Management Report: Improvements Needed in IRS's Internal Controls
and Accounting Procedures (26-APR-04, GAO-04-553R).		 
                                                                 
In November 2003, we issued our report on the results of our	 
audit of the Internal Revenue Service's (IRS) financial 	 
statements as of and for the fiscal years ending September 30,	 
2003 and 2002, and on the effectiveness of its internal controls 
as of September 30, 2003. We also reported our conclusions on	 
IRS's compliance with significant provisions of selected laws and
regulations and on whether IRS's financial management systems	 
substantially comply with requirements of the Federal Financial  
Management Improvement Act of 1996. A separate report on the	 
implementation status of recommendations from our prior IRS	 
financial audits and related financial management reports	 
including this one will be issued shortly. The purpose of this	 
report is to discuss issues identified during our fiscal year	 
2003 audit regarding internal controls and accounting procedures 
that could be improved for which we do not presently have any	 
recommendations outstanding. Although not all of these issues	 
were discussed in our fiscal year 2003 audit report, they all	 
warrant management's consideration.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-553R					        
    ACCNO:   A09861						        
  TITLE:     Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures				 
     DATE:   04/26/2004 
  SUBJECT:   Audit reports					 
	     Auditing standards 				 
	     Financial statement audits 			 
	     Performance measures				 
	     Internal controls					 
	     Accounting procedures				 
	     Contractors					 
	     Personnel management				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-553R

United States General Accounting Office Washington, DC 20548

April 26, 2004

The Honorable Mark W. Everson Commissioner of Internal Revenue

Subject: 	Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures

Dear Mr. Everson:

In November 2003, we issued our report on the results of our audit of the
Internal Revenue Service's (IRS) financial statements as of and for the
fiscal years ending September 30, 2003 and 2002, and on the effectiveness
of its internal controls as of September 30, 2003.1 We also reported our
conclusions on IRS's compliance with significant provisions of selected
laws and regulations and on whether IRS's financial management systems
substantially comply with requirements of the Federal Financial Management
Improvement Act of 1996. A separate report on the implementation status of
recommendations from our prior IRS financial audits and related financial
management reports including this one will be issued shortly.

The purpose of this report is to discuss issues identified during our
fiscal year 2003 audit regarding internal controls and accounting
procedures that could be improved for which we do not presently have any
recommendations outstanding. Although not all of these issues were
discussed in our fiscal year 2003 audit report, they all warrant
management's consideration. This report contains 15 recommendations that
we are proposing IRS implement in order to improve its internal controls
and accounting procedures. We conducted our audit in accordance with U.S.
generally accepted government auditing standards.

Results in Brief

During fiscal year 2003, we identified a number of internal control issues
that adversely affected safeguarding of tax receipts, budgeting, operating
costs, and financial reporting. These issues concern (1) enforcement of
lockbox bank2 contractor policies, (2) courier service requirements, (3)
lockbox bank management

1U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years 2003
and 2002 Financial

Statements, GAO-04-126 (Washington, D.C.: Nov. 13, 2003).

2Lockbox banks are financial institutions designated as depositories and
financial agents of the U.S.

government to perform certain financial services, including processing tax
documents, depositing the

receipts, and then forwarding the documents and data to IRS's service
center campuses, which update

taxpayers' accounts.

                       GAO-04-553R IRS Management Report

3

reviews, (4) candling, (5) safeguarding of taxpayer receipts and
information at IRS field offices and service center campuses, (6) physical
security, (7) deobligation of funds, (8) overpayments to employees' Thrift
Savings Plan (TSP) accounts, (9) financial statement disclosures, and (10)
interim performance measures.

Specifically, we found the following:

o  	IRS did not require lockbox banks to maintain information on the
employment start dates of their contractors4 who have access to taxpayer
receipts and related information. As a result, there is no evidence that
lockbox managers are adhering to IRS's criterion that contractors receive
favorable fingerprint results prior to having access to taxpayer receipts
and information.

o  	IRS allowed immediate family members to serve as couriers together,
thereby undermining the intent of IRS's requirements that two-person
courier teams transport taxpayer receipts to depositories. Allowing
two-person courier teams to consist of related individuals or individuals
in close relationships increases the risk of collusion and consequently
the theft of taxpayer receipts.

o  	IRS did not require documentary evidence that lockbox management
performed required reviews of certain control logs and transmittal
documents. At the lockbox banks we visited, there were several instances
for which no evidence of required reviews was available. The lack of such
evidence reduces IRS's assurance that the reviews are performed, in turn
increasing the risk of untimely detection of theft of, loss of, or
unauthorized access to taxpayer information and receipts.

o  	Automated mail extraction machines used to perform candling were not
checked prior to use to ensure that they were operating properly. As a
result, IRS's risk of loss of receipts and taxpayer information was
increased.

o  	IRS did not always follow the required procedures to safeguard
taxpayer receipts and information in its facilities. We found (1) taxpayer
receipts and information kept in unsecured containers and areas at field
offices and (2) discovered remittances5 stored in unsecured containers and
areas at a service center campus. The reduced level of protection given to
these taxpayer receipts and data increases the risk of their theft, loss,
or misuse.

