Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial
Statements (09-NOV-06, GAO-07-136).
Because of the significance of Internal Revenue Service (IRS)
collections to overall federal receipts and, in turn, to the
consolidated financial statements of the U.S. government, which
GAO is required to audit, and Congress's interest in financial
management at IRS, GAO audits IRS's financial statements annually
to determine whether (1) the financial statements are reliable
and (2) IRS management maintained effective internal controls.
GAO also tests IRS's compliance with selected provisions of
significant laws and regulations and its financial systems'
compliance with the Federal Financial Management Improvement Act
of 1996 (FFMIA).
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-136
ACCNO: A63246
TITLE: Financial Audit: IRS's Fiscal Years 2006 and 2005
Financial Statements
DATE: 11/09/2006
SUBJECT: Accountability
Auditing standards
Data integrity
Financial management
Financial management systems
Financial statement audits
Information security
Internal controls
Reporting requirements
Risk assessment
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-136
* [1]Report to the Secretary of the Treasury
* [2]November 2006
* [3]FINANCIAL AUDIT
* [4]IRS's Fiscal Years 2006 and 2005 Financial Statements
* [5]Contents
* [6]Opinion on IRS's Financial Statements
* [7]Opinion on Internal Controls
* [8]Compliance with Laws and Regulations and FFMIA Requirements
* [9]Consistency of Other Information
* [10]Objectives, Scope, and Methodology
* [11]Agency Comments and Our Evaluation
* [12]Management Discussion and Analysis
* [13]Financial Statements
* [14]Supplemental Information
* [15]Other Accompanying Information
* [16]Material Weaknesses, Reportable Condition, and Compliance Issues
* [17]Material Weaknesses
* [18]Financial Reporting
* [19]Unpaid Tax Assessments
* [20]Tax Revenue and Refunds
* [21]Information Security
* [22]Reportable Condition
* [23]Hard-Copy Tax Receipts and Taxpayer Information
* [24]Compliance Issues
* [25]Release of Federal Tax Liens
* [26]Financial Management Systems' Noncompliance With FFMIA
* [27]Details on Audit Methodology
* [28]Comments from the Internal Revenue Service
Report to the Secretary of the Treasury
November 2006
FINANCIAL AUDIT
IRS's Fiscal Years 2006 and 2005 Financial Statements
Contents
November 9, 2006Letter
The Honorable Henry M. Paulson, Jr. The Secretary of the Treasury
Dear Mr. Secretary:
The accompanying report presents the results of our audits of the
financial statements of the Internal Revenue Service (IRS) as of, and for
the fiscal years ending, September 30, 2006 and 2005. We performed our
audits in accordance with the Chief Financial Officers (CFO) Act of 1990,
as expanded by the Government Management Reform Act of 1994. This report
contains our (1) unqualified opinions on IRS's financial statements, (2)
opinion that IRS's internal controls were not effective as of September
30, 2006, and (3) conclusion that IRS was not in compliance with one
provision of the laws and regulations we tested and that IRS's financial
management systems were not in substantial compliance with the
requirements of the Federal Financial Management Improvement Act of 1996.
Our unqualified opinions on IRS's fiscal years 2006 and 2005 financial
statements were made possible in part by the continued extraordinary
efforts of IRS senior management and staff to compensate for serious
internal control and financial management systems deficiencies. IRS is
currently in the midst of a major business systems modernization effort
that is ultimately intended to resolve its most serious financial systems
challenges. However, it is unclear when this effort will be completed or
if it will be successful. In the interim, preparing reliable financial
statements will continue to be a difficult challenge for IRS, requiring
continued use of extraordinary compensating measures. To date, these
measures have proved successful: for the seventh consecutive year, IRS has
received an unqualified opinion on its financial statements and, for the
fifth consecutive year, the audit was completed and the report issued by
November 15.
IRS has made great strides over the last several years in addressing its
financial management challenges and has resolved or substantially
mitigated several material weaknesses and other reportable conditions in
its internal controls. For example, during fiscal year 2006, IRS improved
the accuracy and reliability of its property and equipment (P&E)
accounting records by making enhancements to accounting code definitions
that make it easier for users to select the proper accounting codes for
recording a transaction, improving coordination among units involved in
processing P&E activity, and streamlining its analysis of P&E transactions
most susceptible to misclassification. These improvements, combined with
progress we reported last year, enabled us to conclude that remaining
issues related to P&E no longer constitute a reportable condition.
During fiscal year 2006, IRS continued to expand its use of the
capabilities contained in the first phase, or release, of its Integrated
Financial System (IFS), which was implemented in fiscal year 2005. For
example, IRS has populated the system's cost module with 2 years of data
and made significant progress in defining how costs will be allocated to
various internal organizations, and it has successfully used IFS to
generate its statement of net cost for the first time. This release of IFS
provides for improved audit trails and more timely information for such
activities and transactions as travel, purchases of goods and services,
and budgetary activities.
However, IRS cannot fully address the financial management issues caused
by the limitations of its automated systems without successful
implementation of the additional capabilities that were originally planned
to be provided by future releases of IFS, such as procurement and workload
management. Because of ongoing technological advances and budgetary
constraints, IRS is no longer committed to implementing additional
releases of IFS, but rather is considering other options available to
provide these capabilities, including utilizing a private shared service
provider or a federal center of excellence.^1 However, IRS has not decided
what approach it will take or obtained approval for the necessary funding.
It is therefore unclear how or when IRS will resolve the remaining related
financial management systems limitations. In formulating its strategy for
dealing with these issues, IRS will also need to address how IFS will
ultimately be integrated with the systems that support financial
management of its tax administration functions as well as addressing the
limitations of those systems if it is to fully resolve many of its
long-standing financial management challenges.
To resolve these problems, IRS is depending on its ongoing systems
modernization effort, which is intended to address the full range of
problems caused by its outdated legacy information systems. In 1995, we
designated financial management and systems modernization at IRS as
high-risk areas.^2 We continue to consider these issues as high risk and
include them in our Business Systems Modernization high-risk area.^3
Among the most serious financial management issues still remaining to be
addressed is the continued material weakness in IRS's information
security. As IRS continues its efforts to modernize its financial and
operational systems, it is critical that IRS take actions to establish and
maintain more effective information security controls on a continuing
basis, through an ongoing cycle of risk management activities, to protect
the processing, storage, and transmission of financial and sensitive data.
Until IRS successfully manages its information security risks, management
will not have assurance over the integrity and reliability of the
information generated from the new financial management system, and IRS's
opportunities for further improvements in financial management will be
limited.
We commend IRS for the improvements it has continued to make in its
financial processes and operations. Nonetheless, IRS management and staff
will continue to be challenged to sustain the level of effort needed to
produce reliable financial statements until the agency is able to fully
address the underlying systems and internal control issues that have made
this process so time consuming and resource intensive. IRS continues to
lack accurate, useful, and timely financial information and sound controls
with which to make fully informed decisions and to ensure ongoing
accountability, which is a primary objective of the CFO Act. IRS has made
significant progress in addressing its serious control and systems
deficiencies and improving financial management during the past 10 years.
It is important that these financial management initiatives continue in
order to achieve comprehensive and lasting financial management reform.
The agency also continues to face a significant challenge in strengthening
its enforcement of the nation's tax laws, another challenge at IRS that we
have designated as high risk.^4 As we have previously reported, the
resources IRS has been able to dedicate to enforcing the tax laws have not
kept pace with the increases it has seen in its enforcement workload. At
the same time, IRS continues to face significant compliance-related
issues, including combating abusive tax shelters and tax schemes, on which
it is placing a high priority. Critical to IRS's efforts in improving
enforcement and, ultimately, taxpayer compliance, is the need to have
current information on the rate of compliance, both overall and by type of
taxpayer. IRS has completed a study of the rate of compliance with the
nation's tax laws by individuals and some small business taxpayers, and
has begun a study of S-corporations' compliance.^5 However, IRS has no
approved plans to repeat its study on individual taxpayers, or to conduct
research on other significant components of the tax gap.^6 As we have
noted before, it is critical that such efforts be continued as, without
current information on noncompliance, the challenge of targeting IRS
enforcement resources to areas where they would prove most effective is
problematic.
The accompanying report also discusses other significant issues that we
considered in performing our audit and in forming our conclusions, which
we believe should be brought to the attention of IRS management and users
of IRS's financial statements.
We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental Affairs;
Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance;
House Committee on Appropriations; House Committee on Ways and Means; and
House Committee on Government Reform. We are also sending copies of this
report to the Chairman and Vice Chairman of the Joint Committee on
Taxation, the Commissioner of Internal Revenue, the Director of the Office
of Management and Budget, the Chairman of the IRS Oversight Board, and
other interested parties. Copies will be made available to others upon
request. In addition, the report is available at no charge on GAO's Web
site at http://www.gao.gov .
This report was prepared under the direction of Steven J. Sebastian,
Director, Financial Management and Assurance, who can be reached at (202)
512-3406 or [email protected] . If I can be of further assistance,
please call me at (202) 512-5500. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report.
Sincerely yours,
David M. Walker Comptroller General of the United States
To the Commissioner of Internal Revenue Auditor's Report
In accordance with the Chief Financial Officers (CFO) Act of 1990, as
expanded by the Government Management Reform Act of 1994,^1 this report
presents the results of our audits of the financial statements of the
Internal Revenue Service (IRS) for fiscal years 2006 and 2005. The
financial statements report the assets, liabilities, net position, net
costs, changes in net position, budgetary resources, financing, and
custodial activity related to IRS's administration of its responsibilities
for implementing federal tax legislation. The financial statements do not
include an estimate of the amount of taxes that are owed the federal
government but have not been paid by taxpayers, often referred to as the
tax gap,^2 nor do they include information on tax expenditures.^3
In its role as the nation's tax collector, IRS has a demanding
responsibility in collecting taxes, processing tax returns, and enforcing
the nation's tax laws. IRS is a large and complex organization, adding
unique operational challenges for management. IRS employs tens of
thousands of people in 10 service center campuses, 3 computing centers,
and numerous other field offices throughout the United States. In fiscal
years 2006 and 2005, IRS collected about $2.5 trillion and $2.3 trillion,
respectively, in tax payments; processed hundreds of millions of tax and
information returns; and paid about $277 billion and $267 billion,
respectively, in refunds to taxpayers.
One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers need
to assist in making day-to-day decisions, which is a primary objective of
the CFO Act. While progress continues to be made to modernize its
financial management capabilities, IRS nonetheless confronted many of the
pervasive internal control weaknesses that we have reported each year
since we began auditing its financial statements in fiscal year 1992,^4
though it continued to make strides in addressing its financial management
challenges. In fiscal year 2006, for the seventh consecutive year, IRS was
able to produce financial statements covering its tax custodial and
administrative activities that are fairly stated in all material respects.
Moreover, for the fifth consecutive year, IRS was able to issue its final
audited financial statements only a month and a half after the end of the
fiscal year. However, until its systems are replaced, IRS will continue to
be challenged to sustain the level of effort needed to produce reliable
financial statements timely.
Throughout fiscal year 2006, IRS continued to make significant progress in
its efforts to address its weaknesses in controls over several areas,
including accountability over property and equipment (P&E), management and
reporting of unpaid assessments, reliability of financial reporting, and
security over hard-copy taxpayer receipts and data. For example, IRS
improved the accuracy and reliability of its P&E accounting records by (1)
enhancing the accounting code definitions in its new financial management
system to make it easier for users to select the proper accounting codes
for recording transactions, (2) improving coordination among units
involved in processing P&E activity, and (3) streamlining its analysis of
P&E transactions most susceptible to misclassification. These
improvements, combined with the progress reported in our prior year audit,
enabled us to conclude that remaining issues related to P&E no longer
constitute a reportable condition.^5
IRS also successfully implemented the first phase of the Custodial
Detailed Database (CDDB), which is intended to ultimately serve as a link
between IRS's master files^6 and its general ledger for tax administration
activities. The first phase contains programs to analyze and classify for
financial reporting purposes related taxpayer accounts associated with
unpaid payroll taxes.^7 Although IRS's use of CDDB in fiscal year 2006
improved its process for deriving estimates of its various unpaid
assessment categories, IRS continues to lack a subsidiary ledger for
unpaid assessments and must still use a labor-intensive manual
compensating process to estimate the year-end balances of those various
unpaid assessment categories for external reporting. Full operational
capability of CDDB is several years away and depends on the successful
implementation of future system releases. Additionally, CDDB continues to
rely on IRS's master files for the information it contains.
During fiscal year 2006, IRS continued to expand processing of the less
complex individual tax returns through its Customer Account Data Engine
(CADE), the system being implemented to replace IRS's master files. In its
fiscal year 2006 Management Discussion and Analysis, IRS reported that
during the fiscal year 2006 tax filing season,^8 CADE processed over 7.3
million individual returns and over $3.4 billion in refunds. This
represents an increase of nearly 6 million returns and $3 billion in
refunds processed by CADE compared to the same period last year. However,
IRS's detailed plans for completion of the CADE project only extend
through release 7, which is intended to replace the master file for
individual tax returns.^9 However, these plans do not include plans or
schedules for additional CADE release(s) to replace the master file for
business tax returns, and it is unclear when CADE will be fully
implemented.
IRS also improved its financial reporting capabilities in fiscal year 2006
through expanded use of the capabilities of the Integrated Financial
System (IFS), the first release of which was implemented in fiscal year
2005. IFS was originally intended to resolve many of the issues discussed
in this report and replace the outdated financial management system IRS
used previously to process and report administrative transactions, such as
procurement and utilization of budgetary resources. During fiscal year
2006, IRS improved its financial reporting capabilities by populating the
cost accounting module of IFS with another year of cost data, and by
establishing a new cost allocation methodology to take advantage of the
system's cost allocation capacity and defining how those costs will be
allocated to various IRS units. However, opportunities for further
improvement in IRS's financial reporting in the near term will be limited
as IRS is not committed to future releases of IFS and is currently
reevaluating its approach to achieving the objectives originally
envisioned through implementation of these additional releases. IRS has
not decided what approach it will take or obtained approval for the
related funding necessary to bring it to fruition. In addition, IRS has
not addressed how IFS will ultimately be integrated with those systems
that support financial management of IRS's tax administration functions,
including its collection of tax revenue receipts; disbursement of tax
refunds; and identification, management, and collection of outstanding
federal taxes. It is therefore unclear how or when IRS will resolve its
remaining related financial management systems limitations.
While notable improvements were made throughout fiscal year 2006, control
deficiencies over financial reporting, management of unpaid assessments,
and collection of revenue and issuance of tax refunds continued to
represent material weaknesses.^10 These weaknesses are caused primarily by
IRS's continued reliance on outdated automated systems to provide the
financial information that management needs to make decisions, and similar
weaknesses and problems will continue to exist until its systems are
replaced. In addition, we continue to consider issues related to
information security to be a material weakness. The persistent, serious
deficiencies in information security increase the risk that confidential
IRS and taxpayer information will be compromised and have serious
implications related to the reliability of financial management
information produced by IRS's systems. Additionally, while we continued to
note significant improvement, we still consider control deficiencies in
physical security over taxpayer receipts and data to be a reportable
condition requiring further attention by IRS management.
Opinion on IRS's Financial Statements
IRS's financial statements, including the accompanying notes, present
fairly, in all material respects, in conformity with U.S. generally
accepted accounting principles, IRS's assets, liabilities, net position,
net costs, changes in net position, budgetary resources, financing, and
custodial activity as of, and for the fiscal years ended, September 30,
2006, and September 30, 2005.
However, misstatements may nevertheless occur in other financial
information reported by IRS as a result of the internal control weaknesses
described in this report.
IRS's financial statements include tax revenues collected during the
fiscal year as well as the total unpaid taxes for which IRS and the
taxpayers or courts agree on the amounts owed. Cumulative unpaid tax
assessments for which there is no future collection potential or for which
there is no agreement on the amounts owed are not reported in the
financial statements. Rather, they are reported as write-offs and
compliance assessments, respectively, in supplemental information to IRS's
financial statements. Also, in conformity with U.S. generally accepted
accounting principles, to the extent that taxes owed in accordance with
the nation's tax laws are not reported by taxpayers and are not identified
through IRS's various enforcement programs, they are not reported in the
financial statements nor in supplemental information to the financial
statements. Additionally, in conformity with U.S. generally accepted
accounting principles, tax expenditures, which represent the amount of
revenue the government forgoes resulting from federal tax provisions that
grant special tax relief for certain kinds of behavior by taxpayers or for
taxpayers in special circumstances, are not reported in the financial
statements.
Opinion on Internal Controls
Because of the material weaknesses in internal controls discussed below,
IRS did not maintain effective internal controls over financial reporting
(including safeguarding of assets) or compliance with laws and
regulations, and thus did not provide reasonable assurance that losses,
misstatements, and noncompliance with laws material in relation to the
financial statements would be prevented or detected on a timely basis. Our
opinion is based on criteria established under 31 U.S.C. S 3512 (c), (d),
commonly referred to as the Federal Managers' Financial Integrity Act of
1982 (FIA), and Office of Management and Budget (OMB) Circular No. A-123,
Management's Responsibility for Internal Control.
Despite its material weaknesses in internal controls and its systems
deficiencies, IRS was able to prepare financial statements that were
fairly stated in all material respects for fiscal years 2006 and 2005.
Nonetheless, IRS continues to face the following key issues that represent
material weaknesses in internal controls:
oweaknesses in controls over the financial reporting process, resulting in
IRS not (1) being able to prepare reliable financial statements without
extensive compensating procedures and (2) having current and reliable
ongoing information to support management decision making and to prepare
cost-based performance measures;
oweaknesses in controls over unpaid tax assessments, resulting in IRS's
inability to properly manage unpaid assessments and leading to increased
taxpayer burden;
oweaknesses in controls over the identification and collection of tax
revenues due the federal government and over the issuance of tax refunds,
resulting in lost revenue to the federal government and potentially
billions of dollars in improper payments; and
oweaknesses in information security controls, resulting in increased risk
of unauthorized individuals being allowed to access, alter, or abuse
proprietary IRS programs and electronic data and taxpayer information.
The material weaknesses in internal controls noted above may adversely
affect any decision by IRS's management that is based, in whole or in
part, on information that is inaccurate because of these weaknesses. In
addition, unaudited financial information reported by IRS, including
performance information, may also contain misstatements resulting from
these weaknesses.
In addition to the material weaknesses discussed above, we identified one
reportable condition, which, although not a material weakness, represents
a significant deficiency in the design or operation of internal controls
that could adversely affect IRS's ability to meet the internal control
objectives described in this report. This condition involves deficiencies
in controls over hard-copy tax receipts and taxpayer data, which increase
the government's and taxpayers' risk of loss or inappropriate disclosure
of taxpayer data.
We have reported on these material weaknesses and the reportable condition
in prior audits and have provided IRS recommendations to address these
issues. Seventy-two of these recommendations were still open as of the
date of this report.^11 IRS continues to make strides in resolving these
matters. We will follow up in future audits to monitor IRS's progress in
implementing these recommendations. For more details on these issues, see
appendix I.
As part of our fiscal year 2006 financial audit, we evaluated IRS's
implementation of OMB's revised Circular No. A-123, Management's
Responsibility for Internal Control, which became effective on October 1,
2005. Circular No. A-123 provides updated internal control standards and
new requirements for the 24 major executive branch departments and
agencies to follow in conducting management's assessment of the
effectiveness of internal control over financial reporting. Based on this
assessment, agency management is required to prepare an assurance
statement on the effectiveness of internal controls over financial
reporting to be included in the agency's performance and accountability
report (PAR). These requirements are applicable to the 24 CFO Act
agencies, including the Department of the Treasury (Treasury), of which
IRS is a significant component. The objective of our review was to
determine whether IRS appropriately planned and implemented the
requirements of OMB Circular No. A-123, and to verify that IRS performed
sufficient work to support its related assurance statement to Treasury,
upon which Treasury would rely as a basis for its own assurance statement
to be included in its fiscal year 2006 PAR. We found that IRS's assurance
statement was adequately supported by the underlying work and
appropriately reflected the state of its internal controls. However, we
did identify opportunities for improvement in the execution and
documentation of this work that we communicated to IRS during the course
of the audit and that we will be reporting on separately.
Compliance with Laws and Regulations and FFMIA Requirements
Our tests of compliance with selected provisions of laws and regulations
disclosed one area of noncompliance that is reportable under U.S.
generally accepted government auditing standards and OMB guidance. This
area relates to IRS not timely releasing federal tax liens against
taxpayers' property.^12 Except as noted above, our tests for compliance
with laws and regulations disclosed no other instances of noncompliance
that would be reportable under U.S. generally accepted government auditing
standards or OMB audit guidance. However, the objective of our audit was
not to provide an opinion on overall compliance with laws and regulations.
Accordingly, we do not express such an opinion.
We also found that IRS's financial management systems did not
substantially comply with the requirements of the Federal Financial
Management Improvement Act of 1996 (FFMIA).^13
For more details on these issues, see appendix I.
Consistency of Other Information
IRS's Management Discussion and Analysis and required supplemental and
other accompanying information contain a wide range of data, some of which
are not directly related to the financial statements. We did not audit and
do not express an opinion on this information. However, we compared this
information for consistency with the financial statements and discussed
the methods of measurement and presentation with IRS officials. Based on
this limited work, we found no material inconsistencies with the financial
statements or nonconformance with OMB guidance. Under OMB guidance for the
financial statements of federal agencies, agencies are asked to strive to
develop and report objective measures that to the extent possible, provide
information about the cost-effectiveness of their programs. We found,
however, that because of the noted internal control and systems
limitations, IRS cannot report reliable cost-based performance measures
relating to its various programs consistent with the Government
Performance and Results Act of 1993.^14
Objectives, Scope, and Methodology
Management is responsible for (1) preparing the annual financial
statements in conformity with U.S. generally accepted accounting
principles; (2) establishing, maintaining, and assessing internal control
to provide reasonable assurance that the broad control objectives of 31
U.S.C. S 3512 (c), (d) (FIA) are met; (3) ensuring that IRS's financial
management systems substantially comply with the requirements of FFMIA;
and (4) complying with applicable laws and regulations.
We are responsible for obtaining reasonable assurance about whether (1)
the financial statements are presented fairly, in all material respects,
in conformity with U.S. generally accepted accounting principles and (2)
management maintained effective internal controls, the objectives of which
are the following:
oFinancial reporting--transactions are properly recorded, processed, and
summarized to permit the preparation of financial statements in conformity
with U.S. generally accepted accounting principles and assets are
safeguarded against loss from unauthorized acquisition, use, and
disposition.
oCompliance with laws and regulations--transactions are executed in
accordance with laws governing the use of budget authority and with other
laws and regulations that could have a direct and material effect on the
financial statements and any other laws, regulations, and governmentwide
policies identified by OMB audit guidance.
We are also responsible for (1) testing whether IRS's financial management
systems substantially comply with the three FFMIA requirements, (2)
testing compliance with selected provisions of laws and regulations that
have a direct and material effect on the financial statements and laws for
which OMB audit guidance requires testing, and (3) performing limited
procedures with respect to certain other information appearing in these
annual financial statements. For more details on our methodology and the
laws and regulations we tested, see appendix II.
We did not evaluate all internal controls relevant to operating objectives
as broadly defined by FIA, such as controls relevant to preparing
statistical reports and ensuring efficient operations. We limited our
internal control testing to testing controls over financial reporting and
compliance with laws and regulations. We did not test compliance with all
laws and regulations applicable to IRS. We limited our tests of compliance
to those laws and regulations that had a direct and material effect on the
financial statements or that were required to be tested by OMB audit
guidance that we deemed applicable to IRS's financial statements for the
fiscal years ended September 30, 2006 and 2005. We caution that
noncompliance may occur and not be detected by these tests and that such
testing may not be sufficient for other purposes. We performed our work in
accordance with U.S. generally accepted government auditing standards and
OMB audit guidance.
Agency Comments and Our Evaluation
In responding to this report, IRS agreed that the report fairly presents
its financial management progress and remaining management and systems
challenges. IRS noted its significant accomplishments in addressing
financial management issues while also successfully implementing Appendix
A of the revised OMB Circular No. A-123, Management's Responsibility for
Internal Control. IRS affirmed its dedication to continuing to improve its
financial management, and noted significant achievements including: (1)
improvements in accountability over property and equipment that enabled us
to eliminate it as a reportable condition through implementation of a
first level procurement review, revision of material group codes, and
implementation of a materiality threshold for capital asset review, (2)
significant reductions in the numbers of matters for further consideration
related to both safeguarding of taxpayer receipts and controls over
administrative accounts, (3) acceleration of the quarterly excise tax
certifications to the Department of the Treasury by 2 months, and (4)
improvements to its cost allocation methodology and use of Integrated
Financial System to generate its statement of net cost for fiscal year
2006.
IRS also agreed with our findings concerning information security, and
indicated that it is improving protection of sensitive information by
expanding the use of encryption, increasing employee education and
awareness, and improving IRS information security policies and procedures
to ensure protection of taxpayer, employee, and IRS sensitive information.
IRS also noted that it has established a Security Services and Privacy
Executive Steering Committee to coordinate information security
improvements and to leverage subject matter experts from the areas of
information technology security, physical security, and privacy and
identify theft. In addition, IRS recognized that while challenges remain,
it has established its ability to consistently produce reliable financial
statements, and believes it has a solid management team in place to
continue to improve financial management.
The complete text of IRS's response is included in appendix III.
David M. Walker
Comptroller General of the United States
October 31, 2006
Management Discussion and Analysis
Financial Statements
Supplemental Information
Other Accompanying Information
Appendix I
Material Weaknesses, Reportable Condition, and Compliance Issues
Material Weaknesses
During our audits of the Internal Revenue Service's (IRS) fiscal years
2006 and 2005 financial statements, we continued to identify four material
weaknesses in internal controls. These material weaknesses have given rise
to significant management challenges that have (1) impaired management's
ability to prepare financial statements and other financial information
without extensive compensating procedures, (2) limited the availability of
reliable information to assist management in effectively managing
operations on an ongoing basis, (3) reduced IRS's effectiveness in
enforcing the Internal Revenue Code, (4) resulted in errors in taxpayer
accounts, (5) increased taxpayer burden, and (6) reduced assurance that
data processed by IRS's information systems are reliable and appropriately
protected. The issues that we have identified and discuss in this report
relate to IRS's controls over (1) financial reporting, (2) unpaid
assessments, (3) federal tax revenue and refunds, and (4) information
security. We reported on each of these issues last year^1 and in prior
audits. We highlight these issues in the following sections. Less
significant matters involving IRS's system of internal controls and its
operations will be reported to IRS separately.
Financial Reporting
In fiscal year 2006, as in prior years, IRS did not have financial
management systems adequate to enable it to accurately and timely generate
and report the information needed to both prepare financial statements and
manage operations on an ongoing basis. To overcome these systemic
deficiencies with respect to preparation of its annual financial
statements, IRS was compelled to employ extensive compensating procedures
that were costly and labor intensive. During fiscal year 2006, IRS (1) did
not have an adequate general ledger system for financial reporting
purposes, (2) could not reliably report the specific amount of revenue
collected for each of several of the federal government's largest revenue
sources, and (3) was unable to readily determine the costs of its
activities and programs and did not have cost-based performance
information to assist in making or justifying resource allocation
decisions. Although labor-intensive compensating procedures yielded
financial statements that were fairly stated as of September 30, 2006 and
2005, they do not afford real-time data needed to assist in managing
operations on a day-to-day basis and to assist in making or justifying
resource allocation decisions.
As we noted in last year's report,^2 during fiscal year 2006, IRS's
general ledger system was not supported by adequate audit trails or
integrated with its supporting records for material balances, including
federal tax revenue, federal tax refunds, taxes receivable, and property
and equipment (P&E). Because of these deficiencies, IRS's general ledger
system does not conform to the U.S. Government Standard General Ledger
(SGL) at the transaction level as required by the Core Financial System
Requirements of the Joint Financial Management Improvement Program
(JFMIP)^3 or the requirements of the Federal Financial Management
Improvement Act of 1996 (FFMIA). Further, IRS's use of two separate,
nonintegrated general ledgers, one to account for its tax administration
activities and another to capture the costs of conducting those
activities, greatly complicates efforts to measure the cost of IRS's tax
administration efforts.
In November 2004, IRS implemented the first release of the Integrated
Financial System (IFS), which now serves as IRS's core administrative
financial management system. The major components of this first release of
IFS are accounts payable, accounts receivable, budget formulation, budget
execution, general ledger, financial reporting, and cost accounting.
Additional key components were originally planned to be implemented with
future releases of IFS, such as property management, procurement, and a
workload management system. However, technological improvements and
budgetary constraints have led IRS to reconsider its commitment to future
releases of IFS while it reviews other available options, such as
acquiring alternate software or utilizing the services of a shared service
provider. IRS has not yet decided which course of action to take or
obtained necessary funding. It is therefore unclear how or when IRS will
attain the functionality originally planned for future releases of IFS. In
addition, to account for and report on over $2 trillion in annual
tax-related transactions, IRS continues to rely on legacy financial
management systems that do not interface with IFS.
In previous years, IRS had difficulty determining the specific amount of
revenue it actually collected for three of the federal government's four
largest revenue sources--Social Security, hospital insurance, and
individual income taxes. During fiscal year 2006, IRS performed an
analysis to estimate the amounts collected for Social Security and
hospital insurance. However, IRS is not yet confident of the reliability
of these amounts, and consequently reported them in its unaudited
supplemental information rather than the audited financial statements. In
addition, IRS continued to be unable to determine, at the time payments
are received, collections for other trust funds that receive excise tax
receipts, such as the Highway Trust Fund. This is primarily because the
accounting information needed to validate the taxpayer's liability and
record the payment to the proper trust fund is provided on the tax return,
which is received months after the payment is submitted. Further, the
information on the tax return pertains only to the amount of the tax
liability, not how to distribute the amount previously collected among the
appropriate trust funds. IRS does not require taxpayers to submit
information identifying the type of tax at the time of payment because it
has taken the position that imposing such a requirement would create an
additional burden to those particular taxpayers. In addition, IRS's
systems cannot at present routinely capture and report the information it
does receive. IRS is working on systems improvements to accommodate this
type of information. However, IRS will continue to be unable to timely
report the specific amount of revenue it actually collects for these large
revenue sources until it has the systems capability to record, and
requires taxpayers to provide, this information. This condition also
results in the federal government depending on a complex, multistep
process to distribute excise taxes to the recipient trust funds that
continues to be susceptible to error.
IRS's inability to timely report specific amounts of excise tax revenue to
recipient trust funds is significant for these funds and their
administrators. Since fiscal year 2004, when all federal agencies were
required to begin meeting the Office of Management and Budget's (OMB)
stipulated reporting date of November 15, the annual excise tax receipts
reported by recipient trust funds include 6 months of estimated receipts.
The trust funds must report 6 months of estimated receipts because, under
its existing processes, IRS takes 5- 1/2 months to complete its
certification of excise tax receipts and, therefore, does not complete the
certifications for the third and fourth quarters of the fiscal year until
after November 15. To the extent that these estimates differ from the
certified amounts, inaccurate distributions to the trust funds could
result and, in the case of the Highway Trust Fund, allocations of revenues
to states could be done incorrectly.^4 In July 2003, we made
recommendations to IRS for accelerating its certification process. In
response to our recommendations, IRS has performed precertifications for
the past 3 years to determine the extent to which an acceleration of the
process would affect the amounts distributed to the trust funds. Based on
IRS's analysis of the precertifications, which has indicated no
significant variances between precertified and actual certified amounts
for each quarter for the past 3 years, the Department of the Treasury
(Treasury) Excise Tax Working Group^5 has decided to accelerate the actual
certification to the precertification timeline, which will accelerate the
certification by approximately 2 months. The accelerated certification
will begin with the second quarter (September 30, 2006, liability quarter)
that is certified in fiscal year 2007. As a result of the acceleration,
beginning with the fiscal year 2007 reporting year, the annual excise tax
receipts reported by recipient trust funds will include only 3 months of
estimated receipts.
During fiscal year 2005, we reported that IRS implemented a cost
accounting module as part of the first release of IFS but that it required
improvements or additional components, such as a workload management
system, before its full potential would be realized. During fiscal year
2006, IRS further improved its cost accounting capabilities by developing
and implementing a methodology for allocating its costs of operations to
its business units. This methodology utilizes the new cost accounting
module of IFS and allows IRS to accumulate the full costs of operating
each business unit and facilitates financial reporting. For example, in
fiscal year 2006 IRS was able, for the first time, to generate its
statement of net cost directly from IFS. While these are positive steps,
IRS has not yet determined what the full range of its cost information
needs are or how best to utilize the cost module's existing capabilities
to satisfy those needs. IRS has also not yet implemented a related
workload management system intended to improve IRS's ability to
effectively manage its large workforce and to provide the cost module with
detailed labor cost information at the activity or program level. Without
this detail, IRS is unable to either readily determine the costs of
activities and programs that involve activities in multiple business
units, such as the Automated Underreporter Program, or segregate the costs
for each activity in cases where multiple activities, such as the
processing of different types of tax returns, are performed by a single
business unit. Consequently, at this time, IRS cannot rely on the system
as a significant planning and decision-making tool. It will likely require
several years and implementation of additional components, such as a
workload management system, as well as integration with its tax
administration activities, before the full potential of IRS's cost
accounting module will be realized. In the interim, IRS decision making
for attaining efficiencies and enhancing effectiveness will continue to be
hampered by a lack of meaningful underlying cost information.
Despite progress made during fiscal year 2006, the continued existence of
these financial reporting weaknesses once again compelled IRS to expend
more time and effort to maintain its accounting records and generate
financial management information than would otherwise have been necessary.
Further, despite these monumental efforts, IRS continued to lack reliable
and timely financial information to assist in managing operations
throughout fiscal year 2006. Addressing the financial reporting
deficiencies discussed above would enhance this process by providing
management the reliable and timely information that it needs to support
informed decision making without having to resort to costly and
time-consuming procedures to compensate for information system
deficiencies.
Unpaid Tax Assessments
During fiscal year 2006, we continued to find serious internal control
issues that affected IRS's management of unpaid assessments. Specifically,
we continued to find that (1) IRS lacked a subsidiary ledger for unpaid
assessments that would allow it to produce accurate, useful, and timely
information with which to manage and report externally and (2) errors and
delays in recording taxpayer information, payments, and other activities.
These conditions continued to hinder IRS's ability to effectively manage
its unpaid assessments.^6
IRS's management of unpaid assessments is hindered by a lack of effective
supporting systems. IRS continues to lack a detailed listing, or
subsidiary ledger, that tracks and accumulates unpaid assessments and
their status on an ongoing basis. In fiscal year 2006, IRS began a
phased-in implementation of its Custodial Detailed Database (CDDB). One of
the key objectives of CDDB is to ultimately serve as a subsidiary ledger
for IRS's tax administration activities, including tax revenue receipts,
refund disbursements, and unpaid tax debt, by linking account information
in IRS's master files^7 with its general ledger for tax administration
activities. The first phase of CDDB primarily consisted of implementing
computer programs that analyze and classify related taxpayer accounts from
IRS's master file that are associated with unpaid payroll taxes. Although
IRS successfully implemented the first phase of CDDB during fiscal year
2006, full operational capability of CDDB is still several years away and
depends on the successful implementation of future system releases planned
through 2009. As a result, IRS continues to rely on a costly,
labor-intensive manual compensating process for external reporting.
Specifically, to report balances for taxes receivable and other unpaid
assessments in its financial statements and supplemental information, IRS
must continue to apply statistical sampling and estimation techniques to
data in its master files to estimate the balances at year-end. While the
first release of CDDB refined this process by analyzing and classifying
taxpayer accounts from IRS's master files that are associated with unpaid
payroll taxes, the process continued to take several months to complete;
required adjustments totaling billions of dollars; and produced amounts
that after adjustments, were only reliable as of the last day of the
fiscal year. Consequently, the lack of a subsidiary ledger inhibits IRS's
ability to timely develop reliable financial and management reports useful
for ongoing management decisions.
IRS's management of unpaid assessments also continued to be hindered by
inaccurate tax records. We continued to find errors and omissions in
taxpayer records resulting from IRS's failure to accurately and timely
record information. Errors in IRS records can cause frustration to
taxpayers who either do not owe the debt or owe significantly lower
amounts.
For example, during our audit we found that IRS erroneously recorded a
taxpayer's reported tax of $1,694 as $169 million in its systems, and sent
the taxpayer two erroneous notifications to pay this amount due plus
penalties and interest of nearly $200 million. Upon receipt of these
notices, the taxpayer obtained the services of a certified public
accountant to resolve the matter with IRS; IRS ultimately corrected the
error after several months. In another example, IRS incorrectly recorded a
taxpayer's amended payroll tax return for one tax period in a different
tax period.^8 This resulted in IRS erroneously assessing the taxpayer over
$4 million in taxes that were not owed. IRS ultimately corrected the error
several months later, after erroneously notifying the taxpayer and
requiring the taxpayer to provide additional information.
We also identified some taxpayers that were assessed excess penalties
because of an error in IRS's computer program that calculates and records
penalty assessments. IRS increases the penalty rate assessed against
taxpayers for failing to pay taxes owed from one-half of 1 percent to 1
percent when the taxpayer fails to pay the tax debt following repeated
notification of the taxes due. If the taxpayer then fully pays the amount
owed, IRS is required to reset the penalty rate back to one-half of 1
percent if it assesses additional taxes against the taxpayer at a later
time. However, IRS's penalty calculation program did not recognize
instances where this situation occurred and continued to assess penalties
at the higher penalty rate on subsequent tax assessments. IRS determined
that this error affected over 62,000 taxpayers with over 69,000 accounts,
but IRS had not corrected these accounts as of September 30, 2006.^9
On the other hand, some input errors and posting delays can cost the
government money. For example, IRS found a corporate officer liable for
not remitting federal tax withholdings from employees' salaries to IRS.
When recording the assessment on the officer's master file account for one
tax period, IRS erroneously recorded a second assessment for the same
amount. IRS attempted to correct the mistake by reversing the duplicate
transaction several weeks later. However, IRS erroneously reversed both
the original and duplicate assessments. Consequently, there was no longer
any assessment on the officer's master file account for this tax period.
IRS did not identify its error until our current audit, and the statutory
period for assessing new taxes on this specific tax period had expired.^10
As of September 30, 2006, IRS had not determined whether it could still
legally pursue payment of these taxes from this officer.
As in prior years,^11 we continued to find errors involving IRS's failure
to properly record payments to all related taxpayer accounts associated
with unpaid payroll taxes.^12 IRS's current systems continued to be unable
to automatically link each of the multiple assessments made for the one
tax liability. Consequently, if the business or any officer of that
business paid some or all of the outstanding taxes, IRS's systems were
unable to automatically reflect the payment as a reduction in the amounts
owed on any related accounts. Over the past several years, IRS has taken
several steps to compensate for the lack of an automated link between
related accounts. For example, IRS manually inputs a code in each account
that cross-references it to other related accounts. In addition, since
August 2001, IRS has established procedures to more clearly link each
penalty assessment against an officer to a specific tax period of the
business account. In July 2003, IRS also began phasing in the use of an
automated trust fund recovery penalty system that is intended to properly
cross-reference payments received and thus eliminate the opportunity for
errors that plague the current manual process.
Although IRS is making improvements in its processes for recording trust
fund recovery penalties, our work in fiscal year 2006, as in prior years,
continued to find deficiencies in this process, leading to errors in
taxpayers' accounts. In our testing of 80 statistically selected payments
recorded on trust fund recovery penalty accounts established since August
2001, we found 9 instances in which IRS did not properly record payments
received on all related taxpayer accounts. Of these 9 payments, 4 were not
properly recorded in all related accounts even though the accounts
contained the required cross-referencing at the time that the payments
were made. Based on our testing, we estimate that 11.3 percent of trust
fund recovery payment transactions posted to accounts established since
August 2001 and still outstanding during fiscal year 2006 could contain
inaccuracies.^13
Although IRS has implemented a number of compensating procedures, the
ultimate solution to many of the issues related to IRS's management of
unpaid assessments, such as the lack of a subsidiary ledger and the lack
of an automated link between related accounts, continues to be the
successful modernization of IRS's systems.
Tax Revenue and Refunds
During fiscal year 2006, we continued to find that IRS's controls were not
fully effective in maximizing the federal government's ability to collect
what is owed and in minimizing the risk of payment of improper refunds.
IRS recognized this in its fiscal year 2006 Federal Managers' Financial
Integrity Act of 1982 (FIA) assurance statement to Treasury, in which it
reported material weaknesses in earned income tax credit (EITC)
noncompliance and financial accounting of revenue. IRS's taxpayer
compliance programs identify billions of dollars of potentially
underreported taxes and erroneous EITC claims each year. However, largely
because of perceived resource constraints, IRS selects only a portion of
the questionable cases it identifies for follow-up investigation and
action. In addition, IRS often does not initiate follow-up on the cases it
selects until months after the related tax returns have been filed and any
related refunds disbursed, adversely affecting its chances of collecting
amounts due on these cases. Consequently, the federal government is
exposed to potentially significant losses from reduced revenue and
disbursements of improper refunds.
The options available to IRS in its efforts to identify and pursue the
correct amount of taxes owed and to ensure that only valid refunds are
disbursed continue to be limited. For example, third-party information,
such as the data provided on IRS 1099 forms,^14 that can corroborate the
amount of income reported by taxpayers is not required to be filed until
after the start of the tax filing season.^15 Consequently, comparison of
such information with tax return data is problematic because IRS does not
have time to prepare the third-party data for matching prior to the
receipt of individual tax returns. Additionally, while it processes
hundreds of millions of tax returns each filing season, IRS must issue
refunds within statutory time constraints or be subject to interest
charges.^16
As we previously reported, IRS has some preventive controls that help to
reduce the magnitude of underreported taxes owed and improper refunds
issued. For example, IRS's Examination Branch is responsible for
performing examinations on tax returns with potentially erroneous EITC
claims to determine the validity of the claims.^17 When performed before
refunds are disbursed, these examinations are an important control to
prevent disbursement of improper refunds. However, in some cases these
examinations are performed after any related refunds are disbursed, which
negates their effectiveness as a preventive control and instead serves
only as a basis for pursuing recovery after the fact. Another preventive
control that IRS has relied on in the past is the Electronic Fraud
Detection System (EFDS), which is IRS's primary source for identification
of leads on fraudulently filed tax returns. With EFDS fully operational,
IRS stopped over $412 million in improper refunds during processing
year^18 2005. However, during processing year 2006, IRS took the original
EFDS off-line to install a new Web-based version, but encountered problems
with the Web version and stopped all related system development activities
before it became operational. As a result, IRS did not have the services
of EFDS to prevent fraudulent refunds during processing year 2006. The
actual amount of improper refunds disbursed during fiscal year 2006 as a
result of EFDS being off-line is unknown. However, the Treasury Inspector
General for Tax Administration estimated that as much as $318 million in
improper refunds may have been disbursed during processing year 2006 while
EFDS was off-line.^19
In its guidance to heads of federal agencies issued in accordance with the
Improper Payments Information Act of 2002 (IPIA),^20 OMB identified the
EITC as a program subject to IPIA and required that Treasury accordingly
report estimates of EITC-related improper payments to the President and
Congress. EITC claims totaled approximately $41 billion in fiscal year
2006, of which approximately $36 billion was refunded to taxpayers and
approximately $5 billion was used to reduce assessed taxes. IRS used the
preliminary results of the National Research Program study of tax year
2001 data to estimate the level of compliance of individual filers for
fiscal year 2006. Based primarily on the results of the study, IRS
estimated that from 23 percent to 28 percent of the value of EITC payments
disbursed during fiscal year 2006 were improper. This error rate indicates
that of the approximately $36 billion of EITC-related refunds disbursed
during fiscal year 2006, at least $8 billion, and potentially as much as
$10 billion, was likely to have been improper.
Because of time and other constraints noted above, IRS relies extensively
on detective controls, such as automated matching of tax returns with
third-party data such as W-2s (wage and tax statements), to identify for
collection underreported taxes and improper refunds. However, these
programs are not run until months after the returns have been filed;
consequently, they do not prevent improper refunds from being disbursed.
IRS's matching program for individual tax returns identifies billions of
dollars of potentially underreported taxes each year. IRS follows up on a
portion of these cases identified to determine how much tax is actually
due and to pursue collection of those amounts. Because the volume of cases
IRS can follow up on depends on resource availability, IRS conducts an
analysis that identifies case characteristics that have historically
yielded greater assessments as a result of follow-up efforts. In recent
years, IRS has increased the number of returns investigated and the dollar
amount of the total potential underreported taxes. For example, for tax
year 2001, IRS identified discrepancies in 15.7 million tax returns, with
potential underreported taxes totaling $17.2 billion, but only
investigated 3 million (19 percent) of these tax returns, which accounted
for about $7.7 billion (45 percent) of the total potential underreported
taxes.^21 By contrast, for tax year 2004, IRS identified discrepancies in
15 million tax returns with potential underreported taxes totaling $16
billion, and investigated 4.6 million (31 percent) of these tax returns,
which accounted for about $12.7 billion (78 percent) of the total
potential underreported taxes.^22
However, as these figures also illustrate, IRS continues to pursue only a
portion of the potential underrported taxes it identifies. In addition, in
deciding which or how many cases to pursue, IRS does not consider
historical collection experience or the costs incurred to work the related
cases, which could further improve IRS's net return on the cases it does
elect to pursue. There are factors that affect IRS's ability to accelerate
the timing of its automated matches, such as the limitations of its
current automated systems and the timing of filing requirements for
preparers of third-party documents, some of which are beyond IRS's
control. Nonetheless, the information from IRS's automated matching
program suggests that a substantial amount of additional revenue might be
realized if additional resources, coupled with more timely receipt of
information and more effective systems to compare such information, were
devoted to follow-up efforts. At present, billions of dollars in
underreported taxes could remain uncollected and improper refunds could be
disbursed.
Information Security
To effectively fulfill its tax processing responsibility, IRS relies
extensively on computerized systems to support its financial and
mission-related operations. Effective information system controls are
essential to ensuring that taxpayer and financial information is
adequately protected from inadvertent or deliberate misuse, fraudulent
use, improper disclosure, or destruction. Ineffective system controls can
impair the accuracy, completeness, and timeliness of information used by
management and increase the potential for undetected material
misstatements in the agency's financial statements.
IRS has made progress in implementing information security for its
financial and tax processing systems and information by addressing many of
its previously reported security weaknesses. For example, among other
things, IRS implemented stronger password settings regarding expiration
and complexity and improved controls over data sharing among mainframe
users. IRS also improved employee training on recovering critical systems
in the event of a disaster.
Although IRS has made progress toward correcting previously identified
information security weaknesses, significant weaknesses in electronic
access and other information security controls continued to exist during
fiscal year 2006. Corrective actions had not been completed for some of
the previously identified weaknesses. For example, the security software
configurations on the mainframe system, which supports IRS's general
ledger for tax administration activities, continued to contain numerous
invalid and obsolete entries, leaving IRS with a system that is overly
complicated and difficult to secure, especially in terms of monitoring
actual access privileges. We also identified new weaknesses. For example,
we found that IRS's procurement system, which processed about $3.9 billion
in fiscal year 2006, was vulnerable to a well-known exploit whereby
database commands can be inserted into the application through a user
input screen that is available to everyone on the agency's network. The
significance of this vulnerability is compounded by the fact that IRS had
granted administrative privileges to the database account used by the
application, allowing anyone who exploits this vulnerability to have
powerful database privileges, including the ability to change data. In
addition, IRS had not fully employed mitigating controls used to detect
malicious activity, such as logging and monitoring user activity. The
agency also stored user IDs and passwords in mainframe files that could be
read by every mainframe user. This information could provide a malicious
user access to IRS's data retrieval system, which contains taxpayer
information. Weaknesses also existed in other areas, such as physical
security, configuration management, segregation of duties, and personnel
security. If IRS does not adequately mitigate these weaknesses,
unauthorized individuals could gain access to critical systems, where they
may intentionally or inadvertently read, modify, or delete sensitive data
or computer programs, possibly without being detected. These individuals
could also obtain personal taxpayer information and use it to commit
financial crimes, such as identity theft. Previously reported weaknesses
that have not been corrected, and the new weaknesses identified during our
fiscal year 2006 financial audit, increase the risk that data processed by
the agency's financial management and tax administration systems are not
reliable.
A key reason for the information security weaknesses in IRS's financial
and tax processing systems was that it has not yet fully implemented a
security program^23 to ensure that controls are effectively established
and maintained. Although IRS continues to make important progress in
developing a framework for its information security program, we identified
instances in which the program had not been fully or consistently
implemented for its information systems. For example, the system that
supports IRS's general ledger for tax administration activities did not
have a documented security plan. In addition, although IRS was
periodically testing security controls on the systems we reviewed, it did
not always take remedial action to address deficiencies identified through
these tests. For example, in March 2006, IRS identified a vulnerability in
the process that manages network connectivity to its procurement system
database server; this condition continued to exist at the time of our
review 4 months later. Further, one of the systems we reviewed did not
have an alternate backup facility in place in the event of a disaster.
Until IRS takes additional steps to fully implement key elements of its
information security program, its facilities and computing resources and
the information that is processed, stored, and transmitted on its systems
will likely remain vulnerable, and management will not have assurance of
the integrity and reliability of the information generated.
The new information security deficiencies we identified in fiscal year
2006 and the unresolved deficiencies from prior audits represent a
material weakness in IRS's internal controls over its procurement, asset
management, and tax administration accounting systems. Collectively, these
deficiencies reduce IRS's ability to secure its financial and taxpayer
information. We plan to issue a separate report on the newly identified
weaknesses and the status of previously identified weaknesses.
Reportable Condition
In addition to the material weaknesses discussed above, we identified a
reportable condition concerning weaknesses in IRS's internal controls over
hard-copy tax receipts and taxpayer information.
In our previous report on the results of our audit of IRS's fiscal year
2005 financial statements, we discussed the presence of a reportable
condition with respect to weaknesses in IRS's internal controls over P&E.
Over the past several years, IRS has made substantial progress in
strengthening internal controls and procedures that enhanced its ability
to account for P&E. In fiscal year 2006, IRS made further improvements
over recording P&E transactions in its accounting records. Although IRS
continues to lack an integrated property management system, the
improvements made in fiscal year 2006, combined with progress made over
the past several years, have mitigated this issue. Thus, we no longer
consider the lack of an integrated accounting and property system to
constitute a reportable condition.
Hard-Copy Tax Receipts and Taxpayer Information
IRS manually processes hundreds of billions of dollars of hard-copy
taxpayer receipts and related taxpayer information at its service center
campuses, field office taxpayer assistance centers, other field office
units,
and commercial lockbox banks.^24 In previous audits, we have reported
that weaknesses in IRS's controls designed to safeguard taxpayer receipts
and information increase the risk that receipts in the form of checks,
cash, and the like could be misappropriated or that the information could
be compromised.^25 During our fiscal year 2006 audit, we identified
actions IRS has taken to address some of these weaknesses. For example,
IRS issued guidance to its large- and midsized taxpayer assistance centers
that enhanced managerial and supervisory review requirements and provided
for segregation of duties between preparation and review activities
relating to documents that accompany shipments of taxpayer receipts and
information to affiliated IRS service center campuses for processing.
Additionally, we observed that at one service center campus, IRS had taken
corrective actions to address several physical security vulnerabilities,
which, if left uncorrected, could have resulted in unauthorized access to
the facility. Also, during fiscal year 2006, IRS and the Financial
Management Service continued implementation of a joint lockbox performance
measurement system begun in fiscal year 2005, which was designed to
address deficiencies in internal controls, such as those identified in our
prior audits, by establishing strict standards and accountability for
adherence to these standards. Because the lockbox performance measurement
system was not fully implemented during fiscal year 2006, we could not
assess the overall impact it will have on improving the effectiveness of
internal controls at the lockbox banks. However, the system focuses on
increased oversight by requiring quarterly reviews relating to physical
security and internal controls over receipts and receipt processing, and
subsequent reporting of the reviews' results to bank management officials.
In addition, a bank receiving a cautionary rating, indicating notable
deficiencies in overall performance, may be subject to the following
punitive actions if performance does not improve: (1) ineligibility to bid
on new work or receive additional volume, (2) placement in a probationary
status for no less than 90 days, and (3) loss of existing work. This
system has the potential to significantly improve internal controls at the
lockbox bank facilities.
However, despite the improvements we found at IRS's taxpayer assistance
centers, service center campuses, and lockbox banks, IRS's controls over
receipts and related hard-copy taxpayer information did not sufficiently
limit the risk of theft, loss, or misuse of such funds and information.
Specifically, we found the following:
oWeaknesses in physical security controls designed to prevent unauthorized
access to IRS's receipt processing facilities. For example, during our
fiscal year 2006 audit, we observed that (1) the external perimeter was
vulnerable to external intrusions (at five service center campuses); (2)
guards did not respond timely to alarms (at two service center campuses
and one taxpayer assistance center), and (3) security cameras did not
provide for 360 degree coverage of the building exterior or the facility's
external perimeter (at two service center campuses and three lockbox
banks). These weaknesses increase the risk that the integrity of IRS
facilities and the taxpayer receipts and information they process may be
compromised.
oWeaknesses in procedural safeguards and controls designed to account for,
control, and protect taxpayer receipts and related taxpayer information.
For example, during our fiscal year 2006 audit, we found that (1)
sensitive taxpayer information in electronic form sent off-site for
storage was not encrypted to prevent potential unauthorized access (at
three lockbox banks), (2) there was no documentation that vendors with
off-site possession of actual or potential sensitive taxpayer information
had received required background investigations (at two service center
campuses and one lockbox bank), and (3) mail potentially containing
taxpayer receipts was not adequately secured to prevent potential
tampering or theft (at two service center campuses). These weaknesses
increase the risk that taxpayer receipts and information may be
compromised during processing at IRS facilities and lockbox banks.
oWeaknesses in controls designed to safeguard hard-copy taxpayer receipts
and related taxpayer information during transport between IRS business
units and to or from third parties, such as depository institutions and
post offices. For example, during our fiscal year 2006 audit, we found
that (1) there was no evidence that IRS employees sending packages
containing taxpayer receipts and information followed up with responsible
parties at the recipient location when document transmittal forms used to
specifically identify the contents of the packages shipped remained
unacknowledged by the recipient (at one service center campus and five
Small Business/Self-Employed units); (2) packaging and shipping procedures
used by IRS employees did not adequately secure taxpayer receipts and
information to prevent potential tampering or unauthorized access (at one
service center campus and two Small Business/Self-Employed unit); and (3)
there was no evidence documenting managerial review of transfer-related
documents^26 (at three service center campuses, two lockbox banks, two
taxpayer assistance centers, and four Small Business/Self-Employed units).
These weaknesses increase the risk that taxpayer receipts may be lost,
misappropriated, or delayed in transit between offices and that their
loss, misappropriation, or delayed arrival may not be timely detected.
These internal control weaknesses increase IRS's vulnerability to theft or
loss and expose taxpayers to increased risk of losses from financial
crimes committed by individuals who inappropriately gain access to
taxpayer receipts and confidential information entrusted to IRS. IRS's
progress in addressing these issues has been hampered by a tendency, at
times, to focus corrective actions on the issues we identify at the
specific locations where we find them, versus proactively addressing
potential weaknesses at other comparable locations to determine the full
scope of the issues across all IRS receipt processing facilities
potentially affected. For example, during our fiscal year 2005 financial
audit, we identified a physical security weakness in a perimeter fence at
one service center campus, which IRS subsequently corrected. However, IRS
did not concurrently follow up to assess whether similar issues existed at
other service center campuses. During our fiscal year 2006 audit, we found
that similar vulnerabilities existed at two additional service center
campuses. The recurrence of this issue might have been avoided if IRS had
been more proactive in its use of the information we provided in fiscal
year 2005. While IRS has made significant progress in this area, the
issues identified during our fiscal year 2006 audit indicate that more
remains to be done to effectively address these matters, which are
critical to IRS's success in meeting its customer service goals.
Compliance Issues
Our work on compliance with selected provisions of laws and regulations
disclosed one area of noncompliance that is reportable under U.S.
generally accepted government auditing standards and OMB guidance. This
area relates to the release of federal tax liens against taxpayers'
property. We also found that IRS's financial management systems do not
substantially comply with the requirements of FFMIA.
Release of Federal Tax Liens
The Internal Revenue Code grants IRS the power to file a lien against the
property of any taxpayer who neglects or refuses to pay all assessed
federal taxes. The lien becomes effective when it is filed with a
designated office, such as a courthouse in the county where the taxpayer's
property is located.^27 The lien serves to protect the interest of the
federal government and as a public notice to current and potential
creditors of the government's interest in the taxpayer's property. For
example, federal tax liens are disclosed in credit reports of individuals.
Under section 6325 of the Internal Revenue Code, IRS is required to
release federal tax liens within 30 days after the date the tax liability
is satisfied or has become legally unenforceable or the Secretary of the
Treasury has accepted a bond for the assessed tax.
In each year beginning with our audit of IRS's fiscal year 1999 financial
statements, we found that IRS did not always release the applicable
federal tax lien within 30 days of the tax liability being either paid off
or abated, as required by the Internal Revenue Code.^28 We found that
this condition continued to exist in fiscal year 2006.
In prior audits, we tested a statistical sample of tax cases with liens in
which the taxpayers' total outstanding tax liabilities were either paid
off or abated during the fiscal year under audit. In fiscal year 2006, IRS
performed its own test of the effectiveness of its lien release process as
part of implementing the requirements of the revised OMB Circular No.
A-123. Consequently, we reviewed and validated IRS's test results.
In its testing of 84 statistically selected tax cases with liens in which
the taxpayers' total outstanding tax liabilities were either paid off or
abated during fiscal year 2006, IRS found 26 instances in which it did not
release the applicable federal tax lien within the statutorily mandated 30
days. The time between satisfaction of the liability and release of the
lien ranged from 44 days to 638 days. In 4 cases, the lien still had not
been released at the time of IRS's review. Based on these results, IRS
estimates that for 31 percent of unpaid tax assessment cases in which it
had filed a tax lien that were resolved in fiscal year 2006, IRS did not
release the lien within 30 days.^29
In 13 of the 26 cases in which liens were not released timely, the delay
in the lien release was caused by IRS's failure to timely record
information on the taxpayer's account to show that the taxpayer had
satisfied or was otherwise relieved of the tax liability. In 6 of these
cases, IRS did not properly credit all of the taxpayer's outstanding
accounts when the taxpayer sent in one payment to satisfy the tax
liability of multiple tax accounts. Consequently, one or more of the
taxpayer's accounts remained open even though the taxpayer had fully
satisfied the total tax liability. This, in turn, prevented the initiation
of the lien release process for these cases. In 5 of the other cases, IRS
did not timely update the taxpayer's account to reflect that the taxpayer
had been discharged of the taxes in bankruptcy court. In the remaining 2
cases, IRS did not timely update the taxpayer's account to indicate the
taxpayer had satisfied all the conditions of an offer-in-compromise. IRS's
delay in timely recording this information also prevented the initiation
of the lien release process. The failure to promptly release tax liens
could cause undue hardship and burden to taxpayers who are attempting to
sell property or apply for commercial credit. We issued a report in
January 2005 that discusses other issues that contribute to IRS's failure
to timely release federal tax liens, along with our recommendations to
address those issues.^30
Financial Management Systems' Noncompliance With FFMIA
In fiscal year 2006, we continued to find that IRS's financial management
systems did not substantially comply with the requirements of FFMIA.
Specifically, IRS's systems did not comply with Federal Financial
Management System Requirements (FFMSR), federal accounting standards (U.S.
generally accepted accounting principles), and the SGL at the transaction
level. We found that IRS (1) cannot rely solely on information from its
general ledger to prepare its financial statements; (2) lacks a subsidiary
ledger for its unpaid assessments; and (3) lacks an effective audit trail
from its general ledger back to detailed records and transaction source
documents for material balances, such as tax revenues and tax refunds.
IRS's implementation of the first release of IFS represented a major step
forward and has provided significant benefits, such as enhanced audit
trails and a cost module. However, as noted earlier in this report, IRS is
no longer committed to the future releases of IFS that were to include
additional features essential to IRS's ability to realize the system's
full potential, such as workload and procurement management. Since IRS
does not yet have a viable alternative planned, it is unclear how or when
IRS will obtain these capabilities. Additionally, IRS continues to rely on
obsolete legacy systems to process tax revenues, tax refunds, and unpaid
tax assessments. These systems do not interface with IFS, which accounts
for and reports only IRS's nontax administrative activities.
This noncompliance with FFMIA ties in with our earlier discussions of
material weaknesses related to the inability of IRS's financial management
systems to produce auditable financial statements and related disclosures
that conform with U.S. generally accepted accounting principles without
substantial compensating processes and significant adjustments. These
weaknesses also indicate that IRS's systems cannot routinely accumulate
and report the full cost of its activities. Since IRS's systems do not
comply with FFMSR, U.S. generally accepted accounting principles, and the
SGL, they also do not comply with OMB Circular No. A-127, Financial
Management Systems (revised July 23, 1993). In its FIA assurance statement
to Treasury, IRS reported that its financial management systems did not
substantially comply with the requirements of FFMIA in fiscal year 2006.
IRS has established a remediation plan to address the conditions affecting
its systems' inability to comply substantially with the requirements of
FFMIA. This plan outlines the actions to be taken to resolve these issues,
but many future corrective actions are on hold and currently unfunded.
Because of the long-term nature of IRS's systems modernization efforts,
which IRS expects will resolve many of the most serious issues, many of
the planned time frames exceed the 3-year resolution period specified in
FFMIA. However, for these instances IRS has received a waiver from this
requirement from OMB, as authorized by FFMIA.
Appendix II
Details on Audit Methodology
To fulfill our responsibilities as the auditor of the IRS's financial
statements, we did the following:
oExamined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. This included selecting
statistical samples of unpaid assessment, revenue, refund, accrued
expenses, payroll, nonpayroll, P&E, accounts payable, and undelivered
order transactions. These statistical samples were selected primarily to
substantiate balances and activities reported in IRS's financial
statements. Consequently, dollar errors or amounts can and have been
statistically projected to the population of transactions from which they
were selected. In testing these samples, certain attributes were
identified that indicated either significant deficiencies in the design or
operation of internal control or compliance with provisions of laws and
regulations. These attributes, where applicable, can be and have been
statistically projected to the appropriate populations.
oAssessed the accounting principles used and significant estimates made by
management.
oEvaluated the overall presentation of the financial statements.
oObtained an understanding of internal controls related to financial
reporting (including safeguarding assets), compliance with laws and
regulations (including the execution of transactions in accordance with
budget authority), and the existence and completion assertions related to
performance measures reported in the Management Discussion and Analysis.
oTested relevant internal controls over financial reporting (including
safeguarding assets) and compliance, and evaluated the design and
operating effectiveness of internal controls.
oConsidered IRS's process for evaluating and reporting on internal
controls and financial management systems under 31 U.S.C. S 3512 (c), (d),
commonly referred to as the Federal Managers' Financial Integrity Act of
1982, and OMB Circular No. A-123, Management's Responsibility for Internal
Control.
oTested compliance with selected provisions of the following laws and
regulations: Anti-Deficiency Act, as amended (31 U.S.C. S 1341(a)(1) and
31 U.S.C. S 1517(a)); Purpose Statute (31 U.S.C. S 1301); Release of lien
or discharge of property (26 U.S.C. S 6325); Interest on underpayment,
nonpayment, or extensions of time for payment of tax (26 U.S.C. S 6601);
Interest on overpayments (26 U.S.C. S 6611); Determination of rate of
interest (26 U.S.C. S 6621); Failure to file tax return or to pay tax (26
U.S.C. S 6651); Failure by individual to pay estimated income tax (26
U.S.C. S 6654); Failure by corporation to pay estimated income tax (26
U.S.C. S 6655); Prompt Payment Act (31 U.S.C. S 3902(a), (b), and (f) and
31 U.S.C. S 3904); Pay and Allowance System for Civilian Employees (5
U.S.C. SS 5332 and 5343, and 29 U.S.C. S 206); Federal Employees'
Retirement System Act of 1986, as amended (5 U.S.C. SS 8422, 8423, and
8432); Social Security Act, as amended (26 U.S.C. SS 3101 and 3121 and 42
U.S.C. S 430); Federal Employees Health Benefits Act of 1959, as amended
(5 U.S.C. SS 8905, 8906, and 8909); Transportation, Treasury, Independent
Agencies, and General Government Appropriations Act, 2005, Pub. L. No.
108-447, div. H, tit. II, 118 Stat. 2809, 3199 (Dec. 8, 2004); and
Department of the Treasury Appropriations Act, 2006, Pub. L. No. 109-115,
div. A, tit. II, 119 Stat. 2396, 2432 (Nov. 30, 2005).
oTested whether IRS's financial management systems substantially comply
with the three requirements of the Federal Financial Management
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, S 101(f), title
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996).
Appendix III
Comments from the Internal Revenue Service
(196088)
[31]transparent illustrator graphic
www.gao.gov/cgi-bin/getrpt?GAO-07-136 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Steven J. Sebastian at (202) 512-3406 or
[email protected].
Highlights of [33]GAO-07-136 , a report to the Secretary of the Treasury
November 2006
FINANCIAL AUDIT
IRS's Fiscal Years 2006 and 2005 Financial Statements
Because of the significance of Internal Revenue Service (IRS) collections
to overall federal receipts and, in turn, to the consolidated financial
statements of the U.S. government, which GAO is required to audit, and
Congress's interest in financial management at IRS, GAO audits IRS's
financial statements annually to determine whether (1) the financial
statements are reliable and (2) IRS management maintained effective
internal controls. GAO also tests IRS's compliance with selected
provisions of significant laws and regulations and its financial systems'
compliance with the Federal Financial Management Improvement Act of 1996
(FFMIA).
What GAO Recommends
In prior audits, GAO made numerous recommendations to IRS to address
issues comprising the material weaknesses and reportable condition and
compliance matters that persisted during fiscal year 2006. GAO will
continue to monitor IRS's progress in implementing the 72 recommendations
that remain open as of the date of this report. IRS agreed with the
report's findings and that it fairly presents IRS's progress and
challenges. IRS said it had made significant progress in addressing
financial management issues and noted that it had a strong management team
to continue improving financial management with an increased focus on
internal controls and information security.
In GAO's opinion, IRS's fiscal years 2006 and 2005 financial statements
are fairly presented in all material respects. Because of serious internal
control and financial management systems deficiencies, IRS again had to
rely extensively on resource-intensive compensating processes to prepare
its financial statements. Because of these serious internal control and
financial management deficiencies, IRS did not, in GAO's opinion, maintain
effective internal controls over financial reporting (including
safeguarding of assets) or compliance with laws and regulations, and thus
did not provide reasonable assurance that losses, misstatements, and
noncompliance with laws material in relation to the financial statements
would be prevented or detected on a timely basis.
IRS has continued to make great strides in addressing its financial
management challenges and has substantially mitigated several material
weaknesses in its internal controls. IRS made significant progress in
developing its cost accounting module, which was part of the first phase
of the Integrated Financial System (IFS), implemented in fiscal year 2005.
IRS also improved the reliability of its property and equipment records,
and we no longer consider this issue to be a reportable condition.
However, because of budgetary concerns and advances in automated financial
management system technologies, IRS is no longer committed to the future
releases of IFS that were once intended to resolve many of its most
serious financial management issues, and is currently considering
alternatives. IRS has not yet committed to an alternative approach nor has
funding been appropriated. Additionally, IRS has not determined how to
resolve issues related to the lack of integration between IFS and its tax
processing systems. Consequently, it is unclear how or when these issues
will be resolved. GAO continues to consider issues related to IRS's
controls over financial reporting, management of unpaid assessments,
collection of revenue and issuance of tax refunds, and information
security to be material weaknesses. Although IRS continued to make
progress in addressing weaknesses in controls over hard-copy taxpayer
receipts and data, GAO concluded that remaining issues related to this
activity constituted a reportable condition. In addition, IRS was not
always in compliance with a law concerning the timely release of tax
liens.
IRS management faces serious challenges from its continued use of obsolete
financial management systems that do not substantially comply with FFMIA
requirements. These challenges adversely affect IRS's ability to fulfill
its responsibilities as the nation's tax collector because it is unable to
obtain comprehensive, timely, accurate, and useful information for
day-to-day decision making. Solving IRS's financial management problems
depends largely on the ultimate success of IRS's ongoing systems
modernization efforts.
References
Visible links
33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-136
*** End of document. ***