tier for investigating and resolving these potential errors. In addition, we confirmed that IRS now performs managerial reviews on IAAL cases processed by its collection operations. IRS also increased the frequency of its computer sweep recovery process, which is intended to identify unrecorded user fees, from a few times a year to once a week, thus increasing the timeliness and accuracy of recorded individual taxpayer user fees. ID no.: 07-18; Recommendation: Adjust errors in recorded installment agreement user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. W&I Compliance uses a weekly sweep process to reconcile installment agreement payments and adjusts those with discrepancies or errors to ensure that fees are accurately posted to the user fee account; Status per GAO: Closed. W&I Compliance's weekly sweep process is designed to identify and correct for unrecorded user fees collected with the initial installment agreement payment. We verified that IRS's improvements to its installment agreement user fees monitoring process will help ensure that errors in recorded installment agreement user fees are identified and corrected in a more timely manner. Additionally, we did not identify any instances of errors in recorded installment agreement user fees during our fiscal year 2008 audit. ID no.: 07-19; Recommendation: Establish sufficient review procedures to help ensure that adjustments to installment agreement user fees collected from taxpayers are accurately and timely recorded (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. W&I Compliance uses the Installment Agreement Account Listings report to identify accounts with user fee errors, underpayments, and overpayments that require adjustments. W&I consolidated the report listing at one location to provide improved oversight of the process. Both W&I and SB/SE program analysts, managers, operations management, and headquarters staff conduct reviews of the report listing. In January 2008, IRS implemented enhancements to the report and increased the frequency of the sweep process used to correct accounts from quarterly to weekly. IRS also updated IRM 5.19.1 in January 2008 to include requirements for case analysis and documentation; Status per GAO: Closed. We verified that IRS conducts managerial and operational reviews on its W&I Compliance Service Collection Operations, the division responsible for making the appropriate adjustments for errors in recorded installment agreement user fees. Additionally, we did not identify any errors in recorded installment agreement user fees tested during our fiscal year 2008 audit. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. The IRS plans to implement the following procedures to ensure that sufficient secured space is maintained for Automated Data Processing (ADP) and Non-ADP assets: Requesters needing space are to initiate an Employee Resource Center ticket requesting "Property Consultation" services, which initiates Real Estate and Facilities Management (REFM) activity to work with the requester on obtaining the needed secured storage space. When Modernization & Information Technology Services property managers need secure storage, narrative associated with the Employee Resource Center work ticket must state: "Need to consult with local REFM staff on providing a secure storage alternative for ADP equipment." This procedure is to be used for asset distribution staging or when assets are to be excessed. This policy is effective March 30, 2009; Status per GAO: Open. IRS completed its corrective action plan after the end of our fiscal year 2008 audit. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 07-21; Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. AWSS Procurement issued policy Change Notice 07- 08, which contains a revision to Policy and Procedure Memorandum 46.5, Receipt, Quality Assurance and Acceptance. The revision limits situations in which contracting officers may perform receipt and acceptance. In addition to the Policy and Procedure Memorandum 46.5, the IRS Acquisition Procedure Subpart 1003.90--Separation of Duties and Management Controls--requires separation of duties for requisition approval, certification of funds, contract award, and receipt and acceptance. Procurement runs Web Request Tracking System reports to review the instances where contracting officers performed receipt and acceptance to ensure that the receipt and acceptance falls within exceptions/procedures outlined in the Policy and Procedure Memorandum 46.5; Status per GAO: Open. During our fiscal year 2008 audit, we noted that IRS revised its policy to reflect the situations under which contracting officers may perform receipt and acceptance functions. In addition, the IRS Acquisition procedures require that no employee shall perform more than one of the following four functions: (1) requisition approval for supplies and/or services, (2) certify the availability of funds, (3) conduct the procurement and execute the contractual document, and (4) receive the supplies or services. However, during our fiscal year 2008 audit testing, we continued to find instances where individuals were performing incompatible functions. We will continue to review actions taken by IRS during our fiscal year 2009 audit. ID no.: 07-22; Recommendation: Document the results of internal control tests conducted in a manner sufficiently clear and complete to explain how control procedures were tested, what results were achieved, and how conclusions were derived from those results, without reliance on supplementary oral explanation (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. IRS revised its A-123 guidance to include templates and procedures for compiling, referencing, and reviewing audit working papers to ensure that the results of internal control tests are clear and complete to explain how control procedures were tested, what results were achieved, and how conclusions were derived from those results. During the fiscal year 2008 cycle, the Office of Corporate Planning and Internal Control assigned test team leaders and independent Office of Corporate Planning and Internal Control reviewers to examine workpapers to ensure the test team sufficiently documented their work to support their conclusions. The A-123 guidance requires that each set of work papers include a summary of findings statement setting out the conclusion reached after performing the transaction testing; Status per GAO: Closed. During our fiscal year 2008 IRS financial audit, we verified that IRS revised its A-123 guidance to include templates that clearly outline how to document and explain what control tests were performed, the scope of control tests, and the results of internal control tests performed. IRS's A-123 guidance also requires that each set of workpapers include a summary of findings statement that clearly concludes on results of test procedures performed by staff. We verified that IRS's workpapers documenting A-123 testing substantially conformed to the A-123 guidance. ID no.: 07-23; Recommendation: Clearly document how IRS considered existing reviews and audits in determining the nature, scope, and timing of procedures