3Candling is a process used by IRS to determine if any contents remain in
open envelopes. This is often
achieved by passing the envelopes over a light source.
4For the purpose of this report, the term "lockbox bank contractors"
refers to all individuals in a
contractual relationship with a lockbox bank who are granted staff-like
access to the lockbox bank but
are not involved in the extraction and posting of receipts. This would
include couriers and janitorial
and equipment maintenance personnel.
5Discovered remittances are cash and noncash taxpayer receipts that
instead of being identified and
processed during the initial mail extraction phase are found later during
further processing of mail.

o  	Security guards did not respond to alarms at two of the four service
center campuses we visited. The lack of timely response to alarms
increases the risk of theft of taxpayer receipts and information as well
as untimely detection of such incidents.

o  	IRS did not always timely identify and deobligate outstanding
obligations, hindering its ability to use the funds for other programs and
initiatives.

o  	IRS did not have controls in place to provide reasonable assurance
that payroll calculations made on its behalf by the National Finance
Center (NFC) were not adversely affected by control weaknesses at NFC,
resulting in inaccurate contributions to employee TSP accounts.

o  	IRS's controls over the calculation and reporting of Other Claims for
Refunds in the supplemental information to its financial statements were
not effective in preventing errors from occurring in the reporting of
those amounts.

o  	IRS lacked adequate controls over the preparation of interim period
performance management data. As a result, IRS reported inaccurate or
outdated interim performance data, and program managers lacked consistent
and reliable information to make informed decisions on interim program
performance.

At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into conformance
with the internal

6

control standards that federal agencies are required to follow.

In its comments, IRS agreed with our recommendations and described actions
it was taking or planned to take to address the control weaknesses
described in this report. At the end of our discussion of each of the
issues in this report, we have summarized IRS's related comments and
provided our evaluation.

Scope and Methodology

As part of our audit of IRS's fiscal years 2003 and 2002 financial
statements, we evaluated IRS's internal controls and its compliance with
selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions.

We requested comments on a draft of this report from the Commissioner of
Internal Revenue. We received written comments from the Commissioner and
have reprinted the comments in enclosure I. Further details on our audit
scope and methodology are

6U.S. General Accounting Office, Standards for Internal Control in the
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

included in our report on the results of our audits of IRS's fiscal years
2003 and 2002

7

financial statements and are reproduced in enclosure II.

Enforcement of Lockbox Contractor Background Investigation Policies

In previous years, we found that IRS allowed lockbox bank employees and
contractors access to cash, checks, and other taxpayer data at lockbox
banks before lockbox management had received satisfactory results of the
individuals' background investigations, thereby subjecting IRS to an
increased risk of theft or misuse of taxpayer receipts and data.8 During
our fiscal year 2003 audit, we found that IRS had made substantial
progress in this area with regard to lockbox bank employees and, as a
result, had substantially reduced its exposure related to the risks of
hiring individuals prior to receiving the results of satisfactory
background investigations. Additionally, IRS procedures require lockbox
bank managers to ensure that they have received satisfactory results of
fingerprint checks from the National Background Investigation Center
(NBIC) for lockbox bank contractors, such as couriers, before they are
granted staff-like access to the lockbox processing area or are entrusted
with taxpayer receipts and information. However, at two of the four
lockbox bank locations we visited this year, lockbox bank managers could
not provide the necessary data to demonstrate that they had not granted
contractors, such as couriers, access to taxpayer data without having
previously received satisfactory fingerprint check results from NBIC.

At one of the two locations where management was unable to demonstrate
that it had received satisfactory fingerprint check results before it had
granted couriers access to taxpayer receipts and data, the couriers' start
dates were inconsistent with data gathered from that same location during
the prior year's audit. As a result, we concluded that the lockbox bank's
data on contractor start dates were unreliable. At the second location,
lockbox bank management informed us that maintaining information on start
dates for contractors was not a requirement. From the information provided
by the lockbox bank managers, we were not able to verify the controls the
lockbox bank uses to validate its adherence to the fingerprinting
requirement for contractors. GAO's Standards for Internal Control in the
Federal Government requires agencies to establish controls to safeguard
vulnerable assets.9 Until IRS ensures that lockbox bank managers allow
only contractors who have successfully met the background investigation
requirements to have access to taxpayer receipts and data and sensitive
IRS information, the federal government will be unnecessarily exposed to
the risk of loss, theft, or misuse of taxpayer receipts and information.

7GAO-04-126.
8U.S. General Accounting Office, Internal Revenue Service: Progress Made,
but Further Actions
Needed to Improve Financial Management, GAO-02-35 (Washington, D.C.: Oct.
19, 2001).
9GAO/AIMD-00-21.3.1.

Recommendation

We recommend that IRS require lockbox bank managers to maintain
appropriate documentation on-site demonstrating that satisfactory
fingerprint results have been received before contractors are granted
access to taxpayer receipts and data.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and indicated that its current Lockbox
Processing Guideline (LPG) now requires appropriate documentation for
couriers and guards before they are granted access to taxpayer receipts.
Additionally, to ensure compliance with the LPG, IRS has included the
requirement in its security and administrative reviews. We will evaluate
the effectiveness of IRS's efforts during our fiscal year 2004 financial
audit.

Courier Requirements

In a number of reports, we have pointed out that IRS lacks effective
controls over various aspects of courier services used to transport
taxpayer receipts.10 We have made numerous recommendations to IRS to
strengthen related controls. IRS has made significant efforts to address
the courier security weaknesses we identified by adopting more stringent
security standards for couriers who transport IRS's daily deposits to
depositary institutions. In particular, IRS adopted a requirement that
courier service employees work in pairs to mitigate the risk of loss.

While this modification was well conceived, it does not satisfactorily
reduce risk in certain atypical situations we found at two service center
campuses and one lockbox bank location we visited. At the two campuses, we
found courier teams consisting of (1) a husband and wife and (2) a mother
and daughter. At the lockbox bank location, we found one team consisting
of a husband and wife11 and another team consisting of a father and son.
When courier team members have close relationships, the risk of collusion
is increased and the assurance provided by having two-person courier teams
is diminished.

