Internal Revenue Service: Status of Recommendations from
Financial Audits and Related Financial Management Reports
(06-JUN-06, GAO-06-560).
In its role as the nation's tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility in annually
collecting over $2 trillion in taxes, processing hundreds of
millions of tax and information returns, and enforcing the
nation's tax laws. Since its first audit of IRS's financial
statements in fiscal year 1992, GAO has identified a number of
weaknesses in IRS's financial management operations. In related
reports, GAO has recommended corrective action to address those
weaknesses. Each year, as part of the annual audit of IRS's
financial statements, GAO not only makes recommendations to
address any new weaknesses identified but also follows up on the
status of weaknesses GAO identified in previous years' audits.
The purpose of this report is to (1) assist IRS management in
tracking the status of audit recommendations and actions needed
to fully address them and (2) demonstrate how the recommendations
fit into IRS's overall management and internal control structure.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-560
ACCNO: A55199
TITLE: Internal Revenue Service: Status of Recommendations from
Financial Audits and Related Financial Management Reports
DATE: 06/06/2006
SUBJECT: Financial management
Financial management systems
Financial statement audits
Internal controls
Tax administration systems
Audit recommendations
Corrective action
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-560
* Results in Brief
* Background
* Objectives, Scope, and Methodology
* IRS's Progress on Financial Management Recommendations
* Status of Recommendations Based on the Fiscal Year 2005 Fina
* Relation of Open Recommendations to IRS's Control Environmen
* Open Recommendations Grouped by Control Activity
* Safeguarding of Assets and Security Activities
* Proper Recording and Documenting of Transactions
* Effective Management Review and Oversight
* Concluding Observations
* Agency Comments and Our Evaluation
* Appendix I: Status of GAO Recommendations from IRS Financial
* Appendix II: Comments from the Internal Revenue Service
* Appendix III: Staff Acknowledgments
* Order by Mail or Phone
Report to the Commissioner of Internal Revenue
United States Government Accountability Office
GAO
June 2006
INTERNAL REVENUE SERVICE
Status of Recommendations from Financial Audits and Related Financial
Management Reports
GAO-06-560
Contents
Letter 1
Results in Brief 3
Background 3
Objectives, Scope, and Methodology 6
IRS's Progress on Financial Management Recommendations 7
Open Recommendations Grouped by Control Activity 12
Concluding Observations 27
Agency Comments and Our Evaluation 27
Appendix I Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports 29
Appendix II Comments from the Internal Revenue Service 89
Appendix III Staff Acknowledgments 90
Tables
Table 1: Summary of Open Recommendations 11
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets 13
Table 3: Recommendations to Improve IRS's Segregation of Duties 15
Table 4: Recommendations to Improve IRS's Controls over Information
Processing 17
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records 18
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control 19
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events 21
Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events 22
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level 24
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators 26
Table 11: Recommendation to Improve IRS's Management of Human Capital 27
Abbreviations
ALS Automated Lien System
ATFR Automated Trust Fund Recovery
AUR Automated Under Reporter
AWSS Agency-Wide Shared Services
BMF Business Master File
BPMS Business Performance Management System
CAP Custodial Accounting Project
CCP Centralized Case Processing
CCTV closed-circuit television
CDDB Custodial Detail Data Base
CFO chief financial officer
CIO chief information officer
CIQMS complex interest quality measurement system
COTR contracting officer's technical representative
CPE continuing professional education
DCI data collection instrument
FMFIA Federal Managers' Financial Integrity Act of 1982
FMIS Financial Management Information System
FMS Financial Management Service
FRB Federal Reserve Bank
IDRS Integrated Data Retrieval System
IFS Integrated Financial System
IMF Individual Master File
IRM Internal Revenue Manual
IRS Internal Revenue Service
IT information technology
LEM Security Law Enforcement Manual
LMSB Large and Mid-sized Business
LPG Lockbox Processing Guidelines
LSG Lockbox Security Guide
MOU memorandum of understanding
NBIC National Background Investigation Center
NFC National Finance Center
OMB Office of Management and Budget
P&E property and equipment
POD post of duty
PSEP office of Physical Security and Emergency Preparedness
SATMOD satisfied module
SB/SE Small Business/Self-Employed
SCC service center campus
SERP Service-wide Electronic Research Program
SETS Security Entry and Tracking System
SP Submission Processing
SPC submission processing center
TAC taxpayer assistance center
TE/GE Tax Exempt and Government Entities
TFRP Trust Fund Recovery Penalty
TGA Treasury's General Account
W&I Wage and Investment
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 6, 2006 June 6, 2006
The Honorable Mark W. Everson Commissioner of Internal Revenue The
Honorable Mark W. Everson Commissioner of Internal Revenue
Dear Mr. Everson: Dear Mr. Everson:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2005, IRS
collected about $2.3 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $267 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices. In its role as the nation's tax collector, the
Internal Revenue Service (IRS) has a demanding responsibility to collect
taxes, process tax returns, and enforce the nation's tax laws. In fiscal
year 2005, IRS collected about $2.3 trillion in tax payments, processed
hundreds of millions of tax and information returns, and paid about $267
billion in refunds to taxpayers. Because of its role and overall mission,
IRS's activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.