it planned to conduct under its OMB Circular No. A-123 process (short- term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. During the development of fiscal year 2008 A- 123 internal control test plans, IRS analyzed and documented open recommendations related to the internal control process/transaction being tested. IRS considered the open recommendation findings while developing the process/transaction test plan. IRS will continue to incorporate the open recommendation findings while planning A-123 testing; Status per GAO: Closed. During fiscal year 2008, we verified that IRS included a requirement in its A-123 guidance to determine the adequacy and value of management actions taken in response to audits performed by GAO and the Treasury Inspector General for Tax Administration relating to financial reporting. We also verified that IRS review staff followed the A-123 guidance in performing internal control reviews. ID no.: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS will continue to work with Treasury and Modernization & Information Technology Services to fully implement A- 123 requirements for evaluating controls over information technology relating to financial statement reporting. IRS will identify areas where the work conducted under FISMA does not meet A-123 requirements and consider information security findings and recommendations to ensure testing procedures meet A-123 requirements; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing this recommendation. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS revised a limited set of fiscal year 2008 test plans to pilot the requirement to include an analysis of the design for each transaction control set tested. This project is planned for completion during the fiscal year 2009 A-123 cycle; Status per GAO: Open. We verified that IRS revised a limited number of A-123 test plans to include an analysis of the design of internal controls tested. During our fiscal year 2009 audit, we will continue to review the remaining test plans as IRS revises them. ID no.: 07-26; Recommendation: Work with Treasury to identify laws and regulations that are significant to financial reporting, test controls over compliance with those laws and regulations, and evaluate and report on the results of such control reviews (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. In fiscal year 2007, IRS established an internal crosswalk between A-123 tests and laws and regulations significant to financial reporting. In fiscal year 2008, IRS updated the crosswalk to a listing of laws and regulations which were expanded to include all specific public laws and took the additional step of incorporating GAO audit methodology into the linkage; Status per GAO: Closed. We obtained and reviewed IRS's laws and regulations crosswalk and verified that IRS had identified and planned appropriate procedures to test controls over laws and regulations considered significant to financial reporting. ID no.: 07-27; Recommendation: Begin devising appropriate A-123 follow-up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS is considering alternative procedures for testing transactions to provide assurance for the last 3 months of the fiscal year. Although implementation of such procedures is not necessary until elimination of the outstanding material weaknesses, IRS intends to propose follow-up procedures before the end of the fiscal year; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing this recommendation. ID no.: 07-28; Recommendation: Provide A-123 review staff appropriate training, such as that available for financial auditors, to enhance their skills in workpaper documentation, identification and testing of internal controls, and evaluation and documentation of results (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Closed. Members of the IRS A-123 workgroup completed the United States Department of Agriculture Graduate School course, Audit Evidence and Working Papers, covering methods for collecting and documenting types of evidence needed to support audit reports and to meet professional standards, during the fall of 2007. IRS used concepts from this course and best practices from previous cycles to improve the curriculum over previous years for the annual IRS A-123 Training Workshop to improve proficiency in documentation and analysis in the transactional testing. The training also covers the process to be followed when reviewing or performing tests of internal controls, developing a determination as to whether or not the controls are functioning properly, and evaluating the materiality of errors. The Office of Corporate Planning and Internal Control is currently developing an IRM provision for reference to reinforce the A-123 guidance provided during the training; Status per GAO: Closed. We verified that IRS developed an appropriate annual training workshop designed to ensure that their A-123 review staff enhance their skills in workpaper documentation, identification and testing of internal controls, and evaluation and documentation of test results. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA) (long- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. IRS instituted the use of trace identification numbers for revenue and refund transactions in fiscal year 2008 to provide traceability from the general ledger for tax transactions back to source documentation and throughout IRS financial management systems. IRS is currently developing additional internal controls for tax revenue transactions processed outside of the Electronic Federal Tax Payment System, and for transactions recorded into IRACS requiring manual transcription. IRS is working to revise each appropriate IRM provision and requested programming to implement system controls in payment systems to prevent, detect, and correct such transcription and input errors by fiscal year 2010. IRS is also developing the Redesign Revenue Accounting Control System, an enhancement of IRACS that will incorporate the United States Standard General Ledger. IRS plans to implement Redesign Revenue Accounting Control System in January 2010; Status per GAO: Open. During our future audits, we will continue to evaluate IRS's progress in achieving transaction traceability for tax revenues processed outside of the Electronic Funds Transaction Payment System and taxes receivable transactions. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. Revenue Financial Management documented the procedures the statistician performs in each step of the unpaid assessments estimation process by June 2008. Revenue Financial Management is enhancing each of these procedures to include additional steps based on the fiscal year 2008 audit. Revenue Financial Management will provide the new procedures by May 2009; Status per GAO: Open. During our fiscal year 2008 audit, we continued to find errors in IRS's unpaid assessment estimates that were not detected by IRS's internal reviews. IRS corrected these errors after we brought them to its attention. However, until IRS fully documents the specific procedures performed by its statistician in each step of the unpaid assessment estimation process and the specific procedures for reviewers to follow in their reviews, IRS faces increased risk that errors in this process will not be prevented or detected and corrected. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2009 audit. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. In June 2008, Revenue Financial Management documented the procedures reviewers should follow during their review of the statistical estimates. Revenue Financial Management is adding additional levels of review and oversight for fiscal year 2009 and is finalizing a Memorandum of Understanding with the Office of Program Evaluation and Risk Analysis to perform an independent review; Status per GAO: Open. During our fiscal year 2008 audit, we continued to find errors in IRS's unpaid assessment estimates that were not detected by IRS's internal reviews. IRS corrected these errors after we brought them to its attention. However, until IRS fully documents the specific procedures performed by its statistician in each step of the unpaid assessment estimation process and the specific procedures for reviewers to follow in their reviews, IRS faces increased risk that errors in this process will not be prevented or detected and corrected. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2009 audit. ID no.: 08-04; Recommendation: To address the inconsistency in assigning the effective date of an accuracy-related penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any associated accuracy-related penalty (long- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. In January 2009, IRS implemented programming changes to the Business Master File computer program where accuracy- related penalties assessed subsequent to the programming change will carry the same date as the related deficiency assessment; Status per GAO: Open. IRS completed its corrective action after the end of our fiscal year 2008 audit. We will review IRS's corrective action to address this recommendation during our fiscal year 2009 audit. ID no.: 08-05; Recommendation: Complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the IRM (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. IRS assembled a team of interest and penalty subject matter experts to perform a review of master file programming of penalty and interest computations. The review included a general random sample of open modules as well as a sample of modules impacted by recent implementation of programming changes. SB/SE performed the review the week of May 19, 2008. SB/SE will continue to perform these reviews periodically and implement any necessary changes to programming as a result; Status per GAO: Closed. We confirmed that IRS completed its review of existing master file computer programs that affect penalty calculations and documented a listing of instances in which programs are not functioning in accordance with the intent of the IRM. ID no.: 08-06; Recommendation: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. IRS formed a cross-functional working group to address penalty and interest programming issues in August 2007. This group meets biweekly and continues to identify and assess penalty and interest issues. When issues that need correction are identified, programming changes are requested and IRS performs subsequent testing to ensure that the programming change resolved the issue. Resolutions of these identified issues are in various stages. Other issues are being discussed with Modernization & Information Technology Services to determine the most effective way to implement programming changes, and on certain cases an impact analysis determined correction is not cost effective at this time. Solutions to identified systemic differences between IRS systems that cannot be fixed under the current processing system are being addressed by modernization efforts; Status per GAO: Open. Although IRS completed its review of master file computer programs that affect penalty calculations and has planned a series of corrective actions, it has not yet completed all of the required programming corrections. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2009 and future audits. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. Managers follow IRM 1.4.11 as comprehensive guidance for conducting reviews at all TACs. TAC managers use the one- day receipt per TAC per quarter process to ensure at least once per quarter, the manager performs a one day review of all payment receipts as well as the documents associated with the receipts for all employees with payment receipts on the date chosen for review. Area directors are responsible for the oversight of all TAC activities including outlying post of duties. IRM 1.4.11.6.2 outlines the scheduled routine visit requirement for each TAC and Exhibit 1.4.11-11 gives a description of all required reviews for each TAC, including the frequency. Validation of completion is documented through operational reviews. The results of the operational reviews indicate a summary of findings, which included a corrective action report, completed annually; Status per GAO: Open. IRM 1.4.11 provides guidance for managerial reviews and frequency of these reviews at outlying TACs. Also, the IRM outlines the TAC Security Remittance Review Database process and requires managers to input the results of their reviews into the database. However, the database was not fully implemented in fiscal year 2008. As a result, we were unable to fully test its implementation during our audit fieldwork. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 08-08; Recommendation: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. The Director of Field Assistance issued a quarterly reminder to managers to conduct required reviews on September 30, 2008. Field Assistance continues to review the monthly reports received from field offices, including the status of corrective actions noted during operational reviews, to ensure completion of needed improvements; Status per GAO: Open. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 08-09; Recommendation: Establish a mechanism to monitor compliance with existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. IRM 1.4.11.19.4.1.1 was revised in April 2008 to mandate the use of the "restrict" command code in all cases. Group managers will continue to be reminded of the existing requirements to restrict command codes as part of the Form 809 Annual Reconciliation Review. During this review, group managers use a check sheet as shown in IRM 3.8.45.29.15, which includes this validity check. The result of the review is sent to territory managers and Submission Processing. Furthermore, restricted IDRS command codes are addressed in ongoing operational reviews. IRM 1.4.11.19.4 guidance is provided to restrict the 809 book holders profile when ordering the initial 809 receipt book. IRM 1.4.11.19.4.1.1 establishes the requirement for group managers to use restrict command codes from an 809 book holders profile. IRM 1.4.11-15 TAC Payment Processing Checklist is completed as part of the payment processing review conducted quarterly, which includes a question addressing restrict command codes. Finally, IRM 1.4.11.19.4.1.1.1 covers