Recommendation

We recommend that IRS revise its policy on two-person courier teams to
prohibit the use of courier teams consisting of closely related
individuals to further minimize the risk of collusion in the theft of
taxpayer receipts and data.

10U.S. General Accounting Office, Internal Revenue Service: Physical
Security Over Taxpayer
Receipts and Data Needs Improvement, GAO/AIMD-99-15 (Washington, D.C.:
Nov. 30, 1998); Internal
Revenue Service: Custodial Financial Management Weaknesses,
GAO/AIMD-99-193 (Washington,
D.C.: Aug. 4, 1999); Internal Revenue Service: Recommendations to Improve
Financial and
Operational Management, GAO-01-42 (Washington, D.C.: Nov. 17, 2000);
Management Report:
Improvements Needed in IRS's Accounting Procedures and Internal Controls,
GAO-02-746R
(Washington, D.C.: July 18, 2002); and GAO-02-35.
11This husband and wife team is the same husband and wife team we noted at
one of the service center
campuses.

IRS Comments and Our Evaluation

In response to our recommendation, IRS agreed to work with its Revenue and
Deposit Branch to assess the risks associated with its current courier
policy and determine if changes are needed. We will evaluate IRS's
conclusions and any corrective actions during our fiscal year 2004
financial audit.

Lockbox Management Reviews

During our fiscal year 2003 financial audit, we found instances in which
there was no evidence that lockbox management performed certain required
reviews. GAO's Standards for Internal Control in the Federal Government12
requires agencies to establish controls to enforce adherence to
requirements, such as management reviews, and to create and maintain
records providing evidence that these controls are executed.

We visited four lockbox banks during our fiscal year 2003 audit. We found
that at all four of these lockbox banks, there was no documentary or other
evidence that some required management reviews of control logs and
transmittal documents relating to transport of taxpayer receipts and
access to taxpayer receipts and data had been performed. The lack of such
evidence increases the risk that the reviews are not performed, thereby
increasing the risk of untimely detection of theft of, loss of, or
unauthorized access to taxpayer receipts and data.

As discussed above, lockbox banks use couriers to transport taxpayer
receipts and taxpayer information to depositories and to service center
campuses. Each lockbox bank is required to maintain a log showing the
courier driver's signature, date and time of pickup, and number of boxes
transported for all courier services, and lockbox bank managers are
required to review these control logs monthly. At three of the four
lockbox banks we visited, we found no evidence such as a reviewer's
signature or initial, date, or comment, that managers had reviewed these
logs. On two of the logs we reviewed, we noted that the courier drivers'
signatures were missing, and at one lockbox bank we noted that no log
existed for service center campus shipments or depository pickups. We also
noted that at one of the lockbox banks, the transmittal document that is
required to accompany all shipments of IRS- and taxpayer-related
information, including cartridges and microfilm, from any bank site to the
service center campus was frequently incomplete and often lacked a
complete count of the items shipped. This transmittal document is
extremely important since it is the only way assure that all packages
included in each shipment are properly and timely received and
acknowledged by the addressee at the service center campus.

IRS also requires that lockbox banks using automated entry systems (AES)
to the lockbox processing areas establish and maintain logs controlling
key, proximity, and swipe cards in order to provide an up-to-date audit
trail of employee access and to

12GAO/AIMD-00-21.3.1.

deter unauthorized access to restricted areas. Lockbox managers are
required to review these logs monthly. At two of four lockbox banks we
visited, managers either lacked evidence of their monthly review or did
not perform the review in accordance with established guidelines. At one
of these two lockbox banks, we noted that the AES control log did not list
the dates that proximity cards were enabled or disabled. The lack of
evidence of managerial reviews reduces IRS's assurance that such reviews
are performed, thereby increasing the risk of untimely detection of theft
of, loss of, or unauthorized access to taxpayer receipts and data.

Recommendation

We recommend that IRS develop procedures to require lockbox managers to
provide satisfactory evidence that managerial reviews are performed in
accordance with established guidelines. At a minimum, reviewers should
sign and date the reviewed documents and provide any comments that may be
appropriate in the event that their reviews identified problems or raised
questions.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated that it would (1) consider
the risk level of each document log, (2) assess each one to determine the
appropriate level of review, and (3) follow up with additional guidelines,
if necessary. We will evaluate the effectiveness of IRS's efforts in
future audits.

Automated Candling Procedures

In our previous audits, we reported that IRS did not always ensure that
opened envelopes were candled twice before destruction, as required by its
procedures to provide assurance that all contents have been extracted.
During our fiscal year 2003 financial audit, we continued to find
weaknesses in IRS candling procedures. GAO's Standards for Internal
Control in the Federal Government13 requires that management establish
physical controls to secure and safeguard vulnerable assets and provide
qualified and continuous supervision to ensure that control objectives are
achieved.

During our testing at one of the four lockbox banks we visited, we found
that machines were used to assist in the extraction of taxpayer
remittances. These machines, after the operator extracted the contents
from envelopes, subjected the envelopes to a light source and a sensor and
were designed to notify the operator in the event that envelopes had not
been fully emptied of their contents. We tested 4 of 14 such machines by
placing items in envelopes, and found that all four machines were not
notifying the operators that envelopes were not emptied. IRS's procedures
for the lockbox banks require managers to monitor equipment and personnel
for extraction accuracy and institute additional measures should trends
occur or discovered remittance volumes increase. However, no specific
guidance exists to

13GAO/AIMD-00-21.3.1.

help ensure that automated candling equipment is functioning as intended
throughout the process. In addition, no evidence exists documenting that
lockbox bank managers periodically reviewed the effectiveness of the
automated candling equipment. The lack of such guidance increases the risk
of loss of taxpayer receipts and data.

