Internal Revenue Service: Status of Recommendations from	 
Financial Audits and Related Financial Management Reports	 
(06-JUN-06, GAO-06-560).					 
                                                                 
In its role as the nation's tax collector, the Internal Revenue  
Service (IRS) has a demanding responsibility in annually	 
collecting over $2 trillion in taxes, processing hundreds of	 
millions of tax and information returns, and enforcing the	 
nation's tax laws. Since its first audit of IRS's financial	 
statements in fiscal year 1992, GAO has identified a number of	 
weaknesses in IRS's financial management operations. In related  
reports, GAO has recommended corrective action to address those  
weaknesses. Each year, as part of the annual audit of IRS's	 
financial statements, GAO not only makes recommendations to	 
address any new weaknesses identified but also follows up on the 
status of weaknesses GAO identified in previous years' audits.	 
The purpose of this report is to (1) assist IRS management in	 
tracking the status of audit recommendations and actions needed  
to fully address them and (2) demonstrate how the recommendations
fit into IRS's overall management and internal control structure.
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-560 					        
    ACCNO:   A55199						        
  TITLE:     Internal Revenue Service: Status of Recommendations from 
Financial Audits and Related Financial Management Reports	 
     DATE:   06/06/2006 
  SUBJECT:   Financial management				 
	     Financial management systems			 
	     Financial statement audits 			 
	     Internal controls					 
	     Tax administration systems 			 
	     Audit recommendations				 
	     Corrective action					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-560

     

     * Results in Brief
     * Background
     * Objectives, Scope, and Methodology
     * IRS's Progress on Financial Management Recommendations
          * Status of Recommendations Based on the Fiscal Year 2005 Fina
          * Relation of Open Recommendations to IRS's Control Environmen
     * Open Recommendations Grouped by Control Activity
          * Safeguarding of Assets and Security Activities
          * Proper Recording and Documenting of Transactions
          * Effective Management Review and Oversight
     * Concluding Observations
     * Agency Comments and Our Evaluation
     * Appendix I: Status of GAO Recommendations from IRS Financial
     * Appendix II: Comments from the Internal Revenue Service
     * Appendix III: Staff Acknowledgments
          * Order by Mail or Phone

Report to the Commissioner of Internal Revenue

United States Government Accountability Office

GAO

June 2006

INTERNAL REVENUE SERVICE

Status of Recommendations from Financial Audits and Related Financial
Management Reports

GAO-06-560

Contents

Letter 1

Results in Brief 3
Background 3
Objectives, Scope, and Methodology 6
IRS's Progress on Financial Management Recommendations 7
Open Recommendations Grouped by Control Activity 12
Concluding Observations 27
Agency Comments and Our Evaluation 27
Appendix I Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports 29
Appendix II Comments from the Internal Revenue Service 89
Appendix III Staff Acknowledgments 90

Tables

Table 1: Summary of Open Recommendations 11
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets 13
Table 3: Recommendations to Improve IRS's Segregation of Duties 15
Table 4: Recommendations to Improve IRS's Controls over Information
Processing 17
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records 18
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control 19
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events 21
Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events 22
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level 24
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators 26
Table 11: Recommendation to Improve IRS's Management of Human Capital 27

Abbreviations

ALS Automated Lien System

ATFR Automated Trust Fund Recovery

AUR Automated Under Reporter

AWSS Agency-Wide Shared Services

BMF Business Master File

BPMS Business Performance Management System

CAP Custodial Accounting Project

CCP Centralized Case Processing

CCTV closed-circuit television

CDDB Custodial Detail Data Base

CFO chief financial officer

CIO chief information officer

CIQMS complex interest quality measurement system

COTR contracting officer's technical representative

CPE continuing professional education

DCI data collection instrument

FMFIA Federal Managers' Financial Integrity Act of 1982

FMIS Financial Management Information System

FMS Financial Management Service

FRB Federal Reserve Bank

IDRS Integrated Data Retrieval System

IFS Integrated Financial System

IMF Individual Master File

IRM Internal Revenue Manual

IRS Internal Revenue Service

IT information technology

LEM Security Law Enforcement Manual

LMSB Large and Mid-sized Business

LPG Lockbox Processing Guidelines

LSG Lockbox Security Guide

MOU memorandum of understanding

NBIC National Background Investigation Center

NFC National Finance Center

OMB Office of Management and Budget

P&E property and equipment

POD post of duty

PSEP office of Physical Security and Emergency Preparedness

SATMOD satisfied module

SB/SE Small Business/Self-Employed

SCC service center campus

SERP Service-wide Electronic Research Program

SETS Security Entry and Tracking System

SP Submission Processing

SPC submission processing center

TAC taxpayer assistance center

TE/GE Tax Exempt and Government Entities

TFRP Trust Fund Recovery Penalty

TGA Treasury's General Account

W&I Wage and Investment

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

June 6, 2006 June 6, 2006

The Honorable Mark W. Everson Commissioner of Internal Revenue The
Honorable Mark W. Everson Commissioner of Internal Revenue

Dear Mr. Everson: Dear Mr. Everson:

In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2005, IRS
collected about $2.3 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $267 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices. In its role as the nation's tax collector, the
Internal Revenue Service (IRS) has a demanding responsibility to collect
taxes, process tax returns, and enforce the nation's tax laws. In fiscal
year 2005, IRS collected about $2.3 trillion in tax payments, processed
hundreds of millions of tax and information returns, and paid about $267
billion in refunds to taxpayers. Because of its role and overall mission,
IRS's activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.

