Internal Revenue Service: Status of GAO Financial Audit and
Related Financial Management Report Recommendations (07-JUN-07,
GAO-07-629).
In its role as the nation's tax collector, the Internal Revenue
Service (IRS) has a demanding responsibility in annually
collecting over $2 trillion in taxes, processing hundreds of
millions of tax and information returns, and enforcing the
nation's tax laws. Since its first audit of IRS's financial
statements in fiscal year 1992, GAO has identified a number of
weaknesses in IRS's financial management operations. In related
reports, GAO has recommended corrective action to address those
weaknesses. Each year, as part of the annual audit of IRS's
financial statements, GAO not only makes recommendations to
address any new weaknesses identified but also follows up on the
status of weaknesses GAO identified in previous years' audits.
The purpose of this report is to (1) assist IRS management in
tracking the status of audit recommendations and actions needed
to fully address them and (2) demonstrate how the recommendations
relate to control activities central to IRS's mission and goals.
GAO is making no new recommendations in this report.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-629
ACCNO: A70426
TITLE: Internal Revenue Service: Status of GAO Financial Audit
and Related Financial Management Report Recommendations
DATE: 06/07/2007
SUBJECT: Accountability
Accounting procedures
Auditing procedures
Data integrity
Financial management
Financial management systems
Financial records
Financial statements
Internal audits
Internal controls
Tax administration systems
Corrective action
Report to the Acting Commissioner of Internal Revenue
United States Government Accountability Office
GAO
June 2007
INTERNAL REVENUE SERVICE
Status of GAO Financial Audit and Related Financial Management Report
Recommendations
GAO-07-629
Contents
Letter
Results in Brief
Background
Scope and Methodology
IRS's Progress on Financial Management Recommendations
Open Recommendations Grouped by Control Activity
Concluding Observations
Agency Comments and Our Evaluation
Appendix I Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports
Appendix II Comments from the Internal Revenue Service
Appendix III Staff Acknowledgments
Tables
Table 1: Summary of Open Recommendations
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets
Table 3: Recommendations to Improve IRS's Segregation of Duties
Table 4: Recommendation to Improve IRS's Controls over Information
Processing
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events
Table 8: Recommendation to Improve IRS's Execution of Transaction and
Events
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators
Table 11: Recommendations to Improve IRS's Management of Human Capital
Abbreviations
ALS Automated Lien System
AM accounts management
ATFR Automated Trust Fund Recovery
AUR Automated Under Reporter
AWSS Agency-Wide Shared Services
BPMS Business Performance Management System
CCTV closed-circuit television
CDDB Custodial Detail Data Base
CFO chief financial officer
COTR contracting officer's technical representative
DCI data collection instrument
FA Field Assistance
FC field coordinator
FISCAM Federal Information System Controls Audit Manual
FISMA Federal Information Security Management Act of 2002
FMFIA Federal Managers' Financial Integrity Act of 1982
FMIS Financial Management Information System
FMS Financial Management Service
IAR initial account representative
IDRS Integrated Data Retrieval System
IFS Integrated Financial System
IRACS Interim Revenue and Accounting Control System
IRM Internal Revenue Manual
IRS Internal Revenue Service
JFMIP Joint Financial Management Improvement Project
LEB Lockbox Electronic Bulletin
LEM Security Law Enforcement Manual
LFC lockbox field coordinators
LMSB Large and Mid-sized Business
LPG Lockbox Processing Guidelines
LSG Lockbox Security Guide
MA Mission Assurance
MITS Modernization & Information Technology Services
MOU Memorandum of Understanding
NBIC National Background Investigations Center
NFC National Finance Center
OMB Office of Management and Budget
P&E property and equipment
PSEP Physical Security and Emergency Preparedness Office
REFM Real Estate and Facilities Management
SB/SE Small Business/Self-Employed
SCC service center campus
SERP Service-wide Electronic Research Program
SETS Security Entry and Tracking System
SP Submission Processing
SPC submission processing center
SS Security Services
TAC taxpayer assistance center
TE/GE Tax Exempt and Government Entities
TFRP Trust Fund Recovery Penalty
TGA Treasury's General Account
TIGTA Treasury Inspector General for Tax Administration
USR unit security representative
USSGL United States Government Standard General Ledger
W&I Wage and Investment
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 7, 2007
The Honorable Kevin M. Brown
Acting Commissioner of Internal Revenue
Dear Mr. Brown:
In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2006, IRS
collected about $2.5 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $277 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.
IRS has made much progress in improving its financial management since it
was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress was reflected in its ability
to obtain and maintain a clean audit opinion on its financial statements
each year beginning in fiscal year 2000, and to correct several material
internal control weaknesses over the years and make many other
improvements in internal control. At the same time, more remains to be
done to address long-standing internal control issues that continue to
plague the agency. IRS continues to have weak or ineffective internal
controls over fundamental elements of its operations that leave it
vulnerable to a greater risk of fraud, waste, abuse, and mismanagement.