Recommendations

We recommend that IRS

o  	revise its candling procedures at lockbox banks to require testing of
automated candling machines at appropriate intervals, taking into account
such factors as use time, volume processed, machine requirements, and
shift cycles, and

o  	require lockbox managers to maintain logs of these tests and to
periodically review their logs.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and indicated that corrective actions
have been or will be implemented. Specifically, IRS stated that it now
requires an additional candling of all envelopes processed by extractors
using automated candling machines. In addition, IRS agreed to include our
recommendation on maintaining logs of the tests conducted as part of its
assessment of testing standards for machines with automated candling
equipment. We will evaluate the effectiveness of IRS's efforts in future
audits.

Safeguarding of Taxpayer Receipts and Information

During our fiscal year 2003 financial audit, we found instances in which
IRS was not following its procedures for safeguarding taxpayer receipts
and information in its facilities, thus increasing the risk that taxpayer
receipts and information could be lost, stolen, or destroyed. GAO's
Standards for Internal Control in the Federal Government requires agencies
to establish physical controls to secure and safeguard vulnerable
assets.14

We visited three IRS Taxpayer Assistance Centers (TAC) during our fiscal
year 2003 audit. All three centers were receiving and storing taxpayer
receipts and information in unsecured areas without properly securing
them. From our observations, taxpayers were greeted, upon entering a TAC,
by an IRS representative who was responsible for determining the type of
assistance needed, assigning taxpayers a service number, and receiving
drop-off payments. These functions were performed outside the secured area
of the TAC. We observed the IRS representatives receiving taxpayer
remittances and storing them in an unlocked drawer at the information
desk. When the representatives left the information desk to assist other
taxpayers waiting in the TAC, they did not secure or remove the
remittances from the desk. The

14GAO/AIMD-00-21.3.1.

failure to properly safeguard assets created an opportunity for
unauthorized access to and theft of taxpayer receipts and data.

In addition, at one of the service center campuses, we observed discovered
remittances outside a secured area and not stored in secured containers as
required by IRS procedures. Storing receipts in unsecured containers in an
unsecured area significantly increases the risk of theft of taxpayer
receipts because anyone with access to the service center could gain
access to the receipts. In our audits of IRS's financial statements for
fiscal years 1997 through 2001, we found similar weaknesses in controls
over receipts discovered outside of designated receipt processing areas
within IRS's service center campuses. We recommended that IRS correct the
weaknesses by providing secure containers in which service center
employees could immediately store and inventory discovered remittances. In
our May 2003 report following up on this and other issues,15 IRS officials
stated that locked containers had been provided to all services centers,
that instructions had been issued to service centers concerning proper
handling and recording of discovered remittances, and that monitoring
steps had been put in place. Our fiscal year 2003 audit finding, however,
raises concern about IRS's ability to effectively monitor its service
center campuses' implementation of sound controls over safeguarding
discovered remittances.

Recommendations

We recommend that IRS

o  	discontinue its practice of storing taxpayer receipts and data outside
TAC secured areas without storing the receipts in a secured locked
container and

o  	develop procedures to enhance adherence to existing instructions on
safeguarding discovered remittances at service center campuses.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and reiterated its Internal Revenue
Manual (IRM) guidance on both recommendations. In both instances, IRS
stated that it would continue to monitor adherence to the IRM guidance in
its operational reviews at TAC offices and its monthly reviews of the
service center campus revenue receipt and control process. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2004
and future financial audits.

15U.S. General Accounting Office, Internal Revenue Service: Status of
Recommendations from Financial Audits and Related Financial Management
Reports, GAO-03-665 (Washington, D.C.: May 29, 2003).

Response to Alarms

GAO's Standards for Internal Control in the Federal Government16 requires
that access to resources and records, such as IRS receipts and taxpayer
data, be limited to authorized individuals to reduce the risk of
unauthorized use or loss to the government. Tax receipts, such as cash and
checks, are highly susceptible to theft, and unauthorized use of taxpayer
data could result in identity theft and financial fraud.17 Due to the
large volume of receipts and the assembly-line nature of tax receipt
processing, taxpayer data and receipts are easily accessible to
individuals on the processing floor. This vulnerability underscores the
need for effective controls to deter and detect unauthorized access.

As part of our fiscal year 2003 financial audit of IRS, we conducted tests
of physical security controls at four IRS service center campuses,
including tests to determine the responsiveness of security guards to
activated building perimeter door alarms. We found that at two of four
service center campuses we visited, security guards did not respond to the
activated alarms. At one location, IRS officials told us that the exit
door we tested did not show up as a breach in security on the monitoring
equipment. However, a subsequent test of the same door resulted in a
prompt response by the guards. At the second location, IRS officials
informed us that the computer for the alarm system had gone down and was
in the process of being rebooted at the time of breach. Nonetheless, the
security guards' lack of response increases the risk of theft of taxpayer
receipts and information and reduces the possibility of timely detection
of such incidents.