IRS has made much progress in improving its financial management since it
was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress has led to its ability to
obtain and maintain a clean audit opinion on its financial statements each
year beginning in fiscal year 2000, and to correct several material
internal control weaknesses over the years. Despite these considerable
improvements, however, more remains to be done to address long-standing
internal control issues that continue to plague the agency. IRS continues
to have weak or ineffective internal controls over fundamental elements of
its operations that leave it vulnerable to a greater risk of fraud, waste,
abuse, and mismanagement. This, in turn, has the potential to impact the
lives of the nation's taxpayers, as our audits over the years have
demonstrated. IRS has made much progress in improving its financial
management since it was first required to prepare and have audited a set
of financial statements in fiscal year 1992. This progress has led to its
ability to obtain and maintain a clean audit opinion on its financial
statements each year beginning in fiscal year 2000, and to correct several
material internal control weaknesses over the years. Despite these
considerable improvements, however, more remains to be done to address
long-standing internal control issues that continue to plague the agency.
IRS continues to have weak or ineffective internal controls over
fundamental elements of its operations that leave it vulnerable to a
greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has
the potential to impact the lives of the nation's taxpayers, as our audits
over the years have demonstrated.
An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting errors
and fraud, as well as in helping to effectively manage its stewardship
over public An agency's internal control environment serves as the first
line of defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.1 Unfortunately, IRS continues to be
challenged with several long-standing material weaknesses in internal
control that are at the heart of IRS's operations.2 During our audit of
IRS's fiscal year 2005 financial statements, we continued to find material
weaknesses in controls over
o financial reporting (including safeguarding of assets),
o unpaid tax assessments,
o identifying and collecting tax revenues due and issuing tax
refunds, and
o information systems security.
In addition to the material weaknesses, we continued to identify
two reportable conditions, including deficiencies in controls over
(1) hard-copy tax receipts and taxpayer data, which increase the
government's and taxpayer's risk of loss or inappropriate
disclosure of taxpayer data, and (2) property and equipment (P&E),
which preclude IRS from readily reconciling its property records
to its financial records.
To assist IRS in strengthening its internal controls and improving
its operations, we have made numerous recommendations as part of
our annual financial statement audits and other financial
management-related work at IRS. This report is being provided to
you to (1) assist IRS management in tracking the status of
financial audit and financial management-related recommendations
and the actions needed to address them and (2) demonstrate how the
recommendations fit into IRS's overall management and internal
control structure. In cases where IRS has taken action on open
recommendations that did not result in our closing them, we
explain why this occurred.
We conducted our review from December 2005 through May 2006 in
accordance with U.S. generally accepted government auditing
standards.
IRS management continues to make progress in addressing many of
the internal control deficiencies that plague the agency. At the
beginning of the fiscal year 2005 IRS financial statement audit,
84 financial management-related recommendations from prior audits
remained open because IRS had not addressed the issues that gave
rise to them sufficiently to allow us to close them. During the
fiscal year 2005 financial audit, IRS took actions to effectively
address issues that gave rise to numerous recommendations,
enabling us to close 34 of those recommendations. However, more
efforts are needed by IRS to effectively address its financial
management challenges. During our fiscal year 2005 financial
audit, we continued to identify recurring internal control
deficiencies, as well as new deficiencies, and we made 22 new
recommendations to address these newly identified issues. As a
result, 72 recommendations to address IRS's internal control
deficiencies remain open.
In analyzing the nature of these open financial management
recommendations, we found that 29 recommendations, or 40 percent,
relate to issues associated with IRS's lack of effective controls
over safeguarding assets and security activities. Another 26
recommendations, or more than a third of the open recommendations,
relate to issues associated with IRS's inability to properly
record and document transactions. The remaining 17
recommendations, or approximately 24 percent, relate to issues
associated with lack of effective management review and oversight.
Effective implementation of these open recommendations could
greatly assist IRS in improving its internal controls and
achieving sound financial management. We are making no new
recommendations in this report.
In commenting on this report, IRS highlighted its efforts to
further improve its internal controls over hard-copy tax receipts,
and felt our grouping of the remaining open recommendations into
broad internal control categories will facilitate its strategy to
address its remaining financial management issues. We have
reprinted IRS's written comments in appendix II.
Internal control is not one event, but a series of actions and
activities that occur throughout an entity's operations and on an
ongoing basis. Internal control should be recognized as an
integral part of each system that management uses to regulate and
guide its operations rather than as a separate system within an
agency. In this sense, internal control is management control that
is built into the entity as a part of its infrastructure to help
managers run the entity and achieve their goals on an ongoing
basis.
Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as
the Federal Managers' Financial Integrity Act of 1982 (FMFIA)),
requires agencies to establish and maintain internal control. The
agency head must annually evaluate and report on the control and
financial systems that protect the integrity of federal programs.