IRS has made much progress in improving its financial management since it
was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress has led to its ability to
obtain and maintain a clean audit opinion on its financial statements each
year beginning in fiscal year 2000, and to correct several material
internal control weaknesses over the years. Despite these considerable
improvements, however, more remains to be done to address long-standing
internal control issues that continue to plague the agency. IRS continues
to have weak or ineffective internal controls over fundamental elements of
its operations that leave it vulnerable to a greater risk of fraud, waste,
abuse, and mismanagement. This, in turn, has the potential to impact the
lives of the nation's taxpayers, as our audits over the years have
demonstrated. IRS has made much progress in improving its financial
management since it was first required to prepare and have audited a set
of financial statements in fiscal year 1992. This progress has led to its
ability to obtain and maintain a clean audit opinion on its financial
statements each year beginning in fiscal year 2000, and to correct several
material internal control weaknesses over the years. Despite these
considerable improvements, however, more remains to be done to address
long-standing internal control issues that continue to plague the agency.
IRS continues to have weak or ineffective internal controls over
fundamental elements of its operations that leave it vulnerable to a
greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has
the potential to impact the lives of the nation's taxpayers, as our audits
over the years have demonstrated.

An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting errors
and fraud, as well as in helping to effectively manage its stewardship
over public An agency's internal control environment serves as the first
line of defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.1 Unfortunately, IRS continues to be
challenged with several long-standing material weaknesses in internal
control that are at the heart of IRS's operations.2 During our audit of
IRS's fiscal year 2005 financial statements, we continued to find material
weaknesses in controls over

           o  financial reporting (including safeguarding of assets),
           o  unpaid tax assessments,
           o  identifying and collecting tax revenues due and issuing tax
           refunds, and
           o  information systems security.

           In addition to the material weaknesses, we continued to identify
           two reportable conditions, including deficiencies in controls over
           (1) hard-copy tax receipts and taxpayer data, which increase the
           government's and taxpayer's risk of loss or inappropriate
           disclosure of taxpayer data, and (2) property and equipment (P&E),
           which preclude IRS from readily reconciling its property records
           to its financial records.

           To assist IRS in strengthening its internal controls and improving
           its operations, we have made numerous recommendations as part of
           our annual financial statement audits and other financial
           management-related work at IRS. This report is being provided to
           you to (1) assist IRS management in tracking the status of
           financial audit and financial management-related recommendations
           and the actions needed to address them and (2) demonstrate how the
           recommendations fit into IRS's overall management and internal
           control structure. In cases where IRS has taken action on open
           recommendations that did not result in our closing them, we
           explain why this occurred.

           We conducted our review from December 2005 through May 2006 in
           accordance with U.S. generally accepted government auditing
           standards.

           IRS management continues to make progress in addressing many of
           the internal control deficiencies that plague the agency. At the
           beginning of the fiscal year 2005 IRS financial statement audit,
           84 financial management-related recommendations from prior audits
           remained open because IRS had not addressed the issues that gave
           rise to them sufficiently to allow us to close them. During the
           fiscal year 2005 financial audit, IRS took actions to effectively
           address issues that gave rise to numerous recommendations,
           enabling us to close 34 of those recommendations. However, more
           efforts are needed by IRS to effectively address its financial
           management challenges. During our fiscal year 2005 financial
           audit, we continued to identify recurring internal control
           deficiencies, as well as new deficiencies, and we made 22 new
           recommendations to address these newly identified issues. As a
           result, 72 recommendations to address IRS's internal control
           deficiencies remain open.

           In analyzing the nature of these open financial management
           recommendations, we found that 29 recommendations, or 40 percent,
           relate to issues associated with IRS's lack of effective controls
           over safeguarding assets and security activities. Another 26
           recommendations, or more than a third of the open recommendations,
           relate to issues associated with IRS's inability to properly
           record and document transactions. The remaining 17
           recommendations, or approximately 24 percent, relate to issues
           associated with lack of effective management review and oversight.
           Effective implementation of these open recommendations could
           greatly assist IRS in improving its internal controls and
           achieving sound financial management. We are making no new
           recommendations in this report.

           In commenting on this report, IRS highlighted its efforts to
           further improve its internal controls over hard-copy tax receipts,
           and felt our grouping of the remaining open recommendations into
           broad internal control categories will facilitate its strategy to
           address its remaining financial management issues. We have
           reprinted IRS's written comments in appendix II.

           Internal control is not one event, but a series of actions and
           activities that occur throughout an entity's operations and on an
           ongoing basis. Internal control should be recognized as an
           integral part of each system that management uses to regulate and
           guide its operations rather than as a separate system within an
           agency. In this sense, internal control is management control that
           is built into the entity as a part of its infrastructure to help
           managers run the entity and achieve their goals on an ongoing
           basis.

           Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as
           the Federal Managers' Financial Integrity Act of 1982 (FMFIA)),
           requires agencies to establish and maintain internal control. The
           agency head must annually evaluate and report on the control and
           financial systems that protect the integrity of federal programs.
           The requirements of FMFIA serve as an umbrella under which other
           reviews, evaluations, and audits should be coordinated and
           considered to support management's assertion about the
           effectiveness of internal control over operations, financial
           reporting, and compliance with laws and regulations.

           Office of Management and Budget (OMB) Circular No. A-123,
           Management's Responsibility for Internal Control (revised Dec. 21,
           2004), provides the implementing guidance for FMFIA, and sets out
           the specific requirements for assessing and reporting on internal
           controls3 consistent with the internal control standards issued by
           the Comptroller General of the United States.4 The circular, which
           was revised in 2004 with the revisions effective for fiscal year
           2006, defines management's responsibilities related to internal
           control and the process for assessing internal control
           effectiveness, and provides specific requirements for conducting
           management's assessment of the effectiveness of internal control
           over financial reporting. The circular requires management to
           annually provide assurances on internal control in its Performance
           and Accountability Report, and for the Chief Financial Officers
           (CFO) Act agencies, beginning in fiscal year 2006, to include a
           separate assurance on internal control over financial reporting,
           along with a report on identified material weaknesses and
           corrective actions.5 The circular also emphasizes the need for
           integrated and coordinated internal control assessments that
           synchronize all internal control-related activities.

           FMFIA requires GAO to issue standards for internal control in the
           federal government. GAO's Standards for Internal Control in the
           Federal Government provides the overall framework for establishing
           and maintaining internal control and for identifying and
           addressing major performance and management challenges and areas
           at greatest risk of fraud, waste, abuse, and mismanagement.

           As summarized in GAO's Standards for Internal Control in the
           Federal Government, the minimum level of quality acceptable for
           internal control in the government is defined by the following
           five standards, which also provide the basis against which
           internal controls are to be evaluated:

           o  Control environment: Management and employees should establish
           and maintain an environment throughout the organization that sets
           a positive and supportive attitude toward internal control and
           conscientious management.
           o  Risk assessment: Internal control should provide for an
           assessment of the risks the agency faces from both external and
           internal sources.
           o  Control activities: Internal control activities help ensure
           that management's directives are carried out. The control
           activities should be effective and efficient in accomplishing the
           agency's control objectives.
           o  Information and communications: Information should be recorded
           and communicated to management and others within the entity who
           need it and in a form and within a time frame that enables them to
           carry out their internal control and other responsibilities.
           o  Monitoring: Internal control monitoring should assess the
           quality of performance over time and ensure that the findings of
           audits and other reviews are promptly resolved.

           The third control standard-internal control activities-helps
           ensure that management's directives are carried out. Control
           activities are the policies, procedures, techniques, and
           mechanisms that enforce management's directives. In other words,
           they are the activities conducted in the everyday course of
           business that accomplish a control objective, such as ensuring IRS
           employees successfully complete background checks prior to being
           granted access to taxpayer information and receipts. As such,
           control activities are an integral part of an entity's planning,
           implementing, reviewing, and accountability for stewardship of
           government resources and achievement of effective results.

           A key objective in our annual audits of IRS's financial statements
           is to obtain reasonable assurance about whether IRS maintained
           effective internal controls with respect to financial reporting,
           including safeguarding of assets, and compliance with laws and
           regulations. While all five internal control standards are
           critical and are used by us as a basis for evaluating the
           effectiveness of IRS's internal controls, we place a heavy
           emphasis on testing control activities. This has resulted in the
           identification of significant deficiencies in certain internal
           controls over the years and recommendations for corrective action.

           The objectives of this report are to (1) assist IRS management in
           tracking the status of financial audit and financial
           management-related recommendations and the actions needed to
           address them and (2) demonstrate how the recommendations fit into
           IRS's overall management and internal control structure. To
           accomplish these objectives, we evaluated the effectiveness of
           IRS's corrective actions implemented in response to open
           recommendations during fiscal year 2005 as part of our fiscal
           years 2005 and 2004 financial audits. To report on the current
           status of the recommendations, we obtained the status of each
           recommendation and corrective action taken or planned as of April
           2006, as reported to us by IRS. We then compared IRS's assessment
           to our fiscal year 2005 audit findings and noted any differences
           between IRS's and our conclusions regarding the status of each
           recommendation.

           In order to determine how these recommendations fit within IRS's
           management and internal control structure, we compared the open
           recommendations, and the issues that gave rise to them, to the
           control activities listed in GAO's Standards for Internal Control
           in the Federal Government and to the list of major factors and
           examples outlined in our Internal Control Management and
           Evaluation Tool.6 We also considered how the recommendations and
           the underlying issues were categorized in our prior reports,
           whether IRS had addressed in whole or in part the underlying
           control issues that gave rise to the recommendations, and other
           legal requirements and implementing guidance, such as OMB Circular
           No. A-123; FMFIA; and the Federal Information System Controls
           Audit Manual, GAO/AIMD-12.19.6 (revised June 2001).