the annual reconciliation of official receipts, which managers can use as an annual monitoring process in addition to operational reviews; Status per GAO: Closed. IRS mandated the use of the restrict command codes to TAC employees accepting cash payments to limit their IDRS access rights and ability to adjust taxpayer accounts. These procedures are monitored during operational reviews conducted by area and territory managers, at which time group managers are reminded of the existing requirements to restrict command codes. ID no.: 08-10; Recommendation: Establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. Guidance concerning armed first responders to TAC duress alarms was reissued via email to area directors for distribution on August 19, 2008, and subsequently finalized in IRM 10.2.14, Methods of Providing Protection, issued October 1, 2008. The IRM specifies, "An armed 'First Responder' (guard police) must be listed as the first responder, as the shortest possible response time is critical with priority notification. The alarm notification priority protocols are: (1) First Priority: on-site guards are notified; (2) Second Priority, Federal Protective Service is notified, and (3) Third Priority, local police who will be notified last." The TAC Scheduled Duress Alarm Test Report was revised to include a section to indicate the date the notification list for first responders was last updated. The reports are rolled up from the Areas/Territories to the Security Programs office quarterly. The revised report was instituted via e-mail on July 24, 2008. PSEP continues to utilize the Audit Management Checklist as a repeatable process where Territory offices validate that proper first responders are listed for notification; Status per GAO: Closed. IRS established procedures in the IRM requiring quarterly verification that individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner. ID no.: 08-11; Recommendation: Modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. IRS finalized and issued IRM 10.2.14, Methods of Providing Protection on October 1, 2008. IRM 10.2.14.9.2(7)a specifies: "An armed 'First Responder' (guard police) must be listed as the first responder, as the shortest possible response time is critical with priority notification. The alarm notification priority protocols are: (1) First Priority: on-site guards are notified; (2) Second Priority, Federal Protective Service is notified, and (3) Third Priority, local police who will be notified last." The TAC Scheduled Duress Alarm Test Report was revised to include a section to indicate the date the notification list for first responders was last updated. The reports are rolled up from the Areas/Territories to the Security Programs office quarterly. The revised report form was instituted via e- mail on July 24, 2008. PSEP continues to utilize the Audit Management Checklist as a repeatable process where Territory offices validate that proper first responders are listed for notification; Status per GAO: Closed. IRS revised the IRM to specify the qualifications and geographical proximity requirements for individuals designated as first responders and included a provision for PSEP to conduct quarterly reviews of this issue. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. AWSS has been working with the General Services Administration (GSA) since March 2008 to implement a process for procuring services from GSA to perform contractor background investigations. AWSS prepared and submitted a draft interagency agreement to GSA for consideration in June 2008. IRS received and reviewed the GSA comments, and is finalizing the interagency agreement for pricing and services. GSA has submitted a draft three-phase schedule for completion of the background investigations that would complete enter-on-duty determinations for all facilities by November 2009. Implementation is contingent upon GSA successfully completing its actions; Status per GAO: Open. During our fiscal year 2008 audit, we identified instances at three TACs where IRS did not have documentary evidence demonstrating the completion of favorable background investigations for contractors performing janitorial services during non-operating hours. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 08-13; Recommendation: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. IRS developed a Performance Work Statement for a National Document Destruction Contract. IRS expects full contract implementation by October 1, 2009. Implementing a national contract will standardize these requirements and ensure consistency. In the interim, the current contracts require a review of contractor performance through site visits and to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. AWSS distributed a message to the Real Estate and Facilities Management Territory Managers and Logistics Chiefs on January 23, 2009, reinforcing the requirement to review their existing shred contracts to ensure they comply with the security requirements stated in their respective contracts; Status per GAO: Open. As stated in IRS's response, the Performance Work Statement for a National Document Destruction Contract will not be fully implemented until the first quarter of fiscal year 2010. We will review IRS's corrective actions during future audits. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. IRS developed a Performance Work Statement for a National Document Destruction Contract. IRS expects full contract implementation by October 1, 2009. Implementing a national contract will standardize these requirements and ensure consistency. In the interim, the current contracts require a review of contractor performance through site visits and to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. IRS distributed a message on January 23, 2009, reinforcing the requirement to review their existing shred contracts to ensure they comply with the security requirements stated in their respective contracts; Status per GAO: Open. As stated in IRS's response, the Performance Work Statement for a National Document Destruction Contract will not be fully implemented until the first quarter of fiscal year 2010. We will review IRS's corrective actions during future audits. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Open. IRS developed a Performance Work Statement for a National Document Destruction Contract. IRS expects full contract implementation by October 1, 2009. Implementing a national contract will standardize these requirements and ensure consistency. In the interim, the current contracts require a review of contractor performance through site visits, in order to ensure that contractors comply with all security requirements for employee clearance prior to performing the work. IRS distributed a message on January 23, 2009, reinforcing the requirement to review their existing shredding contracts to ensure they comply with the security requirements stated in their respective contracts; Status per GAO: Open. As stated in IRS's response, the Performance Work Statement for a National Document Destruction Contract will not be fully implemented until the first quarter of fiscal year 2010. In addition, during our fiscal year 2008 audit, we identified an instance at one of three SCCs we visited where shredding service contractor employees did not go through background investigations before they were granted access to taxpayer or other sensitive information. We will review IRS's corrective actions during future audits. ID no.: 08-16; Recommendation: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. The Human Capital Office issued a notice in September 2007 to each Employment Branch Chief to reinforce this policy; and the office also sends periodic reminders to the Employment Offices during monthly calls with the employment staffs. The Human Capital Office also issued Alert 731-2 on September 29, 2008, to all Employment Offices clarifying the guidance provided in Policy No. 15. In October 2008, Policy and Programs received written confirmation from every Employment Office that Policy No. 15 was being followed and that the correct Form 13094 was being used; Status per GAO: Open. During our fiscal year 2008 audit, we identified four juveniles hired in fiscal year 2008 who were not provided a revised Form 13094. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. The Human Capital Office revised Form 13094 in December 2007 and provided the form and accompanying instructions to the employment staff in January 2008. The Human Capital Office also issued Alert 731-2 on September 29, 2008, to all Employment Offices clarifying the guidance provided in Policy No. 15. In October 2008, Policy and Programs received written confirmation from every Employment Office that Policy No. 15 was being followed and that the correct Form 13094 was being used; Status per GAO: Open. During our fiscal year 2008 audit, we identified five instances where the IRS employment office staff did not verify the information on Form 13094 by contacting the reference directly and documenting the details of that contact. We will review IRS's corrective actions during our fiscal year 2009 audit. ID no.: 08-18; Recommendation: Issue a memorandum to Receipt Control Operations Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits and (2) key documentation to be signed and dated by the supervisor as evidence of that review (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. W&I Submission Processing issued a memorandum in April 2008 to the operations manager of Receipt and Control, reiterating the requirement to follow procedures in IRM 3.45.1 to conduct supervisory reviews of the deposit encoding tapes and the recapitulation of remittances, deposit tickets, and to sign or initial the documents as evidence that the reviews were completed. Receipt and Control is also following IRM 3.45.1 to conduct and document supervisory reviews of the TE/GE deposits; Status per GAO: Closed. We verified that IRS issued a memorandum to its operations manager of Receipt and Control to reinforce procedures in its IRM requiring signed supervisory review of TE/GE user fee deposits. Additionally, during our fiscal year 2008 audit, we did not identify any instances where IRS did not document supervisory review of the TE/GE user fee deposits tested. ID no.: 08-19; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. The electronic Purchase Card Module eliminated the paper statement of accounts being mailed to purchase cardholders using the Purchase Card Module. The purchase cardholder and approving official electronically reconcile and approve the transactions, which is evidence of their signature approving the transactions. The system maintains history on the user login name and date of the action; Status per GAO: Closed. We confirmed that IRS modified its existing guidelines and fully implemented the Purchase Card Module. During our fiscal year 2008 audit, we noted that the purchase card approving official's signature attesting to the review and reconciliation of the monthly statement is now captured electronically by the Purchase Card Module. However, we also noted that the purchase card approving officials were not always electronically reconciling and approving transactions within the required timeframes documented in IRS's existing guidelines. Timely reconciliation and approval of transactions is necessary to help ensure that purchase card transactions are valid and appropriate. Thus, we are closing this recommendation and opening a new recommendation to address this additional issue in our June 2009 management report. See GAO-09-513R and recommendation 09-10 in this report. ID no.: 08-20; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. IRS provides purchase cardholders with funding approval requirements during initial and refresher training. The guidelines outlining funding requirements are also available online in the Purchase Card Guide and on the program specific Web site. As IRS converted purchase cardholders to the Purchase Card Module, it highlighted this requirement in the transition guidelines; Status per GAO: Closed. We confirmed that IRS modified its existing guidelines and fully implemented the Purchase Card Module. During our fiscal year 2008 audit, we noted that purchase cardholders obtained funding approval electronically through the Purchase Card Module prior to making a purchase. The Purchase Card Module directly interfaces with the funding requisition function of IRS's Web-based Requisition Tracking System to verify funds availability. ID no.: 08-21; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. Citibank reports previously received by purchase card approving officials were eliminated with implementation of the Purchase Card Module. All documentation for purchase card activity is maintained electronically in the Purchase Card Module with the exception of packing slips/receipts, which are maintained by the cardholder. The documentation is available for review by the approving official, but approving officials are not required to maintain copies of documentation already maintained by the cardholder; Status per GAO: Closed. Even though IRS did not modify its existing guidelines to require the purchase card approving official to maintain copies of the purchase cardholder's supporting documentation, we confirmed that IRS now has compensating internal control procedures in place to close this recommendation. IRS's existing guidelines require the purchase cardholder to maintain the supporting documentation and for approving officials to ensure that the cardholders have all required documentation. During our fiscal year 2008 audit, we noted that the purchase cardholders maintained appropriate supporting documentation. ID no.: 08-22; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as 3 years (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. The requirement to maintain supporting documentation for all purchase card activity for 3 years is outlined in current guidance and training material provided to cardholders. The documentation is available for review by the approving official, but is maintained by the cardholder; Status per GAO: Closed. Even though IRS did not modify its existing guidelines, we confirmed that the current guidelines require cardholders to maintain supporting documentation for 