Financial Audit: Examination of IRS' Fiscal Year 1996 Administrative
Financial Statements (Letter Report, 08/29/97, GAO/AIMD-97-89).

Pursuant to a legislative requirement, GAO audited the Administrative
Financial Statements for the Internal Revenue Service (IRS) for fiscal
year 1996.

GAO noted that: (1) these Administrative Financial Statements did not
report on activities related to IRS' custodial responsibilities for
implementing federal tax legislation, including collecting federal tax
revenues, refunding overpayments of taxes, and pursuing collection of
amounts owed; (2) the annual financial results relating to IRS'
custodial responsibilities were reported separately in IRS' Custodial
Financial Statements; (3) the Statement of Administrative Financial
Position was reliable in all material respects, except that evidence
about the composition and validity of administrative accounts receivable
as of September 30, 1996, was not available; (4) GAO could not determine
the reliability of the accounts receivable balances shown and the effect
any adjustment required to correct the accounts receivable balances
might have on net position; (5) GAO could not determine the effect
capitalization would have on net position because property and equipment
have not been capitalized and reported; (6) GAO was unable to give an
opinion on the Statement of Administrative Operations and Changes in Net
Position because of limitations on the scope of GAO's work; (7) GAO was
unable to determine the effect on the Statement of Administrative
Operations and Changes in Net Position of IRS' not recording
depreciation; thus, the statement may be unreliable; (8) GAO agreed with
management's assertion that internal controls were ineffective in: (a)
safeguarding assets from material loss; (b) assuring material compliance
with laws governing the use of budget authority and with other relevant
laws and regulations; and (c) assuring that there were no material
misstatements in amounts reported in the financial statements, such as
administrative accounts receivable and operating revenues and expenses;
and (9) material weaknesses in internal control and recordkeeping
systems precluded the test necessary to provide a basis for any report
on compliance with pertinent laws and regulations.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-97-89
     TITLE:  Financial Audit: Examination of IRS' Fiscal Year 1996 
             Administrative Financial Statements
      DATE:  08/29/97
   SUBJECT:  Financial statement audits
             Federal agency accounting systems
             Internal controls
             Administrative costs
             Financial management systems
             Accounts payable
             Accounts receivable
             Computer security

             


Cover
================================================================ COVER


Report to the Congress

August 1997

FINANCIAL AUDIT - EXAMINATION OF
IRS' FISCAL YEAR 1996
ADMINISTRATIVE FINANCIAL
STATEMENTS

GAO/AIMD-97-89

IRS Financial Audit

(901702)


Abbreviations
=============================================================== ABBREV

  ADP - automated data processing
  APF - Authorized Program Facility
  BCA - budget clearing account
  CFO - Chief Financial Officer
  DCC - Detroit Computing Center
  FMFIA - Federal Managers' Financial Integrity Act of 1982
  IRS - Internal Revenue Service
  OMB - Office of Management and Budget
  RACF - Resource Access Control Facility
  SFFAS - Statement of Federal Financial Accounting Standard

Letter
=============================================================== LETTER


B-276920

August 29, 1997

To the President of the Senate and the
Speaker of the House of Representatives

In accordance with the Chief Financial Officers (CFO) Act of 1990, as
expanded by the Government Management Reform Act of 1994, this report
presents the results of our audit of the Administrative Financial
Statements of the Internal Revenue Service (IRS) for fiscal year
1996.  The IRS Administrative Financial Statements report the
financial position and results of operations related solely to the
administration of IRS as funded by appropriations and reimbursements
from other agencies, state and local governments, and the public. 

Accordingly, these Administrative Financial Statements do not report
on activities related to IRS' custodial responsibilities for
implementing federal tax legislation, including collecting federal
tax revenues, refunding overpayments of taxes, and pursuing
collection of amounts owed.  The annual financial results relating to
these custodial responsibilities are reported separately in IRS'
Custodial Financial Statements.  We will report the results of our
audit of those financial statements for fiscal year 1996 at a later
date. 

Our report contains our opinions on (1) IRS' Administrative Financial
Statements and (2) IRS management's assertion about the effectiveness
of internal controls, along with information regarding our efforts to
test compliance with laws and regulations and a description of our
audit objectives, scope, and methodology.  Also, appendix I describes
the status of IRS' efforts to implement our prior recommendations
related to the Administrative Financial Statements. 

We are sending copies of this report to the Acting Commissioner of
Internal Revenue; the Secretary of the Treasury; the Director of the
Office of Management and Budget; the Chairmen and Ranking Minority
Members of the Senate Committee on Governmental Affairs, the House
Committee on Government Reform and Oversight and its Subcommittee on
Government Management, Information and Technology; and other
interested congressional committees.  Copies will be made available
to others upon request. 

This report was prepared under the direction of Gregory M. Holloway,
Director, Governmentwide Audits, with the support of IRS' Internal
Audit staff and staff from the Accounting and Information Management
Division's Governmentwide Audits Group and Audit Support and Quality
Assurance Group.  If you have any questions, please contact Mr. 
Holloway at (202) 512-9510. 

James F. Hinchman
Acting Comptroller General
of the United States


Letter
=============================================================== LETTER


B-276920

To the Acting Commissioner of Internal Revenue

In accordance with the Chief Financial Officers (CFO) Act of 1990, as
expanded by the Government Management Reform Act of 1994, this report
presents the results of our audit of the Administrative Financial
Statements of the Internal Revenue Service (IRS) for fiscal year
1996.  The IRS Administrative Financial Statements report the
financial position and results of operations related solely to the
administration of IRS as funded by appropriations and reimbursements
from other agencies, state and local governments, and the public. 

Accordingly, these Administrative Financial Statements do not report
on activities related to IRS' custodial responsibilities for
implementing federal tax legislation, including collecting federal
tax revenues, refunding overpayments of taxes, and pursuing
collection of amounts owed.  The annual financial results relating to
these custodial responsibilities are reported separately in IRS'
Custodial Financial Statements.  We will report the results of our
audit of those statements for fiscal year 1996 at a later date. 

In our audit of IRS' fiscal year 1996 Administrative Financial
Statements, we found the following: 

  -- The Statement of Administrative Financial Position was reliable
     in all material respects, except that evidence about the
     composition and validity of administrative accounts receivable
     as of September 30, 1996, was not available.  Accordingly, we
     could not determine the reliability of the accounts receivable
     balances shown and the effect any adjustment required to correct
     the accounts receivable balances might have on net position.  In
     addition, because property and equipment have not been
     capitalized and reported, we cannot determine the effect
     capitalization would have on net position. 

  -- We are unable to give an opinion on the Statement of
     Administrative Operations and Changes in Net Position because of
     limitations on the scope of our work.  Specifically, IRS did not
     attempt to fully restate its fiscal year 1996 opening account
     balances to address problems identified in our prior year audit,
     and inadequacies in the recordkeeping and control systems
     affected our ability to determine whether reported fiscal year
     1996 operating expenses and revenues related to services that
     were actually provided in fiscal year 1996.  Furthermore, in the
     absence of reliable information on property and equipment, we
     are unable to determine the effect on the Statement of
     Administrative Operations and Changes in Net Position of IRS'
     not recording depreciation.  Thus, the Statement of
     Administrative Operations and Changes in Net Position may be
     unreliable. 

  -- We agree with management's assertion that internal controls were
     ineffective in (1) safeguarding assets, such as administrative
     accounts receivable and fund balances with Treasury, from
     material loss, (2) assuring material compliance with laws
     governing the use of budget authority and with other relevant
     laws and regulations, and (3) assuring that there were no
     material misstatements in amounts reported in the financial
     statements, such as administrative accounts receivable and
     operating revenues and expenses.  However, in its assertion, IRS
     failed to report the material weaknesses we found in its
     computer security controls at its Detroit Computing Center. 

  -- Material weaknesses in internal control and recordkeeping
     systems, which are discussed later in this report, precluded the
     test necessary to provide a basis for any report on compliance
     with pertinent laws and regulations. 


   QUALIFIED OPINION ON STATEMENT
   OF ADMINISTRATIVE FINANCIAL
   POSITION
------------------------------------------------------------ Letter :1

Because IRS could not provide us with supporting documentation for
its reported administrative accounts receivable balances, we cannot
determine if the Statement of Administrative Financial Position's
presentation of accounts receivable and net position is reliable.  In
addition, because property and equipment have not been capitalized
and reported, we cannot determine the effect capitalization would
have on net position.  Otherwise, in our opinion, the Statement of
Financial Position, including the related accompanying notes,
presents fairly, in all material respects, in conformity with a
comprehensive basis of accounting other than generally accepted
accounting principles, as described in note 1, IRS' administrative
assets, liabilities, and net financial position. 

Without key documentation concerning the basis for IRS' accounts
receivables, including whether IRS had provided the specific services
by fiscal year-end, we could not determine whether the amounts
reported represent valid unpaid claims for reimbursement for services
provided to other entities during or prior to fiscal year 1996.  In
addition, we could not determine the effect any adjustment required
to correct the reported balances might have on net position.  Most of
IRS' administrative accounts receivable represent amounts due from
other federal agencies for services provided to them by IRS.  Proper
accounting and reporting of intergovernmental accounts receivable and
payable is a problem across the federal government. 

Department of the Treasury and IRS policies require capitalization of
property and equipment.  However, because of inherent weaknesses in
IRS' systems, which are discussed later in this report, IRS did not
capitalize its property and equipment and report it on the Statement
of Administrative Financial Position for fiscal year 1996.  IRS
stated that it is developing procedures which will enable it to
capitalize and depreciate its property and equipment. 

In August 1993, we reported that IRS officials had concluded that the
information in IRS' automated data processing system was so
unreliable that it could not be used for the fixed asset balance in
its fiscal year 1992 financial statements.\1 We noted in our report
on our audit of IRS' fiscal year 1993 financial statements that as a
result of its first nationwide physical inventory of automated data
processing property and equipment, IRS had made significant
improvements in the recording and valuation of its property and
equipment.\2 However, we also reported that IRS did not have an
interface between the general ledger and the property and equipment
systems or reconcile the two.  In IRS' notes to its fiscal years 1993
through 1996 financial statements, IRS reported that because of this
nonintegration of its systems, the acquisition cost of all property
and equipment is expensed in the Statement of Administrative
Operations and Changes in Net Position rather than capitalized and
depreciated.  IRS' plans for addressing this issue are discussed
later in this report. 


--------------------
\1 Financial Management:  IRS Lacks Accountability Over Its ADP
Resources (GAO/AIMD-93-24,
August 5, 1993). 

\2 Financial Audit:  Examination of IRS' Fiscal Year 1993 Financial
Statements (GAO/AIMD-94-120, June 15, 1994). 


   DISCLAIMER OF OPINION ON
   STATEMENT OF ADMINISTRATIVE
   OPERATIONS AND CHANGES IN NET
   POSITION
------------------------------------------------------------ Letter :2

We are unable to give an opinion on the Statement of Administrative
Operations and Changes in Net Position for fiscal year 1996 because
of limitations on the scope of our work.  Specifically, IRS did not
attempt to fully restate its fiscal year 1996 opening account
balances to address problems identified relative to the prior year. 
In addition, the following inadequacies in the recordkeeping and
control systems affected our ability to determine whether reported
fiscal year 1996 operating expenses and revenues related to services
that were actually provided in fiscal year 1996.  Furthermore, in the
absence of reliable information on property and equipment, we are
unable to determine the effect on the Statement of Administrative
Operations and Changes in Net Position of IRS not recording
depreciation. 

  -- As noted above, IRS was unable to provide us with documentation
     to support its reported administrative accounts receivables. 
     Consequently, we could not determine whether the related revenue
     for fiscal year 1996 attributable to reimbursable work
     agreements was correct and reported in the period the services
     were actually provided to other entities. 

  -- IRS' financial management system, as implemented, records
     accounts payable only when both an invoice has been received and
     the goods or services have been received and accepted. 
     Therefore, liabilities for goods or services received and
     accepted are not routinely recorded until an invoice has also
     been received and processed.  This practice, along with internal
     control weaknesses for the receipt and acceptance of goods and
     services, affected our ability to audit the fiscal year 1996
     Statement of Administrative Operations and Changes in Net
     Position in two ways.  First, we could not determine the
     reliability of the reported fiscal year 1996 operating expenses
     because IRS did not determine what portion of these expenses
     pertained to goods or services actually received in the previous
     fiscal year.  Thus, the reported balance for operating expenses
     is overstated to the extent that it includes such amounts. 
     Second, in order to establish an accounts payable amount as of
     September 30, 1996, special procedures were used, including
     statistical sampling techniques, to estimate the amount.  While
     this effort resulted in a reasonable estimate for the liability,
     it did not enable IRS to identify all of the specific
     transactions and the related operating expense classifications
     (tax law enforcement, information systems, etc.) relating to
     this estimated balance. 

  -- Although IRS was able to reconcile its September 30, 1996, Fund
     Balance with Treasury accounts to Treasury's records within an
     immaterial amount, IRS did not attempt to completely determine
     what portion of the adjustments made as a result of the
     reconciliation process pertained to goods or services actually
     received in prior fiscal years.  Consequently, we could not
     determine the reliability of the reported fiscal year 1996
     operating expenses, since they are overstated to the extent they
     include such amounts. 


   OPINION ON MANAGEMENT'S
   ASSERTION ABOUT THE
   EFFECTIVENESS OF INTERNAL
   CONTROLS
------------------------------------------------------------ Letter :3

We evaluated management's assertion about the effectiveness of its
internal controls designed to

  -- safeguard assets against loss from unauthorized acquisition,
     use, or disposition;

  -- assure the execution of transactions in accordance with laws
     governing the use of budget authority and with other laws and
     regulations that have a direct and material effect on the
     Administrative Financial Statements or are listed in Office of
     Management and Budget (OMB) audit guidance and could have a
     material effect on the Administrative Financial Statements; and

  -- properly record, process, and summarize transactions to permit
     the preparation of reliable financial statements and to maintain
     accountability for assets. 

IRS management fairly stated that because of the material weaknesses
in internal controls described later in this section, internal
controls do not provide reasonable assurance that the following would
be prevented or detected on a timely basis for amounts material in
relation to the financial statements: 

  -- unauthorized acquisition, use, or disposition of assets, such as
     administrative accounts receivable and fund balances with
     Treasury, that could lead to losses;

  -- noncompliance with laws governing the use of budget authority
     and with other relevant laws and regulations; and

  -- misstatements in amounts reported in the financial statements,
     such as administrative accounts receivable and operating
     revenues and expenses. 

However, in its assertion, IRS failed to report the material
weaknesses found in its computer security controls at its Detroit
Computing Center. 

Management made this assertion based upon criteria established under
the Federal Managers' Financial Integrity Act of 1982 (FMFIA) and the
Office of Management and Budget Circular A-123, Management
Accountability and Control.  A material weakness is a condition in
which the design or operation of one or more of the internal control
structure elements does not reduce to a relatively low level the risk
that errors or irregularities in amounts that would be material to
the financial statements may occur and not be detected promptly by
employees in the normal course of performing their duties.  Our
internal control work would not necessarily disclose material
weaknesses not reported by IRS. 

The following material weaknesses, most of which we also found in our
prior audits of IRS, were reported in IRS' FMFIA report for fiscal
year 1996.  These deficiencies in internal controls may adversely
affect any decision by management that is based, in whole or in part,
on information that is inaccurate because of the deficiencies. 
Unaudited financial information reported by IRS, including budgetary
information, may also contain misstatements resulting from these
deficiencies. 


      FUND BALANCES WITH TREASURY
---------------------------------------------------------- Letter :3.1

Treasury regulations and prudent cash management practices require an
agency to periodically reconcile its fund balance with Treasury
accounts to Treasury's records.  Such reconciliations allow agencies
to promptly detect and resolve any differences between agency and
Treasury records.  Significant unreconciled accounts make it
impossible, or at best difficult, for an agency or anyone else to
know whether operating funds have been properly spent and call into
question the accuracy of reported operating expenses, assets, and
liabilities.  Also, such unreconciled accounts affect an auditor's
ability to render an opinion. 

Prior to the advent of the CFO Act, IRS' fund balance with Treasury
accounts historically were not being reconciled.  For the most part,
IRS' personnel were only tracking the gross differences between IRS'
accounting records and what Treasury (the equivalent of its bank)
reported to them for its administrative receipts and disbursements. 
This material weakness resulted in years of accumulated unreconciled
amounts that were not regularly researched and were difficult to
research and resolve when the amounts were required to be audited. 
In addition, this problem contributed significantly to our inability
to render an opinion on IRS' financial statements for fiscal years
1992 through 1995. 

Over the past 3 years, IRS has developed and implemented procedures
for reconciling and reducing the backlog of hundreds of millions of
dollars posted to budget clearing accounts (BCAs) and suspense
accounts.\3 These procedures included hiring a contractor to assist
in identifying the reason amounts were posted to the BCA or suspense
account and determining adjustments necessary to post amounts to the
appropriate disbursement or collection account for those transactions
that could be verified.  At the completion of our fieldwork, IRS had
reconciled its September 30, 1996, fund balance with Treasury
accounts to Treasury's records within an immaterial amount. 

For the future, it will be important that IRS ensure that (1)
reconciliations are prepared monthly on a timely basis (a goal of 30
to 60 days from month-end is a reasonable target), (2) sufficient
resources are available to perform the necessary research for any
differences, and (3) it identifies and corrects any underlying
systems problems. 


--------------------
\3 Budget clearing accounts include items that are more than 6 months
old that remain unreconciled.  Suspense accounts are used as holding
accounts for transactions that are pending decisions by IRS as to
their validity. 


      ADMINISTRATIVE ACCOUNTS
      RECEIVABLE
---------------------------------------------------------- Letter :3.2

Most of IRS' administrative accounts receivable represent amounts due
from other federal agencies for services IRS provided to them. 
Information recorded in IRS' core financial management system for
these receivables is maintained by the specific project being worked
on and not by federal agency.  As such, this system cannot readily
provide a detailed record of the amounts by debtor constituting the
recorded administrative accounts receivable balances.  In an effort
to identify specific unpaid items constituting its reported
administrative gross accounts receivables, IRS performed ad hoc
routines to match recorded billed reimbursable services with
collections.  However, IRS was unable to readily support the unpaid
claims making up its reported balances.  When information
underpinning significant amounts reported in the financial statements
is not available for audit, neither the auditor nor management can
determine whether (1) the information presented in the financial
statements is correct, (2) all significant internal controls through
which the information was managed and processed were effective, and
(3) the agency complied with laws and regulations. 

IRS stated that it has efforts underway to address this financial
management problem.  These efforts will be assessed in connection
with the audit of IRS' fiscal year 1997 Administrative Financial
Statements. 


      ACCOUNTS PAYABLE
---------------------------------------------------------- Letter :3.3

IRS' financial management system, as implemented, records accounts
payable only when both an invoice has been received and the goods or
services have been received and accepted.  Therefore, liabilities
were routinely not recorded for goods or services received and
accepted until an invoice was also received and processed.  In
addition, the invoice is submitted directly by the vendor to IRS
payment processing offices, while receipt and acceptance are
performed by personnel located throughout the country.  As a result,
IRS is unable to readily determine its accounts payable at any given
point.  Consequently, trying to accurately determine year-end
accounts payable and the related operating expense accounts requires
an extremely labor-intensive process to identify the goods and
services received prior to fiscal year-end but paid for subsequent to
that date.  IRS' problems accounting for its accounts payable did not
materially affect the propriety of its budgetary accounting for its
obligated balances. 

In addition to this weakness, IRS continues to experience
documentation problems for receipt and acceptance of goods and
services for significant portions of its nonpayroll operating
expenses.  We reported in our prior year audit report\4 that IRS'
lack of effective control over receipt and acceptance of goods and
services, combined with its problems in linking the controls over
goods and services purchased to the payment for them, makes IRS
vulnerable to vendors, both federal and commercial, billing it for
goods and services not provided or for amounts in excess of what was
provided.  IRS has improved its internal controls over receipt and
acceptance of goods and services from commercial vendors to reduce
the risk of loss.  However, IRS still cannot readily identify amounts
owed to commercial vendors at any given point in time for goods or
services received and accepted but not yet invoiced.  Further, IRS'
vulnerability to loss from federal vendors persists. 

IRS stated that it has efforts underway to address these financial
management problems.  These efforts will be assessed in connection
with the audit of IRS' fiscal year 1997 Administrative Financial
Statements. 


--------------------
\4 Financial Audit:  Examination of IRS' Fiscal Year 1995 Financial
Statements (GAO/AIMD-96-101, July 11, 1996). 


      PROPERTY AND EQUIPMENT
---------------------------------------------------------- Letter :3.4

IRS has historically been unable to reliably account for its property
and equipment because the systems containing its detailed subsidiary
records for fixed assets and its summary-level general ledger
accounts are not integrated.  In its fiscal year 1996 FMFIA report,
IRS reported that property management procedures and controls over
the accountability for its automated data processing (ADP) and
non-ADP property need improvement.  IRS also reported that without a
reliable system of accounting for property, it is unable to determine
if property is being properly used or misappropriated. 

IRS has taken or is taking steps to address this weakness.  For
instance, it implemented a property tracking system for non-ADP
property and plans to conduct agencywide physical inventories for
both ADP and non-ADP property.  In addition, IRS stated that it is
developing procedures that will enable it to comply with the
Statement of Federal Financial Accounting Standard (SFFAS) No. 6,
Accounting for Property, Plant, and Equipment.  SFFAS No. 6 requires
the capitalization and depreciation of certain property and equipment
and becomes effective in fiscal year 1998. 


      COMPUTER SECURITY
---------------------------------------------------------- Letter :3.5

IRS relies on computerized information systems to process and account
for its administrative data.  These systems should include controls
to prevent or detect unauthorized access and intentional or
inadvertent unauthorized modifications to the data and related
computer programs.  We previously reported\5 that IRS continues to
have serious problems in the controls used to safeguard IRS computer
systems, facilities, and taxpayer data, including the controls at the
computing center that processes both administrative and tax data. 
Our review of controls over this computing center, done to support
our fiscal year 1996 audits, found that such controls were
ineffective.  Specifically, IRS did not adequately control access
authority given to computer support personnel or adequately monitor
their access to administrative and taxpayer data and related
programs.  Also, IRS did not adequately control external access to
its computer resources.  As a result, we consider computer security a
material weakness because data or programs at the computing center
could be added, altered, or deleted and not detected in a timely
manner. 

The more significant weaknesses include the following: 

  -- An excessive number of computer support personnel were granted
     the ability to read or change sensitive system files or
     resources.  This access gives them the ability to change, alter,
     or delete both administrative and taxpayer data and associated
     programs.  Access to such data files, which include the basic
     operating system software, should be limited to the minimum
     number of computer support personnel needed for maintenance and
     review.  For example, 88 computer support personnel have the
     ability to implement programs not controlled by the security
     software, 171 personnel have the ability to affect the system
     processing environment, and 103 have the ability to access the
     unencrypted security file containing passwords for staff
     authorized to record or alter financial data for IRS'
     administrative costs. 

  -- Computer support personnel were granted inappropriate access,
     including the ability to both obtain access to data or programs
     and alter the automated audit trail which identifies who entered
     or changed data.  The inherent risk in these privileges is that
     data or programs can be added, modified, or deleted and the
     related audit trail masked or deleted. 

  -- Computer support personnel's access to system resources was not
     adequately monitored.  Monitoring the access activities of
     employees, especially those who have the ability to alter
     sensitive programs and data, can help identify any significant
     problems and deter employees from inappropriate and unauthorized
     activities.  However, when thousands of transactions are
     involved, reviews cannot be effective unless reports are
     available to managers to highlight activity that is unusual or
     suspicious so that it can be investigated.  Proper supervision
     of employee actions, especially those having broader access
     privileges, requires routine assurance concerning the propriety
     of their activities. 

  -- An employee responsible for providing system programming support
     to the computer security function was also granted access to the
     security database, access that was not needed to perform the
     employee's routine duties.  As a result, this employee had
     unneeded access to sensitive system files and could make
     unauthorized changes as well as alter the related audit trail. 

  -- IRS did not adequately control external access to its systems. 
     IRS had previously identified this weakness and developed plans
     to address it.  This weakness, combined with the other
     weaknesses described above, could potentially allow access to
     IRS administrative and taxpayer data by other than authorized
     users. 
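The access review and exception reporting that these findings call for can be sketched as follows. This is an added example, not part of the GAO report or of any IRS system; the user IDs, capability labels, resource names, log records, and the change-ticket field are all constructed assumptions. It counts the holders of each sensitive capability separately from the distinct individuals involved, lists users who can both change data or programs and alter the audit trail, and reduces an activity log to the entries a manager would need to review.

```python
"""Access review over constructed entitlements and a constructed activity log.

Every user ID, capability label, resource name, log record and the
change-ticket field is made up for illustration.
"""
from collections import Counter

# Hypothetical capability labels mirroring the findings listed above.
BYPASS = "run_programs_outside_security_software"
ENV = "affect_processing_environment"
PWFILE = "read_password_file"
ALTER_DATA = "alter_data_or_programs"
ALTER_AUDIT = "alter_audit_trail"
SENSITIVE = {BYPASS, ENV, PWFILE, ALTER_DATA, ALTER_AUDIT}

# Constructed entitlements: user -> capabilities granted.
ENTITLEMENTS = {
    "sysprog01": {BYPASS, ENV, PWFILE, ALTER_DATA, ALTER_AUDIT},
    "sysprog02": {ENV, ALTER_DATA},
    "secadm01": {PWFILE, ALTER_AUDIT},
    "oper01": {ENV},
    "dba01": {ALTER_DATA, ALTER_AUDIT},
    "clerk01": set(),
}

# Constructed activity records: (user, action, resource, change_ticket).
EVENTS = [
    ("sysprog02", "UPDATE", "PROD.PAYROLL.MASTER", "CHG-1001"),
    ("dba01", "UPDATE", "PROD.VENDOR.PAYMENTS", None),
    ("dba01", "DELETE", "AUDIT.TRAIL.D0412", None),
    ("oper01", "READ", "PROD.PAYROLL.MASTER", None),
    ("sysprog01", "UPDATE", "SYSTEM.PARMS", "CHG-1002"),
    ("secadm01", "READ", "SECURITY.PASSWORDS", None),
]


def holders_by_capability(entitlements):
    """Headcount per capability; one person can appear under several."""
    counts = Counter()
    for caps in entitlements.values():
        counts.update(caps & SENSITIVE)
    return dict(counts)


def distinct_privileged(entitlements):
    """Individuals holding at least one sensitive capability, counted once."""
    return {user for user, caps in entitlements.items() if caps & SENSITIVE}


def multi_capability_users(entitlements):
    """Users holding more than one sensitive capability, with how many."""
    held = {user: len(caps & SENSITIVE) for user, caps in entitlements.items()}
    return {user: n for user, n in held.items() if n > 1}


def audit_trail_conflicts(entitlements):
    """Users who can change data or programs and also alter the audit trail."""
    return sorted(user for user, caps in entitlements.items()
                  if ALTER_AUDIT in caps and caps & {ALTER_DATA, BYPASS})


def exception_report(events, entitlements):
    """Reduce the full log to privileged actions that need a manager's review."""
    privileged = distinct_privileged(entitlements)
    flagged = []
    for user, action, resource, ticket in events:
        if user not in privileged:
            continue
        if resource.startswith("AUDIT.") and action != "READ":
            flagged.append((user, resource, "audit trail changed"))
        elif action in {"UPDATE", "DELETE"} and ticket is None:
            flagged.append((user, resource, "change without approved ticket"))
        elif resource == "SECURITY.PASSWORDS":
            flagged.append((user, resource, "password file accessed"))
    return flagged


if __name__ == "__main__":
    print("holders per capability:", holders_by_capability(ENTITLEMENTS))
    print("distinct individuals:", len(distinct_privileged(ENTITLEMENTS)))
    print("data + audit trail:", audit_trail_conflicts(ENTITLEMENTS))
    for row in exception_report(EVENTS, ENTITLEMENTS):
        print("REVIEW:", row)
```

In the constructed data the per-capability headcounts sum to more than the number of distinct individuals, because one person can hold several capabilities.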

These computer security problems compounded the weaknesses previously
discussed in this report and could affect the security and
reliability of IRS' administrative accounting information, including
procurement, payroll, and property and equipment activity.  The
Office of the CFO advised us that in an attempt to mitigate the
effect of these control weaknesses, it has been frequently monitoring
certain data files used to control and prepare administrative
financial information reports.  However, this mitigating control
could be circumvented because of the nature of the weaknesses
identified in this report. 

Specifically related to the computing center, IRS has reduced the
access of the employee mentioned above and told us it is expanding
its monitoring of system activity by computer support personnel. 
Also, IRS has accelerated its plans to correct the external access
issue, including encryption, by moving the external access control
software implementation date from August 1998 to December 1997. 


--------------------
\5 IRS Systems Security:  Tax Processing Operations and Data Still at
Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997). 


   COMPLIANCE WITH LAWS AND
   REGULATIONS
------------------------------------------------------------ Letter :4

Because of the limitations on the scope of our work in the
administrative accounts receivable, revenues, and operating expenses
areas, as described above, we were unable to determine whether
operating expenses and revenues were valid and to test for compliance
with laws deemed significant to the financial statements.\6
Accordingly, we are unable to report on IRS' compliance with laws and
regulations. 

When sufficient evidence to support information reported in the
financial statements is not available for audit, we cannot determine
whether IRS complied with laws and regulations deemed significant to
the financial statements.  For example, after several efforts to
research differences between its fund balance with Treasury accounts
and Treasury's records, IRS made millions of dollars of net
adjustments to its accounting records to write off unreconciled
amounts.  In addition, because of IRS' weaknesses in accounting for
accounts payable, the liability as of fiscal year-end was estimated
using statistical sampling techniques.  While this effort resulted in
a reasonable estimate for the liability, it did not enable IRS to
identify all of the specific transactions constituting this estimated
balance.  Thus, in both of these cases, neither we nor IRS could
examine supporting documentation to determine whether the
transactions recorded in IRS' accounting records complied with laws
and regulations. 


--------------------
\6 These are laws governing the use of budget authority and other
laws and regulations that have a direct and material effect on the
Administrative Financial Statements or that are listed in OMB audit
guidance and could have a material effect on the Administrative
Financial Statements. 


   CONSISTENCY OF OTHER
   INFORMATION
------------------------------------------------------------ Letter :5

IRS' Overview contains various data, some of which are not directly
related to the Administrative Financial Statements.  We do not
express an opinion on this information. 


   IRS' PROGRESS IN IMPLEMENTING
   GAO RECOMMENDED IMPROVEMENTS
------------------------------------------------------------ Letter :6

In our prior reports, we made 29 recommendations aimed at improving
IRS' administrative accounting operations.\7 In our assessment this
year, we determined that, to date, IRS had completed action on 15 of
these recommendations, including 5 actions that were completed since
our audit of the fiscal year 1995 financial statements.  IRS has
actions planned or in progress to address all but 1 of the remaining
14 recommendations.  Appendix I details why no actions have been
taken on this 1 recommendation along with the status of IRS'
implementation efforts on the other recommendations. 

Progress has been made and actions are underway by IRS to try to
resolve the material weaknesses in internal controls and financial
management problems reported in our prior year audits, including
those identified previously.  Additional corrective actions are still
needed, and IRS continues to state its intention to commit the
necessary resources and management oversight to resolve these
weaknesses.  We will continue to advise IRS on how to resolve these
long-standing financial management problems. 


--------------------
\7 See Financial Audit:  Examination of IRS' Fiscal Year 1995
Financial Statements (GAO/AIMD-96-101, July 11, 1996); Financial
Audit:  Examination of IRS' Fiscal Year 1994 Financial Statements
(GAO/AIMD-95-141, August 4, 1995); Financial Audit:  Examination of
IRS' Fiscal Year 1993 Financial Statements (GAO/AIMD-94-120, June 15,
1994); and Financial Audit:  Examination of IRS' Fiscal Year 1992
Financial Statements (GAO/AIMD-93-2, June 30, 1993). 


   OBJECTIVES, SCOPE, AND
   METHODOLOGY
------------------------------------------------------------ Letter :7

Management is responsible for

  -- preparing the annual Administrative Financial Statements in
     conformity with the basis of accounting described in note 1;

  -- establishing, maintaining, and assessing the internal control
     structure to provide reasonable assurance that the broad control
     objectives of FMFIA are met; and

  -- complying with applicable laws and regulations. 

We are responsible for obtaining reasonable assurance about whether
(1) the Administrative Statement of Financial Position is reliable
(free of material misstatements and presented fairly, in all material
respects, in conformity with the basis of accounting described in
note 1), and (2) management's assertion about the effectiveness of
internal controls is fairly stated, in all material respects, based
upon criteria established under the Federal Managers' Financial
Integrity Act of 1982 and the Office of Management and Budget
Circular A-123, Management Accountability and Control. 

In order to fulfill these responsibilities, we

  -- examined, on a test basis, evidence supporting the amounts in
     the Administrative Statement of Financial Position and related
     disclosures;

  -- assessed the accounting principles used and significant
     estimates made by management in the preparation of the
     Administrative Statement of Financial Position;

  -- evaluated the overall presentation of the Administrative
     Statement of Financial Position;

  -- obtained an understanding of the internal control structure
     related to safeguarding assets, compliance with laws and
     regulations including execution of transactions in accordance
     with budget authority, and financial reporting, except in the
     above-noted areas for which there was a limitation on the scope
     of our work; and

  -- tested relevant internal controls over safeguarding, compliance,
     and financial reporting and evaluated management's assertion
     about the effectiveness of internal controls, except in the
     above-noted areas for which there was a limitation on the scope
     of our work. 

We did not evaluate all internal controls relevant to operating
objectives as broadly defined by FMFIA, such as those controls
relevant to preparing statistical reports and ensuring efficient
operations.  We limited our internal control testing to those
controls necessary to achieve the objectives outlined in our opinion
on management's assertion about the effectiveness of internal
controls. 

We attempted to perform audit procedures on the limited information
IRS provided; however, for the reasons stated above, we were unable
to perform the necessary audit procedures to opine on IRS'
Administrative Statement of Operations and Changes in Net Position
or Overview, or to report on IRS' compliance with laws and
regulations. 

We did our work in accordance with generally accepted government
auditing standards and OMB Bulletin 93-06, Audit Requirements for
Federal Financial Statements. 


   AGENCY COMMENTS AND OUR
   EVALUATION
------------------------------------------------------------ Letter :8

In commenting on a draft of this report, IRS generally agreed with
our specific findings directly related to its financial statements. 
It pointed out that progress had been made to minimize the risk of
loss posed by our earlier reported disbursement weaknesses involving
its direct relations with commercial vendors.  We have modified the
accounts payable section of the report to clarify that the continuing
weaknesses involving risk of loss at the end of fiscal year 1996
involved IRS' contractual obligations with other federal agencies,
which comprise the majority of its payments for goods and services. 

Concerning our internal control findings related to its ADP
environment, IRS acknowledged certain of our findings but stated that
it did not agree with the significance we placed on them,
specifically, that computer security is a material weakness.  We
disagree.  As discussed with IRS throughout this audit, the Detroit
Computing Center has a number of control weaknesses, each of which is
a vulnerability and which, considered together, result in an
ineffective control environment.  Our report discusses examples of
the major weaknesses identified during our assessment; we did not
attempt to offer a comprehensive itemization of each weakness noted. 

We believe the nature of the ADP control weaknesses places IRS at an
unacceptable level of risk of unauthorized and undetected
modifications to data or programs at the Detroit Computing Center. 
The Detroit IRS computing environment (hardware, software, and
personnel) allows computer support personnel, who are sophisticated
users with strong technical data processing skills, the opportunity
to access, review, alter, delete, or make unauthorized changes to all
data and programs on the system.  Further, the record of these
actions, which management would normally use as a control, could also
be altered or deleted to obscure who had accessed the system or data. 
This represents a substantial risk to management.  Data that
management relies on for financial reporting and management
information could be manipulated in a way that would be very
difficult to detect.  Further, the original data would be potentially
unrecoverable. 

Gregory M.  Holloway
Director
Governmentwide Audits

April 11, 1997


PRINCIPAL FINANCIAL
STATEMENTS--ADMINISTRATIVE
=========================================================== Appendix 0



   (See figure in printed
   edition.)

   Overview to the Financial
   Statements

   (See figure in printed
   edition.)




   Statement of Financial Position

   (See figure in printed
   edition.)

   Statement of Operations and
   Changes in Net Position

   (See figure in printed
   edition.)

   Notes to Principal Financial
   Statements

   (See figure in printed
   edition.)





REPORTS ISSUED AS A RESULT OF
GAO'S AUDITS OF IRS' FISCAL YEARS
1992 THROUGH 1995 FINANCIAL
STATEMENTS AND STATUS OF
ADMINISTRATIVE RECOMMENDATIONS
=========================================================== Appendix I

The results of our efforts to audit IRS' fiscal years 1992, 1993,
1994, and 1995 Administrative Financial Statements were presented in
our reports entitled Financial Audit:  Examination of IRS' Fiscal
Year 1992 Financial Statements (GAO/AIMD-93-2, June 30, 1993),
Financial Audit:  Examination of IRS' Fiscal Year 1993 Financial
Statements (GAO/AIMD-94-120, June 15, 1994), Financial Audit: 
Examination of IRS' Fiscal Year 1994 Financial Statements
(GAO/AIMD-95-141, August 4, 1995), and Financial Audit:  Examination
of IRS' Fiscal Year 1995 Financial Statements (GAO/AIMD-96-101, July
11, 1996). 

In these prior reports, we made numerous recommendations to improve
IRS' administrative accounting operations.  We determined the status
of these recommendations based on our audit work on IRS' fiscal year
1996 Administrative Financial Statements and on our discussions with
IRS officials.  Our assessments of IRS' actions for the most
significant recommendations are discussed in the report.  However, we
have not fully assessed the effectiveness of all of the responses
identified in the following table. 

                                                             Action
                                                             in
                                                             planning   No
                                                   Action    or         specific
                                         Action    in        planning   action
Reports/recommendations                  complete  progress  complete   planned
---------------------------------------  --------  --------  ---------  --------
Financial Management: IRS' Self-
Assessment of Its Internal Control and
Accounting Systems Is Inadequate
(GAO/AIMD-94-2, October 13, 1993)

The Senior Management Council should     X
coordinate, monitor, or oversee
activities to (1) establish and
implement proper written procedures
that provide for the identification,
documentation, and correction of
material weaknesses, (2) provide
classroom training and guidance
materials to all review staff, (3)
develop effective corrective action
plans that address the fundamental
causes of the weaknesses, and (4)
verify the effectiveness of corrective
actions before removing reported
weaknesses from IRS' records.

Financial Management: IRS Does Not
Adequately Manage Its Operating Funds
(GAO/AIMD-94-33, February 9, 1994)

Monitor whether IRS' new administrative  X
accounting system effectively provides
managers up-to-date information on
available budget authority.

Promptly resolve differences between               X
IRS and Treasury records of IRS' cash
balances and adjust accounts
accordingly.

Promptly investigate and record                    X
suspense account items to appropriate
appropriation accounts.

Perform periodic reviews of                        X
obligations, adjusting the records for
obligations to amounts expected to be
paid, and removing expired
appropriation balances from IRS records
as stipulated by the National Defense
Authorization Act for Fiscal Year 1991.

Monitor compliance with IRS policies     X
requiring approval of journal vouchers
and enforcing controls intended to
preclude data entry errors.

Review procurement transactions to       X
ensure that accounting information
assigned to these transactions
accurately reflects the appropriate
fiscal year, appropriation, activity,
and sub-object class.

Provide (1) detailed written guidance    X
for all payment transactions, including
unusual items such as vendor credits,
and (2) training to all personnel
responsible for processing and
approving payments.

Revise procedures to require that        X
vendor invoices, procurement orders,
and receipt and acceptance
documentation be matched prior to
payment and that these documents be
retained for 2 years.

Revise procedures to incorporate the               X
requirements that accurate receipt and
acceptance data on invoiced items be
obtained prior to payment and that
supervisors ensure that these
procedures are carried out.

Revise document control procedures to              X
require IRS units that actually receive
goods or services to promptly forward
receiving reports to payment offices so
that payments can be promptly
processed.

Monitor manually computed interest on    X
late payments to determine whether
interest is accurately computed and
paid.

Enforce existing requirements that       X
early payments be approved in
accordance with OMB Circular A-125.

Require payment and procurement                                         X\a
personnel, until the integration of AFS
and the procurement system is completed
as planned, to periodically (monthly or
quarterly) reconcile payment
information maintained in AFS to
amounts in the procurement records and
promptly resolve noted discrepancies.

Require the description and period of    X
service for all invoiced items to be
input in AFS by personnel responsible
for processing payments, and enhance
the edit and validity checks in AFS to
help prevent and detect improper
payments.

Establish procedures, based on budget    X
categories approved by OMB, to develop
reliable data on budget and actual
costs.

Use AFS' enhanced cost accumulation                X
capabilities to monitor and report
costs by project in all appropriations.

Financial Management: IRS Lacks
Accountability Over Its ADP Resources
(GAO/AIMD-93-24, August 5, 1993)

Provide the agency's CFO with the        X
authority to ensure that data
maintained by IRS' ADP inventory system
meet its management and reporting
needs.

Provide that any software purchases,     X
development, or modifications related
to this system are subject to the CFO's
review and approval.

Develop and implement standard                     X
operating procedures that incorporate
controls to ensure that inventory
records are accurately maintained. Such
controls should include
--establishing specific procedures to
ensure the prompt and accurate
recording of acquisitions and disposals
in IRS' ADP fixed asset system,
including guidance addressing the
valuation of previously leased assets;
--reconciling accounting and inventory
records monthly as an interim measure
until the successful integration of
inventory and accounting systems is
completed as planned; and
--implementing mechanisms for ensuring
that annual physical inventories at
field locations are effectively
performed, that discrepancies are
properly resolved, and that inventory
records are appropriately adjusted.

Oversee IRS efforts for ensuring that              X
property and equipment inventory data,
including telecommunications and
electronic filing equipment, is
complete and accurate.

Determine what information related to              X
ADP resources, such as equipment
condition and remaining useful life,
would be most useful to IRS managers
for financial management purposes and
develop a means for accounting for
these data.

Develop an interim means to capture                X
relevant costs related to in-house
software development.

Financial Audit: Examination of IRS'
Fiscal Year 1993 Financial Statements
(GAO/AIMD-94-120, June 15, 1994)

Monitor its systems and controls to      X
regularly identify problems as they
occur by establishing clear lines of
responsibility and communication from
top management to the lowest staff
levels,

Develop action plans that are agreed     X
upon by all affected groups and
individuals to correct problems
identified, and

Continuously monitor corrective actions            X
to ensure that progress is achieved.

Periodically compare information in      X
payroll records to supporting personnel
information,

Use current information to periodically            X
update estimated future TSM costs, and

Develop reliable detailed information              X
supporting its reported accounts
payable balances.
--------------------------------------------------------------------------------
\a IRS officials stated that IRS does not plan to manually reconcile
its existing procurement and payment systems as an interim measure
since they expect implementation of an integrated procurement system
by October 1997.  These officials believe that this new system will
ensure payment amounts recorded in the procurement and accounting
systems are equal. 




COMMENTS FROM THE INTERNAL REVENUE
SERVICE
========================================================== Appendix II

(See figure in printed edition.)


The following are GAO's comments on the Internal Revenue Service's
letter dated August 19, 1997. 

GAO'S COMMENTS

1.  Report modified to clarify the reduced risk of loss related to
IRS' commercial vendors. 

2.  We continue to conclude that access is excessive considering the
broad privileges authorized and the inadequate monitoring of those
privileges.  IRS should perform and document a detailed review of
job-related access needs for each computer support person.  This will
help ensure that each member of an IRS-designated group has only the
level of access required to adequately perform his or her job duties. 
According to Detroit Computing Center (DCC) personnel, the mitigating
control IRS cited is an automated reporting system for security
violations that records unsuccessful access attempts.  However, this
system was under development and had not yet been implemented when we
conducted our fieldwork (January 1997).  Also, according to DCC
personnel, supervisors or management do not review authorized access
to confirm that personnel are acting within the scope of their
assigned duties. 

IRS stated that ALTER access was not granted to SYS1 Authorized
Program Facility (APF) libraries.  However, not all APF libraries
reside in SYS1 libraries.  Specifically, APF libraries for the BMC
and Landmark products reside in the SP libraries, which have ALTER
access.  ALTER access only needs to be available to one APF library
for a user with this access to modify sensitive programs and data. 
This would be done by adding a new program or programs that, when
executed, have the ability to bypass security controls to make such
changes. 

According to IRS comments, "All programmers' access to the production
environment by GAO is being removed." We have never had access to the
IRS production or test systems.  IRS' reference must be to our
comment regarding the need to remove IRS programmer access to the
production environment.  While this matter was not specifically
mentioned in our report, we are pleased that IRS has taken action to
remove such programmer access. 

IRS stated that our specific counts of computer support personnel
(i.e., 88, 171, and 103) included some individuals more than once. 
Because some computer support personnel have the opportunity to
exploit more than one weakness, we believe it is appropriate to
identify both the weakness and the number of individuals who can
exploit the weakness.  Further, we believe that having the ability to
exploit more than one weakness exacerbates the problem. 

Regarding the unencrypted password file, IRS stated that Resource
Access Control Facility (RACF) protection and the fact that the file
is a VSAM file are mitigating controls.  However, due to the APF
weaknesses noted above, computer support personnel can bypass RACF
controls.  In addition, to perform administrative data processing,
IRS uses a commercial off-the-shelf financial system for which
documentation is available.  Some computer support personnel who have
access to this system are highly skilled, would routinely perform
maintenance on VSAM files, and would have little difficulty obtaining
appropriate documentation. 

3.  As stated previously, the aggregate of the weaknesses when
considered together results in a material weakness.  We acknowledge
that computer support personnel must be able to create new audit
files when existing files have reached capacity.  However, the same
individuals who are authorized to create new files can also delete or
modify existing files to mask an unauthorized activity.  Detroit
computer personnel advised us that such activity is not monitored. 

4.  As noted above, the automated tool cited by IRS is an automated
reporting system for security violations that records unsuccessful
access attempts.  No automated tools are present to assist in the
reviews of the use of special privileges and attributes or
sensitive/powerful utilities.  Unsynthesized RACF or SMF audit logs
are too voluminous to be used effectively for this purpose.  Also,
according to DCC personnel, supervisors or management do not review
authorized access to confirm that personnel are acting within the
scope of their assigned duties. 

5.  At the time of our review, the individual had unneeded access. 
As we stated in our report, IRS agreed and has reduced his access. 

6.  We have not acknowledged, nor do we believe, as evidenced by the
above discussion of weaknesses in the IRS computer control
environment, that RACF controls are adequate.  The absence of a
specific control over dial-in modems further exacerbates the
exposure. 