This, in turn, has the potential to impact the lives of the nation's
taxpayers, as our audits over the years have demonstrated.
An agency's internal control environment serves as the first
line of defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.^1 Unfortunately, IRS continues to be
challenged with several long-standing material weaknesses in internal
control that are at the heart of IRS's operations.^2 During our audit of
IRS's fiscal year 2006 financial statements, we continued to find material
weaknesses in controls over
o financial reporting (including safeguarding of assets),
o unpaid tax assessments,
o identifying and collecting tax revenues due and issuing tax
refunds, and
o information systems security.
In addition to the material weaknesses, we continued to identify a
reportable condition involving controls over hard-copy tax
receipts and taxpayer data, which increase the government's and
taxpayer's risk of loss or inappropriate disclosure of taxpayer
data.
^1Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient operations,
reliable financial reporting, and compliance with applicable laws and
regulations. Part of the actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for
results-oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and to
take corresponding corrective actions.
^2Prior to December 15, 2006, a material weakness was defined as a
reportable condition that precludes the entity's internal controls from
providing reasonable assurance that material misstatements in the
financial statements would be prevented or detected on a timely basis.
Reportable conditions represent significant deficiencies in the design or
operation of internal controls that could adversely affect an entity's
ability to initiate, authorize, record, process, or report financial data
reliably. In May 2006, the American Institute of Certified Public
Accountants (AICPA) issued the Statement on Auditing Standard (SAS) 112,
which became effective for audits of financial statements for periods
ending on or after December 15, 2006. SAS 112 established standards and
provides guidance on the auditor's responsibilities for identifying,
evaluating, and communicating matters related to an entity's internal
control over financial reporting identified in an audit of financial
statements. Under the new SAS, the auditor is required to communicate
control deficiencies that are significant deficiencies or material
weaknesses in internal controls. A control deficiency, which is a new term
under SAS 112, exists when the design or operation of a control does not
allow management or employees, in the course of performing their assigned
functions, to prevent or detect misstatements on a timely basis. A
material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected. A significant deficiency is a control deficiency,
or combination of deficiencies, that adversely affects the entity's
ability to initiate, authorize, record, process, or report financial data
reliably in accordance with generally accepted accounting principles such
that there is more than a remote likelihood that a misstatement of the
entity's financial statements that is more than inconsequential will not
be prevented or detected. As a result of SAS 112, the term reportable
condition is no longer used.
To assist IRS in strengthening its internal controls and improving
its operations, we have made numerous recommendations as part of
our annual financial statement audits and other financial
management-related work at IRS. This report is being provided to
you to (1) assist IRS management in tracking the status of
financial audit and financial management-related recommendations
and the actions needed to address them and (2) demonstrate how the
recommendations relate to control activities central to IRS's
mission and goals. We are making no new recommendations in this
report.
We conducted our review from December 2006 through April 2007 in
accordance with U.S. generally accepted government auditing
standards.
Results in Brief
IRS management continues to make progress in addressing many of
the internal control issues that challenge the agency. IRS's
actions have enabled us to close over 200 financial
management-related recommendations over the years since our first
audit of its financial statements in 1992. At the beginning of the
fiscal year 2006 IRS financial statement audit, 72 financial
management-related recommendations from prior audits remained
open. During the fiscal year 2006 financial statement audit, IRS
took actions to effectively address issues that gave rise to
numerous recommendations, enabling us to close 25 of those
recommendations. Thus, 47 recommendations remained open from prior
years' audits at the end of fiscal year 2006. In addition, during
our fiscal year 2006 financial audit, we made 28 new
recommendations to address newly identified issues. As a result, a
total of 75 recommendations to address IRS's internal control
issues remain open.
In analyzing the nature of these open financial management
recommendations, we determined that 19 recommendations (25
percent) relate to issues associated with IRS's lack of effective
controls over safeguarding assets and security activities. Another
33 recommendations (approximately 44 percent) relate to issues
associated with IRS's inability to properly record and document
transactions. The remaining 23 recommendations (31 percent) relate
to issues associated with lack of effective management review and
oversight. Effectively and fully addressing these open
recommendations would greatly assist IRS in improving its internal
controls and achieving sound financial management.
In commenting on a draft of this report, IRS expressed its
appreciation for our acknowledgement of the agency's progress in
addressing its financial management challenges as evidenced by our
closure of 25 of the 72 open financial management recommendations
from last year's report. We have reprinted IRS's written comments
in appendix II.
Background
Internal control is not one event, but a series of actions and
activities that occur throughout an entity's operations and on an
ongoing basis. Internal control should be recognized as an
integral part of each system that management uses to regulate and
guide its operations rather than as a separate system within an
agency. In this sense, internal control is management control that
is built into the entity as a part of its infrastructure to help
managers run the entity and achieve their goals on an ongoing
basis.
Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as
the Federal Managers' Financial Integrity Act of 1982 (FMFIA)),
requires agencies to establish and maintain internal control. The
agency head must annually evaluate and report on the control and
financial systems that protect the integrity of federal programs.
The requirements of FMFIA serve as an umbrella under which other
reviews, evaluations, and audits should be coordinated and
considered to support management's assertion about the
effectiveness of internal control over operations, financial
reporting, and compliance with laws and regulations.
Office of Management and Budget (OMB) Circular No. A-123,
"Management's Responsibility for Internal Control" (revised Dec.
21, 2004), provides the implementing guidance for FMFIA, and sets
out the specific requirements for assessing and reporting on
internal controls^3 consistent with the internal control standards
issued by the Comptroller General of the United States.^4 The
circular, which was revised in 2004 with the revisions effective
for fiscal year 2006, defines management's responsibilities
related to internal control and the process for assessing internal
control effectiveness, and provides specific requirements for
conducting management's assessment of the effectiveness of
internal control over financial reporting. The circular requires
management to annually provide assurances on internal control in
its Performance and Accountability Report, and for the 24 Chief
Financial Officers (CFO) Act agencies to include a separate
assurance on internal control over financial reporting, along with
a report on identified material weaknesses and corrective
actions.^5 The circular also emphasizes the need for integrated
and coordinated internal control assessments that synchronize all
internal control-related activities.
^3The circular was revised in December 2004. The circular states that the
revision followed a reexamination of the existing internal control
requirements for federal agencies that was initiated in light of the new
internal control requirements for publicly traded companies contained in
the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (July
30, 2002).
^4GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (November 1999).
FMFIA requires GAO to issue standards for internal control in the
federal government. GAO's Standards for Internal Control in the
Federal Government provides the overall framework for establishing
and maintaining internal control and for identifying and
addressing major performance and management challenges and areas
at greatest risk of fraud, waste, abuse, and mismanagement.
As summarized in GAO's Standards for Internal Control in the
Federal Government, the minimum level of quality acceptable for
internal control in the government is defined by the following
five standards, which also provide the basis against which
internal controls are to be evaluated:
o Control environment: Management and employees should establish
and maintain an environment throughout the organization that sets
a positive and supportive attitude toward internal control and
conscientious management.
o Risk assessment: Internal control should provide for an
assessment of the risks the agency faces from both external and
internal sources.
o Control activities: Internal control activities help ensure that
management's directives are carried out. The control activities
should be effective and efficient in accomplishing the agency's
control objectives.
o Information and communications: Information should be recorded
and communicated to management and others within the entity who
need it and in a form and within a time frame that enables them to
carry out their internal control and other responsibilities.
o Monitoring: Internal control monitoring should assess the
quality of performance over time and ensure that the findings of
audits and other reviews are promptly resolved.
^5The circular requires agencies and individual federal managers to take
systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
Appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal
The third control standard--internal control activities--helps
ensure that management's directives are carried out. Control
activities are the policies, procedures, techniques, and
mechanisms that enforce management's directives. In other words,
they are the activities conducted in the everyday course of
business that accomplish a control objective, such as ensuring IRS
employees successfully complete background checks prior to being
granted access to taxpayer information and receipts. As such,
control activities are an integral part of an entity's planning,
implementing, reviewing, and accountability for stewardship of
government resources and achievement of effective results.
A key objective in our annual audits of IRS's financial statements
is to obtain reasonable assurance about whether IRS maintained
effective internal controls with respect to financial reporting,
including safeguarding of assets, and compliance with laws and
regulations. While all five internal control standards are
critical and are used by us as a basis for evaluating the
effectiveness of IRS's internal controls, we place a heavy
emphasis on testing control activities. This has resulted in the
identification of issues in certain internal controls over the
years and recommendations for corrective action.
Scope and Methodology
To accomplish our objectives, we evaluated the effectiveness of
IRS's corrective actions implemented in response to open
recommendations during fiscal year 2006 as part of our fiscal
years 2006 and 2005 financial audits. To determine the current
status of the recommendations, we (1) obtained the status of each
recommendation and corrective action taken or planned as of April
2007, as reported to us by IRS and (2) compared IRS's assessment
to our fiscal year 2006 audit findings to identify any differences
between IRS's and our conclusions regarding the status of each
recommendation.
In order to determine how these recommendations fit within IRS's
management and internal control structure, we compared the open
recommendations, and the issues that gave rise to them, to the
control activities listed in GAO's Standards for Internal Control
in the Federal Government and to the list of major factors and
examples outlined in our Internal Control Management and
Evaluation Tool.^6 We also considered how the recommendations and
the underlying issues were categorized in our prior reports,
whether IRS had addressed, in whole or in part, the underlying
control issues that gave rise to the recommendations, and other
legal requirements and implementing guidance, such as OMB Circular
No. A-123; FMFIA; and the Federal Information System Controls
Audit Manual (FISCAM), GAO/AIMD-12.19.6 (revised June 2001).