Recommendations

We recommend that IRS

o  	enforce its policies and procedures to ensure that service center
campus security guards respond to alarms and

o  	establish compensating controls in the event that automated security
systems malfunction, such as notifying guards and managers of the
malfunction and immediately deploying guards to better protect the
processing center's perimeter.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that by August 30, 2004, it
would modify its IRM to include (1) the development, integration, and
review of selfassessments for guards' response capabilities to alarms; (2)
initial, periodic, and annual security exercises; and (3) written reports
to support the security exercises conducted. Also, IRS stated that its
Physical Security Program within Mission Assurance would develop, within
the same time frame, procedures to ensure that

16GAO/AIMD-00-21.3.1.
17Taxpayer data on tax forms could include taxpayer name, Social Security
number, and address.

local management is notified whenever there is a malfunction of alarms and
that guards are deployed or doors are secured, as necessary, either during
tests or when otherwise identified. We will evaluate the effectiveness of
IRS's efforts in future audits.

Timeliness of Deobligations

In prior years, we identified deficiencies in IRS's process for
deobligating funds that were no longer valid or needed.18 Over the past
several years, IRS has made substantial progress in addressing internal
control deficiencies related to deobligations. IRS issued policy
memorandums and implemented procedures to more frequently review
obligations that are no longer active and thus need to be deobligated.
These improvements have allowed IRS to better manage its financial
resources and improve its reporting on the status of budgetary resources.
While we recognize IRS's progress in reviewing outstanding obligations,
our work performed as part of our fiscal year 2003 financial audit
indicates that further improvements are needed.

During our fiscal year 2003 audit, we found instances in which IRS did not
timely identify and deobligate outstanding obligations. In our testing of
a statistical sample

19

of 110 undelivered orders as of August 31, 2003, we found four instances
in which IRS did not deobligate undelivered orders that were no longer
valid. These exceptions resulted primarily from (1) a system deficiency
that prevented IRS personnel responsible for reviewing inactive
obligations from having accurate information on when activity last
occurred against the obligation and (2) IRS personnel's failure to timely
review certain obligations. Consistent with GAO's Standards for Internal
Control in the Federal Government, 20agencies are required to properly
execute and accurately record transactions.

In fiscal year 2003, IRS issued a memorandum that provides financial plan
managers21 guidelines for reviewing and identifying obligations to be
deobligated. This memorandum supplemented existing guidance by providing
the business unit finance staff with more detailed direction for reviewing
outstanding obligations. For example, these guidelines state that IRS's
business units are required to review aging unliquidated obligations (AUO)
reports monthly and certify that all outstanding obligations with no
activity for more than 180 days have been reviewed and validated as either
(1) requiring deobligation or (2) valid obligations. IRS's Beckley Finance
Center (BFC) generates AUO reports by running a program to extract
information on outstanding obligations from the accounting system. AUO
reports provide lists of all open obligations, along with such information
as the outstanding obligation amount

18Deobligations are downward adjustments of previously recorded
obligations. Deobligations can
occur for a variety of reasons, such as if the actual expense was less
than the amount obligated, a
project or contract was canceled, an initial obligation was determined to
be invalid, or previously
recorded estimates were reduced.
19Undelivered orders represent the value of goods and services that were
ordered and for which funds
were obligated but have not been received.
20GAO/AIMD-00.21.3.1.
21Financial plan managers are responsible for managing the spending plans
under their control.

and the obligation's last activity date. The business units then review
the obligations and make entries in the reports indicating whether the
obligations are valid or should be deobligated.

We found that AUO reports did not capture the information necessary for
reviewers to correctly identify inactive obligations. IRS may issue an
obligation to purchase several types of equipment or services for various
units within the organization, each of which is reported as a separate
obligation line amount in the accounting system. However, when generating
an AUO report, the most recent date activity occurred against the
obligation is extracted and applied to all of the line amounts. For
example, in one of the cases, an AUO report for an obligation with five
obligation line amounts had a last activity date of June 9, 2003, recorded
for all five obligation line amounts. The last date on which any goods or
services were charged against the line item in our sample, however, was
September 25, 2002. Because the AUO reports did not capture the correct
activity date for each outstanding obligation line amount, IRS's business
units did not have accurate data with which to identify all the inactive
undelivered orders for possible deobligation.

For certain obligations, IRS's guidelines require concurrence between
business unit staff and procurement office staff before an obligation can
be deobligated. These are obligations that are processed through IRS's
Integrated Procurement System, such as interagency agreements and
large-dollar contracts. In order to respond to the business units,
procurement office staff perform research on the status of the contract,
contact the vendor, or obtain additional documentation to support a
deobligation. If the procurement office is silent as to whether the
obligations should be deobligated, the business units certify that the
obligations are valid.

We found three instances in which obligations were not properly
deobligated because the procurement office did not provide timely
responses to the business units. In one case, IRS had ordered computer
equipment and services at a cost of $334,910 on September 18, 2001. In
October 2001, IRS received all the equipment and services ordered at a
cost of $267,676. According to the documentation we reviewed, the vendor
provided preliminary notification to IRS in November 2001 that IRS did not
owe any additional funds because the vendor did not charge for goods and
services that were initially ordered at $67,234. When we performed our
testing, in August 2003, the procurement office had not yet confirmed with
the vendor that the remaining $67,234 was a no-charge item and thus had
not requested that this amount be deobligated. In another case, an
undelivered order for computer equipment and services totaling $28,268 had
not had activity since November 2000. As of August 2003, the business unit
had not received a response from the procurement office as to whether to
deobligate the funds. Based on our review of these two files, IRS followed
up on these cases and subsequently deobligated the funds.

Since the AUO reports did not capture the information necessary to ensure
that all outstanding obligations with more than one line amount had the
appropriate activity dates, IRS's financial plan managers did not identify
all the obligations that needed to be reviewed for possible deobligation.
Additional delays in deobligating funds were

caused by the procurement office staff's failure to provide responses to
business units in a timely manner. Based on our testing, we estimate that
$37 million of undelivered orders were not valid.22 By not promptly
deobligating funds, IRS affected its ability to use its financial
resources effectively. If IRS had deobligated the funds within their
periods of availability, the funds could have been used for other
initiatives and programs.

Recommendations

We recommend that IRS

o  	modify AUO reports to ensure that they report the last activity date
for each outstanding obligation line amount and

o  	require procurement office staff to review and sign off on whether
obligations are valid or require deobligation before business units
complete their quarterly certifications.

IRS Comments and Our Evaluation

IRS agreed with our recommendations. In its comments, IRS stated that its
BFC revised the AUO report in March 2004 to accurately report the last
activity date for each obligation line amount. Moreover, IRS stated that
it is currently evaluating its approach toward reviewing open obligations
and approving those obligations that require deobligation. This includes
studying the relative responsibilities of the procurement office, business
units, and BFC with respect to validating and certifying deobligations.
IRS will issue new guidelines at the conclusion of its internal review. We
will evaluate the effectiveness of IRS's efforts during our fiscal year
2004 financial audit.

Excess Contributions to Employees' Thrift Savings Plan Accounts

During fiscal year 2003, IRS did not have procedures in place to timely
detect mathematical errors in its payroll information made by the NFC.23
We found that while processing IRS's payroll in fiscal year 2003, NFC made
mathematical errors when it calculated the mandatory agency TSP
contribution for some IRS employees. IRS did not detect these errors
because, although it had control procedures in place to test certain
payroll information processed by NFC, these procedures did not include
verifying the accuracy of NFC's calculations. IRS relied on NFC to
accurately process the biweekly payroll for its employees. Consistent with
GAO's Standards for Internal Control in the Federal Government, IRS's
internal controls should provide reasonable assurance that its financial
transactions, including those processed by NFC, are accurately recorded.24
The errors we identified with respect to employee

22We are 95 percent confident that the amount of invalid undelivered
orders did not exceed $82 million.
23NFC is a component of the U.S. Department of Agriculture that provides
administrative and financial
services to many federal agencies, including IRS.
24GAO/AIMD-00.21.3.1.

contributions to TSP were not material to IRS's financial statements.
Nonetheless, because it did not have controls in place to verify NFC's
calculations, IRS had less assurance that government funds were used as
intended and that employee TSP accounts were accurate.

We found that in fiscal year 2003, a total of 131 IRS employees
erroneously received excess mandatory contributions to their TSP accounts
equaling 2 percent of their base pay, rather than the 1 percent required
by law. IRS must identify and recover amounts overpaid to TSP on behalf of
its employees within 1 year of the time of payment or forfeit the funds to
the Federal Retirement Thrift Investment Board or to the employees' TSP
accounts. IRS did not detect these errors through its review process but
became aware of them when we informed the agency about them. Some of these
errors related to overpayments that had exceeded the 1-year limitation for
recovery.

For the past several years, the Department of Agriculture's Office of
Inspector General has reported weaknesses in internal controls over NFC's
payroll operations. In addition, in a previous audit report,26 we stated
that any agency that uses a service organization, such as NFC, to process
its payroll transactions should establish adequate policies and procedures
to ensure that the services provided meet the objectives of agency
management. We further stated that adequate internal controls over input
and output data to prevent or detect material misstatements are
particularly critical when it has been determined that the service
organization's internal controls do not provide reasonable assurance that
payroll transactions were processed and reported accurately. In our
report, we recommended that IRS implement control procedures to compensate
for the weaknesses identified in NFC's payroll operations.

In response to our recommendation, IRS implemented compensating internal
control procedures to ensure that NFC accurately processed IRS's payroll
each pay period. Specifically, each pay period, IRS's Transactional
Processing Operations Division reviews a nonrepresentative selection of
employee Social Security numbers from a list of IRS employees paid that
pay period and compares key payroll information (e.g., hours worked, leave
taken, and payroll deductions) received from NFC to information that IRS
submitted to NFC (e.g., time and attendance data, employee health plan,
and life insurance election). Our findings during fiscal year 2003 also
indicate that the mathematical errors we detected in NFC's payroll
calculations occurred as a result of the NFC internal control weaknesses
identified. However, since IRS's compensating control procedures do not
include a test of the mathematical accuracy of NFC's calculations of
payroll amounts, they do not give IRS the capability to timely detect
errors in payroll calculations made by NFC during the processing of IRS
payroll transactions. Because IRS did not have controls in place to

25U.S. Department of Agriculture, Office of Inspector General, Fiscal Year
2003 National Finance
Center Review of Internal Control Structure, 11401-15-FM (Washington,
D.C.: Nov. 19, 2003), is the
most recently issued inspector general audit report on NFC's internal
controls.
26U.S. General Accounting Office, Management Letter: Suggested
Improvements in IRS' Accounting
Procedures and Internal Controls, GAO/AIMD-99-182R (Washington, D.C.: June
30, 1999).

verify NFC's calculations within the period allowed for recovery, it lost
the ability to recover the erroneously contributed funds and use them to
pay for its operations.

Recommendations

We recommend that IRS

o  	enhance its compensating internal controls by including tests or
recalculations of payroll computations performed by NFC for the IRS
employees selected for review each pay period and

o  timely investigate and resolve any identified errors.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that its Transactional
Processing Operations (TPO) division will expand its current random sample
payroll review and validation process to include the recalculation of
agency TSP contributions. IRS expects implementation of the review process
by June 2004. The TPO division will also be responsible for following up
immediately on any discrepancies found and ensuring that NFC responds
timely. We will evaluate the effectiveness of IRS's efforts during our
fiscal year 2004 financial audit.

Supplemental Information for Other Claims for Refund

During our audit of IRS's fiscal year 2003 financial statements, we found
that IRS reported incorrect information in the supplemental information to
the financial statements. Specifically, IRS incorrectly reported the total
estimated payout for refund claims pending review by IRS's Appeals
organization27 or federal courts. This error occurred because IRS's
controls over the calculation and reporting of estimated payouts for
refund claims were ineffective. GAO's Standards for Internal Control in
the Federal Government28 requires that transactions be properly executed
and accurately recorded. Because IRS did not have effective controls in
place to ensure proper calculation and reporting of estimates of Other
Claims for Refund, management did not have relevant, reliable, and timely
information to achieve its objectives, increasing the risk that these
amounts could be misstated.

During our audit, we found two errors relating to Other Claims for Refund
in the supplemental information contained in IRS's draft fiscal year 2003
financial statements.

o  	IRS's draft financial statements disclosed that the total estimated
payout for claims pending review by IRS's Appeals organization was $5.2
billion. However,

27The purpose of the Appeals organization is to resolve tax controversies
without litigation on a basis that is fair and impartial to both the
government and the taxpayer. Appeals provide an independent channel for
taxpayers who wish to dispute recommended enforcement actions.
28GAO/AIMD-00.21.3.1.

based on our review of the supporting documentation, we found that the
correct amount was $7.6 billion. This misstatement occurred because IRS
used the wrong amount for interest in its computation. As a result, the
supplemental information to the draft financial statements was misstated.
When we informed IRS of the error, IRS corrected the amount reported in
the supplemental information for the final financial statements.

o  	IRS's financial statements disclosed that the estimated amount of
claims pending review by federal courts was $6.5 billion. However, in its
November 7, 2003, update for contingencies as of September 30 through
November 1, 2003, IRS counsel reported estimated claims pending review by
federal courts as $6.2 billion. The updated data were not included in
IRS's final supplemental information because of weaknesses in controls
over reporting this information.

These misstatements did not materially affect IRS's financial statements,
but without effective controls in place to ensure that amounts estimated
for Other Claims for Refund are correctly reported, the risk of
misstatement increases, and the accuracy of information available to IRS
management for decision-making purposes is impaired.

Recommendation

We recommend that IRS establish review procedures for amounts being
reported in Supplemental Information to the financial statements for Other
Claims for Refund.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated that it would add a second
level of management review to its final financial statements to ensure
that changes are identified and reported before final print. In addition,
IRS stated that it would work closely with our financial audit team to
determine the last day of fieldwork, and notify its Chief Counsel's office
to determine if there are any material changes needed to its final
financial statements. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2004 financial audit.

Controls over Reporting Interim Performance Measures

During our audit of IRS's fiscal year 2003 financial statements, we found
that IRS's controls over its reporting of interim performance measurement
data were not effective throughout the year. Specifically, we found that
data reported at interim periods for certain performance measures were
either not accurate or were outdated. This occurred because of data entry
errors made in the reports generated from the performance data submitted
by IRS's divisions. We also found that review of the reports was not
documented. GAO's Standards for Internal Control in the Federal
Government29 requires the review of performance measurement data. Such
reviews

29GAO/AIMD-00.21.3.1.

should be designed to validate the propriety and integrity of performance
measurement data and indicators. IRS reviews the Monthly Summary of
Performance (MSP) reports from performance data submitted by IRS
divisions, but these reviews were undocumented and were not effective in
identifying the erroneous performance data reported. While we did not
identify any errors in the performance data IRS reported in its year-end
Management Discussion and Analysis, IRS management did not always have
reliable performance measurement data available at interim periods to
assist managers in making decisions.

IRS's Corporate Planning and Performance Division (CPPD) collects and
reports performance data for each of its 69 performance measures. Each
month and at yearend, CPPD compiles performance data submitted by
operating divisions in an MSP report. These reports contain records of tax
enforcement results that IRS uses for such purposes as forecasting,
financial planning, and resource management. Information reported for each
performance measure includes full-year performance, year-to-date
comparison of performance data, and current fiscal year actual and planned
performance data. Staff in CPPD review the data submitted by IRS's
operating divisions. To identify any anomalies, the CPPD review includes
comparisons of current-month data to prior-month data and current-year
data to prior-year data. Generally, the offices responsible for submitting
the data can explain any anomalies or, if data errors are found, will
correct them. CPPD staff, using the reviewed and corrected performance
data submissions, then manually prepare the MSP report. At the end of the
fiscal year, IRS uses the MSP report to prepare the performance measure
results reported in the Management and Discussion Analysis section of its
financial statements.

As part of our fiscal year 2003 audit, we reviewed a nonrepresentative
selection of five performance measures. For each measure, we obtained the
supporting documentation and compared the support to what was reported in
IRS's MSP reports for July and August 2003. In conducting our review, we
identified data that were not current or not accurate for two of the five
performance measures:

o  	The number reported for the "Criminal Investigations Completed"
performance measure as of July 2003 was the planned, rather than the
actual, amount.

o  	The number reported for the "Federal Tax Payment Transactions Paid
Electronically" performance measure in both July and August 2003 was
actually the April 2003 amount.