3 years. IRS's existing guidelines require the purchase cardholder to maintain the supporting documentation and for approving officials to ensure that the cardholders have all required documentation. During our fiscal year 2008 audit, we noted that the purchase cardholders maintained appropriate supporting documentation. ID no.: 08-23; Recommendation: Issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS's existing policy requiring that new assets be inputted into the inventory system within 10 days of receipt (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. Modernization & Information Technology Services issued a memorandum dated September 5, 2008, and Directive (Asset Management Policy Directive AM 034) dated August 18, 2008, to all organizations reiterating the IRS policy that new assets must be inputted into the inventory system within 10 days of receipt; Status per GAO: Closed. During our fiscal year 2008 audit, IRS's Associate Chief Information Officer for End User Equipment Services, in response to our recommendations, issued a memorandum to all personnel responsible for updating inventory. The memorandum reiterated IRS's existing policy requiring that new assets be inputted into the inventory system within 10 days of receipt. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Closed. AWSS issued communications to all employees reiterating the policy requiring all employees to obtain approval of travel authorizations before the initiation of travel through periodic notices on the IRS intranet with links to Travel Times. In Travel Times, IRS has issued: Travel Authorization Reminders (October 2007 and February 2008) and Travel Authorization Reminder News from the business units (December 2007, February 2008, and May 2008). Furthermore, IRS is continuing to implement GovTrip and as of January 1, 2009, has 25,775 GovTrip users. All users must file a travel authorization before travel begins, and GovTrip will not allow a voucher to be created without a signed/approved authorization; Status per GAO: Open. We confirmed that IRS issued communications to staff reiterating the policy that all employees receive travel authorization before commencing travel, and that IRS continues to implement its GovTrip system with full implementation expected by approximately July 2009. However, during our fiscal year 2008 audit, we continued to identify instances where IRS staff did not obtain approval of travel authorizations in advance of travel. We will continue to review actions being taken by IRS to address this recommendation during our fiscal year 2009 audit. ID no.: 09-01; Recommendation: Correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure-to-pay penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-02; Recommendation: Add specific requirements to the IRM to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-10; Recommendation: Develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of non-compliance with required approval timeframes (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-12; Recommendation: Reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed and should include both personnel costs based on time spent on specific activities as well as all associated non- personnel costs and be drawn from or reconcilable to IRS's financial accounting system (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. ID no.: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 2009); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will verify IRS's corrective actions during future audits. Source: IRS updates detailing actions to address GAO's recommendations and GAO's analysis of IRS's actions. [End of table] [End of section] Appendix II: Open Recommendations Arranged by Control or Compliance Issue: Financial Reporting: The Internal Revenue Service (IRS) does not have financial management systems adequate to enable it to accurately generate and report, in a timely manner, the information needed to both prepare financial statements and manage operations on an ongoing basis. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, IRS was compelled to employ compensating procedures. Specifically, IRS (1) did not have an adequate general ledger system for tax-related transactions, and (2) was unable to readily determine the costs of its activities and programs and did not have cost-based performance information to assist in making or justifying resource allocation decisions. As a result, IRS does not have data to assist in managing operations on a day-to-day basis and to provide an informed basis for making or justifying resource allocation decisions. Table 12: Material Weakness: Controls over Financial Reporting: ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities (long-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA) (long- term); Control activity: Appropriate documentation of transactions and internal controls. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Unpaid Tax Assessments: IRS has serious internal control issues that affected its management of unpaid tax assessments. Specifically, IRS (1) lacked a subsidiary ledger for unpaid tax assessments that would allow it to produce accurate, useful, and timely information with which to manage and report externally, and (2) experienced errors and delays in recording taxpayer information, payments, and other activities. Table 13: Material Weakness: Controls over Unpaid Assessments: ID No.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions (short-term); Control activity: Accurate and timely recording of transactions and events. ID No.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received (short-term); Control activity: Accurate and timely recording of transactions and events. ID No.: 99-03; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability (short-term); Control activity: Accurate and timely recording of transactions and events. ID No.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance (long-term); Control activity: Accurate and timely recording of transactions and events. ID No.: 09-01; Recommendation: Correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure-to-pay penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement (short-term); Control activity: Accurate and timely recording of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Information Security: Significant information security weaknesses continue to jeopardize the confidentiality, availability, and integrity of information processed by IRS's key systems, increasing the risk of material misstatement for financial reporting. For example, sensitive information, such as user identification and passwords for mission-critical applications, continued to be readily available to any user on IRS's internal network. These IDs and passwords could be used by a malicious user to compromise data flowing to and from IFS. Other continuing weaknesses included the existence of passwords that were not complex enough to avoid being guessed or cracked. In addition, although IRS had improved its application of vendor-supplied system patches that protect against known vulnerabilities, it still had not patched systems