The requirements of FMFIA serve as an umbrella under which other
reviews, evaluations, and audits should be coordinated and
considered to support management's assertion about the
effectiveness of internal control over operations, financial
reporting, and compliance with laws and regulations.
Office of Management and Budget (OMB) Circular No. A-123,
Management's Responsibility for Internal Control (revised Dec. 21,
2004), provides the implementing guidance for FMFIA, and sets out
the specific requirements for assessing and reporting on internal
controls3 consistent with the internal control standards issued by
the Comptroller General of the United States.4 The circular, which
was revised in 2004 with the revisions effective for fiscal year
2006, defines management's responsibilities related to internal
control and the process for assessing internal control
effectiveness, and provides specific requirements for conducting
management's assessment of the effectiveness of internal control
over financial reporting. The circular requires management to
annually provide assurances on internal control in its Performance
and Accountability Report, and for the Chief Financial Officers
(CFO) Act agencies, beginning in fiscal year 2006, to include a
separate assurance on internal control over financial reporting,
along with a report on identified material weaknesses and
corrective actions.5 The circular also emphasizes the need for
integrated and coordinated internal control assessments that
synchronize all internal control-related activities.
FMFIA requires GAO to issue standards for internal control in the
federal government. GAO's Standards for Internal Control in the
Federal Government provides the overall framework for establishing
and maintaining internal control and for identifying and
addressing major performance and management challenges and areas
at greatest risk of fraud, waste, abuse, and mismanagement.
As summarized in GAO's Standards for Internal Control in the
Federal Government, the minimum level of quality acceptable for
internal control in the government is defined by the following
five standards, which also provide the basis against which
internal controls are to be evaluated:
o Control environment: Management and employees should establish
and maintain an environment throughout the organization that sets
a positive and supportive attitude toward internal control and
conscientious management.
o Risk assessment: Internal control should provide for an
assessment of the risks the agency faces from both external and
internal sources.
o Control activities: Internal control activities help ensure
that management's directives are carried out. The control
activities should be effective and efficient in accomplishing the
agency's control objectives.
o Information and communications: Information should be recorded
and communicated to management and others within the entity who
need it and in a form and within a time frame that enables them to
carry out their internal control and other responsibilities.
o Monitoring: Internal control monitoring should assess the
quality of performance over time and ensure that the findings of
audits and other reviews are promptly resolved.
The third control standard-internal control activities-helps
ensure that management's directives are carried out. Control
activities are the policies, procedures, techniques, and
mechanisms that enforce management's directives. In other words,
they are the activities conducted in the everyday course of
business that accomplish a control objective, such as ensuring IRS
employees successfully complete background checks prior to being
granted access to taxpayer information and receipts. As such,
control activities are an integral part of an entity's planning,
implementing, reviewing, and accountability for stewardship of
government resources and achievement of effective results.
A key objective in our annual audits of IRS's financial statements
is to obtain reasonable assurance about whether IRS maintained
effective internal controls with respect to financial reporting,
including safeguarding of assets, and compliance with laws and
regulations. While all five internal control standards are
critical and are used by us as a basis for evaluating the
effectiveness of IRS's internal controls, we place a heavy
emphasis on testing control activities. This has resulted in the
identification of significant deficiencies in certain internal
controls over the years and recommendations for corrective action.
The objectives of this report are to (1) assist IRS management in
tracking the status of financial audit and financial
management-related recommendations and the actions needed to
address them and (2) demonstrate how the recommendations fit into
IRS's overall management and internal control structure. To
accomplish these objectives, we evaluated the effectiveness of
IRS's corrective actions implemented in response to open
recommendations during fiscal year 2005 as part of our fiscal
years 2005 and 2004 financial audits. To report on the current
status of the recommendations, we obtained the status of each
recommendation and corrective action taken or planned as of April
2006, as reported to us by IRS. We then compared IRS's assessment
to our fiscal year 2005 audit findings and noted any differences
between IRS's and our conclusions regarding the status of each
recommendation.
In order to determine how these recommendations fit within IRS's
management and internal control structure, we compared the open
recommendations, and the issues that gave rise to them, to the
control activities listed in GAO's Standards for Internal Control
in the Federal Government and to the list of major factors and
examples outlined in our Internal Control Management and
Evaluation Tool.6 We also considered how the recommendations and
the underlying issues were categorized in our prior reports,
whether IRS had addressed in whole or in part the underlying
control issues that gave rise to the recommendations, and other
legal requirements and implementing guidance, such as OMB Circular
No. A-123; FMFIA; and the Federal Information System Controls
Audit Manual, GAO/AIMD-12.19.6 (revised June 2001).
We conducted our review from December 2005 through May 2006 in
accordance with U.S. generally accepted government auditing
standards. We requested comments on a draft of this report from
the Commissioner of Internal Revenue or his designee. We received
written comments from the commissioner, which are reprinted in
appendix II.
IRS continues to make progress on addressing its significant
financial management challenges. Over the years since we first
began auditing IRS's financial statements in fiscal year 1992, we
have closed out over 200 financial management-related
recommendations we made based on actions IRS has taken to improve
its internal controls and operational efficiency. This includes 34
recommendations we are closing in fiscal year 2006 based on
actions IRS took during the period covered by our fiscal year 2005
financial audit. At the same time, however, our audits continue to
identify significant internal control deficiencies, resulting in
our making further recommendations for corrective action,
including 22 new financial management-related recommendations
resulting from our fiscal year 2005 financial audit. These
internal control deficiencies, and the resulting recommendations,
can directly be traced to the control activities in GAO's
Standards for Internal Control in the Federal Government. As such,
it is essential that they be fully addressed and resolved to
strengthen IRS's overall financial management and to assist it in
achieving its goals and mission.
In April 2005, we issued a report on the status of IRS's efforts
to implement corrective actions to address financial management
recommendations stemming from our fiscal year 2004 and prior year
financial audits and other financial management-related work.7 In
that report, we identified 84 audit recommendations that at that
time, remained open and thus required corrective action by IRS. A
significant number of these recommendations had been open for
several years, either because IRS had not taken corrective action
or because the actions taken had not been effective in resolving
the issues that gave rise to the recommendations.
IRS continued to work to address many of the internal control
deficiencies to which these open recommendations relate. In the
course of performing our fiscal year 2005 financial audit, we
identified numerous actions IRS took to address many of its
internal control deficiencies. Based on IRS's actions, which we
were able to substantiate through our audit, we are able to close
34 of these prior years' recommendations since we concluded that
IRS's actions effectively addressed the issues that gave rise to
them. IRS considers another 23 of the prior years' recommendations
to be effectively addressed. However, we still consider them to be
open either because we have not yet had time to verify the
effectiveness of IRS's actions-they occurred subsequent to
completion of our audit testing and thus have not been verified,
which is a prerequisite to our closing a recommendation-or because
the actions taken did not fully address the issue that gave rise
to the recommendation.
However, continued efforts are needed by IRS to address its
serious internal control weaknesses. While we are able to close 34
financial management recommendations made in prior years, this
still leaves 50 recommendations from prior years that remain open,
a significant number of which have been outstanding for several
years. In some cases, as mentioned, IRS may have effectively
addressed the issues that gave rise to the recommendations
subsequent to our fiscal year 2005 audit testing; however, in many
cases, our fiscal year 2005 audit determined that the actions
taken to date had not effectively addressed the underlying
internal control issues. Additionally, during our fiscal year 2005
audit, we identified additional internal control issues that will
require corrective action by IRS. In a recent management report to
IRS,8 we discussed these internal control issues, and made 22 new
recommendations to IRS to address these new issues. Consequently,
a total of 72 financial management-related recommendations are
currently open and need to be addressed by IRS. Of these, we
consider 64 to be short term and 8 to be long term.9
Appendix I presents a listing of (1) recommendations we have made
based on our financial audits and other financial
management-related work that we have not previously reported as
closed, (2) the status of each of these recommendations and
corrective actions taken or planned as of April 2006 as reported
to us by IRS, and (3) our analysis of whether the issues that gave
rise to the recommendations have been effectively and fully
addressed based on the work performed during our fiscal year 2005
financial audit. The appendix lists the recommendations by the
date on which the recommendation was made and by report number.
An agency's overall internal control environment comprises the
plans, methods, and procedures that are used to meet its mission,
goals, and objectives and, in doing so, supports its
performance-based management. Internal control also serves as the
first line of defense in safeguarding an agency's assets and in
preventing and detecting errors and mitigating the potential for
fraud. Effective internal control assists program managers in
achieving desired results through effective stewardship of public
resources.
Control activities, one of the five broad standards contained in
GAO's Standards for Internal Control in the Federal Government,
are the policies, procedures, techniques, and mechanisms that
enforce management's directives. As such, they are an integral
part of an entity's planning, implementing, reviewing, and
accountability for stewardship of government resources and
achievement of results. GAO's Standards for Internal Control in
the Federal Government defines 11 control activities. These
control activities can be further grouped into three broad
categories:
o safeguarding of assets and security activities, including
o physical control over vulnerable assets,
o segregation of duties,
o controls over information processing, and
o access restrictions to and accountability for
resources and records;
o proper recording and documenting of transactions, including
o appropriate documentation of transactions and
internal control,
o accurate and timely reporting of transactions and
events, and
o proper execution of transactions and events; and
o effective management review and oversight, including
o reviews by management at the functional or
activity level,
o establishment and review of performance measures
and indicators,
o management of human capital, and
o top level reviews of actual performance.
Each of the open recommendations from our financial audits and
financial management-related work, and the underlying issues that
gave rise to them, can be traced back to the 11 control activities
and their three broad categories. Table 1 presents a summary of
the open recommendations, each tied back to the control activity
to which it relates.
1Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient operations,
reliable financial reporting, and compliance with applicable laws and
regulations. Part of the actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for
results-oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and to
take corresponding corrective actions.
2A material weakness is a reportable condition that precludes the entity's
internal controls from providing reasonable assurance that material
misstatements in the financial statements would be prevented or detected
on a timely basis. Reportable conditions represent significant
deficiencies in the design or operation of internal controls that could
adversely affect an entity's ability to initiate, authorize, record,
process, or report financial data reliably.
Results in Brief
Background
3The Circular was revised in December 2004. The circular states that the
revision followed a reexamination of the existing internal control
requirements for federal agencies that was initiated in light of the new
internal control requirements for publicly traded companies contained in
the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 stat. 745 (July
30, 2002). However, the revised circular states that it is not effective
until fiscal year 2006. Therefore, during the period covered by our fiscal
year 2005 audit of IRS's financial statements, IRS had to comply with the
requirements contained in the prior circular version, OMB Circular No.
A-123, Management Accountability and Control (June 21, 1995).
4GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (November 1999).
5The circular requires agencies and individual federal managers to take
systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
Appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
control through management assurance statements.
Objectives, Scope, and Methodology
IRS's Progress on Financial Management Recommendations
6GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001).
Status of Recommendations Based on the Fiscal Year 2005 Financial Statement
Audit
7GAO, Internal Revenue Service: Status of Recommendations from Financial
Audits and Related Financial Management Reports, GAO-05-393 (Washington,
D.C.: Apr. 29, 2005).
Relation of Open Recommendations to IRS's Control Environment
8GAO, Management Report: Improvements Needed in IRS's Internal Controls,
GAO-06-543R (Washington, D.C.: May 12, 2006).
9Short-term recommendations are defined as those that could be addressed
within 2 years at the time we made the recommendation. Long-term
recommendations are defined as those expected to require 2 years or more
to implement at the time we made the recommendation.
Table 1: Summary of Open Recommendations
Source: GAO analysis of financial management recommendations made to IRS.
As table 1 indicates, many of IRS's open recommendations are tied to
safeguarding and security issues. Specifically, 29 of the open
recommendations, or 40 percent, relate to issues associated with IRS's
lack of effective controls over safeguarding of assets and security
activities. Another 26 recommendations, or 36 percent, relate to issues
associated with IRS's inability to properly record and document
transactions. The remaining 17 recommendations, or 24 percent, relate to
issues associated with the lack of effective management review and
oversight.
Open Recommendations Grouped by Control Activity
Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to them,
to the internal control activities identified in GAO's Standards for
Internal Control in the Federal Government provides insight regarding
their significance to IRS's ability to effectively achieve the objectives
associated with the control activities and, thus, to its overall mission
and goals.
On the following pages, we group the 72 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented in
GAO's Standards for Internal Control in the Federal Government and briefly
identify some of the key IRS operations that fall under that control
activity. Although not comprehensive, the descriptions are intended to
help explain why the control activity is important for IRS and thus why
implementing the recommendations would strengthen management and controls
that support those operations. For each recommendation, we also indicate
whether it is a short-term or long-term recommendation.
Safeguarding of Assets and Security Activities
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of the
most important control activities at IRS is the safeguarding of assets.
Internal control should be designed to provide reasonable assurance
regarding prevention or prompt detection of unauthorized acquisition, use,
or disposition of an agency's assets. We have grouped together the four
control activities in GAO's Standards for Internal Control in the Federal
Government that relate to safeguarding of assets (including tax receipts)
and security activities (such as limiting access to only authorized
personnel): (1) physical control over vulnerable assets, (2) segregation
of duties, (3) controls over information processing, and (4) access
restrictions to and accountability for resources and records.
Physical Control over Vulnerable Assets
IRS is charged with collecting over $2 trillion in taxes each year, a
significant amount of which is collected in the form of checks and cash
accompanied by tax returns and related information. IRS collects taxes
both at its own facilities as well as at lockbox banks that operate under
contract with the Treasury Department's Financial Management Service (FMS)
to provide processing services for certain taxpayer receipts for IRS. IRS
acts as custodian for (1) the tax payments it receives until they are
deposited in the General Fund of the U.S. Treasury and (2) the tax returns
and related information it receives until they are either sent to the
Federal Records Center or destroyed. IRS is also charged with controlling
many other assets, such as computers and other equipment, but IRS's legal
responsibility to safeguard tax returns and the confidential information
taxpayers provide in tax returns makes the effectiveness of its internal
controls with respect to physical security essential.
IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at one of its offices. While adequate physical
safeguards over receipts should exist throughout the year, it is
especially important during the peak tax filing season. Each year during
the weeks preceding and shortly after April 15, an IRS service center
campus (SCC) may receive and process daily over 100,000 pieces of mail
containing returns, receipts, or both. The dollar value of receipts each
service center processes increases to hundreds of millions of dollars a
day during the April 15 time frame.
Of our 72 open recommendations, the following 13 open recommendations are
designed to improve IRS's physical controls over vulnerable assets. (See
table 2.)
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets
Source: GAO analysis of financial management recommendations made to IRS.
Segregation of Duties
IRS employees are responsible for processing trillions of dollars of tax
receipts each year, of which hundreds of billions are received in the form
of cash or checks,10 and for processing hundreds of billions of dollars in
refunds to taxpayers. Consequently, it is critical that IRS maintain
appropriate separation of duties to allow for adequate oversight of staff
and protection of these vulnerable resources so that no single individual
would be in a position of both causing an error or irregularity and then
concealing it. For example, when an IRS field office or lockbox bank
receives taxpayer receipts and returns, it is responsible for depositing
the cash and checks in a depository institution and forwarding the related
information received to an SCC for further processing. In order to
adequately safeguard receipts from theft, the person responsible for
recording the information from the taxpayer receipts on a voucher should
be different from the individual who prepares those receipts for
transmittal to the SCC for further processing.
10The vast majority of federal tax payments are made for both businesses
and individuals via the Electronic Federal Tax Payment System (EFTPS).
The following three open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over both
tax receipts and refunds. (See table 3.)
Table 3: Recommendations to Improve IRS's Segregation of Duties
Source: GAO analysis of financial management recommendations made to IRS.
Controls over Information Processing
IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected networks of
computer systems to perform various functions, such as collecting and
storing taxpayer data, processing tax returns, calculating interest and
penalties, generating refunds, and providing customer service.
As part of our annual audits of IRS's financial statements, we assess the
effectiveness of IRS's information security controls11 over key financial
systems, data, and interconnected networks at IRS's critical data
processing facilities that support the processing, storage, and
transmission of sensitive financial and taxpayer data. From that effort,
we have identified over the years information security control weaknesses
that impair IRS's ability to ensure the confidentiality, integrity, and
availability of its sensitive financial and taxpayer data. As of March
2006, there were 45 open recommendations from our information security
work designed to improve IRS's information security controls.12
Recommendations resulting from our information security work are reported
separately and are not included in this report primarily because of the
sensitive nature of some of these issues.
However, the following six open recommendations are related to systems
limitations and IRS's need to review and resolve various exception reports
that its systems generate. (See table 4.) We included reviews of exception
reports in this control activity since they help ensure the integrity of
IRS's automated data.13
11Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access to
data is appropriately restricted, that only authorized changes to computer
programs are made, that physical access to sensitive computing resources
and facilities is protected, that computer security duties are segregated,
and that backup and recovery plans are adequate to ensure the continuity
of essential operations.
12GAO, Information Security: Continued Progress Needed to Strengthen
Controls at the Internal Revenue Service, GAO-06-328 (Washington, D.C.:
Mar. 23, 2006).
13Exception reports are one of the measures listed in GAO's Internal
Control Management Evaluation Tool ( GAO-01-1008G ) as an information
processing function.
Table 4: Recommendations to Improve IRS's Controls over Information
Processing
Source: GAO analysis of financial management recommendations made to IRS.
aALS stands for Automated Lien System.
Access Restrictions to and Accountability for Resources and Records
Because IRS deals with a large volume of cash and checks, it is imperative
that it maintain strong controls over who has access to those assets, the
records that track those assets, and sensitive taxpayer information.
Although IRS has a number of both physical and information system controls
in place, some of the issues we have identified in our financial audits
over the years pertain to ensuring that those with direct access to these
cash and checks are appropriately vetted before being granted access to
taxpayer receipts and information and to ensuring that IRS maintains
effective access security control.
The following seven open recommendations would help IRS improve its access
restrictions to assets and records. (See table 5.)
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records
Source: GAO analysis of financial management recommendations made to IRS.
Proper Recording and Documenting of Transactions
One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers need
to assist in making day-to-day decisions. While progress is being made to
modernize its financial management capabilities, IRS nonetheless continues
to face many of the pervasive internal control weaknesses that we have
reported each year since we began auditing its financial statements in
fiscal year 1992, many of which are related to its long-standing systems
deficiencies.
However, IRS also has a number of internal control issues that relate to
recording transactions, documenting events, and tracking the processing of
taxpayer receipts or information, which do not depend upon improvements in
information systems.
We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate documentation
of transactions and internal controls, (2) accurate and timely recording
of transactions and events, and (3) proper execution of transactions and
events.
Appropriate Documentation of Transactions and Internal Control
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract to
process taxpayer receipts for the federal government. Therefore, it is
important that IRS maintain appropriate assurance that all documents and
records are properly managed and maintained both at its facilities and at
the lockbox banks.
The following 11 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. (See table
6.)
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control
Source: GAO analysis of financial management recommendations made to IRS.
Accurate and Timely Recording of Transactions and Events
IRS is responsible for maintaining taxpayer records for tens of millions
of taxpayers in addition to maintaining its own financial records. To
carry out this responsibility, IRS often has to rely on outdated computer
systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, which is a long-term effort and is
dependent on future funding.
The following 14 open recommendations would strengthen IRS's recordkeeping
abilities. (See table 7.) They include some specific recommendations
regarding requirements for new systems for maintaining taxpayer records.
Several of the recommendations listed affect financial reporting
processes, such as subsidiary records and appropriate allocation of costs.
Some of the issues that gave rise to certain of our recommendations
directly affect taxpayers, such as those involving duplicate assessments,
errors in calculating and reporting manual interest, and recovery of trust
fund penalty assessments. Half of these recommendations are almost over 5
years old and 1 is over 10 years old, reflecting the long-term nature of
the resolution of some of these issues.
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events
Source: GAO analysis of financial management recommendations made to IRS.
Proper Execution of Transactions and Events
IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak of
the tax filing season. Because of the tremendous number of personnel
involved, IRS must maintain effective control over which employees are
authorized to either view or change sensitive taxpayer data. IRS's ability
to establish access rights and permissions for information systems is a
critical control.
Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.14 IRS requires that
all manual refunds be approved by officials who are designated by
managers. However, weaknesses in the authorization of such approving
officials expose the federal government to losses because of the issuance
of improper refunds. The following open recommendation would improve IRS's
controls over its manual refund transactions. (See table 8.)
Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events
Source: GAO analysis of financial management recommendations made to IRS.
14Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers for
immediate payment due to hardship or emergency, those to beneficiaries of
deceased taxpayers, and those that need to be expedited because IRS is in
jeopardy of paying interest for exceeding the 45-day limit for processing
a return.
Effective Management Review and Oversight
All personnel within IRS have an important role in making internal
controls work, but the responsibility for good internal control rests with
IRS's managers. Management sets the objectives, puts the control
mechanisms and activities in place, and monitors and evaluates the
controls. Without effective monitoring by managers, internal control
activities may not be conducted on a consistent and timely basis.
We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of performance
measures and indicators, and (3) management of human capital. Although we
also include the control activity "top level reviews of actual
performance" in this grouping, we do not have any open recommendations to
IRS related to this internal control activity.
Reviews by Management at the Functional or Activity Level
IRS has over 80,000 full-time employees and hires over 10,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, IRS contracts with banks to process tens of thousands
of individual receipts, totaling hundreds of billions of dollars. At any
organization, management oversight of operations is important, but with an
organization as vast in scope as the IRS, management oversight is
imperative.
The following 12 open recommendations would improve IRS's management
oversight. (See table 9.) In general, these recommendations were made to
correct instances where an internal control activity either does not exist
or where an established control is not being adequately or consistently
applied. The majority of these recommendations emphasize improvements
needed to IRS's oversight of lockbox banks and contracted courier programs
in order to ensure appropriate physical control over vulnerable assets,
such as taxpayer receipts.
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level
Source: GAO analysis of financial management recommendations made to IRS.
Establishment and Review of Performance Measures and Indicators
IRS's operations include a vast array of activities encompassing taxpayer
education, processing of taxpayer receipts and data, disbursing hundreds
of billions of dollars in refunds to millions of taxpayers, maintaining
extensive information on tens of millions of taxpayers, and seeking
collection from individuals and businesses that fail to comply with the
nation's tax laws. Within its compliance function, IRS has numerous
activities, including identifying businesses and individuals that
underreport income, collecting from taxpayers that do not pay, and
collecting from those receiving refunds for which they are not eligible.
Although IRS has at its peak over 90,000 employees, it still faces
resource constraints in attempting to fulfill its duties. Because of this,
it is vitally important for IRS to have sound performance measures to
assist it in assessing its performance and targeting its resources in a
manner that maximizes the government's return on investment.
However, in past audits we have reported that IRS did not capture cost at
the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a result,
IRS is unable to measure the costs and benefits of its various collection
and enforcement efforts to best target its available resources.
Additionally, we have reported that IRS's controls over its reporting of
interim performance measurement data were not effective throughout the
year because the data reported at interim periods for certain performance
measures were either not accurate or were outdated.
The following four open recommendations are designed to assist IRS in
evaluating its operations, determining which activities are the most
beneficial, and establishing a good system for oversight. (See table 10.)
These recommendations call for IRS to measure, track, and evaluate the
cost, benefits, or outcomes of its operations-particularly with regard to
identifying its most effective tax collection activities.
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators
Source: GAO analysis of financial management recommendations made to IRS.
Management of Human Capital
IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens of
thousands of employees spread throughout the country, management's
responsibility to keep its guidance up-to-date and its staff properly
trained is imperative.
The following open recommendation would assist IRS in its management of
human capital in its financial operations. (See table 11.) The
recommendation is over 5 years old and may be resolved through IRS's
business systems modernization efforts.
Table 11: Recommendation to Improve IRS's Management of Human Capital
Source: GAO analysis of financial management recommendations made to IRS.
Concluding Observations
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to operate more efficiently and
more effectively in its mission while protecting taxpayers and their
information.
Sound financial management and effective internal controls can assist IRS
in achieving its goals. IRS has made substantial progress in improving its
financial management since its first financial audit, as evidenced by
consecutive clean audit opinions on its financial statements for the past
6 years, resolution of several material internal control weaknesses, and
the closing of hundreds of financial management recommendations. This
progress has been the result of hard work and commitment at the top.
Nonetheless, more needs to be done to fully address the financial
management challenges the agency faces. Efforts must continue to address
the internal control deficiencies that continue to exist. Effective
implementation of the recommendations we have made and continue to make
through our financial audits and related work could greatly assist IRS in
improving its internal controls and achieving sound financial management.
Agency Comments and Our Evaluation
In commenting on a draft of this report, IRS expressed its appreciation
that we acknowledged the progress the agency has made in addressing its
financial management challenges, and noted that our mapping of its
remaining recommendations to specific internal control activities and
grouping them into three broad categories will facilitate its strategy to
address the remaining financial management issues. IRS also highlighted
its efforts to further improve its internal controls over hard-copy tax
receipts, noting that its plan to address these issues now includes
comprehensive actions to address our remaining recommendations covering
lockbox banks, submission processing campuses, taxpayer assistance
centers, and field offices. We will review the effectiveness of these
corrective actions and the status of IRS's progress in addressing all open
recommendations as part of our fiscal year 2006 IRS financial statement
audit.
We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental Affairs;
and Subcommittee on Taxation and IRS Oversight, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking Minority
Members of the House Committee on Appropriations; House Committee on Ways
and Means; Chairman and Vice Chairman of the Joint Committee on Taxation,
the Secretary of the Treasury, the Director of the Office of Management
and Budget, the Chairman of the IRS Oversight Board, and other interested
parties. Copies will be made available to others upon request. In
addition, the report will be available at no charge on GAO's Web site at
http://www.gao.gov .
If you have any questions concerning this report, please contact me at
(202) 512-3406 or sebastians@gao.gov . Contact points for our Offices of
Congressional Relations and Public Affairs can be found on the last page
of this report. GAO staff who made major contributions to this report are
listed in appendix III.
Sincerely yours,
Steven J. Sebastian Director Financial Management and Assurance
Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports Appendix I: Status of GAO Recommendations from
IRS Financial Audits and Related Management Reports
Sources: IRS updates detailing IRS actions to address GAO's
recommendations and GAO's analysis of IRS's actions.
Appendix II: Comments from the Internal Revenue Service Appendix II:
Comments from the Internal Revenue Service
Appendix III: S Appendix III: Staff Acknowledgments
The following individuals made major contributions to this report: William
J. Cordrey, Charles Fox, Paul Foderaro, Nina Crocker, John Davis, Charles
Ego, David Elder, Ted Hu, Jerrod O'Nelio, John Sawyer, Peggy Smith, Lisa
Warde, Gary Wiggins, and Mark Yoder.
(196093)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
www.gao.gov/cgi-bin/getrpt? GAO-06-560 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Steven J. Sebastian at (202) 512-3406 or
sebastians@gao.gov.
Highlights of GAO-06-560 , a report to the Commissioner of Internal
Revenue
June 2006
INTERNAL REVENUE SERVICE
Status of Recommendations from Financial Audits and Related Financial
Management Reports
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility in annually collecting over $2
trillion in taxes, processing hundreds of millions of tax and information
returns, and enforcing the nation's tax laws. Since its first audit of
IRS's financial statements in fiscal year 1992, GAO has identified a
number of weaknesses in IRS's financial management operations. In related
reports, GAO has recommended corrective action to address those
weaknesses.
Each year, as part of the annual audit of IRS's financial statements, GAO
not only makes recommendations to address any new weaknesses identified
but also follows up on the status of weaknesses GAO identified in previous
years' audits. The purpose of this report is to (1) assist IRS management
in tracking the status of audit recommendations and actions needed to
fully address them and (2) demonstrate how the recommendations fit into
IRS's overall management and internal control structure.
IRS has made significant progress in improving its internal controls and
financial management since its first financial audit in 1992, as evidenced
by 6 consecutive years of clean audit opinions on its financial
statements, the resolution of several material internal control
weaknesses, and the closing of over 200 financial management
recommendations. This progress has been the result of hard work and
commitment at the top levels of the agency.
However, IRS still faces financial management challenges. At the beginning
of GAO's audit of IRS's fiscal year 2005 financial statements, 84
financial management-related recommendations from prior audits remained
open because IRS had not fully addressed the issues that gave rise to
them. During the fiscal year 2005 financial audit, IRS took actions that
enabled GAO to close 34 of those recommendations. At the same time, GAO
identified additional internal control deficiencies resulting in 22 new
recommendations. In total, 72 recommendations currently remain open.
To assist IRS in evaluating its internal controls and in making
improvements, GAO categorized the 72 open recommendations by various
internal control activities which, in turn, were grouped into three broad
control activity groupings.
Summary of Open Recommendations
Source: GAO analysis of financial management recommendations made to IRS.
The continued existence of internal control weaknesses that gave rise to
these recommendations represents a serious obstacle that IRS needs to
overcome. Effective implementation of GAO's recommendations can greatly
assist IRS in improving its internal controls and achieving sound
financial management. IRS stated that it is taking action to address the
recommendations included in the report. GAO will review the effectiveness
of these corrective actions and the status of IRS's progress as part of
the fiscal year 2006 audit.
*** End of document. ***