We conducted our review from December 2006 through April 2007 in
accordance with U.S. generally accepted government auditing
standards. We requested comments on a draft of this report from
the Commissioner of Internal Revenue or his designee on May 7,
2007. We received comments from IRS on May 18, 2007.
IRS's Progress on Financial Management Recommendations
IRS continues to make progress on addressing its significant
financial management challenges. Over the years since we first
began auditing IRS's financial statements in fiscal year 1992, we
have closed out over 200 financial management-related
recommendations we made based on actions IRS has taken to improve
its internal controls and operational efficiency. This includes 25
recommendations we are closing based on actions IRS took during
the period covered by our fiscal year 2006 financial audit. At the
same time, however, our audits continue to identify internal
control issues, resulting in our making further recommendations
for corrective action, including 28 new financial
management-related recommendations resulting from our fiscal year
2006 financial audit. These internal control issues, and the
resulting recommendations, can be directly traced to the control
activities in GAO's Standards for Internal Control in the Federal
Government. As such, it is essential that they be fully addressed
and resolved to strengthen IRS's overall financial management and
to assist it in achieving its goals and mission.
^6GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001).
Status of Recommendations Based on the Fiscal Year 2006 Financial
Statement Audit
In June 2006, we issued a report on the status of IRS's efforts to
implement corrective actions to address financial management
recommendations stemming from our fiscal year 2005 and prior year
financial audits and other financial management-related work.^7 In
that report, we identified 72 audit recommendations that at that
time remained open and thus required corrective action by IRS. A
significant number of these recommendations had been open for
several years, either because IRS had not taken corrective action
or because the actions taken had not fully and effectively
resolved the issues that gave rise to the recommendations.
IRS continued to work to address many of the internal control
issues to which these open recommendations relate. In the course
of performing our fiscal year 2006 financial audit, we identified
numerous actions IRS took to address many of its internal control
issues. On the basis of IRS's actions, which we were able to
substantiate through our audit, we are able to close 25 of these
prior years' recommendations. IRS considers another 26 of the
prior years' recommendations to be effectively addressed. However,
we still consider them to be open either because we had not yet
been able to verify the effectiveness of IRS's actions--they
occurred subsequent to completion of our audit testing and thus
have not been verified, which is a prerequisite to our closing a
recommendation--or because the actions taken did not fully address
the issue that gave rise to the recommendation.
However, continued efforts are needed by IRS to address its
internal control issues. While we are able to close 25 financial
management recommendations made in prior years, 47 recommendations
from prior years remain open, a significant number of which have
been outstanding for several years. In some cases, IRS may have
effectively addressed the issues that gave rise to the
recommendations subsequent to our fiscal year 2006 audit testing.
However, in many cases, our fiscal year 2006 audit determined that
the actions taken to date had not fully and effectively addressed
the underlying internal control issues. Additionally, during our
audit of IRS's fiscal year 2006 financial statements, we
identified additional issues that will require corrective action
by IRS. In two recent management reports to IRS,^8 we discussed
these issues, and made 28 new recommendations to IRS to address
these new issues. Consequently, a total of 75 financial
management-related recommendations are currently open and need to
be addressed by IRS. Of these, we consider 66 short term and 9
long term.^9
^7GAO, Internal Revenue Service: Status of Recommendations from Financial
Audits and Related Financial Management Reports, GAO-06-560
(Washington, D.C.: June 6, 2006).
^8GAO, Management Report: Improvements Needed in IRS's Internal Controls,
GAO-07-689R (Washington, D.C.: May 11, 2007), and Management Report:
IRS's First Year Implementation of the Requirements of the Office of
Management and Budget's (OMB) Revised Circular No. A-123, GAO-07-692R
(Washington, D.C.: May 18, 2007).
^9We define short-term recommendations as those that could be addressed
within 2 years at the time we made the recommendation. We define long-term
recommendations as those expected to require 2 years or more to implement
at the time we made the recommendation.
Appendix I presents a list of (1) recommendations we have made
based on our financial statement audits and other financial
management-related work that we had not previously reported as
closed prior to our fiscal year 2006 audit, (2) the status of each
of these recommendations and corrective actions taken or planned
as of April 2007 as reported to us by IRS, and (3) our analysis of
whether the issues that gave rise to the recommendations have been
effectively and fully addressed based on the work performed during
our fiscal year 2006 financial statement audit. The appendix also
lists new recommendations we have made based on our fiscal year
2006 financial statement audit. The appendix lists the
recommendations by the date on which the recommendation was made
and by report number.