IRS agreed that the data were incorrect due to errors in data entry by
CPPD staff during preparation of the MSP report. However, IRS is in the
process of implementing a Business Performance Management System (BPMS)
that when fully operational, is intended to be able to accept performance
data directly from the operation divisions' reporting systems and would
eliminate the need for data entry by CPPD staff. BPMS is expected to
validate the accuracy of the data submitted by IRS's operating divisions.

Recommendation

Until BPMS is fully operational, we recommend that IRS implement
procedures to ensure that all performance data reported in MPS reports are
subject to effective, documented reviews to provide reasonable assurance
that the data are current at interim periods.

IRS Comments and Our Evaluation

IRS agreed with our recommendation. In its comments, IRS stated that it
has taken steps to ensure that performance measurement data are properly
reviewed before being published. IRS plans to increase control over data
by (1) increasing the number of measures reported through the automated
BPMS, (2) requiring the submitting divisions to certify that their data
are accurate, and (3) reducing the number of measures manually reported in
the monthly report. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2004 financial audit.

This report contains recommendations to you. The head of a federal agency
is required by 31 U.S.C. 720 to submit a written statement on actions
taken on these recommendations. You should submit your statement to the
Senate Committee on Governmental Affairs and the House Committee on
Government Reform within 60 days of the date of this report. A written
statement must also be sent to the House and Senate Committees on
Appropriations with the agency's first request for appropriations made
more than 60 days after the date of the report.

This report is intended for use by the management of IRS. We are sending
copies to Chairmen and Ranking Minority Members of the Senate Committee on
Appropriations; Senate Committee on Finance; Senate Committee on
Governmental Affairs; Senate Committee on the Budget; Subcommittee on
Treasury and General Government, Senate Committee on Appropriations;
Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance;
and the Subcommittee on Oversight of Government Management, Restructuring,
and the District of Columbia, Senate Committee on Governmental Affairs. We
are also sending copies to the Chairmen and Ranking Minority Members of
the House Committee on Appropriations; House Committee on Ways and Means;
House Committee on Government Reform; House Committee on the Budget;
Subcommittee on Treasury, Postal Service, and General Government, House
Committee on Appropriations; Subcommittee on Government Efficiency,
Financial Management, and Intergovernmental Relations, House Committee on
Government Reform; and the Subcommittee on Oversight, House Committee on
Ways and Means. In addition, we are sending copies of this report to the
Chairman and Vice-Chairman of the Joint Committee on Taxation, the
Secretary of the Treasury, the Director of the Office of Management and
Budget, the Chairman of the IRS Oversight Board, and other interested
parties. Copies will be made available to others upon request. The report
is also available at no charge on GAO's Web site at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by
IRS
officials and staff during our audits of IRS's fiscal year 2003 and 2002
financial
statements. If you have any questions or need assistance in addressing
these matters,
please contact Larry Malenich, Assistant Director, at (202) 512-9399.

Sincerely yours,

Steven J. Sebastian
Director
Financial Management and Assurance

Enclosures - 3

Enclosure I

Comments from the Internal Revenue Service

Enclosure II

                          Details on Audit Methodology

To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:

o  Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, and undelivered
order transactions. These statistical samples were selected primarily to
substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which they
were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design or
operation of internal control or compliance with provisions of laws and
regulations. These attributes, where applicable, can be and have been
statistically projected to the appropriate populations.

o  Assessed the accounting principles used and significant estimates made
by management.

o  Evaluated the overall presentation of the financial statements.

o  Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in IRS' Management
Discussion and Analysis.

o  Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.

o  Considered the process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. S: 3512 (c),
(d), (commonly referred to as the Federal Managers' Financial Integrity
Act of 1982).

o  Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. S: 1341(a)(1) and
31 U.S.C. S: 1517(a)); Agreements for payment of tax liability in
installments (26 U.S.C. S: 6159); Purpose Statute (31 U.S.C. S: 1301);
Release of lien or discharge of property (26 U.S.C. S: 6325); Interest on
underpayment, nonpayment, or extensions of time for payment of tax (26
U.S.C. S: 6601); Interest on overpayments (26 U.S.C. S: 6611);
Determination of rate of interest (26 U.S.C. S: 6621); Failure to file tax
return or to pay tax (26 U.S.C. S: 6651); Failure by individual to pay
estimated income tax (26 U.S.C. S: 6654); Failure by corporation to pay
estimated income tax (26 U.S.C. S: 6655); Prompt Payment Act (31 U.S.C. S:
3902(a), (b), and (f) and 31 U.S.C. S: 3904); Pay and Allowance System for
Civilian Employees (5 U.S.C. S:S: 5332 and 5343 and

29 U.S.C. S: 206); Federal Employees' Retirement System Act of 1986, as
amended (5 U.S.C. S:S: 8422 and 8423 and 8432); Social Security Act, as
amended (26 U.S.C. S:S: 3101 and 3121 and 42 U.S.C. S: 430); Federal
Employees Health Benefits Act of 1959, as amended (5 U.S.C. S:S: 8905,
8906, and 8909); and Consolidated Appropriations Resolution, 2003 (Pub. L.
No. 108-7).

o  Tested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996.30

30Pub. L. No. 104-208, div. A., S: 101 (f), title VIII, 110 Stat. 3009,
3009-389 (Sept. 30, 1996).

Enclosure III

GAO Contacts and Staff Acknowledgments GAO Contacts J. Lawrence Malenich,
(202) 512-9399 John D. Sawyer, (202) 512-9566

Acknowledgments

Staff who made key contributions to this report were Nina Crocker, John
Davis, Alain Dubois, Valerie Freeman, Patrick McCray, Ryan Holden, Theresa
Patrizio, and Robert Preshlock.

(196013)
*** End of document. ***