Management Report: Improvements Needed in IRS's Internal Controls
(27-APR-05, GAO-05-247R).					 
                                                                 
In November 2004, we issued our report on the results of our	 
audit of the Internal Revenue Service's (IRS) financial 	 
statements as of, and for the fiscal years ending, September 30, 
2004 and 2003, and on the effectiveness of its internal controls 
as of September 30, 2004. We also reported our conclusions on	 
IRS's compliance with significant provisions of selected laws and
regulations and on whether IRS's financial management systems	 
substantially comply with requirements of the Federal Financial  
Management Improvement Act of 1996. A separate report on the	 
implementation status of recommendations from our prior IRS	 
financial audits and related financial management reports,	 
including this one, will be issued shortly. The purpose of this  
report is to discuss issues identified during our fiscal year	 
2004 audit regarding internal controls that could be improved for
which we do not currently have any recommendations outstanding.  
Although not all of these issues were discussed in our fiscal	 
year 2004 audit report, they all warrant management's		 
consideration.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-05-247R					        
    ACCNO:   A22797						        
  TITLE:     Management Report: Improvements Needed in IRS's Internal 
Controls							 
     DATE:   04/27/2005 
  SUBJECT:   Background investigations				 
	     Contingency plans					 
	     Contractor personnel				 
	     Contractors					 
	     Financial management				 
	     Financial management systems			 
	     Financial statement audits 			 
	     Financial statements				 
	     Internal audits					 
	     Internal controls					 
	     Reporting requirements				 
	     Strategic planning 				 
	     Tax administration 				 
	     Tax administration systems 			 
	     Tax refunds					 
	     Taxpayers						 
	     Bank services					 
	     Liens						 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-05-247R

United States Government Accountability Office Washington, DC 20548

April 27, 2005

The Honorable Mark W. Everson Commissioner of Internal Revenue

Subject: Management Report: Improvements Needed in IRS's Internal Controls

Dear Mr. Everson:

In November 2004, we issued our report on the results of our audit of the
Internal Revenue Service's (IRS) financial statements as of, and for the
fiscal years ending, September 30, 2004 and 2003, and on the effectiveness
of its internal controls as of September 30, 2004.1 We also reported our
conclusions on IRS's compliance with significant provisions of selected
laws and regulations and on whether IRS's financial management systems
substantially comply with requirements of the Federal Financial Management
Improvement Act of 1996. A separate report on the implementation status of
recommendations from our prior IRS financial audits and related financial
management reports, including this one, will be issued shortly.

The purpose of this report is to discuss issues identified during our
fiscal year 2004 audit regarding internal controls that could be improved
for which we do not currently have any recommendations outstanding.
Although not all of these issues were discussed in our fiscal year 2004
audit report, they all warrant management's consideration. This report
contains 30 recommendations that we are proposing IRS implement to improve
its internal controls. We conducted our audit in accordance with U.S.
generally accepted government auditing standards. We requested and
received written comments on a draft of this report from the Commissioner
of Internal Revenue.

Results in Brief

During our fiscal year 2004 audit, we identified a number of internal
control issues that adversely affected safeguarding of tax receipts and
information, refunds to taxpayers, and lien resolutions. These issues
concern (1) enforcement of IRS contractor background investigation
policies, (2) omission of certain provisions

1GAO, Financial Audit: IRS's Fiscal Years 2004 and 2003 Financial
Statements, GAO-05-103 (Washington, D.C.: Nov. 10, 2004).

related to contingency plans and taxpayer privacy in lockbox bank2 service
contracts, (3) verification of lockbox bank deposits, (4) procedures for
handling taxpayer receipts and information by couriers, (5) safeguarding
sensitive systems and equipment in lockbox banks, (6) candling procedures,
(7) monitoring and verifying recording and transmittal of taxpayer
receipts and information, (8) controls over automated refund
disbursements, (9) controls over authorization of manual refunds, and (10)
resolution of liens with manually calculated interest or penalties.

Specifically, we found the following:

o  	At three IRS service centers we visited, some contractors who had not
undergone background investigations and, in some cases, for whom
background investigation requests had not been submitted, were granted
staff-like access3 to restricted areas. In addition, at one service center
we visited, the security office did not maintain files onsite that
documented the status of background investigations for contractors with
staff-like access to restricted areas.

o  	At three lockbox banks we visited, courier contingency plans did not
cover all the contingencies specified in the "Lockbox Processing
Guidelines" (LPG),4 and at another lockbox bank we visited, there was no
courier contingency plan on file. In addition, at one of the lockbox banks
we visited, the courier contract did not contain the language set out in
the LPG related to privacy laws applicable to handling taxpayer
information, and at three of the lockbox banks we visited, shredding
contracts did not include required privacy provisions.

o  	At three lockbox banks we visited, we found that receipts for deposits
delivered by courier services to depositories did not always indicate the
time and date the deposits were received. We also found that two of these
lockbox banks did not obtain deposit receipts from their couriers.

o  	For several courier services transporting taxpayer receipts and
information, we found that procedures for handling taxpayer receipts and
information at lockbox banks, service centers, or both were not always
followed. This included (1) couriers not always transporting taxpayer
receipts and information directly to their destination, (2) a courier
vehicle containing a pickup that was left unattended, (3) transfer of
taxpayer receipts and information from one courier vehicle to another, (4)
solo couriers transporting taxpayer receipts and information, and (5)
couriers not wearing required uniforms.

2Lockbox banks are financial institutions designated as depositories and
financial agents of the U.S. government to perform certain financial
services, including processing tax documents, depositing the receipts, and
then forwarding the documents and data to IRS's service center campuses,
which update taxpayers' accounts.

3Staff-like access consists of unescorted access to IRS-owned or
controlled facilities, information systems, security items and products,
or sensitive but unclassified information.

4Internal Revenue Service, "2004 Lockbox Processing Guidelines"
(Washington, D.C: January 2004), and subsequent 2004 updates. The 2004 LPG
provides guidelines for processing work at lockbox banks serving IRS for
the 2004 tax processing year.

o  	At one lockbox bank we visited, the electrical and water shutoff
valves were in an area where janitors kept their supplies and which they
accessed daily, and the shutoff valves were not locked to prevent
tampering. The security system control panel was located in the same area,
and the keys to the panel were left on top of the panel. There were no
surveillance cameras monitoring this room.

o  	At one lockbox bank we visited, a high-speed machine was used to
extract checks from and candle5 envelopes, but no visual inspection or
second candling was performed on envelopes opened by this machine. In
addition, at one service center we visited, the candling tables in the
final candling area did not provide sufficient light to enable personnel
to ensure that all contents had been removed from envelopes.

o  	At the two IRS field offices we visited, we found that internal
controls were not always properly followed to ensure that recording and
transmittal of taxpayer receipts and information were adequately monitored
and verified.

o  	At one of the service centers we visited to review refund procedures,
IRS did not have adequate controls in place to prevent automated
disbursements of improper refunds related to taxpayer accounts under
investigation for potential unreported taxes.

o  	At the two service centers we visited to review refund procedures,
controls over authorization of manual refunds were not effective.

o  	At the five lien units6 we visited, personnel were not properly
verifying manual interest and penalty calculations for taxpayer accounts
with liens with manually calculated interest or penalties.

The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed; (2) improper
refunds to taxpayers could be disbursed; and (3) liens could be released
before taxpayers have paid the full amount of interest or penalties due.

At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into conformance
with its own policies and with the internal control standards that all
federal agencies are required to follow.7

5Candling is a process used by IRS to determine if any contents remain in
open envelopes, which is often achieved by passing the envelopes over a
light source.

6Lien units are separate offices established by IRS to handle lien
processing, including release of tax liens. As of June 1, 2004, IRS had 33
lien units located throughout the United States. IRS is currently
reorganizing the physical structure and management of its lien units and
by mid-2005 plans to have consolidated them into one physical location,
called the Central Lien Processing Unit, at its Cincinnati campus.

7GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

In its comments, IRS substantially agreed with our recommendations and
described actions it had taken or planned to take to address the control
weaknesses described in this report. At the end of our discussion of each
of the issues in this report, we have summarized IRS's related comments
and provided our evaluation.

Scope and Methodology

As part of our audit of IRS's fiscal years 2004 and 2003 financial
statements, we tested IRS's internal controls and its compliance with
selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions. This
report addresses issues we observed during our fiscal year 2004 audit. For
issues related to safeguarding tax receipts, we visited four lockbox
banks, four IRS service centers, and two IRS field offices; for issues
related to tax refunds, we visited two IRS service centers; and for issues
related to liens, we visited five IRS lien units.

Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2004 and 2003
financial statements8 and are reproduced in enclosure II.

Enforcement of IRS Contractor Background Investigation Policies

During our fiscal year 2004 audit, we found control deficiencies related
to contractor employee background investigations at three of the four
service centers we visited. Specifically, at one of these three service
centers, IRS had not submitted paperwork for new clearances for 10
contractors with staff-like access even though their background
investigations did not meet requirements that took effect in July 2000,
including the requirement that such investigations be conducted by IRS's
National Background Investigation Center. IRS did not submit paperwork for
new clearances for these contractors until January 29, 2004-several years
after they had been granted access. At another of these three service
centers, one contractor who had not undergone the required background
investigation-and for whom there was no evidence that a background
investigation had been requested-had had staff-like access to restricted
areas at the center for more than a year and a half. At the third of the
three service centers, two contractors, one with access to restricted
areas and the other with staff-like access to the service center, had not
had the required background investigation. In addition, at one of the
service centers we visited, the security office responsible for granting
contractors unescorted access to restricted areas did not maintain files
onsite that documented the status of background investigations for
contractors with access to restricted areas.

IRS requires that all contractors have successfully completed a background
investigation conducted by the National Background Investigation Center
before being granted access to taxpayer receipts and information. Further,
GAO's Standards for Internal Control in the Federal Government requires
agencies to establish

8GAO-05-103.

controls to safeguard vulnerable assets. Until IRS ensures that only
contractors who have successfully met background investigation
requirements have access to taxpayer receipts and sensitive information
and that service center security offices can verify that these
requirements have been met, the federal government will be unnecessarily
exposed to the risk of loss, theft, or abuse of taxpayer receipts and
information.

Recommendations

We recommend that IRS

o  	enforce its existing requirement that appropriate background
investigations be completed for contractors before they are granted
staff-like access to service centers and

o  	require that background investigation results for contractors (or
evidence thereof) be on file where necessary, including at contractor
worksites and security offices responsible for controlling access to sites
containing taxpayer receipts and information.

IRS Comments and Our Evaluation

IRS agreed with our recommendation that background investigation results
for contractors (or evidence thereof) be on file, where necessary, and
stated that the Physical Security Program Office will work with the
Business Operating Divisions and Procurement staff to determine if the
interagency agreement with the Financial Management Service (FMS) should
be modified to include a requirement for lockbox banks to maintain
background investigation files. IRS stated that it has addressed the
issues that gave rise to our recommendation that it enforce its existing
requirement that appropriate background investigations be completed for
contractors before they are granted staff-like access to service centers.
IRS indicated that it has implemented steps to monitor and enforce
existing requirements related to background checks for contractors. We
will evaluate the effectiveness of IRS's efforts during our fiscal year
2005 financial audit.

Required Provisions in Lockbox Bank Service Contracts

Lockbox banks enter into contracts with service providers for a variety of
services, including transport of taxpayer receipts and information by
couriers and shredding of taxpayer information prior to its disposal.

During our fiscal year 2004 audit, we found that the contract for courier
services at one of the four lockbox banks lacked the language set out in
the LPG that would acknowledge the legal restrictions on a courier's
handling of taxpayer information. These legal restrictions are imposed by
the Privacy Act of 19749 and certain provisions of the Internal Revenue
Code. We also found that contracts for shredding

9Privacy Act of 1974, 5 U.S.C. S: 552a.

services at three of the four lockbox banks failed to include the
mandatory provisions required for complying with federal law related to
safeguarding taxpayer information. The LPG requires that the contracts
include the safeguard provisions required by the Internal Revenue Code.
Omission of privacy-related provisions from lockbox courier or shredding
contracts increases the risk of unauthorized disclosure of taxpayer
information.

In addition to the omission of contract provisions, we found problems in
contract implementation during our fiscal year 2004 audit. We found that
courier contract disaster contingency plans for three of the four lockbox
banks we visited did not address all required contingencies. The other
lockbox bank we visited did not have a courier disaster contingency plan
on file. The LPG requires that before a contractor provides courier
services to a lockbox bank, the contractor is to provide the lockbox bank
with a disaster contingency plan. The plan must cover labor disputes,
employee strikes, inclement weather, natural disasters, traffic accidents,
and unforeseen events. Incomplete or inaccessible courier contingency
plans increase the risk that courier service could be disrupted and that
taxpayer receipts might not be timely deposited and taxpayer accounts
might not be timely updated.

Recommendations

We recommend that IRS

o  	require that courier contracts call for couriers to submit contingency
plans to lockbox banks,

o  	review lockbox bank courier contingency plans to help ensure that they
incorporate all contingencies specified in the LPG,

o  	revise the LPG to specify that courier contingency plans be available
at the lockbox banks, and

o  	review lockbox bank courier and shredding contracts to ensure that
they address all privacy-related criteria and include clear reference to
privacy-related laws and regulations.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning lockbox bank courier
contingency plans and adherence to requirements for inclusion of
privacy-related requirements in lockbox bank courier and shredding
contracts. To address these recommendations, IRS stated that (1) the LPG
has been updated to require that courier services provide lockbox banks
with a disaster contingency plan before their contract is implemented; (2)
lockbox bank courier contingency plans have been reviewed by Lockbox
Coordinators to ensure that the plans address all contingencies specified
in the LPG; (3) the LPG would be updated by April 15, 2005, to require all
lockbox banks to have the courier contingency plan available on site; and
(4) the LPG had been updated on January 1, 2005, to specifically address
privacy-related criteria, including references to pertinent sections of
the Internal Revenue Code and the Privacy Act of 1974. We

have verified the above-noted enhancements to the LPG during our ongoing
fiscal year 2005 audit, and we will evaluate their effectiveness as we
proceed with the audit. During the fiscal year 2005 financial audit, we
will also evaluate the effectiveness of IRS's efforts with respect to
reviewing lockbox bank courier contingency plans for completeness.

Verification of Lockbox Bank Deposits

During our fiscal year 2004 audit, in reviewing deposit receipts-receipts
for deposits delivered by courier services to depositories-maintained by
courier services under contract to lockbox banks, we found that deposit
receipts for three of the lockbox banks we visited did not always indicate
the time and date deposits were received by depositories. In addition, we
found that two of these lockbox banks did not obtain the deposit receipts
from their courier services to verify that the depositories had in fact
received the deposits in a timely manner.

GAO's Standards for Internal Control in the Federal Government requires
that all transactions be clearly documented and that documentation be
readily available for examination. Although the LPG requires that lockbox
bank couriers, upon delivery of packages to designated sites, annotate
time of delivery, it does not require that deposit receipts be time- and
date-stamped or that they be returned to the lockbox bank. Unless receipts
bear evidence of time and date of deposit and are promptly returned,
lockbox banks cannot expeditiously verify timely deposit of receipts,
thereby increasing the risk of theft or loss of taxpayer receipts and the
risk that such theft or loss might not be promptly detected.

Recommendations

We recommend that IRS

o  	revise the LPG to require that (1) lockbox couriers promptly return
deposit receipts to the lockbox banks following delivery of taxpayer
remittances to depositories and (2) lockbox banks promptly review the
returned deposit receipts;

o  	revise the LPG to require that deposit receipts for taxpayer
remittances be timeand date-stamped; and

o  	better enforce the LPG requirement that lockbox bank couriers annotate
the time of delivery on receipts for deposits of taxpayer remittances.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning revisions to the LPG to
require prompt return and review of deposit receipts and time- and
date-stamping of deposit receipts. IRS also agreed with our recommendation
that it better enforce the LPG requirement that lockbox bank couriers
annotate the time of delivery on receipts for

deposits of taxpayer remittances. To address these recommendations, IRS
stated that it had updated the LPG on January 1, 2005, to require that
lockbox bank sites (1) receive back by the next business day the original
completed Receipt for Transport of IRS Lockbox Bank Deposit form with the
bank representative's name and signature, date, and time the deposit was
received by the depository and (2) daily reconcile the Receipt for
Transport of IRS Lockbox Bank Deposit form(s) to ensure receipt of
dedicated service (i.e., that the time between the lockbox bank's release
of the deposit to the courier and the courier's release of the deposit to
the depository bank is not excessive). We have verified during our ongoing
fiscal year 2005 financial audit that IRS updated the LPG, and we will
evaluate the effectiveness of these enhancements as we proceed with the
2005 audit.

Procedures for Handling Taxpayer Receipts and Information by Couriers

We have previously reported on various security weaknesses related to
courier services at IRS service centers, field offices, and lockbox
banks.10 IRS has made an effort to address such weaknesses by adopting
more stringent security standards for the couriers who transport IRS's
daily deposits to depository institutions. For example, IRS implemented a
new lockbox courier policy requiring that more stringent background
investigations of couriers be satisfactorily completed before granting
them access to taxpayer receipts and information.

During our fiscal year 2004 audit, however, we found that IRS did not have
controls in place to ensure that the courier requirements were effectively
enforced. Specifically, we found the following:

o  	Couriers for two of the lockbox banks we visited did not always
transport taxpayer receipts and information directly to their destination.
In one case, we observed a courier vehicle make a pickup and then drive to
and park at another location, where the vehicle and its contents remained
for the rest of the day. In the other case, we observed a courier vehicle
stop at an industrial park before proceeding to the depository
institution.

o  	A courier van containing the morning pickup from one lockbox bank we
visited was left unattended for approximately 30 minutes at the courier
service office.

o  	Couriers for one lockbox bank made an unauthorized stop and
transferred the contents of the courier vehicle to a pick-up truck.

o  	Solo couriers were permitted to transport taxpayer receipts and
information for one service center and two lockbox banks we visited. At
the service center, during our review of deposit receipts for the 2 months
prior to our visit, we found that in one instance the center's management
permitted a solo courier to transport $47 million in receipts to the
depository institution. Management informed us that it permitted this solo
delivery because (1) the second courier was sick and the

10See, e.g., GAO, Management Report: Improvements Needed in IRS's Internal
Controls and Accounting Procedures, GAO-04-553R (Washington, D.C.: Apr.
26, 2004), and Management Report: Improvements Needed in IRS's Internal
Controls, GAO-03-562R (Washington, D.C.: May 20, 2003).

courier company was unable to provide another courier; (2) the deposit was
large; and (3) it was a Friday, and delaying deposit until the following
Monday would have resulted in loss of interest on the $47 million over the
weekend. With respect to the two lockbox banks, in one case we observed a
courier vehicle depart the courier company with only one courier in the
vehicle; in the other case, we observed a courier vehicle with two
couriers make a pickup at the lockbox bank and then drop off one of the
couriers before completing the delivery.

o  	Couriers were not wearing required uniforms at one service center and
one lockbox bank we visited. At the service center, we observed that
neither courier transporting deposits to the depository institution was
wearing the required company logo shirt. In addition, one courier was not
wearing an identification badge, which had instead been placed on the
rearview mirror of the transport vehicle. Although lockbox banks have
other ways to identify couriers, at the lockbox bank on two separate
occasions, we observed couriers-two couriers in one case and one courier
in the other case-who were not wearing company uniforms pick up taxpayer
receipts and information.

Despite IRS's adoption of more stringent security standards for couriers
who transport IRS's daily deposits to depository institutions, the
findings above demonstrate that weaknesses continue to exist in IRS's
enforcement of courier service procedures-specifically, those that require
(1) courier service drivers to transport taxpayer receipts and information
directly to their destination, with no stops in between; (2) vehicles to
always be under the supervision of at least one courier and never left
unattended; (3) courier service drivers to travel in pairs when
transporting deposits; and (4) courier service drivers for lockbox banks
to wear company uniforms. Nonadherence by couriers to IRS procedures
increases the risk of loss, theft, or misuse of taxpayer receipts and
information.

Recommendations

We recommend that IRS

o  	provide a written reminder to courier contractors of the need to
adhere to all courier service procedures;

o  	periodically verify that contractors entrusted with taxpayer receipts
and information offsite adhere to IRS procedures; and

o  	develop alternative back-up plans that are consistent with IRS courier
policies and procedures to address instances in which only one courier
reports for transport of taxpayer receipts or information, such as
requiring that a service center or lockbox bank employee accompany the
courier to the depository.

IRS Comments and Our Evaluation

IRS agreed with our recommendations that it provide a written reminder to
courier contractors of the need to adhere to all courier service
procedures, periodically verify that contractors entrusted with taxpayer
receipts and information adhere to IRS

procedures, and develop alternative back-up plans to address instances in
which only one courier reports for transport of taxpayer receipts and
information. IRS stated that it (1) intends to provide lockbox banks with
a reminder to adhere to all courier service procedures, (2) has updated
the LPG to provide that contractor adherence to IRS procedures will be
monitored during periodic security reviews, and (3) intends to work with
FMS to develop a plan by June 30, 2005, to address instances in which only
one courier reports for transport of taxpayer receipts and information. We
will evaluate the effectiveness of IRS's efforts during our fiscal year
2005 financial audit.

Safeguarding Sensitive Systems and Equipment in Lockbox Banks

At one of the lockbox banks we visited during our fiscal year 2004
financial audit, we found that the electrical and water shutoff valves
were in an area where janitors kept their supplies and which they accessed
daily, and that the shutoff valves were not locked to prevent tampering.
In addition, the security system control panel was located in the same
area as the shutoff valves, and the keys to the security system control
panel were left on top of the panel in this room. At the same lockbox
bank, we also found that there were no surveillance cameras monitoring the
security system controls and the water and electrical shutoff valves that
were located in the janitors' supply room.

While the LPG does not address utility feeds located within the lockbox
facility, it does require that utility feeds at the perimeter of lockbox
banks be secured with locking devices and physically protected to prevent
tampering or destruction. According to GAO's Standards for Internal
Control in the Federal Government, agencies must establish physical
control to secure and safeguard vulnerable assets, including providing
security for, and limiting access to, equipment that might be vulnerable
to unauthorized use. In addition, the LPG requires that items that need a
higher level of security, including keys, be controlled and stored in
containers to prevent theft and fraud. With respect to security
closed-circuit television cameras, the LPG requires that they be deployed
both generally and at critical locations throughout lockbox bank
facilities to provide direct visual monitoring 24 hours a day. Location of
critical controls in frequently accessed areas and lack of effective
monitoring of sensitive systems and equipment at lockbox banks increase
the risk of unauthorized access, which in turn increases the risk of theft
and misuse of taxpayer receipts and information.

Recommendations

We recommend that IRS

o  	formulate a policy to require that critical utility or security
controls not be located in areas requiring frequent access,

o  	require lockbox bank management to position closed-circuit television
cameras to enable monitoring of secured areas containing sensitive systems
or controls, and

o  	periodically monitor lockbox banks' adherence to the LPG requirement
that keys be kept in secured containers within the secured perimeter.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning safeguarding of sensitive
systems and equipment in lockbox banks. To require that critical utility
or security controls not be located in areas requiring frequent access,
IRS stated its intent to (1) ensure that policy guidelines address
protection of critical or security controls and (2) work with the Business
Operating Divisions and Procurement to incorporate any revised
requirements into updated and future interagency agreements with FMS. With
respect to requiring lockbox bank management to position closed-circuit
television cameras to enable monitoring of secured areas containing
sensitive equipment or controls, IRS indicated that as part of its Mission
Assurance review process, it would review the use of closed-circuit
television at the banks and, within local constraints, expand surveillance
capabilities to include utility controls. With respect to periodically
monitoring lockbox banks' adherence to the LPG requirement that keys be
kept in secured containers within the secured perimeter, IRS stated that
Mission Assurance will include controls over keys as part of any and all
reviews. IRS also indicated that as part of the review process, it will
work with the lockbox banks and lessors to improve security for keys and
security panels, irrespective of ownership. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2005 financial
audit.

Candling Procedures

IRS uses and requires lockbox banks to use a candling process to determine
if any contents remain in open envelopes received from taxpayers before
the envelopes are disposed of. Candling is often performed by passing the
envelopes over a light source, although other methods mentioned in the
2004 LPG are also allowed, including opening an envelope on three sides
and flattening it. The purpose of candling is to prevent the accidental
destruction of taxpayer receipts and information.

As in previous years,11 we observed weaknesses in controls over candling
of envelopes. The weaknesses we observed during our fiscal year 2004 audit
are as follows:

o  	At one of the lockbox banks we visited, the OPEX System 150, a
high-volume machine that extracts checks from envelopes by opening them on
three sides, had been deemed by IRS to meet LPG candling requirements
because the envelopes were flattened and traveled a distance of 3 linear
feet inside the machine before dropping into a bin. The OPEX System 150
entails no visual inspection of opened envelopes. Because envelopes opened
by the OPEX System 150 are not visually inspected when they are laid flat,
there is no assurance that all their contents have been properly removed.
During our visit, we observed the envelopes falling into a

11See, e.g., GAO, Management Report: Improvements Needed in IRS's Internal
Control and Accounting Procedures, GAO-04-553R (Washington, D.C.: Apr. 26,
2004).

bin, with no one watching them as they dropped. Once the bin was full, the
envelopes were put into a garbage can to be shredded.

o  	At one service center we visited, we observed light bulbs in candling
tables in the final candling area that did not provide sufficient light
for staff to see whether contents remained in opened envelopes.

The 2004 LPG candling requirement was unclear with respect to the number
of candlings required for envelopes processed by OPEX equipment. Although
the LPG stated that "envelopes must be candled twice before destruction"
either through a light source or by splitting the envelopes on three sides
and flattening them, the same section of the LPG also stated that
splitting envelopes on three sides and flattening them "is sufficient to
meet candling requirements without further light source viewing." IRS has
no written guidelines for minimum wattage of bulbs in candling tables.
Weaknesses in candling procedures increase the potential for inadvertent
loss or destruction of taxpayer receipts.

Recommendations

We recommend that IRS

o  	assess technologies that may be exempt from the visual inspection
requirement to determine whether they are acceptable methods of satisfying
candling objectives and, if so, add such technologies to the LPG list of
accepted candling methods;

o  	conduct an assessment of the costs and benefits of relying on only one
candling when using certain automated equipment;

o  	clarify the LPG to eliminate confusion about the number of candlings
required for different extraction methods; and

o  	establish guidelines and a testing requirement to ensure satisfactory
lighting conditions for effective candling.

IRS Comments and Our Evaluation

IRS indicated that it has taken action to address issues that gave rise to
our recommendations to (1) assess technologies that may be exempt from the
visual inspection requirement to determine whether they are acceptable
methods of satisfying candling objectives and, if they are, add them to
the LPG list of accepted candling methods and (2) assess the costs and
benefits of relying on only one candling when using certain automated
equipment. IRS agreed with our recommendation to clarify the LPG to
eliminate confusion about the number of candlings required for different
extraction methods. IRS indicated that to address the issues raised by
these recommendations, it added a provision to the 2005 LPG specifying
that envelopes opened (either manually or by OPEX) on three or more sides
must be candled once on the candling tables. During our ongoing fiscal
year 2005 audit, we verified that IRS had made this change to the LPG, and
we will evaluate the effectiveness of this enhancement as the audit
progresses. IRS also

agreed with our recommendation to establish guidelines and a testing
requirement to ensure satisfactory lighting conditions for effective
candling. IRS stated that additional work is needed to strengthen the
current procedures in the Internal Revenue Manual (IRM) and that it is in
the process of reviewing and strengthening these procedures. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2005
financial audit.

Monitoring and Verifying Recording and Transmittal of Taxpayer Receipts
and Information

When an IRS field office receives taxpayer receipts and returns, it is
responsible for recording the information received and sending it to a
service center for further processing with a transmittal form listing the
documents included in the package. However, at the two IRS field offices
we visited, we found multiple instances in which internal controls were
not in place to ensure that recording and transmittal of taxpayer receipts
and information were adequately monitored and verified:

o  	At one field office, there was a lack of segregation of duties with
respect to handling taxpayer receipts. We observed in seven Small
Business/Self-Employed (SB/SE) units12 that the individuals responsible
for preparing Payment Posting Vouchers were the same individuals who
recorded the information from those vouchers on Document Transmittal
forms, which list the contents of a package sent from one IRS location to
another, and mailed those forms to the IRS service center. At the other
field office, we observed that there was no independent review of
documents or payments before they were mailed by their preparer to the
service center for processing, nor was there any independent
reconciliation of the information on the Document Transmittal forms to
those documents or payments. In addition, at the same field office, there
was no independent review or reconciliation of payments recorded on Daily
Report of Collection Activity forms, which are used to list and transmit
tax receipts and returns to service centers, to the actual payments that
accompanied the forms before the payments were sent to the service center
for processing.

o  	One of the field offices sent Daily Report of Collection Activity
forms to a service center without listing those forms on, and enclosing
with them, a Document Transmittal form, as required by the IRM.13 Only
packages containing a single Daily Report of Collection Activity form do
not require an accompanying Document Transmittal form.

o  	One of the field offices we visited did not use a logbook for filing
Document Transmittal forms, and two units at the other field office had no
system in place for maintaining and monitoring acknowledgments of Document
Transmittal forms.

12SB/SE units are field office units that serve partially or fully
self-employed individuals, individual
filers with certain types of nonsalary income, and small businesses.
13The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct
business and contains policy, direction, and delegations of authority
necessary to carry out IRS
responsibilities to administer tax law and other legal provisions.

o  	There was no evidence of management review of five units' Document
Transmittal form logbooks at one of the field offices.

GAO's Standards for Internal Control in the Federal Government requires
that key duties and responsibilities be segregated among different people
to reduce the risk of error or fraud. In addition, according to the IRM,
if a unit sends individually sealed envelopes in one package to the
service center, the package must contain a Document Transmittal form
listing the enclosed Daily Report of Collection Activity forms and the
respective tracking information. The IRM also requires that senders
establish a control to ensure delivery of tax receipts and information to
IRS service centers and follow up within 10 work days on packages not
acknowledged by the center. Not adequately accounting for taxpayer
receipts because of insufficient review, reconciliation, monitoring, and
segregation of duties increases the risk of error and fraud and,
therefore, the potential for loss, theft, and misuse of taxpayer receipts.

Recommendations

We recommend that IRS

o  	establish policies and procedures to require appropriate segregation
of duties in SB/SE units of field offices with respect to preparation of
Payment Posting Vouchers, Document Transmittal forms, and transmittal
packages;

o  	enforce the requirement that a Document Transmittal form listing the
enclosed Daily Report of Collection Activity forms be included in
transmittal packages, using such methods as more frequent inspections or
increased reliance on error reports compiled by the service center teller
units receiving the information;

o  	establish a procedure for SB/SE field office units to track Document
Transmittal forms and acknowledgements of receipt of Document Transmittal
forms; and

o  	require evidence of managerial review of recording, transmittal, and
receipt of acknowledgments of taxpayer receipts and information.

IRS Comments and Our Evaluation

IRS agreed with our recommendations. To establish policies and procedures
to require appropriate segregation of duties in SB/SE units of field
offices with respect to preparation of Payment Posting Vouchers, Document
Transmittal forms, and transmittal packages, IRS indicated that it will
(1) establish procedure for SB/SE field office units to track Document
Transmittal forms and acknowledgements of receipt of Document Transmittal
forms and (2) strengthen its guidance to revenue officers and develop
procedures specifically for field clerical staff. To enforce the
requirement that a Document Transmittal form listing the enclosed Daily
Report of Collection Activity forms be included in transmittal packages,
IRS stated that its procedures will clarify that (1) the designated
clerical contacts are responsible for bundling sealed envelopes into a
single package for overnight mail to Submission

Processing pursuant to the IRM and (2) the designated clerical contacts
are to prepare a Document Transmittal form and send the prepared package
to Submission Processing via overnight mail. IRS stated that these
procedures will direct the designated clerical contact to retain a control
copy of the Document Transmittal form and the overnight mail transmittal
until the receipted copy of the Document Transmittal form is returned from
Submission Processing. In addition, IRS said that it intends to require
that the transmittal and the acknowledgement be reconciled monthly, with
appropriate follow-up as required. IRS also stated its intent to issue a
memorandum to all Field Assistance employees reminding them to adhere to
these IRM requirements and to add this as a review item for operational
reviews conducted by Field Assistance headquarters and area personnel. To
establish a procedure for SB/SE field office units to track Document
Transmittal forms and acknowledgements of receipt of Document Transmittal
forms, IRS stated that it will clarify its procedures to require that
managers ensure continuous coverage of the designated clerical contact
duties so that absence due to illness or leave does not disrupt the
processing of remittances. With respect to a requirement for evidence of
managerial review of recording, transmittal, and receipt of
acknowledgements of taxpayer receipts and information, IRS indicated that
it will establish procedures to require documented evidence of such
review, but noted that it will not implement any procedure that requires
100 percent managerial review. We will evaluate the effectiveness of IRS's
efforts during our fiscal year 2005 financial audit.

Controls over the Generation of Automated Refunds in Automated
Underreporter Program Cases

Most refunds are generated automatically by IRS when taxpayers file tax
returns reflecting a lower tax liability than the amount the taxpayer has
paid. Upon receipt of a tax return, IRS records the tax liability for the
appropriate tax period. If the taxpayer's payments and credits exceed the
tax liability, an automated refund is generated.

In July of each year, after the peak tax filing period,14 IRS matches data
submitted by taxpayers on their tax returns against data submitted to IRS
by third parties to report earnings such as wages, interest, and
dividends. This matching process is a key part of IRS's Automated
Underreporter Program (AUR). IRS follows up on selected discrepancies
identified as a result of the AUR to determine the reason for the
discrepancy and attempt to collect any taxes due. If a discrepancy can be
resolved by IRS based on review of available documentation, the case is
closed. Otherwise, an underreporter notice, which informs the taxpayer of
a proposed change to tax liability, is sent to the taxpayer. Because the
taxpayer has not yet agreed to an additional tax assessment at this point,
no tax liability is entered in the taxpayer's account. Instead, the
underreporter notice includes a Consent of Assessment form which the
taxpayer is asked to sign and return with his or her payment. When IRS
receives this form with the payment, the form alerts employees to route
the payment to the AUR unit, which is to record both the payment and the
tax assessment in the taxpayer's account.

14The peak tax filing season primarily occurs from January 1 to April 15
of each year.

Taxpayers who receive an underreporter notice can choose to agree with the
proposed additional assessment, disagree and provide reasons, or ask for
an appeal. Once IRS sends an underreporter notice to a taxpayer, an AUR
notice indicator is placed on the taxpayer's account within IRS's master
files.15 IRS typically places a different type of indicator-known as a
freeze code-on taxpayers' accounts that are undergoing examination or
investigation. Freeze codes temporarily prevent the automated issuance of
a refund until the issue is resolved and the freeze code is removed. An
AUR notice indicator, however, does not on its own prevent issuance of an
automated refund; rather, it serves as notice to other IRS units that AUR
has control of the case and should be notified before any action is taken.
Consequently, an automated refund may be improperly generated if a
taxpayer submits a payment in response to an AUR notice but does not
return a Consent of Assessment form with the payment.

At one of the two service centers we visited to review refund procedures
during our fiscal year 2004 audit, we found two instances in which IRS
generated refunds for taxpayers based on payments received in
consideration of unpaid taxes identified by AUR. Both taxpayers received
an AUR notice proposing a change in tax liability because of a discrepancy
in their tax return, and both submitted a payment to IRS indicating
agreement with IRS's finding. However, they did not enclose with their
payment the form that accompanied the underreporter notice they received.
As a result, IRS employees did not forward the payments to the AUR unit
and instead recorded them on the taxpayers' accounts. Since no form had
been received from these taxpayers and, consequently, the tax liabilities
related to the payments had not been recorded in the taxpayers' accounts,
the entire payment amounts were interpreted to be overpayments and refunds
were disbursed. Weaknesses in IRS's controls over automated refund
disbursements for accounts with AUR notice indicators unnecessarily expose
the federal government to losses due to issuance of improper refunds.

Recommendation

We recommend that IRS assess options to prevent the generation or
disbursement of refunds associated with accounts with unresolved AUR
discrepancies, including placement of a freeze or hold on all such
accounts, until the AUR review has been completed.

IRS Comments and Our Evaluation

IRS indicated that its existing procedures address the issue that gave
rise to this recommendation. However, IRS stated that AUR will partner
with Submissions Processing to ensure that employees receiving
unidentified remittances are aware of the need to conduct IDRS research
and how to properly post AUR remittances in these instances. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2005
financial audit.

      15IRS's master files contain detailed records of taxpayer accounts.

Controls over Authorization of Manual Refunds

During our fiscal year 2004 financial audit, we found weaknesses in IRS's
controls over the authorization of manual refunds at both of the service
centers we visited to review refund procedures during our fiscal year 2004
audit. These weaknesses resulted primarily from IRS employees not
consistently adhering to policies and

16

procedures intended to prevent disbursement of improper manual refunds.
Specifically, IRS employees did not always (1) comply with IRS
requirements when authorizing officials to approve manual refunds, (2)
monitor or review the monitoring of accounts to prevent duplicate refunds
or document that monitoring had been performed, or (3) review computer
system command code profiles of approving employees and officials who
certify that refund payments are proper to ensure that these officials did
not have access to inappropriate command codes that would allow them to
both process and approve or certify improper refunds.

Authorization to Approve Manual Refunds

The IRM requires that all manual refunds be approved by officials who are
designated by managers. To designate approving officials, managers are
required to submit documents to the Manual Refund Unit that include the
designated approving official's and manager's names and titles or
positions, their telephone numbers, their IRS campus or field service
organizations, their signatures, and a statement by the delegating manager
certifying that sensitive command codes are not authorized for the
approving official that would allow the official to both approve and
process manual refunds.

At both service centers we visited to review refund procedures, however,
we found that these controls were not always effective.

o  	At one service center, we found documents authorizing approving
officials that did not contain the delegating manager's signature and
others that did not contain the authorized approving official's signature.
We also found the name of an individual on the list of designated
approving officials that had been on the list for about 9 months even
though the delegating manager had included a statement on the document
requesting that the name remain on the list for only 90 days.

o  	At the other service center, we found documents that did not contain
the name and title or position of the manager submitting the document.

Improper authorization of approving officials for manual refunds exposes
the federal government to losses due to the increased risk of issuance of
improper refunds.

16Most refunds are generated automatically; under certain circumstances,
however, IRS processes refunds manually to expedite payment. Such refunds
include those over $10 million, those requested by taxpayers for immediate
payment due to hardship or emergency, those to beneficiaries of deceased
taxpayers, and those that need to be expedited because IRS is in jeopardy
of paying interest for exceeding the 45-day limit for processing a return.

Monitoring to Avoid Duplicate Refunds

As we have previously reported,17 the risk of issuance of duplicate
refunds is increased because (1) IRS's automated and manual refund systems
are not adequately coordinated to prevent the issuance of a duplicate
automated refund if a corresponding manual refund has already been
generated and (2) manual refunds may not be posted to the taxpayer's
account in the master file until up to 6 weeks after the refund has been
issued to the taxpayer, potentially allowing a duplicate automated refund
to be disbursed in the interim. To mitigate this risk, IRS has implemented
various procedures, such as a requirement for employees who have initiated
a manual refund to monitor the account to ensure that a duplicate
automated refund does not post in the interim as a pending transaction.
Supervisors are required to review the initiator's monitoring actions, and
both the initiators and supervisors are required to document their
monitoring or reviewing actions.

We have also previously reported that IRS employees did not always monitor
accounts to prevent duplicate refunds and that they were not required to
document their reviews. As a result of a previous recommendation we made,
IRS revised its procedures to require documentation of monitoring actions
and supervisory review of monitoring actions. However, at both service
centers we visited, we found that this control was not always
effective-IRS employees did not always monitor accounts to prevent
duplicate refunds, and their supervisors did not always review monitoring
actions to ensure that they were being properly conducted. We also found
that IRS employees and supervisors did not always document their
monitoring or reviewing actions. We interviewed nine manual refund
initiators and their supervisors at the two service centers we visited to
review refund procedures. During our review of documentation of their
monitoring and reviewing procedures, we found the following:

o  Two initiators did not monitor the accounts to prevent duplicate
refunds.

o  	Of the seven initiators who did monitor the accounts, three did not
sign and date their monitoring action.

o  Three initiators' supervisors did not review the monitoring actions.

o  	Of the six supervisors who did review monitoring actions, only one
documented, signed, and dated the review. Three of these supervisors
documented but did not sign and date their review, and two did not
document their review.

These weaknesses increase the risk that account monitoring and related
reviews may not be conducted on a consistent and timely basis, rendering
this control ineffective. As a result, IRS does not have adequate
assurance that accounts are being appropriately monitored to prevent
duplicate refunds from being paid.

17GAO, Internal Revenue Service: Recommendations to Improve Financial and
Operational Management, GAO-01-42 (Washington, D.C.: Nov. 17, 2002).

Review and Approval of Command Code Profiles

IRS uses IDRS, an online data retrieval and entry system, to process
manual refunds. Employees' level of access to IDRS is determined by their
specific role and responsibilities. Each employee who uses IDRS is
assigned a command code profile that determines the type of transactions
he or she can process. To ensure that approving officials do not have
sensitive command codes that would allow them to process manual refunds in
violation of segregation of duties requirements implemented to reduce the
risk of error or fraud, IRS requires service centers to review command
code profiles of approving officials. These individuals also review
command code profiles of certifying officials, who are responsible for
ensuring that refund payments are correct and proper.

At both service centers we visited to review refund procedures during our
fiscal year 2004 financial audit, however, we found that command code
profiles of approving and certifying officials were not always reviewed as
required by the IRM.

o  	At one service center, we found that the individual responsible for
the review did not review the command code profiles for all authorized
approving officials. Instead, only employees who had indicated or whose
manager had indicated that they had been assigned command codes were
selected for review. The reviewer did not verify that the employees who
had indicated they did not have assigned command codes had not in fact
been assigned command codes. In addition, no one at this service center
reviewed the command code profiles of certifying officials.

o  	At the other service center, we found that no review of command code
profiles for approving officials had been conducted since July 2000,
although the IRM requires that a review of the accounts and profiles of
all users of IRS's network be conducted at least annually. For certifying
officials at this service center, command code profiles had been reviewed
monthly. However, since it was a certifying official who conducted the
reviews, she also reviewed her own command code profile. The IRM does not
specify who should conduct the reviews.

Because IRS employees did not always adhere to IRM requirements specifying
control procedures over manual refunds and the IRM was not specific as to
the timing and assignment of responsibility for reviewing command code
profiles, the effectiveness of these controls was impaired. As a result,
the risk is increased that IRS could disburse improper manual refunds.

Recommendations

We recommend that IRS

o  	enforce documentation requirements relating to authorizing officials
charged with approving manual refunds,

o  	enforce requirements for monitoring accounts and reviewing monitoring
of accounts,

o  	enforce requirements for documenting monitoring actions and
supervisory review,

o  	enforce the requirement that command code profiles be reviewed at
least once annually, and

o  	specify in the IRM that staff members are not to review their own
command code profiles.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning controls over authorization
of manual refunds. With respect to the recommendations that call for
enforcement of existing documentation, review, and monitoring
requirements, IRS indicated its intent to remind management officials
annually of these requirements via memorandum, notice, or Alert. IRS noted
that as part of the reminder, checksheets will be included and a response
will be required confirming that these actions have been taken. IRS also
indicated that it will consider including these items in its Management
Accountability Review Process. With respect to the recommendation that the
IRM specify that staff members are not to review their own command code
profiles, IRS stated that IRM wording would be updated and annual
memorandums or notices would be sent to management officials reminding
them that the approver's manager is responsible for ensuring that the
approver's profiles have appropriate restrictions and have been reviewed.
We will evaluate the effectiveness of IRS's efforts during our fiscal year
2005 financial audit.

Resolution of Liens with Manually Calculated Interest or Penalties

During our fiscal year 2004 financial audit, we found that IRS did not
properly verify interest or penalties on taxpayers' accounts with manually
calculated interest or penalties to ensure that these taxpayers paid the
full amount of taxes due before IRS released tax liens associated with
their accounts. Specifically, none of the five lien units that we visited
properly verified manual interest and penalties. Personnel at these lien
units queried IDRS to see if it indicated that an account with a lien with
manually calculated interest or penalties had been paid in full. If IDRS
indicated that such an account had been paid in full, lien unit personnel
incorrectly interpreted this to mean that there were no outstanding
interest accruals or penalties and thus released the lien. However, IDRS
does not make the manual interest and penalty calculations. Consequently,
if IRS personnel do not verify that there are no unassessed interest or
penalty amounts, they could close an account as having been fully paid
when there are accumulated amounts of interest or penalties that are
legally due to the government but that have not been assessed or paid.

Interest on most taxpayer accounts is calculated automatically by IDRS.
However, IRS must manually calculate interest and penalties on some
taxpayers' accounts

because IDRS has not been programmed with the capability to calculate
interest and penalties in accordance with certain legal requirements. IRS
refers to such interest as "restricted interest" because IDRS is
restricted from making the interest computations. For these cases, IRS
officials must manually calculate the amount of interest or penalties due
as of a point in time and manually enter the result into IDRS. However,
these manually calculated interest or penalty amounts are not
automatically updated with the passage of time to reflect new accruals of
interest or penalties-subsequent calculations of additional interest or
penalties must also be done manually.

To help ensure that manually calculated interest and penalties are
determined properly and that all accruals of interest and penalties are
paid, IRS established a control to prevent the release of liens until the
amounts of manually calculated interest and penalties are verified. Before
releasing a lien, IRS automatically routes all accounts with manual
calculations to the lien units. IRS guidance18 calls for lien unit
personnel to verify the completeness of manual interest or penalty
calculations before releasing the lien but does not show how this is to be
done. Instead, it instructs lien unit personnel to "follow local
procedures." However, none of the lien unit personnel we interviewed had
local procedures for verifying the completeness of manual interest or
penalty calculations. If lien units do not properly verify that there are
no unassessed interest or penalty amounts for accounts with liens with
manually calculated interest or penalties, there is a risk of loss of
revenue to the federal government through the premature release of tax
liens.

Recommendation

We recommend that IRS specify in the IRM how to properly verify interest
and penalties for accounts with liens with manually calculated interest or
penalties.

IRS Comments and Our Evaluation

IRS stated that it has taken actions to address the issue that gave rise
to this recommendation. Specifically, IRS stated that it revised the IRM
to instruct employees to check IDRS to determine if restricted interest or
penalty is due. IRS noted that the IRM now clearly states that there are
only two instances for which restricted interest and penalty should not be
computed-offer-in-compromise and bankruptcy cases. In addition, IRS noted
that tax examiners hired to staff the Centralized Case Processing Lien
Processing Unit were provided hands-on training in the computation of
restricted interest and penalty and that resolution of these cases moved
to Centralized Case Processing effective February 2005. IRS also stated
that the centralized site has created a special group of employees who
were trained in the resolution of restricted interest and penalty cases
and that new hires for this group will also receive this training. We will
evaluate the effectiveness of IRS's efforts during our fiscal year 2005
financial audit.

18This guidance consists of a detailed manual distributed to lien unit
personnel at a February 2003 workshop.

This report contains recommendations to you. The head of a federal agency
is
required by 31 U.S.C. S: 720 to submit a written statement on actions
taken on these
recommendations. You should submit your statement to the Senate Committee
on
Homeland Security and Governmental Affairs and the House Committee on
Government Reform within 60 days of the date of this report. A written
statement
must also be sent to the House and Senate Committees on Appropriations
with the
agency's first request for appropriations made more than 60 days after the
date of the
report.

This report is intended for use by the management of IRS. We are sending
copies to
the Chairmen and Ranking Minority Members of the Senate Committee on
Appropriations; Senate Committee on Finance; Senate Committee on Homeland
Security and Governmental Affairs; Senate Committee on the Budget;
Subcommittee
on Transportation, Treasury, the Judiciary, Housing and Urban Development,
and
Related Agencies, Senate Committee on Appropriations; Subcommittee on
Taxation
and IRS Oversight, Senate Committee on Finance; and Subcommittee on
Oversight of
Government Management, the Federal Workforce, and the District of
Columbia,
Senate Committee on Homeland Security and Governmental Affairs. We are
also
sending copies to the Chairmen and Ranking Minority Members of the House
Committee on Appropriations; House Committee on Ways and Means; House
Committee on Government Reform; House Committee on the Budget;
Subcommittee
on Transportation, Treasury, and Housing and Urban Development, the
Judiciary,
District of Columbia, House Committee on Appropriations; Subcommittee on
Government Management, Finance, and Accountability, House Committee on
Government Reform; and Subcommittee on Oversight, House Committee on Ways
and Means. In addition, we are sending copies of this report to the
Chairman and
Vice-Chairman of the Joint Committee on Taxation, the Secretary of the
Treasury, the
Director of the Office of Management and Budget, the Chairman of the IRS
Oversight
Board, and other interested parties. The report is available at no charge
on GAO's
Web site at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by
IRS
officials and staff during our audits of IRS's fiscal years 2004 and 2003
financial
statements. If you have any questions or need assistance in addressing
these matters,
please contact Chuck Fox, Assistant Director, at (202) 512-5261. Other
major
contributors are listed in enclosure III.

Sincerely yours,

Steven J. Sebastian
Director
Financial Management and Assurance

Enclosures - 3

                                  Enclosure I

                   Comments from the Internal Revenue Service

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

                                  Enclosure I

Enclosure II

Details on Audit Methodology

To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:

o  	Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included testing selected
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, property and equipment, and undelivered
order transactions. These statistical samples were selected primarily to
substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which they
were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design or
operation of internal control or compliance with provisions of laws and
regulations. These attributes, where applicable, can be and have been
statistically projected to the appropriate populations.

o  	Assessed the accounting principles used and significant estimates made
by management.

o  Evaluated the overall presentation of the financial statements.

o  	Obtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and performance measures reported in the Management
Discussion and Analysis.

o  	Tested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.

o  	Considered the process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. S: 3512 (c),
(d), commonly referred to as the Federal Managers' Financial Integrity Act
of 1982.

o  	Tested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. S: 1341(a)(1) and
31 U.S.C. S: 1517(a)); Agreements for payment of tax liability in
installments (26 U.S.C. S: 6159); Purpose Statute (31 U.S.C. S: 1301);
Release of lien or discharge of property (26 U.S.C. S: 6325); Interest on
underpayment, nonpayment, or extensions of time for payment of tax (26
U.S.C. S: 6601); Interest on overpayments (26 U.S.C. S: 6611);

Enclosure II Determination of rate of interest (26 U.S.C. S: 6621);
Failure to file tax return or to pay tax (26 U.S.C. S: 6651); Failure by
individual to pay estimated income tax (26 U.S.C. S: 6654); Failure by
corporation to pay estimated income tax (26 U.S.C. S: 6655); Prompt
Payment Act (31 U.S.C. S: 3902(a), (b), and (f) and 31 U.S.C. S: 3904);
Fair Labor Standards Act of 1938, as amended (29 U.S.C. S: 206); Civil
Service Retirement Act of 1930, as amended (5 U.S.C. S:S: 5332, 5343);
Federal Employees' Retirement System Act of 1986, as amended (5 U.S.C.
S:S: 8422, 8423, and 8432); Social Security Act, as amended (26 U.S.C.
S:S: 3101 and 3121 and 42 U.S.C. S: 430); Federal Employees Health
Benefits Act of 1959, as amended (5 U.S.C. S:S: 8905, 8906, and 8909); and
Consolidated Appropriations Act, 2004, Pub. L. No. 108-199, 118 Stat. 3
(Jan. 23, 2004).

o  	Tested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, S: 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996) (codified at 31 U.S.C. S:
3512 note).

Enclosure III

GAO Contacts and Staff Acknowledgments

GAO Contacts

Chuck Fox, (202) 512-5261 Alain Dubois, (202) 512-6365

Acknowledgments

Staff who made key contributions to this report were Esther Tepper,
Theresa Bowman, Gloria Cano, George Ogilvie, John Ryan, and Jeffrey Yoder.

(196035)
*** End of document. ***