Open Recommendations Grouped by Control Activity
Linking the open recommendations from our financial audits and
other financial management-related work, and the issues that gave
rise to them, to internal control activities that are central to
IRS's tax administration responsibilities provides insight
regarding their significance.
Control activities, one of the five broad standards contained in
GAO's Standards for Internal Control in the Federal Government,
are the policies, procedures, techniques, and mechanisms that
enforce management's directives. As such, they are an integral
part of an entity's planning, implementing, reviewing, and
accountability for stewardship of government resources and
achievement of results. GAO's Standards for Internal Control in
the Federal Government defines 11 control activities. These
control activities can be further grouped into three broad
categories:
o Safeguarding of assets and security activities, including
    o physical control over vulnerable assets,
    o segregation of duties,
    o controls over information processing, and
    o access restrictions to and accountability for
      resources and records.
o Proper recording and documenting of transactions, including
    o appropriate documentation of transactions and
      internal control,
    o accurate and timely reporting of transactions and
      events, and
    o proper execution of transactions and events.
o Effective management review and oversight, including
    o reviews by management at the functional or activity
      level,
    o establishment and review of performance measures
      and indicators,
    o management of human capital, and
    o top-level reviews of actual performance.
Each of the open recommendations from our financial audits and
financial management-related work, and the underlying issues that
gave rise to them, can be traced back to the 11 control activities
and their three broad categories. Table 1 presents a summary of
the open recommendations, each tied back to the control activity
to which it relates.
Table 1: Summary of Open Recommendations
Source: GAO analysis of financial management recommendations made to IRS.
As table 1 indicates, 19 recommendations (25 percent) relate to issues
associated with IRS's lack of effective controls over safeguarding of
assets and security activities. Another 33 recommendations (44 percent)
relate to issues associated with IRS's inability to properly record and
document transactions. The remaining 23 open recommendations (31 percent)
relate to issues associated with the lack of effective management review
and oversight.
On the following pages, we group the 75 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented in
GAO's Standards for Internal Control in the Federal Government and briefly
identify some of the key IRS operations that fall under that control
activity. Although not comprehensive, the descriptions are intended to
help explain why actions to strengthen these control activities are
important for IRS to effectively carry out its overall mission. For each
recommendation, we also indicate whether it is a short-term or long-term
recommendation.
Safeguarding of Assets and Security Activities
Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of the
most important control activities at IRS is the safeguarding of assets.
Internal control in this important area should be designed to provide
reasonable assurance regarding prevention or prompt detection of
unauthorized acquisition, use, or disposition of an agency's assets. We
have grouped together the four control activities in GAO's Standards for
Internal Control in the Federal Government that relate to safeguarding of
assets (including tax receipts) and security activities (such as limiting
access to only authorized personnel): (1) physical control over vulnerable
assets, (2) segregation of duties, (3) controls over information
processing, and (4) access restrictions to and accountability for
resources and records.
Physical Control over Vulnerable Assets
IRS is charged with collecting over $2 trillion in taxes each year, a
significant amount of which is collected in the form of checks and cash
accompanied by tax returns and related information. IRS collects taxes
both at its own facilities as well as at lockbox banks that operate under
contract with the Department of the Treasury's Financial Management
Service (FMS) to provide processing services for certain taxpayer receipts
for IRS. IRS acts as custodian for (1) the tax payments it receives until
they are deposited in the General Fund of the U.S. Treasury and (2) the
tax returns and related information it receives until they are either sent
to the Federal Records Center or destroyed. IRS is also charged with
controlling many other assets, such as computers and other equipment, but
IRS's legal responsibility to safeguard tax returns and the confidential
information taxpayers provide on tax returns makes the effectiveness of
its internal controls with respect to physical security essential.
IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at one of its offices. While effective
physical safeguards over receipts should exist throughout the year, it is
especially important during the peak tax filing season. Each year during
the weeks preceding and shortly after April 15, an IRS service center
campus (SCC) or lockbox bank may receive and process daily over 100,000
pieces of mail containing returns, receipts, or both. The dollar value of
receipts each service center and lockbox bank processes increases to
hundreds of millions of dollars a day during the April 15 time frame.
Of our 75 open recommendations, the following 12 open recommendations are
designed to improve IRS's physical controls over vulnerable assets. All
are short-term in nature. (See table 2.)
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets
Source: GAO analysis of financial management recommendations made to IRS.
Segregation of Duties
IRS employees are responsible for processing trillions of dollars of tax
receipts each year, of which hundreds of billions are received in the form
of cash or checks,^10 and for processing hundreds of billions of dollars
in refunds to taxpayers. Consequently, it is critical that IRS maintain
appropriate separation of duties to allow for adequate oversight of staff
and protection of these vulnerable resources so that no single individual
would be in a position of both causing an error or irregularity,
potentially converting the asset to their personal use, and then
concealing it. For example, when an IRS field office or lockbox bank
receives taxpayer receipts and returns, it is responsible for depositing
the cash and checks in a depository institution and forwarding the related
information received to an SCC for further processing. In order to
adequately safeguard receipts from theft, the person responsible for
recording the information from the taxpayer receipts on a voucher should
be different from the individual who prepares those receipts for
transmittal to the SCC for further processing.
^10The vast majority of federal tax payments are made for both businesses
and individuals via the Electronic Federal Tax Payment System (EFTPS).
The following four open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over both
tax receipts and refunds. All are short-term in nature. (See table 3.)
Table 3: Recommendations to Improve IRS's Segregation of Duties
Source: GAO analysis of financial management recommendations made to IRS.
Controls over Information Processing
IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected networks of
computer systems to perform various functions, such as collecting and
storing taxpayer data, processing tax returns, calculating interest and
penalties, generating refunds, and providing customer service.
As part of our annual audits of IRS's financial statements, we assess the
effectiveness of IRS's information security controls^11 over key financial
systems, data, and interconnected networks at IRS's critical data
processing facilities that support the processing, storage, and
transmission of sensitive financial and taxpayer data. From that effort
over the years, we have identified information security control weaknesses
that impair IRS's ability to ensure the confidentiality, integrity, and
availability of its sensitive financial and taxpayer data. As of March
2007, there were 48 open recommendations from our information security
work designed to improve IRS's information security controls.^12
Recommendations resulting from our information security work are reported
separately and are not included in this report primarily because of the
sensitive nature of some of these issues.
However, the following open short-term recommendation is related to
systems limitations and IRS's need to enhance its computer programs. (See
table 4.)
Table 4: Recommendation to Improve IRS's Controls over Information
Processing
Source: GAO analysis of financial management recommendations made to IRS.
^11Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access to
data is appropriately restricted, that only authorized changes to computer
programs are made, that physical access to sensitive computing resources
and facilities is protected, that computer security duties are segregated,
and that backup and recovery plans are adequate to ensure the continuity
of essential operations.
^12GAO, Information Security: Further Efforts Needed to Address
Significant Weaknesses at the Internal Revenue Service, [23]GAO-07-364
(Washington, D.C.: Mar. 30, 2007).
Access Restrictions to and Accountability for Resources and Records
Because IRS deals with a large volume of cash and checks, it is imperative
that it maintain strong controls to appropriately restrict access to those
assets, the records that track those assets, and sensitive taxpayer
information. Although IRS has a number of both physical and information
system controls in place, some of the issues we have identified in our
financial audits over the years pertain to ensuring that those individuals
who have direct access to these cash and checks are appropriately vetted
before being granted access to taxpayer receipts and information and to
ensuring that IRS maintains effective access security control.
The following two open short-term recommendations would help IRS improve
its access restrictions to assets and records. (See table 5.)
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records
Source: GAO analysis of financial management recommendations made to IRS.
Proper Recording and Documenting of Transactions
One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers need
to assist in making well-informed day-to-day decisions. While IRS is
making progress in modernizing its financial management capabilities, it
nonetheless continues to face many pervasive internal control weaknesses
related to its long-standing systems deficiencies that we have reported
each year since we began auditing its financial statements in fiscal year
1992.
However, IRS also has a number of internal control issues that relate to
recording transactions, documenting events, and tracking the processing of
taxpayer receipts or information, which do not depend upon improvements in
information systems.
We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate documentation
of transactions and internal controls, (2) accurate and timely recording
of transactions and events, and (3) proper execution of transactions and
events.
Appropriate Documentation of Transactions and Internal Control
IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract to
process taxpayer receipts for the federal government. Therefore, it is
important that IRS maintain effective controls to ensure that all
documents and records are properly managed and maintained both at its
facilities and at the lockbox banks. In addition, IRS must adequately
document and disseminate its procedures to ensure that they are available
for IRS employees.
The following 13 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. All are
short-term in nature. (See table 6.)
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control
Source: GAO analysis of financial management recommendations made to IRS.
Accurate and Timely Recording of Transactions and Events
IRS is responsible for maintaining taxpayer records for tens of millions
of taxpayers in addition to maintaining its own financial records. To
carry out this responsibility, IRS often has to rely on outdated computer
systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, which is a long-term effort and is
dependent on future funding.
The following 19 open recommendations would strengthen IRS's recordkeeping
abilities. (See table 7.) Thirteen of these recommendations are
short-term, and 6 are long-term. They include some specific
recommendations regarding requirements for new systems for maintaining
taxpayer records. Several of the recommendations listed affect financial
reporting processes, such as subsidiary records and appropriate allocation
of costs. Some of the issues that gave rise to certain of our
recommendations directly affect taxpayers, such as those involving
duplicate assessments, errors in calculating and reporting manual
interest, errors in calculating penalties, and recovery of trust fund
penalty assessments. About 47 percent of these recommendations are almost
5 years or older and 1 is over 10 years old, reflecting the long-term
nature of the resolution of some of these issues.
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events
Source: GAO analysis of financial management recommendations made to IRS.
Proper Execution of Transactions and Events
IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak of
the tax filing season. Because of the tremendous number of personnel
involved, IRS must maintain effective control over which employees are
authorized to either view or change sensitive taxpayer data. IRS's ability
to establish access rights and permissions for information systems is a
critical control.
Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.^13 IRS requires that
all manual refunds be approved by designated officials. However,
weaknesses in the authorization of such approving officials expose the
federal government to losses because of the issuance of improper refunds.
The following open short-term recommendation would improve IRS's controls
over its manual refund transactions. (See table 8.)
Table 8: Recommendation to Improve IRS's Execution of Transactions and
Events
Source: GAO analysis of financial management recommendations made to IRS.
Effective Management Review and Oversight
All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set the
objectives, put the control mechanisms and activities in place, and
monitor and evaluate controls. Without effective monitoring by managers,
internal control activities may not be carried out consistently and on
time.
We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of performance
measures and indicators, and (3) management of human capital. Although we
also include the control activity "top-level reviews of actual
performance" in this grouping, we do not have any open recommendations to
IRS related to this internal control activity.
^13Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers for
immediate payment due to hardship or emergency, those to beneficiaries of
deceased taxpayers, and those that need to be expedited because IRS is in
jeopardy of paying interest for exceeding the 45-day limit for processing
a return.
Reviews by Management at the Functional or Activity Level
IRS has over 80,000 full-time employees and hires over 20,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, Treasury's Financial Management Service contracts with
banks to process tens of thousands of individual receipts, totaling
hundreds of billions of dollars. At any organization, management oversight
of operations is important, but with an organization as vast in scope as
IRS, management oversight is imperative.
The following 17 open short-term recommendations would improve IRS's
management oversight. (See table 9.) Many of these recommendations were
made to correct instances where an internal control activity either does
not exist or where an established control is not being adequately or
consistently applied. Several of these recommendations emphasize
improvements needed to IRS's oversight of lockbox banks and contracted
courier programs in order to ensure appropriate physical control over
vulnerable assets, such as taxpayer receipts. However, a number of these
recommendations are aimed at enhancing IRS's own assessment of its
internal controls over financial reporting in accordance with the
requirements of the revised OMB Circular No. A-123.
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level
Source: GAO analysis of financial management recommendations made to IRS.
Establishment and Review of Performance Measures and Indicators
IRS's operations include a vast array of activities encompassing educating
taxpayers, processing of taxpayer receipts and data, disbursing hundreds
of billions of dollars in refunds to millions of taxpayers, maintaining
extensive information on tens of millions of taxpayers, and seeking
collection from individuals and businesses that fail to comply with the
nation's tax laws. Within its compliance function, IRS has numerous
activities, including identifying businesses and individuals that
underreport income, collecting from taxpayers that do not pay, and
collecting from those receiving refunds for which they are not eligible.
Although IRS has at its peak over 100,000 employees, it still faces
resource constraints in attempting to fulfill its duties. Because of this,
it is vitally important for IRS to have sound performance measures to
assist it in assessing its performance and targeting its resources to
maximize the government's return on investment.
However, in past audits we have reported that IRS did not capture costs at
the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a result,
IRS is unable to measure the costs and benefits of its various collection
and enforcement efforts to best target its available resources.
Additionally, we have reported that IRS's controls over its reporting of
interim performance measurement data were not effective throughout the
year because the data reported at interim periods for certain performance
measures were either not accurate or were outdated.
The following three open recommendations are designed to assist IRS in
evaluating its operations, determining which activities are the most
beneficial, and establishing a good system for oversight. (See table 10.)
These recommendations--two long-term and one short-term--call for IRS to
measure, track, and evaluate the cost, benefits, or outcomes of its
operations--particularly with regard to identifying its most effective tax
collection activities.
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators
Source: GAO analysis of financial management recommendations made to IRS.
Management of Human Capital
IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens of
thousands of employees spread throughout the country, management's
responsibility to keep its guidance up-to-date and its staff properly
trained is imperative.
The following three open short-term recommendations would assist IRS in
its management of human capital. (See table 11.)
Table 11: Recommendations to Improve IRS's Management of Human Capital
Source: GAO analysis of financial management recommendations made to IRS.
Concluding Observations
Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to carry out its mission more
efficiently and more effectively while protecting taxpayers and their
information.
Sound financial management and effective internal controls are essential
if IRS is to efficiently and effectively achieve its goals. IRS has made
substantial progress in improving its financial management since its first
financial audit, as evidenced by consecutive clean audit opinions on its
financial statements for the past 7 years, resolution of several material
internal control weaknesses, and the closing of hundreds of financial
management recommendations. This progress has been the result of hard work
throughout IRS and sustained commitment of IRS leadership. Nonetheless,
more needs to be done to fully address the financial management challenges
the agency faces. Efforts must continue to address the internal control
deficiencies that continue to exist. Effective implementation of the
recommendations we have made and continue to make through our financial
audits and related work could greatly assist IRS in improving its internal
controls and achieving sound financial management. While we recognize that
some actions--primarily those related to modernizing automated
systems--will take a number of years to resolve, most of our outstanding
recommendations can be addressed in the short-term.
Agency Comments and Our Evaluation
In commenting on a draft of this report, IRS expressed its appreciation
for our acknowledgment of the agency's progress in addressing its
financial management challenges as evidenced by our closure of 25 of the
72 open financial management recommendations from last year's report. IRS
also indicated its continued commitment to work with us to take corrective
actions that appropriately address the issues identified in our
recommendations. We will review the effectiveness of further corrective
actions IRS has taken or will take and the status of IRS's progress in
addressing all open recommendations as part of our audit of IRS's fiscal
year 2007 financial statements.
We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental Affairs;
and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate
Committee on Finance. We are also sending copies to the Chairmen and
Ranking Minority Members of the House Committee on Appropriations; and the
House Committee on Ways and Means; Chairman and Vice Chairman of the Joint
Committee on Taxation; the Secretary of the Treasury; the Director of OMB;
the Chairman of the IRS Oversight Board; and other interested parties.
Copies will be made available to others upon request. In addition, the
report will be available at no charge on GAO's Web site at
http://www.gao.gov.
If you have any questions concerning this report, please contact me at
(202) 512-3406 or [email protected]. Contact points for our Offices
of Congressional Relations and Public Affairs can be found on the last
page of this report. GAO staff who made major contributions to this report
are listed in appendix III.
Sincerely yours,
Steven J. Sebastian
Director
Financial Management and Assurance
Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports
Source: IRS updates detailing its actions to address GAO's recommendations
and GAO's analysis of IRS's actions.
Appendix II: Comments from the Internal Revenue Service
Appendix III: Staff Acknowledgments
Acknowledgments
The following individuals made major contributions to this report: Gloria
Cano, Stephanie Chen, William J. Cordrey, Nina Crocker, John Davis,
Charles Ego, Charles Fox, John Gates, Ted Hu, Jerrod O'Nelio, John Sawyer,
Angel Sharma, Peggy Smith, Cynthia Teddleton, LaDonna Towler, Truc Tuck,
and Gary Wiggins.
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
Highlights of [33]GAO-07-629, a report to the Acting Commissioner of
Internal Revenue
June 2007
INTERNAL REVENUE SERVICE
Status of GAO Financial Audit and Related Financial Management Report
Recommendations
IRS has made significant progress in improving its internal controls and
financial management since its first financial statement audit in 1992, as
evidenced by 7 consecutive years of clean audit opinions on its financial
statements, the resolution of several material internal control
weaknesses, and the closing of over 200 financial management
recommendations. This progress has been the result of hard work and
commitment at the top levels of the agency.
However, IRS still faces financial management challenges. At the beginning
of GAO's audit of IRS's fiscal year 2006 financial statements, 72
financial management-related recommendations from prior audits remained
open because IRS had not fully addressed the issues that gave rise to
them. During the fiscal year 2006 financial audit, IRS took actions that
enabled GAO to close 25 of those recommendations. At the same time, GAO
identified additional internal control issues resulting in 28 new
recommendations. In total, 75 recommendations currently remain open.
To assist IRS in evaluating and improving internal controls, GAO
categorized the 75 open recommendations by various internal control
activities which, in turn, were grouped into three broad control activity
groupings.
Summary of Open Recommendations
Source: GAO analysis of financial management recommendations made to IRS.
The continued existence of internal control weaknesses that gave rise to
these recommendations represents a serious obstacle that IRS needs to
overcome. Effective implementation of GAO's recommendations can greatly
assist IRS in improving its internal controls and achieving sound
financial management and can help enable it to more effectively carry out
its tax administration responsibilities. IRS acknowledged the status of
GAO's recommendations and indicated its desire to ensure that its
corrective actions appropriately address its internal control issues.
References
Visible links
17. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-12.19.6
18. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21
19. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G
20. http://www.gao.gov/cgi-bin/getrpt?GAO-06-560
21. http://www.gao.gov/cgi-bin/getrpt?GAO-07-689R
22. http://www.gao.gov/cgi-bin/getrpt?GAO-07-692R
23. http://www.gao.gov/cgi-bin/getrpt?GAO-07-364
33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-629
*** End of document. ***