in a timely manner. The agency's procurement system, which processed approximately $1.8 billion of obligations in fiscal year 2008, also remained at risk because previously reported weaknesses had not been corrected. These weaknesses included (1) not restricting user's ability to bypass application controls, (2) continuing to use unencrypted protocols, and (3) not removing separated employees' access in a timely manner. These outstanding weaknesses increase the risk that data processed by the agency's financial management systems are not reliable. Material Weakness: Controls over Information Systems Security: Although IRS has made some progress in addressing previous weaknesses we identified in its information systems security controls and physical security controls, these and new weaknesses in information systems security continue to impair IRS's ability to ensure the confidentiality, integrity, and availability of financial and tax- processing systems. As of January 2009, there were 74 open recommendations from our information systems security work designed to help IRS improve its information systems security controls. Those recommendations are reported separately and are not included in this report primarily because of the sensitive nature of some of the issues. Tax Revenue and Refunds: Weaknesses in control over tax revenue and refunds continue to hamper IRS's ability to optimize the use of its limited resources to collect unpaid taxes and minimize payment of improper refunds. Specifically, IRS has not (1) developed performance metrics and goals on the cost of, and the revenue collected from, IRS's various enforcement programs and activities, with the exception of the Earned Income Tax Credit program; or (2) fully established and implemented the financial management structure and processes to provide IRS key financial management data on costs and enforcement tax revenue. These deficiencies inhibit IRS's ability to appropriately assess and routinely monitor the relative merits of its various enforcement initiatives and adjust its strategies as needed. This, in turn, can significantly affect both the level of enforcement tax revenue collected and improper refunds disbursed. Table 14: Significant Deficiency: Controls over Revenues and Issuing Refunds: ID no.: 09-02; Recommendation: Add specific requirements to the Internal Revenue Manual (IRM) to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated (short-term); Control activity: Establishment and review of performance measures and indicators. ID no.: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed and should include both personnel costs based on time spent on specific activities as well as all associated non- personnel costs and be drawn from or reconcilable to IRS's financial accounting system (long-term); Control activity: Establishment and review of performance measures and indicators. ID no.: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities (long-term); Control activity: Establishment and review of performance measures and indicators. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Release of Federal Tax Liens: IRS did not always release the applicable federal tax lien within 30 days of the tax liability being either paid off or abated, as required by the Internal Revenue Code (section 6325). The Internal Revenue Code grants IRS the power to file a lien against the property of any taxpayer who neglects or refuses to pay all assessed federal taxes. The lien serves to protect the interest of the federal government and as a public notice to current and potential creditors of the government's interest in the taxpayer's property. Table 15: Compliance with Laws and Regulations: Timely Release of Liens: ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 07-15; Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System (short-term); Control activity: Appropriate documentation of transactions and internal controls. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Other Control Issues: The recommendations listed below pertain to issues that do not rise individually or in the aggregate to the level of a significant deficiency or a material weakness. However, these issues do represent weaknesses in various aspects of IRS's control environment that should be addressed. Table 16: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: ID no.: 99-22; Recommendation: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records (long-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur (long-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments (short- term); Control activity: Segregation of duties. ID no.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors (short-term); Control activity: Controls over Information processing. ID no.: 04-08; Recommendation: Enforce policies and procedures to ensure that service center campus security guards respond to alarms (short-term); Control activity: Physical control over vulnerable assets. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages (short- term); Control activity: Segregation of duties. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds (short- term); Control activity: Proper execution of transactions and events. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses (SCC), taxpayer assistance centers (TAC), and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals (short- term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 06-05; Recommendation: Equip all TACs with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers such as locked doors marked with signs barring entrance by unescorted customers (short-term); Control activity: Physical control over vulnerable assets. ID no.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACs not having a manager permanently on site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation (short-term); Control activity: Physical control over vulnerable assets. ID no.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions (short-term); Control activity: Physical control over vulnerable assets. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds (short-term); Control activity: Management of human capital. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out (short-term); Control activity: Physical control over vulnerable assets. ID no.: 07-21; Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered (short-term); Control activity: Segregation of duties. ID no.: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of Office of Management and Budget (OMB) Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 07-27; Recommendation: Begin devising appropriate A-123 follow-up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct (short-term); Control activity: Management of human capital. ID no.: 08-04; Recommendation: To address the inconsistency in assigning the effective date of an accuracy-related penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any associated accuracy-related penalty (long- term); Control activity: Reviews by management at the functional or activity level. ID no.: 08-06; Recommendation: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM (long-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID no.: 08-08; Recommendation: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices (short-term); Control activity: Access restrictions to and accountability for resources and records. ID no.: 08-13; Recommendation: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements (short-term); Control activity: Access restrictions to and accountability for resources and records. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information (short-term); Control activity: Access restrictions to and accountability for resources and records. ID no.: 08-16; Recommendation: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles (short-term); Control activity: Access restrictions to and accountability for resources and records. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact (short-term); Control activity: Access restrictions to and accountability for resources and records. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel (short- term); Control activity: Proper execution of transactions and events. ID no.: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide (long-term); Control activity: Reviews by management at the functional or activity level. ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts (short-term); Control activity: Physical control over vulnerable assets. ID no.: 09-10; Recommendation: Develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of noncompliance with required approval timeframes (short-term); Control activity: Proper execution of transactions and events. ID no.: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability (short-term); Control activity: Reviews by management at the functional or activity level. ID no.: 09-12; Recommendation: Reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts (short-term); Control activity: Accurate and timely recording of transactions and events. ID no.: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process (short-term); Control activity: Accurate and timely recording of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] [End of section] Appendix III: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Commissioner: Washington, D.C. 20224: June 11, 2009: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft report titled, IRS: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-09-514). As GAO noted in the report, IRS continues to make significant progress in improving our internal controls and financial management as evidenced by nine consecutive years of clean audit opinions on our financial statements. We are pleased that you acknowledged our progress in addressing our financial management challenges and agreed to close 35 prior year financial management recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact Alison Doone, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Douglas H. Shulman: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made major contributions to this report: William J. Cordrey, Assistant Director; Ray Bush; Stephanie Chen; Nina Crocker; Oliver Culley; Charles Ego; Doreen Eng; Charles Fox; Valerie Freeman; Ted Hu; Richard Larsen; Delores Lee; Gail Luna; Julie Phillips; John Sawyer; Christopher Spain; Cynthia Teddleton; Lien To; LaDonna Towler; and Gary Wiggins. [End of section] Footnotes: [1] Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. See 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA); see [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], Standards for Internal Control in the Federal Government, at 4-5 (November 1999). The actions required by agencies and individual federal managers includes taking proactive measures to develop and implement appropriate, cost-effective internal control for results- oriented management; to assess the adequacy of internal control in federal programs and operations; to identify needed improvements; and to take corresponding corrective actions. [2] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a control deficiency, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. A control deficiency exists when the design or operation of a control does not allow management or employees, in the course of performing their assigned functions, to prevent or detect misstatements on a timely basis. [3] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [4] The circular requires agencies and individual federal managers to take systematic and proactive measures to (1) develop and implement appropriate, cost-effective internal control for results-oriented management; (2) assess the adequacy of internal control in federal programs and operations; (3) separately assess and document internal control over financial reporting consistent with the process defined in appendix A of the circular; (4) identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal control through management assurance statements. [5] GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 2001). [6] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009). FISCAM contains guidance for reviewing information system controls that affect the security of computerized data. [7] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008). [8] GAO, Internal Revenue Service: Status of Financial Audit and Related Financial Management Report Recommendations, [hyperlink, http://www.gao.gov/products/GAO-08-693] (Washington, D.C.: July 2, 2008). [9] GAO, Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 2009). [10] We define short-term recommendations as those that we believe could be addressed within 2 years at the time we made the recommendation. We define long-term recommendations as those we expected to require 2 years or more to implement at the time we made the recommendation. [11] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [12] Table 1 does not include the 11th control activity, "top-level reviews of actual performance," because we do not have any recommendations related to this internal control activity. [13] The vast majority of federal tax payments are made for both businesses and individuals via the Electronic Federal Tax Payment System. [14] Information security controls include electronic access controls, software change controls, physical security, segregation of duties, and service continuity. These controls are designed to ensure that access to data is appropriately restricted, only authorized changes to computer programs are made, physical access to sensitive computing resources and facilities is protected, computer security duties are segregated, and backup and recovery plans are adequate to ensure the continuity of essential operations. [15] GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009). [16] Most refunds are generated automatically. However, under certain circumstances, IRS processes refunds manually to expedite payment. Such refunds include those over $10 million, those requested by taxpayers for immediate payment due to hardship or emergency, those to beneficiaries of deceased taxpayers, and those that need to be expedited because IRS is in jeopardy of paying interest for exceeding the 45-day limit for processing a return. [17] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: