Management Report: Improvements Needed in IRS's Internal Controls
(12-MAY-06, GAO-06-543R).					 
                                                                 
In November 2005, we issued our report on the results of our	 
audit of the Internal Revenue Service's (IRS) financial 	 
statements as of, and for the fiscal years ending, September 30, 
2005 and 2004, and on the effectiveness of its internal controls 
as of September 30, 2005. We also reported our conclusions on	 
IRS's compliance with significant provisions of selected laws and
regulations and on whether IRS's financial management systems	 
substantially comply with requirements of the Federal Financial  
Management Improvement Act of 1996. A separate report on the	 
implementation status of recommendations from our prior IRS	 
financial audits and related financial management reports,	 
including this one, will be issued shortly. The purpose of this  
report is to discuss issues identified during our audit of IRS's 
financial statements as of, and for the fiscal year ending	 
September 30, 2005, regarding internal controls that could be	 
improved for which we do not currently have any recommendations  
outstanding. Although not all of these issues were discussed in  
our fiscal year 2005 audit report, they all warrant management's 
consideration.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-543R					        
    ACCNO:   A53900						        
  TITLE:     Management Report: Improvements Needed in IRS's Internal 
Controls							 
     DATE:   05/12/2006 
  SUBJECT:   Data destruction					 
	     Data transmission					 
	     Facility security					 
	     Financial management				 
	     Financial statement audits 			 
	     Financial statements				 
	     Hiring policies					 
	     Internal controls					 
	     Physical security					 
	     Policy evaluation					 
	     Property disposal					 
	     Reporting requirements				 
	     Tax administration 				 
	     Remittances					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-543R

     

     * PDF6-Ordering Information.pdf
          * Order by Mail or Phone

May 12, 2006

The Honorable Mark W. Everson

Commissioner of Internal Revenue

Subject: Management Report: Improvements Needed in IRS's Internal Controls

Dear Mr. Everson:

In November 2005, we issued our report on the results of our audit of the
Internal Revenue Service's (IRS) financial statements as of, and for the
fiscal years ending, September 30, 2005 and 2004, and on the effectiveness
of its internal controls as of September 30, 2005.1 We also reported our
conclusions on IRS's compliance with significant provisions of selected
laws and regulations and on whether IRS's financial management systems
substantially comply with requirements of the Federal Financial Management
Improvement Act of 1996. A separate report on the implementation status of
recommendations from our prior IRS financial audits and related financial
management reports, including this one, will be issued shortly.

The purpose of this report is to discuss issues identified during our
audit of IRS's financial statements as of, and for the fiscal year ending
September 30, 2005, regarding internal controls that could be improved for
which we do not currently have any recommendations outstanding. Although
not all of these issues were discussed in our fiscal year 2005 audit
report, they all warrant management's consideration. This report contains
22 recommendations that we are proposing IRS implement to improve its
internal controls. We conducted our audit in accordance with U.S.
generally accepted government auditing standards.

Results in Brief

During our fiscal year 2005 audit, we identified a number of internal
control issues that adversely affected safeguarding of tax receipts and
information, and the reliability of expense, and property & equipment
(P&E) records. These issues concern (1) taxpayer receipts and data
transmittal documents, (2) physical security controls at taxpayer
assistance centers, (3) the roles and responsibilities of security guards,
(4) candling procedures, (5) timely processing of large remittances at
lockbox banks, (6) access to tax return processing facilities, (7)
juvenile hiring policy, (8) classification of procurement transactions as
P&E or expense, and (9) recording P&E disposals.

1GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005).

Specifically, we found the following:

           o  At three of the four service center campuses (SCCs), seven of
           the eight Taxpayer Assistance Centers (TACs),2 and two of the six
           field offices we visited, we found no evidence of managerial
           review of the transmittal documents and acknowledgment forms used
           to transmit and monitor taxpayer receipts and information shipped
           from one IRS location to another. Additionally, at five TACs and
           both field offices, we found no evidence of follow-up on the
           overdue unacknowledged transmittals we reviewed.

           o  At four TAC sites, physical security controls were not adequate
           to preclude individuals from entering controlled areas and gaining
           access to taxpayer receipts and information. At three of these
           TACs, we found that individuals were able to enter controlled
           areas3 of the TAC or other IRS office space unnoticed. In
           addition, one of the four TACs did not have an operable emergency
           alarm and at another of the four TACs, the door separating the
           customer area from the controlled area was not locked nor marked
           with a sign alerting customers that they were not permitted to
           enter unescorted.

           o  At one SCC, one TAC, and one lockbox bank4 we visited, we found
           that security guard personnel did not always effectively fulfill
           their responsibilities in (1) controlling access to IRS tax return
           facilities, (2) responding to intrusion alarms, and (3) recording,
           maintaining, and reporting security incidents or violations.

           o  At three SCCs we visited, we found that IRS did not always
           ensure that envelopes were opened and candled5 twice before
           destruction, as required by its procedures, to provide assurance
           that all contents have been extracted.

           o  At two lockbox banks, we found that large dollar checks were
           not always immediately processed and deposited according to IRS's
           guidelines.

           o  At two SCCs and one lockbox bank, controls over access to
           facilities were not adequate to provide reasonable assurance that
           unauthorized personnel would not be admitted. Credentials of
           persons entering one SCC and one lockbox bank were not always
           validated before admission and, at one SCC, (1) alarms were not
           always functional and (2) gaps existed in perimeter security.

           o  Limitations in IRS's juvenile6 hiring policy increased the risk
           of unsuitable candidates being hired and permitted access to
           taxpayer receipts and data. For juvenile employee candidates, IRS
           (1) only required references for those individuals hired to work
           in receipt processing functions although taxpayer receipts and
           data are also accessible in other functions, and (2) accepted
           written references that were hand delivered to IRS by the
           candidates themselves without independently verifying their
           source.

           o  IRS did not always ensure that it properly classified its
           procurement transactions as P&E and recognized assets when they
           met its capitalization criteria or classified these transactions
           as expense when they did not. Of 267 sample transactions we tested
           from IRS's non-payroll expenses and P&E acquisitions recorded
           during the first 9 months of fiscal year 2005 and accounts payable
           as of September 30, 2005, six were incorrectly classified and
           reported.

           o  Disposals of property and equipment were not recorded in a
           timely manner at five IRS locations, resulting in inventory
           records that were inaccurate and out-of-date.

2 TACs are field assistance units designed to serve taxpayers who choose
to seek help from the IRS in person. Services provided include
interpreting tax laws and regulations, preparing some tax returns,
resolving inquiries on taxpayer accounts, receiving payments and
forwarding those payments to their respective SCC for deposit and further
processing, and performing other services designed to minimize the burden
on taxpayers in satisfying their tax obligations. These offices are
typically much smaller facilities than SCCs or lockbox banks with staff
sizes ranging from 1 to about 35 employees.

3IRS defines controlled areas as space to which access is limited to IRS
employees with a valid business purpose. Within such controlled space,
certain areas are designated as restricted and are subject to a further
elevated level of security to safeguard such sensitive assets as hardcopy
taxpayer receipts and computer facilities.

4 Lockbox banks are financial institutions designated as depositories and
financial agents of the U.S. government to perform certain financial
services, including processing tax documents, depositing the receipts, and
then forwarding the documents and data to their respective SCC, which
update taxpayers' accounts.

5 Candling is a process used by IRS to determine if any contents remain in
open envelopes, which is often achieved by passing the envelopes over a
light source.

The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed, and (2) physical
assets could be stolen or valued incorrectly.

At the end of our discussion of each of these issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into conformance
with its own policies and with the internal control standards that all
federal agencies are required to follow.7

6IRS defines juvenile as a person who is not yet eighteen years of age.

7GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

In its comments, IRS agreed with our recommendations and described actions
it had taken or planned to take to address the control weaknesses
described in this report. At the end of our discussion of each of the
issues in this report, we have summarized IRS's related comments and
provide our evaluation.

Scope and Methodology

As part of our audit of IRS's fiscal years 2005 and 2004 financial
statements, we tested IRS's internal controls and its compliance with
selected provisions of laws and regulations. We designed our audit
procedures to test relevant controls, including those for proper
authorization, execution, accounting, and reporting of transactions. This
report addresses issues we observed during our fiscal year 2005 audit. For
issues related to safeguarding taxpayer receipts and information, we
visited four SCCs, four lockbox banks, eight TACs, and six other IRS field
offices; and for issues related to procurement and property and equipment
(P&E), we performed our testing at 22 IRS offices and at the IRS Finance
Center.

Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2005 and 2004
financial statements8 and are reproduced in enclosure II. We requested
comments on a draft of this report from the Commissioner of IRS or his
designee. We received written comments from the Commissioner, which we
have incorporated as appropriate and have reprinted them as Enclosure 1.

Transmission of Taxpayer Receipts and Information

IRS's controls over transmissions of taxpayer receipts and information
between offices did not always ensure that transmissions were reviewed to
make certain that potential errors were promptly identified and corrected
and that transmissions were timely received and acknowledged. When IRS
transmits taxpayer receipts and/or information between locations, IRS
personnel are required to use either a Daily Report of Collection Activity
(form 795) or a Document Transmittal (form 3210) to record and document
the items being transmitted.9 However, during our fiscal year 2005 audit,
we found that these forms were not always (1) subject to a documented
supervisory review prior to submitting the documents for final processing,
or (2) tracked to ensure that recipients timely acknowledged receipt of
the transmitted documents. Specifically, we found:

           o  at three of the four SCCs we visited, managers or supervisors
           within the Refund Inquiry Unit did not document their review of
           forms used to record and transmit returned refund checks before
           they were mailed to the Austin Regional Finance Center for final
           processing.

           o  at five of the eight TACs and at three Large and Mid-Size
           Business (LMSB) and three Tax-Exempt and Government Entities
           (TEGE) field units, 10 document transmittals were not always
           acknowledged by the recipient within the timeframe required by
           IRS. In addition, there was no evidence that the originators of
           the transmittals contacted the recipient to follow-up on the
           status of the unacknowledged transmittals.

           o  at seven of the eight TACs, four LMSB units, and one TEGE unit,
           there was no evidence that managers periodically reviewed the
           logbooks used to track acknowledged transmittals.

8GAO-06-137.

9 The Daily Report of Collection Activity is generally used to transmit
taxpayer receipts from an IRS facility to a SCC. A Document Transmittal is
used interchangeably to transmit (1) taxpayer receipts or several form
795s from an IRS facility to a SCC for final processing or (2) non-payment
related taxpayer information (e.g., case files and other sensitive tax
related data) between IRS facilities.

GAO's Standards for Internal Control in the Federal Government11 require
agencies to establish controls to enforce adherence to management policies
and procedural requirements, such as management reviews, to create and
maintain records providing evidence that these controls are executed, and
to appropriately safeguard assets. Additionally, the Internal Revenue
Manual (IRM)12 requires that area offices take responsibility for the
security and accountability of taxpayer receipts and information during
transit. Specifically, the IRM requires senders to establish a control to
ensure timely delivery of taxpayer receipts and information and to follow
up with the recipient if the acknowledgement has not been received within
10 workdays. The lack of documentation of review and follow-up on overdue
acknowledgements increases the risk that these procedures are not in place
and operating effectively and that, consequently, errors, theft, or loss
of taxpayer receipts and information may occur and not be timely detected.

Recommendations

We recommend that IRS

           o  require that Refund Inquiry Unit managers or supervisors
           document their review of all forms used to record and transmit
           returned refund checks prior to sending them for final processing;

           o  enforce compliance with existing requirements that all IRS
           units transmitting taxpayer receipts and information from one IRS
           facility to another, including SCCs, TACs, and units within LMSB
           and TEGE, establish a system to track acknowledged copies of
           document transmittals;

           o  provide instructions to document the follow-up procedures
           performed in those cases where transmittals have not been timely
           acknowledged; and

           o  require that managers or supervisors document their reviews of
           document transmittals to ensure that taxpayer receipts and/or
           taxpayer information mailed between IRS locations are tracked
           according to guidelines.

10 LMSB units are field office units charged with administering taxes for
corporations and partnerships with assets over $10 million. TEGE units are
field office units that serve a wide range of customers including small
local community organizations, municipalities, major universities, pension
funds, state governments, Indian tribal governments, and tax exempt bond
issuers. All other corporations, partnerships, small businesses, and
individuals with certain types of non-salary income with assets under $10
million are serviced by IRS's Small Business and Self-Employed (SB/SE)
units. We addressed similar monitoring weaknesses within several SB/SE
units in our management report from our fiscal year 2004 audit, see GAO,
Management Report: Improvements Needed in IRS's Internal Controls,
GAO-05-247R (Washington, D.C.: April 2005).

11GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

12The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct its operations and contains policy,
direction, and delegations of authority necessary to carry out IRS's
responsibilities to administer tax law and other legal provisions.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning its documentation of
controls over transmission of taxpayer receipts and information between
offices. IRS indicated it will remind all SCCs of the requirement to
conduct periodic reviews of the document transmittal form and that
verifying this will be included as part of the site review process by
March 2007. IRS also indicated it had conducted an education effort to
ensure that all managers in Examination are familiar with existing IRMs
related to check processing procedures and provided their personnel
additional instruction on requirements for transmitting taxpayer receipts,
checks, and taxpayer information in order to ensure their personnel comply
with policy. Specifically, IRS stated that it had conducted an information
presentation for Examination managers, developed a flowchart to document
the process, and developed a quick reference guide for processing checks
in TEGE. IRS stated it also developed training materials to provide
additional guidance on handling transmittals and will perform periodic
reviews to ensure transmittals are handled appropriately. IRS also
indicated that it will revise the IRM to require documentation of
follow-up actions with SCCs when transmittal documents are not
acknowledged timely. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2006 financial audit.

Physical Security at Taxpayer Assistance Centers

During our fiscal year 2005 audit, we found that physical security
controls at several TAC sites we visited were not adequate to prevent
unauthorized individuals from accessing areas which contained taxpayer
receipts and information. For example:

           o  At one TAC, upon entering the facility at the time of our
           audit, we were able to repeatedly walk from the public entrance to
           a controlled area without being noticed or challenged. The only
           obstacle was a door which was not locked nor marked with a sign
           alerting individuals that they were not permitted to enter
           unescorted. This area was also accessible through a separate door
           that was also not locked nor marked.

           o  Another TAC was staffed by two Technical Research
           Representatives (TRRs),13 whose responsibilities included
           monitoring the public reception area of the TAC and preventing
           customers from venturing into controlled areas of the office that
           were shared by other IRS business units. However, TRRs sometimes
           found it necessary to leave their desks and the public reception
           area to perform their other duties, thereby leaving the area
           unattended and potentially allowing individuals to enter
           controlled areas of the TAC unchallenged. We were informed that
           individuals had on occasion been found in the other business
           units' office space seeking assistance. Additionally, there were
           no signs posted in the TAC informing individuals that access
           within the office beyond a certain point was not permitted unless
           escorted by an employee.

IRS is currently in the process of reconfiguring the space at several of
its TACs, and refers to the reconfigured TAC sites as the "new TAC"
models.14 The IRM requires that layouts of the new TACs should incorporate
certain security features to meet a controlled area requirement to protect
taxpayer receipts and information from disclosure and prevent unauthorized
access to both information and property. However, during our visits to two
of the new TAC models, we found similar security problems as discussed
above. For example, at one new TAC that was often staffed by 1 or 2 TRRs,
the TRRs responsible for monitoring the entrance of the TAC at times would
leave their workstations to perform other duties. Based on our
observations and inquiries, we found that unauthorized individuals could
access and had occasionally been found to have entered the controlled area
of the TAC and offices shared by other IRS business units. At the same
TAC, we noted that emergency alarms (known as duress alarms) were not
connected to a central monitoring station or the local police department.
We were informed that the contractor had not completed installing the
duress alarm at the time the new TAC was opened to the public. At another
new TAC, we found that a door separating the customer waiting area from
the secured area was not equipped with a locking device nor marked with a
sign to inform customers that they were not permitted to enter unescorted.
We also found that three of the TAC sites discussed above were not
supervised by an on-site manager. IRS policy requires that in such cases,
designated responsible offsite TAC managers are required to make routine
supervisory visits to ensure that operations are performed according to
standards. However, IRS did not have documentation to demonstrate if or
how often such supervisory visits to these locations actually occurred or
what was accomplished during these visits. Without appropriate supervisory
oversight, the risk is significantly increased that the physical security
issues we identified may not be timely detected and corrected.

The IRM requires that access to assets be limited to those employees with
a valid business need to access the information. GAO's Standards for
Internal Control in the Federal Government requires physical controls to
limit access to vulnerable assets and records to authorized individuals.
Such controls may include an appropriate combination of locks, duress
alarms, warning signs, and other measures. Not adequately implementing
such measures to restrict access to taxpayer receipts and information
increases the risk that loss, theft, and/or misuse of taxpayer receipts
and information may occur and not be timely detected.

13One of the TRRs at this location worked a part-time schedule.

14As of March 2006, IRS had reconfigured 115 of its 400 TACs located
throughout the United States, has an additional 29 such projects underway,
and plans on reconfiguring the remaining TACs by 2014.

Recommendations

We recommend that IRS

           o  equip all TACs with adequate physical security controls to
           deter and prevent unauthorized access to controlled areas or
           office space occupied by other IRS units, including those TACs
           that are not scheduled to be reconfigured to the "new TAC" model
           in the near future . This includes appropriately separating
           customer service waiting areas from controlled areas by physical
           barriers such as locked doors marked with signs barring entrance
           by unescorted customers;

           o  connect duress alarms to a central monitoring station or local
           police department or institute appropriate compensating controls
           when these alarm systems are not operable or in place; and

           o  document supervisory visits by offsite managers to TACS not
           having a manager permanently onsite. This documentation should be
           signed by the manager and should (1) record the time and date of
           the visit, (2) identify the manager performing the visit, (3)
           indicate the tasks performed during the visit, (4) note any
           problems identified, and (5) describe corrective actions planned.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning physical security at the
TACs. IRS indicated that it will identify those TACs that lack adequate
physical barriers, evaluate this issue, and determine corrective actions
by June 2006. IRS noted that its Field Assistance staff have developed
procedures to canvass TACs twice a year for security, safety, health, and
space concerns. IRS also stated that its Field Assistance staff have
developed testing requirements to ensure that the alarms are appropriately
monitored and working properly. In addition, IRS indicated that it will
connect duress alarms to a central monitoring station or local police
departments in TACs based on criticality and funding availability, and
implement compensating controls when alarm systems are inoperable. IRS
also stated that it had developed a checklist for managers to use to
document their visits to TACs, which is scheduled to be added to the IRM
by June 2006. We will evaluate the effectiveness of IRS's efforts during
our fiscal year 2006 financial audit.

Security Guards' Roles and Responsibilities

IRS relies heavily on security guards to (1) control access to IRS
facilities and lockbox banks to safeguard taxpayer receipts and
information from theft, loss, or abuse; (2) respond to intrusion alarms
and other emergencies as needed; and (3) record, maintain, and report
security incidents or violations to IRS for review or, when necessary, for
corrective action. However, during our fiscal year 2005 audit, we found
that security guards did not always effectively fulfill these
responsibilities. Specifically, we found the following:

           o  Security guard personnel at one SCC and one lockbox bank did
           not document a tripped door alarm in their respective security
           logs. At the SCC, it took security guard personnel nearly 10
           minutes to respond to an alarm and they later did not deem it
           necessary to document the incident as required by IRS policy
           because the door was malfunctioning and there was an
           "understanding" that such documentation was not necessary. The
           security personnel at the lockbox bank did not provide an
           explanation for why they did not record the tripped alarm.

           o  Security guards stationed at one TAC often left their assigned
           post of duty to escort customers to the workstations of IRS
           representatives. While the guards were absent from their post,
           customers were, at times, left unsupervised in the
           customer/visitor waiting area that was accessible to controlled
           space through a door that was unlocked at the time of our visit.

           o  Incident reports15 prepared by security guards at one lockbox
           bank did not include corrective follow-up actions as required by
           the lockbox processing guidelines (LPG).16 Additionally, we found
           that the lockbox bank security review checklist used by IRS to
           periodically monitor whether all incidents and alarms are recorded
           and reported does not ask whether corrective actions were included
           in the incident reports. Without documentation of the corrective
           action taken on each incident, IRS management does not have a
           record of what, if any, corrective actions the bank took and,
           consequently, will be unable to evaluate the appropriateness of
           these actions or analyze whether other actions are needed to
           minimize the incident from occuring at other lockbox banks.

GAO's Standards for Internal Control in the Federal Government require
that management establish physical controls to secure and safeguard
vulnerable assets and that access to resources and records, such as IRS
receipts and taxpayer information, be limited to authorized individuals to
reduce the risk of unauthorized use or loss to the government. Further,
the IRM requires that access to assets be limited to those employees with
a need due to their official duties and/or responsibilities. The IRM and
LPG also require security guards to report and record significant
conditions or situations to appropriate authorities. IRS relies heavily on
security guards to control entry into all of its SCCs and lockbox banks
and several of the TACs we visited, and to protect taxpayer receipts and
information from theft, loss, or abuse. However, when they do not perform
their duties in accordance with IRS policy, their effectiveness in
achieving these objectives is impaired, thus increasing the risk that
unauthorized individuals may access IRS offices and compromise taxpayer
records and data and/or disrupt operations.

15Incident reports are used by security guards to document and record
their response to suspicious events, incidents, and activities. In
addition, lockbox banks are required to maintain a log of incident
reports, noting the action that the lockbox bank took to correct the
incident.

16Internal Revenue Service, "2005 Lockbox Processing Guidelines"
(Washington, D.C.: January 2005), and subsequent 2005 updates. The 2005
LPG provides guidelines for processing work at lockbox banks serving IRS
for the 2005 filing season.

Recommendations

We recommend that IRS

           o  enforce the requirement that all security or other responsible
           personnel at SCCs and lockbox banks record all instances involving
           the activation of intrusion alarms regardless of the circumstances
           that may have caused the activation;

           o  reemphasize the need for the security guards at all TACs to
           ensure that key posts of duty, such as entrances to facilities,
           are not left unattended; and

           o  revise its lockbox bank's security review checklist to ensure
           that it encompasses reviewing security incident reports to
           validate whether security personnel are providing corrective
           actions related to the incidents cited.

IRS Comments and Our Evaluation

IRS substantially agreed with our recommendations concerning security
guards' roles and responsibilities. Regarding our recommendation that IRS
enforce the requirement that personnel responsible for security at SCCs
and lockbox banks record all instances of activation of intrusion alarms,
IRS stated that it had revised

the Lockbox Security Guidelines in January 2006 to require documentation
of such events. IRS also noted that field security analysts were advised
to enforce this requirement. In addition, IRS indicated that it would
prepare a memorandum to reemphasize security guards' duties and
responsibilities and the importance of meeting security requirements, and
provide it to all TACs by October 2006. IRS also stated that it would
revise its physical security review checklist to ensure that it
encompasses reviewing security incident reports to validate whether
security personnel are providing corrective actions related to the
incidents cited. We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2006 financial audit.

Candling Reviews

In previous audits, we found weaknesses in IRS's controls over candling
and made several recommendations to IRS for improving its candling
procedures at SCCs and lockbox banks.17 Generally, we recommended that IRS
revise candling procedures to specify the precise candling methods to be
used for various types of envelopes received, require management to ensure
that envelopes are properly candled, and monitor adherence to these
requirements. In response, IRS revised its candling procedures to (1)
specify the precise candling method to be used for the first and final
candling based on the dimensions of envelopes received, (2) require that
all envelopes, including those manually extracted (e.g., non letter-size
envelopes), be subject to initial and final candling prior to destruction,
(3) require that non letter-size envelopes be sliced on three sides and
opened flat to assure no contents are left inside the envelope, (4)
require that envelopes opened on three or more sides manually or by
machine still be candled, and (5) require that managers review and
document evidence of their review of items found during candling every day
for each work shift. Additionally, IRS modified the LPG and IRM, as
applicable, to (1) require recording of receipts discovered during
candling in a control log, (2) prohibit a single, isolated employee from
performing candling, and (3) require that all envelopes opened on three or
more sides including those opened by machine, be candled one more time on
a candling table.

17GAO-05-247R.

Despite these actions, during our fiscal year 2005 audit, we continued to
find deficiencies in IRS's oversight and implementation of candling
procedures at three of the four SCCs we visited. At these SCCs, IRS
management did not always enforce the requirement that opened envelopes
receive at least two candlings before they are made available for
destruction. Specifically, we found the following:

           o  At one SCC, we observed that an extractor did not perform
           initial candling of regular letter-size envelopes by placing the
           envelope over a light source. The employee indicated that there
           was no need to place the envelope over the light source because
           they "knew" the envelope was empty.  We also found several non
           letter-size envelopes18 that were not slit open on all three sides
           as required by IRS policy.  In each instance, the envelopes had
           not received initial candling or been properly candled before
           being made available for destruction.

           o  At another SCC, we observed extractors splitting non
           letter-size envelopes on three sides and placing them in the bin
           for shredding without the benefit of a final candling. Also, we
           observed that employees performing final candling did not
           immediately record the items found upon discovery. After further
           inquiry, we found that there was no candling log available at the
           candling table for employees to record the discovered items.

           o  At two SCCs, we found non letter-size envelopes that had been
           slit only once in a bin scheduled for final destruction.  This
           indicates that these envelopes were either only candled once or
           not properly candled before being made available for destruction.

Over the past several years IRS has conducted monthly security reviews of
its receipt and control function responsible for opening and candling
envelopes. While these reviews address various controls designed to
safeguard taxpayer receipts and information, including candling, they do
not address the effectiveness of the candling procedures performed. For
example, there are no questions on the checklist designed to test the
usefulness of the candling procedures or discussions and observations with
employees performing initial and final candling to assess their awareness
of the required candling procedures. GAO's Standards for Internal Control
in the Federal Government requires that management establish physical
controls to secure and safeguard vulnerable assets and provide qualified
and continuous supervision to ensure that control objectives are
achieved.19 Candling is a key control employed by IRS to ensure that
taxpayer receipts are not inadvertently overlooked and destroyed. The lack
of adherence to the prescribed candling procedures limits the
effectiveness of this control and increases the risk of inadvertent loss
or destruction of taxpayer receipts.

18Non letter-size envelopes refer to envelopes that are either larger or
smaller than the standard white business-size envelopes that are used for
mailing such items as personal or business mail (e.g., utility bills, tax
returns, general correspondences).

Recommendation

We recommend that IRS refine the scope and nature of its periodic reviews
of candling processes at SCCs to ensure they (1) encompass tests of
whether envelopes are properly candled through observation of candling in
process and inquiry of employees who perform initial and final candling,
and (2) document the nature and scope of the test and observation results.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated it will revise its Internal
Control Checklist used for the monthly security reviews by January 2007 to
address the effectiveness of the candling procedures performed. We will
evaluate the effectiveness of IRS's efforts during future audits.

Processing of Remittances

During our fiscal year 2005 audit, we found that lockbox banks were not
always timely processing large dollar remittances.20 Specifically, at two
of the lockbox banks we visited, we found large dollar checks that were
not processed immediately. At one of the lockbox banks, six large checks
totaling $1.25 million had been extracted from envelopes but were left in
the extraction area; bank management informed us that the checks were not
immediately processed because they were extracted by an earlier shift and
that the current shift leaders were not aware of them. At the other bank,
we found similar large checks in the extraction area that were not
immediately processed but rather were left in bins while the extraction
team went on a break.

GAO's Standards for Internal Control in the Federal Government require
that transactions be promptly recorded to maintain their relevance and
value to management in controlling operations and making decisions. This
includes the timely processing of transactions. In addition, the LPG
requires that remittances of $50,000 or more be immediately processed and
deposited as part of the first available deposit. IRS conducts periodic
performance and operational reviews of lockbox banks to ensure compliance
with guidelines over processing and securing taxpayer receipts and
information. However, the review process does not assess controls designed
to ensure whether large checks are immediately processed and deposited as
part of the first available deposit, as required by the LPG. By not always
processing high dollar remittances immediately, IRS increases the risk of
loss, theft, or misappropriation of such checks.

19GAO/AIMD-00-21.3.1.

20In the LPG, IRS defines large dollar remittances as those with amounts
$50,000 or greater.

Recommendations

We recommend that IRS

           o  enforce its existing policies and procedures at lockbox banks
           to ensure that all remittances of $50,000 or more are processed
           immediately and deposited at the first available opportunity; and

           o  refine the scope and nature of its periodic reviews of lockbox
           banks to include high dollar remittances to better monitor
           adherence to the requirement that they are processed immediately
           and deposited at the first available opportunity.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning controls over processing
high dollar remittances. IRS stated that it will add appropriate language
to the LPG to enforce its existing policies and procedures at lockbox
banks for handling remittances of $50,000 or more. IRS also stated that by
May 2006, it will add a review checkpoint for high dollar remittances to
the Processing Internal Controls Data Collection Instrument used by
Lockbox Field Coordinators during on-site reviews. We will evaluate the
effectiveness of IRS's efforts during our fiscal year 2006 financial
audit.

Physical Access Controls at Tax Return Processing Facilities

As the U.S. government's principal revenue-collecting agency, IRS collects
more than two trillion dollars in taxes each year, accounting for more
than 95 percent of the U.S. government's total revenues. This includes
hundreds of millions of dollars in hardcopy tax payments and related
information which is submitted to IRS tax processing facilities by
millions of taxpayers. IRS has a responsibility to safeguard these
payments and the related information entrusted to it by the nation's
taxpayers. To fulfill this responsibility, it is essential that IRS have
effective physical security controls to prevent unauthorized access to its
tax return processing facilities. However, we found deficiencies in
several of these controls during our fiscal year 2005 audit. Specifically,
at two of the SCCs and at one of the lockbox banks we visited as part of
our audit, we found weaknesses in controls over access to the facility
and/or surrounding perimeter that increase the risk of penetration by
unauthorized individuals. For example:

           o  At one SCC, we observed flaws in the security over the
           facility's perimeter that could allow unauthorized individuals to
           bypass security guards and enter the grounds unobserved. These
           flaws included (1) unguarded entrances to perimeter grounds, (2)
           gaps in the security fence, and (3) overgrown shrubbery which
           obstructed the view of security personnel.

           o  At the same SCC, we observed that employees entering the
           facility were not always subject to verification of their
           credentials. At the SCC, we observed employees closely following
           an employee who had opened a secure door with their proximity
           access card; these individuals were able to enter without
           presenting credentials of their own (a practice known as
           "piggybacking"). In testing another entrance, we found the same
           weakness by entering via piggybacking on IRS employees who had
           presented access cards.

           o  At the second SCC's annex facility, we found two loading dock
           door alarms that were both inoperable. IRS officials at the
           facility informed us that they had been inoperable since they had
           been inadvertently deactivated while performing maintenance on an
           adjacent door three weeks earlier.

           o  At the lockbox bank, we found that couriers from two different
           mail delivery services were allowed to enter the facility without
           first presenting proper identification.

GAO's Standards for Internal Control in the Federal Government requires
that agencies establish physical controls to limit access to vulnerable
assets and records to authorized individuals. To help ensure that its
physical security controls are effective, IRS routinely reviews the
security at all SCCs and lockbox banks, identifies weaknesses, and pursues
corrective actions. However, at SCCs, these reviews do not encompass
reviewing controls over access to the grounds through the outer perimeter.
Additionally, at both SCCs and lockbox banks, the reviews do not encompass
testing the effectiveness of controls intended to prevent individuals
without proper credentials from entering the facility. Also, while the IRM
requires that SCC intrusion alarm systems be tested, it only requires that
the testing be conducted annually. Consequently, an alarm could
potentially be dysfunctional for an extended period and remain undetected
for several months. Also, the IRM does not offer guidance as to how these
tests should be conducted and the results documented. These weaknesses
increase the risk that unauthorized individuals may enter these tax return
processing facilities and potentially disrupt operations or compromise the
taxpayer receipts or information they process.

Recommendations

We recommend that IRS

           o  refine the scope and nature of its periodic security reviews to
           encompass (1) testing the effectiveness of controls intended to
           ensure that only individuals with proper credentials are permitted
           access to SCCs and lockbox banks, and (2) reviewing the integrity
           of perimeter security at SCCs; and

           o  revise the physical security procedures contained in the IRM to
           require that all SCCs and any respective annex facilities
           processing taxpayer receipts and/or information perform and
           document monthly tests of the facility's intrusion detection
           alarms. At a minimum, these procedures should (1) outline the type
           of test to be conducted, (2) include criteria for assessing
           whether the controls used to respond to the alarm were effective,
           and (3) require that a logbook be maintained to document the test
           dates, results, and response information.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning physical access controls at
tax processing facilities. In response to our recommendation that IRS
refine the nature of its periodic security reviews, IRS stated that the
lockbox bank site discussed in the audit report that did not restrict
access of unauthorized employees was instructed to immediately prohibit
entry and acceptance of deliveries from these and similar unauthorized
employees in the loading dock area. IRS stated that its review team will
add this requirement as a specific review item in their physical security
review process. Additionally, IRS indicated that it had updated its
Security Review Procedures and Checklist for SCCs and lockbox banks and
conducted quarterly reviews with the new procedures/checklist to assess
employee piggybacking attempts, fence lines, landscaping, and alarm
testing. IRS noted that it will update the IRM and LPG related to the SCCs
alarm testing procedures to include a description of the types of tests to
be conducted, criteria for assessing controls, and the logging of
requirements by August 2007. We will evaluate the effectiveness of IRS's
efforts during future audits.

Hiring Juveniles for Access to Taxpayer Receipts and Information

IRS requires background investigations on every prospective contract or
non-contract employee prior to granting them access to taxpayer receipts
and information. However, legal restrictions limit the scope of background
investigations for juvenile applicants. Specifically, title 18 of the
United States Code, section 5038, prevents the release of criminal records
on juveniles when the request is related to an application for employment.
To compensate, IRS policy requires that juveniles hired to perform receipt
and control processing functions submit a Recommendation for Juvenile
Employment (form 13094) or an equivalent document from an individual
recommending the juvenile for employment in a position of trust.21
However, during our fiscal year 2005 audit, we found limitations in IRS's
design and implementation of its policy. Specifically, we found the
following:

           o  IRS policy requiring the completed form 13094 only applies to
           juveniles hired to perform receipt processing functions. However,
           access to taxpayer information is not limited to staff assigned to
           receipt processing functions. Thus, this policy may allow
           juveniles access to taxpayer information without providing any
           references.

           o  The form 13094s are provided directly to IRS by the juvenile as
           part of the application package, and IRS personnel officials do
           not verify the source of the information submitted.
           Consequentially, IRS does not have adequate assurance that the
           individual whose name appears on the form actually exists and that
           they completed the form as represented.

           o  The form does not require that the reference describe his or
           her relationship with the juvenile, including the number of years
           known and the nature of the relationship, in order to allow IRS to
           assess whether the reference has sufficient basis to recommend the
           juvenile for employment.

           o  IRS did not obtain form 13094s for three juveniles hired in the
           receipt and control processing function during fiscal year 2005.
           According to IRS officials, they decided not to request the form
           from these three individuals because they graduated from high
           school prior to attaining the age of 18 and did not have a current
           or former employer or a current teacher, counselor, or principal
           as required by the form's instructions. As a result, these three
           juveniles were given access to taxpayer receipts and information
           without an independent assessment of their character, as required
           by IRS policy.

21The Recommendation for Juvenile Employment form asks the reference
provider to check off whether he or she feels that the juvenile is
suitable for a position of trust or to disclaim his/her knowledge of the
juvenile. Other data captured includes the name of the reference and
information related to the school and current/former employer of the
juvenile.

GAO's Standards for Internal Control in the Federal Government requires
that access to resources and records, such as IRS receipts and taxpayer
data, be limited to authorized individuals to reduce the risk of
unauthorized use or loss to the government.22 By not (1) always obtaining
a character reference for juveniles to be permitted access to taxpayer
receipts and information and (2) independently verifying the source of the
information on the form, IRS increases the risk that juveniles with
inappropriate backgrounds may obtain access to sensitive taxpayer receipts
and information.

Recommendations

We recommend that IRS

           o  amend its policy to require that a completed form 13094 with a
           positive recommendation be provided for every juvenile hired to
           any position that will allow access to taxpayer receipts and/or
           taxpayer information;

           o  require IRS personnel to verify the information on the form
           13094 by contacting the reference directly;

           o  revise the form 13094 to require the reference to describe
           his/her relationship with the juvenile, including extent of
           first-hand contact, to allow IRS to review the forms and assess
           whether the referencer has sufficient basis to recommend that
           juvenile to a position of trust; and

           o  establish procedures for hiring juveniles who do not have a
           current teacher, principal, counselor, employer or former
           employer, and clarify that IRS's current policies and procedures
           should not be interpreted to mean that such juveniles should be
           allowed access to taxpayer receipts and information without a form
           13094 or its equivalent. These procedures could include a list of
           acceptable alternatives that may serve as references for juveniles
           who do not have a current teacher, principal, or guidance
           counselor.

22GAO/AIMD-00-21.3.1.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning controls over hiring
juveniles. To address these recommendations, IRS stated that (1) it will
amend its policy to require that a completed Recommendation for Juvenile
Employment (form 13094) with a positive recommendation be provided for
every juvenile hired to any position allowing access to taxpayer receipts
and/or taxpayer information; (2) once the Office of Management and Budget
(OMB) approves the revised form 13094, it will, by August 2006, issue a
new policy requiring IRS personnel to verify the information on the form
13094 by contacting the reference directly; (3) it will make appropriate
revisions to the form 13094 to require the reference to describe his/her
relationship with the juvenile; and (4) after OMB approves the revised
form 13094, it will issue a new policy establishing procedures for hiring
juveniles who do not have a current teacher, principal, counselor,
employer or former employer, and clarify that IRS's current policies and
procedures should not be interpreted to mean that such juveniles should be
allowed access to taxpayer receipts and information without a form 13094
or its equivalent.  We will evaluate the effectiveness of IRS's efforts
during our fiscal year 2006 financial audit.

Classifying and Reporting Expense and P&E Transactions

During our fiscal year 2005 audit, we found deficiencies in IRS's controls
over the classification and reporting of transactions relating to its
expenses and property and equipment (P&E) acquisitions. Specifically, IRS
did not always assure that it properly classified its procurement
transactions as P&E and recognized assets when they met its capitalization
criteria, or as expenses when they did not. IRS's property and equipment
capitalization policy, which is consistent with Statement of Federal
Financial Accounting Standards No. 623 and provides criteria on the
capitalization of P&E, requires the recognition of assets when its
capitalization criteria is met and the recognition of expense when it is
not. To implement this policy, IRS requires its staff to classify expense
and P&E acquisition transactions at the time orders are placed and assign
and record the classification and accounting codes in the general ledger
when they record the obligations. At the end of each month, IRS personnel
review the entries to expense and P&E accounts considered more susceptible
to error to determine if any classification errors occurred and, if so, to
make the necessary corrections to properly classify and record them. We
noted that IRS's established policy, if properly implemented, could help
its staff differentiate between expense and P&E transactions and, through
periodic reviews, detect and correct transactions improperly recorded in
the expense and P&E accounts. However, IRS's staff did not always follow
the capitalization policy effectively in fiscal year 2005.

23U.S. Federal Accounting Standards Advisory Board (FASAB), SFFAS No. 6,
Accounting for Property, Plant, and Equipment.

We tested a total of 267 sampled transactions from IRS's non-payroll
expenses and P&E acquisitions recorded during the first 9 months of fiscal
year 2005 and accounts payable as of September 30, 2005, and found that 6
of the transactions were classified and reported incorrectly.
Specifically:

           o  We found two instances where IRS initially recorded purchases
           of automated data processing equipment with a total cost of $7.8
           million correctly as P&E acquisitions but subsequently reviewed
           the initial accounting treatment, removed the transactions from
           P&E, and erroneously included them in the expense accounts. In
           another instance, IRS initially recorded a $266,000 purchase of
           information services correctly as an expense but, after one of its
           periodic reviews, removed it from expense and erroneously included
           it as capitalized P&E.

           o  In the remaining 3 instances, IRS initially misclassified
           procurement transactions totaling $1.7 million that should have
           been recorded as expenses and incorrectly recorded them as P&E.
           One transaction involved an operating lease payment that IRS
           capitalized as an asset instead of including it in expenses. The
           other 2 transactions involved charges for support services that
           IRS misclassified and incorrectly recorded as P&E instead of
           expenses. IRS did not detect and correct these misclassified
           transactions either when they were initially recorded or during
           its periodic review process.

GAO's Standards for Internal Control in the Federal Government require
that transactions and other events be accurately and timely recorded to
maintain their relevance and value to management in controlling operations
and making decisions. This applies to the entire process or life cycle of
a transaction or event from the initiation and authorization through its
final classification in summary records. In addition, control activities
help to ensure that all transactions are completely and accurately
recorded.

The errors we found occurred because IRS's controls over its property and
equipment capitalization process were not always effective. While these
errors did not result in a material misstatement to IRS's fiscal year 2005
financial statements, the control weaknesses that gave rise to these
errors precludes IRS from having assurance that its financial records for
expenses and capital assets are capable of generating reliable reports on
an ongoing basis throughout the year.

Recommendation

To assure proper accounting treatment of expense and P&E transactions and
reliable financial reporting, we recommend that IRS enforce its property
and equipment capitalization policy to ensure that it is properly
implemented to fully achieve management's objectives, including
recognizing assets when its capitalization criteria is met and recognizing
expenses when it is not.

IRS Comments and Our Evaluation

IRS agreed with our recommendation. IRS's stated that its Chief Financial
Officer and Procurement Office implemented new procedures for reviewing
the classification of P&E into its accounting system. The Procurement
Office will begin reviewing classification codes to ensure correctness and
will take all necessary steps to ensure end users correct errors prior to
entering the obligations. IRS expects these new procedures to be fully
operational for the fourth quarter of fiscal year 2006. IRS also stated
that it modified the scope of its monthly review of P&E transactions to
include only obligations above a pre-determined dollar threshold. IRS
indicated that these procedures were implemented in April 2006 for P&E
acquired in March 2006. We will evaluate the effectiveness of IRS's
efforts during our fiscal year 2006 financial statement audit.

Recording Disposals of Property and Equipment

In prior years, we identified deficiencies in IRS's process for recording
property and equipment (P&E) transactions in its inventory records. Over
the past several years, IRS has made substantial progress in improving the
accuracy and reliability of its inventory records. While we recognize
IRS's progress, our work performed as part of our fiscal year 2005 audit
indicates that further improvements are needed. During our audit, we found
that IRS staff did not always follow the agency's procedures requiring the
prompt recording of disposals of property and equipment in its inventory
records.

The P&E disposal process is initiated when the function utilizing P&E
notifies the local Single Point Inventory Function (SPIF) unit that they
have P&E to be excessed or retired. The local SPIF unit arranges to remove
the P&E, prepares the necessary paperwork, updates the inventory records
to reflect that the asset is pending disposal, and turns custody of the
P&E over to the Facilities Management Branch (FMB). FMB has responsibility
for physical disposition of the P&E and updating the inventory records to
reflect the final disposal. The IRM specifies that P&E inventory records
must be updated to reflect all disposals within ten days of the action.

During our fiscal year 2005 audit, we found that eight of 220 items
selected from IRS's inventory records could not be located.24 All of these
assets had been disposed of, but the inventory records reflected the
assets as pending disposal. FMB had not updated the inventory system to
change the disposal status from pending to final. For three of the
exceptions found at one location, the assets were retired on May 15, 2004,
but the disposals were still reflected as pending as of July 15, 2005,
more than one year after the date of disposal. IRS's property management
system does not generate aging reports to indicate the length of time
assets have remained in pending status.

GAO's Standards for Internal Control in the Federal Government require
agencies to implement internal control procedures to ensure the accurate
and timely recording of transactions and events. This standard further
states that transactions should be promptly recorded to maintain their
relevance and value to management in controlling operations and making
decisions. Property records that are out of date impede management's
ability to make sound operating decisions, monitor performance, and
allocate resources, and can result in undetected theft or loss of assets.

24For our book-to-floor sample, we selected a two-stage cluster sample of
P&E items. In the first stage, we selected a sample of 22 buildings in
probabilities proportionate to the number of P&E items in each building's
inventory records. In the second stage, we randomly selected a sample of
10 assets located at each of the 22 buildings.

Recommendation

We recommend that IRS

           o  generate aging reports when an asset remains in pending
           disposal status for longer than a specified period of time; and

           o  direct FMB managers to research and resolve the aging reports.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning recording disposals of
property and equipment. IRS indicated that issues raised in the fiscal
year 2005 financial statement audit were being addressed through an IRS
re-engineering effort focused on the entire asset retirement and disposal
process. IRS stated that it currently has reports available to monitor
aging transactions during the disposal life cycle. IRS also indicated that
it is (1) developing procedures to require reviews of aging reports to
streamline the process to ensure timely recording of disposal
transactions, and (2) modifying software to electronically record such
transactions. IRS intends to implement these modifications and review
procedures by August 2006. We will evaluate the effectiveness of IRS's
efforts during our fiscal year 2006 financial statement audit.

                                   - - - - -

This report contains recommendations to you. The head of a federal agency
is required by 31 U.S.C. S: 720 to submit a written statement on actions
taken on these recommendations. You should submit your statement to the
Senate Committee on Homeland Security and Governmental Affairs and the
House Committee on Government Reform within 60 days of the date of this
report. A written statement must also be sent to the House and Senate
Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of the report.

This report is intended for use by the management of IRS. We are sending
copies to the Chairmen and Ranking Minority Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate Committee
on Homeland Security and Governmental Affairs; and Subcommittee on
Taxation and IRS Oversight, Senate Committee on Finance. We are also
sending copies to the Chairmen and Ranking Minority Members of the House
Committee on Appropriations; House Committee on Ways and Means; the
Chairman and Vice-Chairman of the Joint Committee on Taxation, the
Secretary of the Treasury, the Director of the Office of Management and
Budget, the Chairman of the IRS Oversight Board, and other interested
parties. The report is available at no charge on GAO's Web site at
http://www.gao.gov .

We acknowledge and appreciate the cooperation and assistance provided by
IRS officials and staff during our audits of IRS's fiscal years 2005 and
2004 financial statements. Please contact me at (202) 512-3406 or
[email protected] if you or your staff have any questions concerning this
report. Contact points for our Offices of Congressional Relations and
Public Affairs may be found on the last page of this report. GAO staff who
made major contributions to this report are listed in enclosure III.

Steven J. Sebastian

Director

Financial Management and Assurance

Enclosures - 3

Enclosure I

Comments from the Internal Revenue Service

Enclosure II

Details on Audit Methodology

To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements, we did the following:

           o  Examined, on a test basis, evidence supporting the amounts and
           disclosures in the financial statements. This included testing
           selected statistical samples of unpaid assessment, revenue,
           refund, accrued expenses, payroll, nonpayroll, property and
           equipment, and undelivered order transactions. These statistical
           samples were selected primarily to substantiate balances and
           activities reported in IRS's financial statements. Consequently,
           dollar errors or amounts can and have been statistically projected
           to the population of transactions from which they were selected.
           In testing these samples, certain attributes were identified that
           indicated either significant deficiencies in the design or
           operation of internal control or compliance with provisions of
           laws and regulations. These attributes, where applicable, can be
           and have been statistically projected to the appropriate
           populations.
           o  Assessed the accounting principles used and significant
           estimates made by management.
           o  Evaluated the overall presentation of the financial statements.
           o  Obtained an understanding of internal controls related to
           financial reporting (including safeguarding assets), compliance
           with laws and regulations (including the execution of transactions
           in accordance with budget authority), and performance measures
           reported in the Management Discussion and Analysis.
           o  Tested relevant internal controls over financial reporting
           (including safeguarding assets) and compliance, and evaluated the
           design and operating effectiveness of internal controls.
           o  Considered the process for evaluating and reporting on internal
           controls and financial management systems under 31 U.S.C. S: 3512
           (c), (d), commonly referred to as the Federal Managers'  Financial
           Integrity Act of 1982.
           o  Tested compliance with selected provisions of the following
           laws and regulations: Anti-Deficiency Act, as amended (31 U.S.C.
           S: 1341(a)(1) and 31 U.S.C. S: 1517(a)); Purpose Statute (31
           U.S.C. S: 1301); Release of lien or discharge of property (26
           U.S.C. S: 6325); Interest on underpayment, nonpayment, or
           extensions of time for payment of tax (26 U.S.C. S: 6601);
           Interest on overpayments (26 U.S.C. S: 6611); Determination of
           rate of interest (26 U.S.C. S: 6621); Failure to file tax return
           or to pay tax (26 U.S.C. S: 6651); Failure by individual to pay
           estimated income tax (26 U.S.C. S: 6654); Failure by corporation
           to pay estimated income tax (26 U.S.C. S: 6655); Prompt Payment
           Act (31 U.S.C. S: 3902(a), (b), and (f) and 31 U.S.C. S: 3904);
           Pay and Allowance System for Civilian Employees (5 U.S.C. S:S:
           5332 and 5343, and 29 U.S.C. S: 206); Federal Employees'
           Retirement System Act of 1986, as amended (5 U.S.C. S:S: 8422,
           8423, and 8432); Social Security Act, as amended (26 U.S.C. S:S:
           3101 and 3121 and 42 U.S.C. S: 430); Federal Employees Health
           Benefits Act of 1959, as amended (5 U.S.C. S:S: 8905, 8906, and
           8909); Transportation, Treasury, and Independent Agencies
           Appropriations Act, 2004, Pub. L. No. 108- 199, div. F, tit. II,
           118 Stat. 314 (Jan. 23, 2004); and Transportation, Treasury,
           Independent Agencies, and General Government Appropriations Act,
           2005, Pub. L. No. 108-447, div. H, tit. II, 118 Stat. 3235 (Dec.
           8, 2004).

           o  Tested whether IRS's financial management systems substantially
           comply with the three requirements of the Federal Financial
           Management Improvement Act of 1996 (Pub. L. No. 104-208, div. A,
           S: 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996).

Enclosure III

Staff Acknowledgments

___________________________________________________________________________

The following individuals made major contributions to this report: Charles 
Fox-Assistant Director, Manmei Chen, John Davis, Paul Foderaro, Ted Hu,    
Jerrod O'Nelio, Theresa Patrizio, Robert Preshlock, John Sawyer, Angel     
Sharma, Peggy Smith, and Gary Wiggins.                                     

Acknowledgments

(196092)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
*** End of document. ***