           We conducted our review from December 2005 through May 2006 in
           accordance with U.S. generally accepted government auditing
           standards. We requested comments on a draft of this report from
           the Commissioner of Internal Revenue or his designee. We received
           written comments from the commissioner, which are reprinted in
           appendix II.

           IRS continues to make progress on addressing its significant
           financial management challenges. Over the years since we first
           began auditing IRS's financial statements in fiscal year 1992, we
           have closed out over 200 financial management-related
           recommendations we made based on actions IRS has taken to improve
           its internal controls and operational efficiency. This includes 34
           recommendations we are closing in fiscal year 2006 based on
           actions IRS took during the period covered by our fiscal year 2005
           financial audit. At the same time, however, our audits continue to
           identify significant internal control deficiencies, resulting in
           our making further recommendations for corrective action,
           including 22 new financial management-related recommendations
           resulting from our fiscal year 2005 financial audit. These
           internal control deficiencies, and the resulting recommendations,
           can directly be traced to the control activities in GAO's
           Standards for Internal Control in the Federal Government. As such,
           it is essential that they be fully addressed and resolved to
           strengthen IRS's overall financial management and to assist it in
           achieving its goals and mission.

           In April 2005, we issued a report on the status of IRS's efforts
           to implement corrective actions to address financial management
           recommendations stemming from our fiscal year 2004 and prior year
           financial audits and other financial management-related work.7 In
           that report, we identified 84 audit recommendations that at that
           time, remained open and thus required corrective action by IRS. A
           significant number of these recommendations had been open for
           several years, either because IRS had not taken corrective action
           or because the actions taken had not been effective in resolving
           the issues that gave rise to the recommendations.

           IRS continued to work to address many of the internal control
           deficiencies to which these open recommendations relate. In the
           course of performing our fiscal year 2005 financial audit, we
           identified numerous actions IRS took to address many of its
           internal control deficiencies. Based on IRS's actions, which we
           were able to substantiate through our audit, we are able to close
           34 of these prior years' recommendations since we concluded that
           IRS's actions effectively addressed the issues that gave rise to
           them. IRS considers another 23 of the prior years' recommendations
           to be effectively addressed. However, we still consider them to be
           open either because we have not yet had time to verify the
           effectiveness of IRS's actions-they occurred subsequent to
           completion of our audit testing and thus have not been verified,
           which is a prerequisite to our closing a recommendation-or because
           the actions taken did not fully address the issue that gave rise
           to the recommendation.

           However, continued efforts are needed by IRS to address its
           serious internal control weaknesses. While we are able to close 34
           financial management recommendations made in prior years, this
           still leaves 50 recommendations from prior years that remain open,
           a significant number of which have been outstanding for several
           years. In some cases, as mentioned, IRS may have effectively
           addressed the issues that gave rise to the recommendations
           subsequent to our fiscal year 2005 audit testing; however, in many
           cases, our fiscal year 2005 audit determined that the actions
           taken to date had not effectively addressed the underlying
           internal control issues. Additionally, during our fiscal year 2005
           audit, we identified additional internal control issues that will
           require corrective action by IRS. In a recent management report to
           IRS,8 we discussed these internal control issues, and made 22 new
           recommendations to IRS to address these new issues. Consequently,
           a total of 72 financial management-related recommendations are
           currently open and need to be addressed by IRS. Of these, we
           consider 64 to be short term and 8 to be long term.9

           Appendix I presents a listing of (1) recommendations we have made
           based on our financial audits and other financial
           management-related work that we have not previously reported as
           closed, (2) the status of each of these recommendations and
           corrective actions taken or planned as of April 2006 as reported
           to us by IRS, and (3) our analysis of whether the issues that gave
           rise to the recommendations have been effectively and fully
           addressed based on the work performed during our fiscal year 2005
           financial audit. The appendix lists the recommendations by the
           date on which the recommendation was made and by report number.

           An agency's overall internal control environment comprises the
           plans, methods, and procedures that are used to meet its mission,
           goals, and objectives and, in doing so, supports its
           performance-based management. Internal control also serves as the
           first line of defense in safeguarding an agency's assets and in
           preventing and detecting errors and mitigating the potential for
           fraud. Effective internal control assists program managers in
           achieving desired results through effective stewardship of public
           resources.

           Control activities, one of the five broad standards contained in
           GAO's Standards for Internal Control in the Federal Government,
           are the policies, procedures, techniques, and mechanisms that
           enforce management's directives. As such, they are an integral
           part of an entity's planning, implementing, reviewing, and
           accountability for stewardship of government resources and
           achievement of results. GAO's Standards for Internal Control in
           the Federal Government defines 11 control activities. These
           control activities can be further grouped into three broad
           categories:

           o  safeguarding of assets and security activities, including

                        o  physical control over vulnerable assets,
                        o  segregation of duties,
                        o  controls over information processing, and
                        o  access restrictions to and accountability for
                        resources and records;

           o  proper recording and documenting of transactions, including

                        o  appropriate documentation of transactions and
                        internal control,
                        o  accurate and timely reporting of transactions and
                        events, and
                        o  proper execution of transactions and events; and

           o  effective management review and oversight, including

                        o  reviews by management at the functional or
                        activity level,
                        o  establishment and review of performance measures
                        and indicators,
                        o  management of human capital, and
                        o  top level reviews of actual performance.

           Each of the open recommendations from our financial audits and
           financial management-related work, and the underlying issues that
           gave rise to them, can be traced back to the 11 control activities
           and their three broad categories. Table 1 presents a summary of
           the open recommendations, each tied back to the control activity
           to which it relates.

1Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient operations,
reliable financial reporting, and compliance with applicable laws and
regulations. Part of the actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for
results-oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and to
take corresponding corrective actions.

2A material weakness is a reportable condition that precludes the entity's
internal controls from providing reasonable assurance that material
misstatements in the financial statements would be prevented or detected
on a timely basis. Reportable conditions represent significant
deficiencies in the design or operation of internal controls that could
adversely affect an entity's ability to initiate, authorize, record,
process, or report financial data reliably.

                                Results in Brief

                                   Background

3The Circular was revised in December 2004. The circular states that the
revision followed a reexamination of the existing internal control
requirements for federal agencies that was initiated in light of the new
internal control requirements for publicly traded companies contained in
the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 stat. 745 (July
30, 2002). However, the revised circular states that it is not effective
until fiscal year 2006. Therefore, during the period covered by our fiscal
year 2005 audit of IRS's financial statements, IRS had to comply with the
requirements contained in the prior circular version, OMB Circular No.
A-123, Management Accountability and Control (June 21, 1995).

4GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (November 1999).

5The circular requires agencies and individual federal managers to take
systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
Appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
control through management assurance statements.

                       Objectives, Scope, and Methodology

             IRS's Progress on Financial Management Recommendations

6GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001).

Status of Recommendations Based on the Fiscal Year 2005 Financial Statement
Audit

7GAO, Internal Revenue Service: Status of Recommendations from Financial
Audits and Related Financial Management Reports, GAO-05-393 (Washington,
D.C.: Apr. 29, 2005).

Relation of Open Recommendations to IRS's Control Environment

8GAO, Management Report: Improvements Needed in IRS's Internal Controls,
GAO-06-543R (Washington, D.C.: May 12, 2006).

9Short-term recommendations are defined as those that could be addressed
within 2 years at the time we made the recommendation. Long-term
recommendations are defined as those expected to require 2 years or more
to implement at the time we made the recommendation.

Table 1: Summary of Open Recommendations

Source: GAO analysis of financial management recommendations made to IRS.

As table 1 indicates, many of IRS's open recommendations are tied to
safeguarding and security issues. Specifically, 29 of the open
recommendations, or 40 percent, relate to issues associated with IRS's
lack of effective controls over safeguarding of assets and security
activities. Another 26 recommendations, or 36 percent, relate to issues
associated with IRS's inability to properly record and document
transactions. The remaining 17 recommendations, or 24 percent, relate to
issues associated with the lack of effective management review and
oversight.

                Open Recommendations Grouped by Control Activity

Linking the open recommendations from our financial audits and other
financial management-related work, and the issues that gave rise to them,
to the internal control activities identified in GAO's Standards for
Internal Control in the Federal Government provides insight regarding
their significance to IRS's ability to effectively achieve the objectives
associated with the control activities and, thus, to its overall mission
and goals.

On the following pages, we group the 72 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented in
GAO's Standards for Internal Control in the Federal Government and briefly
identify some of the key IRS operations that fall under that control
activity. Although not comprehensive, the descriptions are intended to
help explain why the control activity is important for IRS and thus why
implementing the recommendations would strengthen management and controls
that support those operations. For each recommendation, we also indicate
whether it is a short-term or long-term recommendation.

Safeguarding of Assets and Security Activities

Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of the
most important control activities at IRS is the safeguarding of assets.
Internal control should be designed to provide reasonable assurance
regarding prevention or prompt detection of unauthorized acquisition, use,
or disposition of an agency's assets. We have grouped together the four
control activities in GAO's Standards for Internal Control in the Federal
Government that relate to safeguarding of assets (including tax receipts)
and security activities (such as limiting access to only authorized
personnel): (1) physical control over vulnerable assets, (2) segregation
of duties, (3) controls over information processing, and (4) access
restrictions to and accountability for resources and records.

Physical Control over Vulnerable Assets

IRS is charged with collecting over $2 trillion in taxes each year, a
significant amount of which is collected in the form of checks and cash
accompanied by tax returns and related information. IRS collects taxes
both at its own facilities as well as at lockbox banks that operate under
contract with the Treasury Department's Financial Management Service (FMS)
to provide processing services for certain taxpayer receipts for IRS. IRS
acts as custodian for (1) the tax payments it receives until they are
deposited in the General Fund of the U.S. Treasury and (2) the tax returns
and related information it receives until they are either sent to the
Federal Records Center or destroyed. IRS is also charged with controlling
many other assets, such as computers and other equipment, but IRS's legal
responsibility to safeguard tax returns and the confidential information
taxpayers provide in tax returns makes the effectiveness of its internal
controls with respect to physical security essential.

IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at one of its offices. While adequate physical
safeguards over receipts should exist throughout the year, it is
especially important during the peak tax filing season. Each year during
the weeks preceding and shortly after April 15, an IRS service center
campus (SCC) may receive and process daily over 100,000 pieces of mail
containing returns, receipts, or both. The dollar value of receipts each
service center processes increases to hundreds of millions of dollars a
day during the April 15 time frame.

Of our 72 open recommendations, the following 13 open recommendations are
designed to improve IRS's physical controls over vulnerable assets. (See
table 2.)

Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets

Source: GAO analysis of financial management recommendations made to IRS.

Segregation of Duties

IRS employees are responsible for processing trillions of dollars of tax
receipts each year, of which hundreds of billions are received in the form
of cash or checks,10 and for processing hundreds of billions of dollars in
refunds to taxpayers. Consequently, it is critical that IRS maintain
appropriate separation of duties to allow for adequate oversight of staff
and protection of these vulnerable resources so that no single individual
would be in a position of both causing an error or irregularity and then
concealing it. For example, when an IRS field office or lockbox bank
receives taxpayer receipts and returns, it is responsible for depositing
the cash and checks in a depository institution and forwarding the related
information received to an SCC for further processing. In order to
adequately safeguard receipts from theft, the person responsible for
recording the information from the taxpayer receipts on a voucher should
be different from the individual who prepares those receipts for
transmittal to the SCC for further processing.

10The vast majority of federal tax payments are made for both businesses
and individuals via the Electronic Federal Tax Payment System (EFTPS).

The following three open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over both
tax receipts and refunds. (See table 3.)

Table 3: Recommendations to Improve IRS's Segregation of Duties

Source: GAO analysis of financial management recommendations made to IRS.

Controls over Information Processing

IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected networks of
computer systems to perform various functions, such as collecting and
storing taxpayer data, processing tax returns, calculating interest and
penalties, generating refunds, and providing customer service.

As part of our annual audits of IRS's financial statements, we assess the
effectiveness of IRS's information security controls11 over key financial
systems, data, and interconnected networks at IRS's critical data
processing facilities that support the processing, storage, and
transmission of sensitive financial and taxpayer data. From that effort,
we have identified over the years information security control weaknesses
that impair IRS's ability to ensure the confidentiality, integrity, and
availability of its sensitive financial and taxpayer data. As of March
2006, there were 45 open recommendations from our information security
work designed to improve IRS's information security controls.12
Recommendations resulting from our information security work are reported
separately and are not included in this report primarily because of the
sensitive nature of some of these issues.

However, the following six open recommendations are related to systems
limitations and IRS's need to review and resolve various exception reports
that its systems generate. (See table 4.) We included reviews of exception
reports in this control activity since they help ensure the integrity of
IRS's automated data.13

11Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access to
data is appropriately restricted, that only authorized changes to computer
programs are made, that physical access to sensitive computing resources
and facilities is protected, that computer security duties are segregated,
and that backup and recovery plans are adequate to ensure the continuity
of essential operations.

12GAO, Information Security: Continued Progress Needed to Strengthen
Controls at the Internal Revenue Service, GAO-06-328 (Washington, D.C.:
Mar. 23, 2006).

13Exception reports are one of the measures listed in GAO's Internal
Control Management Evaluation Tool ( GAO-01-1008G ) as an information
processing function.

Table 4: Recommendations to Improve IRS's Controls over Information
Processing

Source: GAO analysis of financial management recommendations made to IRS.

aALS stands for Automated Lien System.

Access Restrictions to and Accountability for Resources and Records

Because IRS deals with a large volume of cash and checks, it is imperative
that it maintain strong controls over who has access to those assets, the
records that track those assets, and sensitive taxpayer information.
Although IRS has a number of both physical and information system controls
in place, some of the issues we have identified in our financial audits
over the years pertain to ensuring that those with direct access to these
cash and checks are appropriately vetted before being granted access to
taxpayer receipts and information and to ensuring that IRS maintains
effective access security control.

The following seven open recommendations would help IRS improve its access
restrictions to assets and records. (See table 5.)

Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records

Source: GAO analysis of financial management recommendations made to IRS.

Proper Recording and Documenting of Transactions

One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers need
to assist in making day-to-day decisions. While progress is being made to
modernize its financial management capabilities, IRS nonetheless continues
to face many of the pervasive internal control weaknesses that we have
reported each year since we began auditing its financial statements in
fiscal year 1992, many of which are related to its long-standing systems
deficiencies.

However, IRS also has a number of internal control issues that relate to
recording transactions, documenting events, and tracking the processing of
taxpayer receipts or information, which do not depend upon improvements in
information systems.

We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate documentation
of transactions and internal controls, (2) accurate and timely recording
of transactions and events, and (3) proper execution of transactions and
events.

Appropriate Documentation of Transactions and Internal Control

IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract to
process taxpayer receipts for the federal government. Therefore, it is
important that IRS maintain appropriate assurance that all documents and
records are properly managed and maintained both at its facilities and at
the lockbox banks.

The following 11 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. (See table
6.)

Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control

Source: GAO analysis of financial management recommendations made to IRS.

Accurate and Timely Recording of Transactions and Events

IRS is responsible for maintaining taxpayer records for tens of millions
of taxpayers in addition to maintaining its own financial records. To
carry out this responsibility, IRS often has to rely on outdated computer
systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, which is a long-term effort and is
dependent on future funding.

The following 14 open recommendations would strengthen IRS's recordkeeping
abilities. (See table 7.) They include some specific recommendations
regarding requirements for new systems for maintaining taxpayer records.
Several of the recommendations listed affect financial reporting
processes, such as subsidiary records and appropriate allocation of costs.
Some of the issues that gave rise to certain of our recommendations
directly affect taxpayers, such as those involving duplicate assessments,
errors in calculating and reporting manual interest, and recovery of trust
fund penalty assessments. Half of these recommendations are almost over 5
years old and 1 is over 10 years old, reflecting the long-term nature of
the resolution of some of these issues.

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events

Source: GAO analysis of financial management recommendations made to IRS.

Proper Execution of Transactions and Events

IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak of
the tax filing season. Because of the tremendous number of personnel
involved, IRS must maintain effective control over which employees are
authorized to either view or change sensitive taxpayer data. IRS's ability
to establish access rights and permissions for information systems is a
critical control.

Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.14 IRS requires that
all manual refunds be approved by officials who are designated by
managers. However, weaknesses in the authorization of such approving
officials expose the federal government to losses because of the issuance
of improper refunds. The following open recommendation would improve IRS's
controls over its manual refund transactions. (See table 8.)

Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events

Source: GAO analysis of financial management recommendations made to IRS.

14Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers for
immediate payment due to hardship or emergency, those to beneficiaries of
deceased taxpayers, and those that need to be expedited because IRS is in
jeopardy of paying interest for exceeding the 45-day limit for processing
a return.

Effective Management Review and Oversight

All personnel within IRS have an important role in making internal
controls work, but the responsibility for good internal control rests with
IRS's managers. Management sets the objectives, puts the control
mechanisms and activities in place, and monitors and evaluates the
controls. Without effective monitoring by managers, internal control
activities may not be conducted on a consistent and timely basis.

We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of performance
measures and indicators, and (3) management of human capital. Although we
also include the control activity "top level reviews of actual
performance" in this grouping, we do not have any open recommendations to
IRS related to this internal control activity.

Reviews by Management at the Functional or Activity Level

IRS has over 80,000 full-time employees and hires over 10,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, IRS contracts with banks to process tens of thousands
of individual receipts, totaling hundreds of billions of dollars. At any
organization, management oversight of operations is important, but with an
organization as vast in scope as the IRS, management oversight is
imperative.

The following 12 open recommendations would improve IRS's management
oversight. (See table 9.) In general, these recommendations were made to
correct instances where an internal control activity either does not exist
or where an established control is not being adequately or consistently
applied. The majority of these recommendations emphasize improvements
needed to IRS's oversight of lockbox banks and contracted courier programs
in order to ensure appropriate physical control over vulnerable assets,
such as taxpayer receipts.

Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level

Source: GAO analysis of financial management recommendations made to IRS.

Establishment and Review of Performance Measures and Indicators

IRS's operations include a vast array of activities encompassing taxpayer
education, processing of taxpayer receipts and data, disbursing hundreds
of billions of dollars in refunds to millions of taxpayers, maintaining
extensive information on tens of millions of taxpayers, and seeking
collection from individuals and businesses that fail to comply with the
nation's tax laws. Within its compliance function, IRS has numerous
activities, including identifying businesses and individuals that
underreport income, collecting from taxpayers that do not pay, and
collecting from those receiving refunds for which they are not eligible.
Although IRS has at its peak over 90,000 employees, it still faces
resource constraints in attempting to fulfill its duties. Because of this,
it is vitally important for IRS to have sound performance measures to
assist it in assessing its performance and targeting its resources in a
manner that maximizes the government's return on investment.

However, in past audits we have reported that IRS did not capture cost at
the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a result,
IRS is unable to measure the costs and benefits of its various collection
and enforcement efforts to best target its available resources.
Additionally, we have reported that IRS's controls over its reporting of
interim performance measurement data were not effective throughout the
year because the data reported at interim periods for certain performance
measures were either not accurate or were outdated.

The following four open recommendations are designed to assist IRS in
evaluating its operations, determining which activities are the most
beneficial, and establishing a good system for oversight. (See table 10.)
These recommendations call for IRS to measure, track, and evaluate the
cost, benefits, or outcomes of its operations-particularly with regard to
identifying its most effective tax collection activities.

Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators

Source: GAO analysis of financial management recommendations made to IRS.

Management of Human Capital

IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens of
thousands of employees spread throughout the country, management's
responsibility to keep its guidance up-to-date and its staff properly
trained is imperative.

The following open recommendation would assist IRS in its management of
human capital in its financial operations. (See table 11.) The
recommendation is over 5 years old and may be resolved through IRS's
business systems modernization efforts.

Table 11: Recommendation to Improve IRS's Management of Human Capital

Source: GAO analysis of financial management recommendations made to IRS.

                            Concluding Observations

Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to operate more efficiently and
more effectively in its mission while protecting taxpayers and their
information.

Sound financial management and effective internal controls can assist IRS
in achieving its goals. IRS has made substantial progress in improving its
financial management since its first financial audit, as evidenced by
consecutive clean audit opinions on its financial statements for the past
6 years, resolution of several material internal control weaknesses, and
the closing of hundreds of financial management recommendations. This
progress has been the result of hard work and commitment at the top.
Nonetheless, more needs to be done to fully address the financial
management challenges the agency faces. Efforts must continue to address
the internal control deficiencies that continue to exist. Effective
implementation of the recommendations we have made and continue to make
through our financial audits and related work could greatly assist IRS in
improving its internal controls and achieving sound financial management.

                       Agency Comments and Our Evaluation

In commenting on a draft of this report, IRS expressed its appreciation
that we acknowledged the progress the agency has made in addressing its
financial management challenges, and noted that our mapping of its
remaining recommendations to specific internal control activities and
grouping them into three broad categories will facilitate its strategy to
address the remaining financial management issues. IRS also highlighted
its efforts to further improve its internal controls over hard-copy tax
receipts, noting that its plan to address these issues now includes
comprehensive actions to address our remaining recommendations covering
lockbox banks, submission processing campuses, taxpayer assistance
centers, and field offices. We will review the effectiveness of these
corrective actions and the status of IRS's progress in addressing all open
recommendations as part of our fiscal year 2006 IRS financial statement
audit.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental Affairs;
and Subcommittee on Taxation and IRS Oversight, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking Minority
Members of the House Committee on Appropriations; House Committee on Ways
and Means; Chairman and Vice Chairman of the Joint Committee on Taxation,
the Secretary of the Treasury, the Director of the Office of Management
and Budget, the Chairman of the IRS Oversight Board, and other interested
parties. Copies will be made available to others upon request. In
addition, the report will be available at no charge on GAO's Web site at
http://www.gao.gov .

If you have any questions concerning this report, please contact me at
(202) 512-3406 or [email protected] . Contact points for our Offices of
Congressional Relations and Public Affairs can be found on the last page
of this report. GAO staff who made major contributions to this report are
listed in appendix III.

Sincerely yours,

Steven J. Sebastian Director Financial Management and Assurance

Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports Appendix I: Status of GAO Recommendations from
IRS Financial Audits and Related Management Reports

Sources: IRS updates detailing IRS actions to address GAO's
recommendations and GAO's analysis of IRS's actions.

Appendix II: Comments from the Internal Revenue Service Appendix II:
Comments from the Internal Revenue Service

Appendix III: S Appendix III: Staff Acknowledgments

The following individuals made major contributions to this report: William
J. Cordrey, Charles Fox, Paul Foderaro, Nina Crocker, John Davis, Charles
Ego, David Elder, Ted Hu, Jerrod O'Nelio, John Sawyer, Peggy Smith, Lisa
Warde, Gary Wiggins, and Mark Yoder.

(196093)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt? GAO-06-560 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Steven J. Sebastian at (202) 512-3406 or
[email protected].

Highlights of GAO-06-560 , a report to the Commissioner of Internal
Revenue

June 2006

INTERNAL REVENUE SERVICE

Status of Recommendations from Financial Audits and Related Financial
Management Reports

In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility in annually collecting over $2
trillion in taxes, processing hundreds of millions of tax and information
returns, and enforcing the nation's tax laws. Since its first audit of
IRS's financial statements in fiscal year 1992, GAO has identified a
number of weaknesses in IRS's financial management operations. In related
reports, GAO has recommended corrective action to address those
weaknesses.

Each year, as part of the annual audit of IRS's financial statements, GAO
not only makes recommendations to address any new weaknesses identified
but also follows up on the status of weaknesses GAO identified in previous
years' audits. The purpose of this report is to (1) assist IRS management
in tracking the status of audit recommendations and actions needed to
fully address them and (2) demonstrate how the recommendations fit into
IRS's overall management and internal control structure.

IRS has made significant progress in improving its internal controls and
financial management since its first financial audit in 1992, as evidenced
by 6 consecutive years of clean audit opinions on its financial
statements, the resolution of several material internal control
weaknesses, and the closing of over 200 financial management
recommendations. This progress has been the result of hard work and
commitment at the top levels of the agency.

However, IRS still faces financial management challenges. At the beginning
of GAO's audit of IRS's fiscal year 2005 financial statements, 84
financial management-related recommendations from prior audits remained
open because IRS had not fully addressed the issues that gave rise to
them. During the fiscal year 2005 financial audit, IRS took actions that
enabled GAO to close 34 of those recommendations. At the same time, GAO
identified additional internal control deficiencies resulting in 22 new
recommendations. In total, 72 recommendations currently remain open.

To assist IRS in evaluating its internal controls and in making
improvements, GAO categorized the 72 open recommendations by various
internal control activities which, in turn, were grouped into three broad
control activity groupings.

Summary of Open Recommendations

Source: GAO analysis of financial management recommendations made to IRS.

The continued existence of internal control weaknesses that gave rise to
these recommendations represents a serious obstacle that IRS needs to
overcome. Effective implementation of GAO's recommendations can greatly
assist IRS in improving its internal controls and achieving sound
financial management. IRS stated that it is taking action to address the
recommendations included in the report. GAO will review the effectiveness
of these corrective actions and the status of IRS's progress as part of
the fiscal year 2006 audit.
*** End of document. ***